User Flag
Enumeration
As always, we start by scanning the ports and identifying the services behind them.
These are the recon tools and commands I used:
sudo masscan '-p1-65535,U:1-65535' 10.129.36.41 '--rate=1000' -e tun0
[sudo] password for replican:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-05-18 05:39:02 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.129.36.41
Discovered open port 5000/tcp on 10.129.36.41
Once the open ports are known, we run nmap against them:
sudo nmap -p '80, 5000' -sVSC -A -oN nmap_detailed_all_tcp_ports.txt 10.129.36.41 -v2
[sudo] password for replican:
Starting Nmap 7.95 ( https://nmap.org ) at 2024-05-18 21:58 WIB
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 0.00s elapsed
Initiating Ping Scan at 21:58
Scanning 10.129.36.41 [4 ports]
Completed Ping Scan at 21:58, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:58
Completed Parallel DNS resolution of 1 host. at 21:58, 0.05s elapsed
Initiating SYN Stealth Scan at 21:58
Scanning 10.129.36.41 [2 ports]
Discovered open port 5000/tcp on 10.129.36.41
Completed SYN Stealth Scan at 21:58, 0.09s elapsed (2 total ports)
Initiating Service scan at 21:58
Scanning 1 service on 10.129.36.41
Completed Service scan at 21:58, 6.21s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.129.36.41
Initiating Traceroute at 21:58
Completed Traceroute at 21:58, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:58
Completed Parallel DNS resolution of 2 hosts. at 21:58, 0.04s elapsed
NSE: Script scanning 10.129.36.41.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:58, 1.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:58
Completed NSE at 21:59, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Nmap scan report for 10.129.36.41
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2024-05-18 21:58:50 WIB for 10s
PORT     STATE  SERVICE REASON         VERSION
80/tcp   closed http    reset ttl 63
5000/tcp open   http    syn-ack ttl 63 Werkzeug httpd 2.2.2 (Python 3.11.2)
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
|_http-server-header: Werkzeug/2.2.2 Python/3.11.2
|_http-title: Under Construction
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/18%OT=5000%CT=80%CU=34143%PV=Y%DS=2%DC=T%G=Y%TM=6648
OS:C234%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CS
OS:T11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)
Uptime guess: 29.290 days (since Fri Apr 19 15:01:20 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   50.28 ms 10.10.14.1
2   50.36 ms 10.129.36.41
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:59
Completed NSE at 21:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.49 seconds
Raw packets sent: 38 (2.458KB) | Rcvd: 22 (1.594KB)
With port 5000 confirmed open and serving HTTP, we enumerate directories with dirsearch:
dirsearch -u http://10.129.36.41:5000
/usr/share/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11723
Output: /home/replican/Desktop/Prod/HackTheBox/machine/Headless/reports/http_10.129.36.41_5000/__24-05-18_22-02-29.txt
Target: http://10.129.36.41:5000/
[22:02:29] Starting:
[22:04:16] 401 - 317B - /dashboard
[22:05:50] 200 - 2KB - /support
Task Completed
/dashboard cannot be accessed (it returns 401 Unauthorized), so we go to /support.
After a while I noticed that the site also sets a cookie.
Exploitation
As in the usual CTF challenge, the combination of a cookie, an admin page and a form that takes no file upload points to XSS.
We put an XSS payload straight into the form, but it got blocked.
However, our User-Agent header is also reflected in the page, so we modify the User-Agent with Burp Suite and place the XSS payload there to steal the cookie (we assume the admin automatically reviews our submitted form in the backend).
As we can see, the payload works. We now start a Python http.server to watch the incoming request log.
After some time we receive a request carrying the admin cookie.
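The defender's side of the reflected User-Agent: the following is an added example, not code from the original writeup or from the Headless box, modelled on a Werkzeug-style view (function names, cookie name and sample values are constructed). It shows the naive render beside the hardened one (escaping, HttpOnly, CSP) and a helper that detects raw reflection.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample values (not from the real box): a support message and a
# User-Agent that carries a harmless tag, enough to show whether the header is
# reflected into the page as raw HTML.
SAMPLE_MESSAGE = "The dashboard gives me a 401"
SAMPLE_UA = "Mozilla/5.0 <b>injected</b>"


def render_report_vulnerable(user_agent, message):
    """Admin-side view built the naive way: the header is interpolated raw,
    so whatever the client sends in User-Agent becomes markup on the page."""
    body = f"<p>Client: {user_agent}</p><p>{message}</p>"
    headers = [("Content-Type", "text/html"),
               ("Set-Cookie", "is_admin=1; Path=/")]   # readable by script
    return "200 OK", headers, body


def render_report_hardened(user_agent, message):
    """Same view with every client-controlled value HTML-escaped, the cookie
    marked HttpOnly (script cannot read it) and a CSP that refuses inline
    script as a second layer in case an escape is ever missed."""
    body = (f"<p>Client: {html.escape(user_agent, quote=True)}</p>"
            f"<p>{html.escape(message, quote=True)}</p>")
    cookie = SimpleCookie()
    cookie["is_admin"] = "1"
    cookie["is_admin"]["path"] = "/"
    cookie["is_admin"]["httponly"] = True
    cookie["is_admin"]["samesite"] = "Strict"
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Security-Policy", "default-src 'self'"),
               ("Set-Cookie", cookie.output(header="").strip())]
    return "200 OK", headers, body


def reflects_raw(user_agent, message, renderer):
    """Review helper: True when the rendered body still contains the header
    value verbatim, i.e. the view reflects it without encoding."""
    _, _, body = renderer(user_agent, message)
    return user_agent in body


def cookie_header(renderer):
    """Returns the Set-Cookie value a renderer emits, to check its flags."""
    _, headers, _ = renderer(SAMPLE_UA, SAMPLE_MESSAGE)
    return dict(headers)["Set-Cookie"]
```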
With that cookie we enter the dashboard. Because the page mentions "system", we assume the form runs a system command and test for command injection.
It is indeed command injection: when we append ;ls, the file listing appears.
From there we go straight to a reverse shell and get the user flag.
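The dashboard finding comes down to form input reaching a shell. Added example, not from the original writeup or the box: the "report for a date" action and every name in it are assumptions standing in for the real script, with the injectable call beside its fixed form and a log-review check for shell metacharacters.

```python
import re
import subprocess

# Hypothetical model of the dashboard action: a "system check" report that
# takes a date from the form. The real script is unknown, so a plain echo
# stands in for it; the injection mechanics are the same.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
SHELL_META = set(";|&`$(){}<>\n")


def run_report_vulnerable(date):
    """The pattern behind the finding: user input pasted into a shell string.
    A value such as '2024-05-18;ls' is parsed by /bin/sh as two commands."""
    cmd = "echo report for " + date
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_report_hardened(date):
    """Fix: validate the value against the shape it must have and pass it as a
    single argv element with shell=False, so no shell ever parses it."""
    if not DATE_RE.fullmatch(date):
        raise ValueError("date must be YYYY-MM-DD")
    proc = subprocess.run(["echo", "report for", date],
                          shell=False, capture_output=True, text=True)
    return proc.stdout


def looks_like_injection(value):
    """Detection helper for request logs: flags a form value that carries
    shell metacharacters, which a legitimate date never does."""
    return any(ch in SHELL_META for ch in value)
```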
Root Flag
Enumeration
Since this is a Linux box and an easy machine, I still use the Sliver C2 framework as usual.
First we look at the mail.
As we can see, we need to find the system check script (and create the database init script).
After that we use the following.
We have sudo access to the syscheck binary, which internally looks for a script named initdb.sh. We can simply write a script that launches /bin/bash as root, name it initdb.sh, and then call syscheck with sudo.
Exploitation
After placing our payload we run syscheck (don't forget to start a listener first),
and we get the flag.
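The root path works because a privileged wrapper looks up its helper by bare name. Added example, not the box's syscheck or the author's payload: the checks such a wrapper should run before executing a helper (absolute path, trusted owner, not writable by others, sane parent directory), exercised on a temporary directory with constructed scripts; helper_findings, run_helper and demo are hypothetical names.

```python
import os
import stat
import subprocess
import tempfile


def helper_findings(path, trusted_uid=0):
    """Reasons a privileged wrapper (think: syscheck run under sudo) should
    refuse to execute `path`. An empty list means the helper passes."""
    findings = []
    if not os.path.isabs(path):
        findings.append("relative path: resolved against the caller's cwd")
        path = os.path.abspath(path)
    if not os.path.exists(path):
        return findings + ["missing: whoever controls the cwd can supply it"]
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    parent = os.stat(os.path.dirname(path)).st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def run_helper(path, trusted_uid=0):
    """Run the helper through /bin/sh only when it passes every check above."""
    problems = helper_findings(path, trusted_uid)
    if problems:
        raise PermissionError("; ".join(problems))
    return subprocess.run(["/bin/sh", path], capture_output=True, text=True, check=True).stdout


def demo():
    """Self-contained run on a temp dir: one helper installed correctly, one
    left world-writable, one referenced by bare name as on the box. The owner
    check uses the current uid here; a real wrapper would require uid 0."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        good, loose = os.path.join(d, "initdb.sh"), os.path.join(d, "loose.sh")
        for p in (good, loose):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho ok\n")
        os.chmod(good, 0o755)
        os.chmod(loose, 0o777)
        return {"good": helper_findings(good, me),
                "good_output": run_helper(good, me),
                "loose": helper_findings(loose, me),
                "relative": helper_findings("initdb.sh", me)}
```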